TLS connectivity issue with search.jabber.network (#1292)

Activities
wojciech.kapcia@tigase.net opened 3 years ago
Jonas reported problems when connecting from search.jabber.network.
wojciech.kapcia@tigase.net commented 3 years ago
It turns his library was sending entire CAs collection which resulted in the following exception:
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.451 CEST|SSLEngineInputRecord.java:214|READ: TLSv1.2 handshake, length = 122
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.453 CEST|ServerHello.java:888|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "2E AC C0 92 D8 4F 3C FB 36 9B 43 36 E6 5E 89 22 02 6A CF 04 A0 52 89 48 51 68 F1 23 28 CE 58 02",
  "session id"          : "90 C0 48 CF C2 B7 38 26 6F 9D 22 1E 33 03 1E FD 2F 7C 35 B2 83 A8 6D B3 63 05 92 1B E7 52 0A C7",
  "cipher suite"        : "TLS_CHACHA20_POLY1305_SHA256(0x1303)",
  "compression methods" : "00",
  "extensions"          : [
    "key_share (51)": {
      "server_share": {
        "named group": x25519
        "key_exchange": {
          0000: B6 5F F4 04 1C 1D 2B 6D   C6 CD 5E 1D 9E FE 5C 2F  ._....+m..^...\/
          0010: 1F 0B 48 3C BA 27 C7 B2   F6 4C 06 C5 8F AE 52 49  ..H<.'...L....RI
        }
      },
    },
    "supported_versions (43)": {
      "selected version": [TLSv1.3]
    }
  ]
}
)
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.453 CEST|SSLExtensions.java:192|Consumed extension: supported_versions
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.454 CEST|ServerHello.java:984|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.455 CEST|SSLExtensions.java:163|Ignore unsupported extension: server_name
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.455 CEST|SSLExtensions.java:163|Ignore unsupported extension: max_fragment_length
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.455 CEST|SSLExtensions.java:163|Ignore unsupported extension: status_request
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.455 CEST|SSLExtensions.java:163|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.455 CEST|SSLExtensions.java:163|Ignore unsupported extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.455 CEST|SSLExtensions.java:163|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.455 CEST|SSLExtensions.java:163|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.456 CEST|SSLExtensions.java:163|Ignore unsupported extension: session_ticket
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.456 CEST|SSLExtensions.java:192|Consumed extension: supported_versions
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.458 CEST|SSLExtensions.java:192|Consumed extension: key_share
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.458 CEST|SSLExtensions.java:163|Ignore unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.458 CEST|PreSharedKeyExtension.java:925|Handling pre_shared_key absence.
javax.net.ssl|ALL|E1|pool-5-thread-4|2021-09-21 19:07:43.459 CEST|SSLSessionImpl.java:220|Session initialized:  Session(1632244063459|TLS_CHACHA20_POLY1305_SHA256)
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.459 CEST|SSLExtensions.java:207|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.459 CEST|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.459 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.459 CEST|SSLExtensions.java:207|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.459 CEST|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.459 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.460 CEST|SSLExtensions.java:207|Ignore unavailable extension: extended_master_secret
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.460 CEST|SSLExtensions.java:207|Ignore unavailable extension: session_ticket
javax.net.ssl|WARNING|E1|pool-5-thread-4|2021-09-21 19:07:43.460 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|WARNING|E1|pool-5-thread-4|2021-09-21 19:07:43.460 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: key_share
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.460 CEST|SSLExtensions.java:207|Ignore unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.460 CEST|SSLExtensions.java:207|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.472 CEST|SSLCipher.java:2563|algorithm = CHACHA20-POLY1305:KEYUPDATE
countdown value = 0
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.473 CEST|SSLEngineOutputRecord.java:510|WRITE: TLSv1.3 change_cipher_spec, length = 1
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.473 CEST|SSLEngineInputRecord.java:214|READ: TLSv1.2 change_cipher_spec, length = 1
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.474 CEST|ChangeCipherSpec.java:246|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.474 CEST|SSLEngineInputRecord.java:214|READ: TLSv1.2 application_data, length = 27
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.476 CEST|EncryptedExtensions.java:171|Consuming EncryptedExtensions handshake message (
"EncryptedExtensions": [
  "server_name (0)": {
    <empty extension_data field>
  }
]
)
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.477 CEST|SSLExtensions.java:192|Consumed extension: server_name
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.477 CEST|SSLExtensions.java:173|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.477 CEST|SSLExtensions.java:173|Ignore unavailable extension: supported_groups
javax.net.ssl|WARNING|E1|pool-5-thread-4|2021-09-21 19:07:43.477 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: server_name
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.477 CEST|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.477 CEST|SSLExtensions.java:207|Ignore unavailable extension: supported_groups
javax.net.ssl|DEBUG|E1|pool-5-thread-4|2021-09-21 19:07:43.477 CEST|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|E2|pool-5-thread-5|2021-09-21 19:07:43.494 CEST|SSLEngineInputRecord.java:214|READ: TLSv1.2 application_data, length = 16401
javax.net.ssl|ERROR|E2|pool-5-thread-5|2021-09-21 19:07:43.507 CEST|TransportContext.java:361|Fatal (UNEXPECTED_MESSAGE): The size of the handshake message (42207) exceeds the maximum allowed size (32768) (
"throwable" : {
  javax.net.ssl.SSLProtocolException: The size of the handshake message (42207) exceeds the maximum allowed size (32768)
  	at java.base/sun.security.ssl.SSLEngineInputRecord.decodeInputRecord(SSLEngineInputRecord.java:301)
  	at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:197)
  	at java.base/sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:160)
  	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
  	at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:736)
  	at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:691)
  	at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
  	at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
  	at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
  	at tigase.io.JcaTLSWrapper.unwrap(JcaTLSWrapper.java:279)
  	at tigase.io.TLSIO.decodeData(TLSIO.java:349)
  	at tigase.io.TLSIO.read(TLSIO.java:176)
  	at tigase.net.IOService.readData(IOService.java:741)
  	at tigase.xmpp.XMPPIOService.processSocketData(XMPPIOService.java:476)
  	at tigase.net.IOService.call(IOService.java:205)
  	at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:152)
  	at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:53)
  	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
  	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
  	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
  	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
  	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
  	at java.base/java.lang.Thread.run(Thread.java:831)}

)
Which is caused by the JDK defaults: https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-A41282C3-19A3-400A-A40F-86F4DA22ABA9 specifies:
I configured the property with 64k limit, which fixed the issue (and should be enough)
Type	Bug
Priority	Normal
Assignee	wojciech.kapcia@tigase.net
Version	tigase-server-8.2.0
Spent time	2h
Child Issue
Parent Issue
tigase-private/systems-maintenance/servers#292 You are not authorized to access this issue
Issue Votes (0)
Watchers (0)
Reference
tigase/_server/server-core#1292