From: <seb...@or...> - 2021-02-02 14:28:44
Hi Christoph,

Thank you for your answers. I succeeded yesterday evening in finding a solution.

I had two problems:

· There was a missing rule in our AWS IaaS for allowing mina to create its SSL session
· Since the Jdk11 migration, we have had a library version problem: mina-core-2.0.17 was used instead of mina-core-2.0.19. The 2.0.17 version was imported by another maven dependency. We forced the use of the more recent version. You mentioned this difference in a previous post, and you were right.

With these two fixes, I was able to make our module work with QuickfixJ and SSL activated on Jdk11 (Amazon Corretto).

Thank you for your help.

Cheers,
Sebastien.

From: Christoph John <chr...@ma...>
Sent: Tuesday, 2 February 2021 15:06
To: qui...@li...; MEDARD Sebastien OBS/DD <seb...@or...>
Subject: Re: [Quickfixj-users] Problem with SSL and JdK 11

Hi Sebastien,

as Philip has pointed out earlier in this thread it might as well be the case that this Exception should be ignored.
https://bugs.mysql.com/bug.php?id=93590
MySQL and Netty seemed to have "solved" this by ignoring the Exception. Maybe MINA (connection framework used by QFJ) needs to do the same although it is ugly. But hopefully your comparison against JDK 8 will lead you to a solution.

Cheers,
Chris.

On 28.01.21 10:31, seb...@or... wrote:

Hi Christoph,

Thanks for your answer. I followed your suggestion; you're right, I made the change. I tried to add my certificate to the jdk cacerts and use it as the truststore for QuickfixJ, but it doesn't solve my problem. I tried another idea: going back to openjdk8, with ssl and handshake in debug mode.
I got this:

2021-01-28 08:45:50.184 INFO 10 --- [ NioProcessor-1] q.mina.acceptor.AcceptorIoHandler : MINA session created: local=/172.18.12.72:1085, class org.apache.mina.transport.socket.nio.NioSocketSession, remote=/172.18.0.91:23463
NioProcessor-1, called closeOutbound()
NioProcessor-1, closeOutboundInternal()
NioProcessor-1, called closeInbound()
NioProcessor-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
NioProcessor-1, SEND TLSv1.2 ALERT: fatal, description = internal_error
NioProcessor-1, Exception sending alert: java.io.IOException: writer side was already closed.
NioProcessor-1, called closeOutbound()
NioProcessor-1, closeOutboundInternal()
NioProcessor-2, called closeInbound()
NioProcessor-2, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
NioProcessor-2, SEND TLSv1.2 ALERT: fatal, description = internal_error
NioProcessor-2, Exception sending alert: java.io.IOException: writer side was already closed.
NioProcessor-2, called closeOutbound()
NioProcessor-2, closeOutboundInternal()
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false

In fact it seems the errors were already present with openjdk8, but didn't block, because we were able to establish a secured connection with QuickFixJ. I will try to investigate these logs.

Cheers,
Sebastien.
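The library-version problem reported at the top of this thread (mina-core 2.0.17 resolved in place of 2.0.19 because another Maven dependency pulled it in) can be caught by scanning verbose dependency-tree output for artifacts where the selected version is older than one Maven dropped. This is an added example, not code from the thread or from QuickFIX/J; the sample tree is constructed, and every coordinate in it other than the two mina-core versions is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample of `mvn dependency:tree -Dverbose` output. Only the two
# mina-core versions come from the thread; all other coordinates are placeholders.
SAMPLE_TREE = r"""
[INFO] com.example:fix-gateway:jar:0.0.0
[INFO] +- com.example:legacy-transport:jar:0.0.0:compile
[INFO] |  \- org.apache.mina:mina-core:jar:2.0.17:compile
[INFO] \- org.quickfixj:quickfixj-core:jar:0.0.0:compile
[INFO]    +- (org.apache.mina:mina-core:jar:2.0.19:compile - omitted for conflict with 2.0.17)
[INFO]    \- org.slf4j:slf4j-api:jar:0.0.0:compile
"""

# group:artifact:type:version:scope; a leading "(" marks a node Maven dropped.
COORD = re.compile(
    r"(?P<omitted>\()?(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):"
    r"[\w\-]+:(?P<version>[\w.\-]+):\w+"
)

def version_conflicts(tree_text):
    """Map group:artifact -> selected/omitted version sets, for artifacts
    that appear in the tree with more than one version."""
    seen = defaultdict(lambda: {"selected": set(), "omitted": set()})
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m:
            continue  # root project line (no scope field) or non-tree output
        bucket = "omitted" if m["omitted"] else "selected"
        seen[f"{m['group']}:{m['artifact']}"][bucket].add(m["version"])
    return {k: v for k, v in seen.items()
            if len(v["selected"] | v["omitted"]) > 1}

def downgraded(conflicts):
    """Artifacts where dependency mediation kept an older version than one it dropped."""
    def vkey(version):
        return tuple(int(p) for p in re.findall(r"\d+", version))
    return sorted(
        name for name, v in conflicts.items()
        if v["selected"] and v["omitted"]
        and max(map(vkey, v["omitted"])) > max(map(vkey, v["selected"]))
    )

if __name__ == "__main__":
    for name in downgraded(version_conflicts(SAMPLE_TREE)):
        print("older version selected for", name)
```

Run against a real build's verbose tree, a flagged artifact is a candidate for forcing the newer version, which is the fix the poster describes.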