From: Christoph J. <chr...@ma...> - 2021-02-03 02:18:40
Hi Sebastien,

great, thanks for the update. Good that you included that version information on MINA in your earlier mails...

Cheers,
Chris.

On 02.02.21 15:28, seb...@or... wrote:
> QuickFIX/J Documentation: http://www.quickfixj.org/documentation/
> QuickFIX/J Support: http://www.quickfixj.org/support/
>
> Hi Christoph,
>
> Thank you for your answers, I succeeded yesterday evening in finding a solution.
>
> I had two problems:
>
> · There was a missing rule in our AWS IaaS for allowing mina to create its SSL session
>
> · Since the JDK 11 migration, we have had a library version problem: mina-core-2.0.17 was used instead
> of mina-core-2.0.19. The 2.0.17 version was imported by another Maven dependency. We forced the use of
> the more recent version. You mentioned this difference in a previous post, and you were right.
>
> With these two fixes, I was able to make our module work with QuickfixJ and SSL activated on
> JDK 11 (Amazon Corretto).
>
> Thank you for your help.
>
> Cheers,
>
> Sebastien.
>
> From: Christoph John <chr...@ma...>
> Sent: Tuesday, 2 February 2021 15:06
> To: qui...@li...; MEDARD Sebastien OBS/DD <seb...@or...>
> Subject: Re: [Quickfixj-users] Problem with SSL and JdK 11
>
> Hi Sebastien,
>
> as Philip has pointed out earlier in this thread it might as well be the case that this Exception
> should be ignored. https://bugs.mysql.com/bug.php?id=93590
> MySQL and Netty seemed to have "solved" this by ignoring the Exception. Maybe MINA (connection
> framework used by QFJ) needs to do the same although it is ugly.
>
> But hopefully your comparison against JDK 8 will lead you to a solution.
>
> Cheers,
> Chris.
>
> On 28.01.21 10:31, seb...@or... wrote:
> > Hi Christoph,
> >
> > Thank you for your answer, I followed your suggestion, you’re right, I made the change.
> >
> > I tried to add my certificate to the JDK cacerts and use it as the truststore for QuickfixJ, but it
> > doesn’t solve my problem.
> >
> > I tried another idea: going back to openjdk8, with SSL and handshake in debug mode. I got this:
> >
> > 2021-01-28 08:45:50.184 INFO 10 --- [ NioProcessor-1] q.mina.acceptor.AcceptorIoHandler : MINA session created: local=/172.18.12.72:1085, class org.apache.mina.transport.socket.nio.NioSocketSession, remote=/172.18.0.91:23463
> > NioProcessor-1, called closeOutbound()
> > NioProcessor-1, closeOutboundInternal()
> > NioProcessor-1, called closeInbound()
> > NioProcessor-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
> > javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
> > NioProcessor-1, SEND TLSv1.2 ALERT: fatal, description = internal_error
> > NioProcessor-1, Exception sending alert: java.io.IOException: writer side was already closed.
> > NioProcessor-1, called closeOutbound()
> > NioProcessor-1, closeOutboundInternal()
> > NioProcessor-2, called closeInbound()
> > NioProcessor-2, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
> > javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
> > NioProcessor-2, SEND TLSv1.2 ALERT: fatal, description = internal_error
> > NioProcessor-2, Exception sending alert: java.io.IOException: writer side was already closed.
> > NioProcessor-2, called closeOutbound()
> > NioProcessor-2, closeOutboundInternal()
> > Using SSLEngineImpl.
> > Allow unsafe renegotiation: false
> > Allow legacy hello messages: true
> > Is initial handshake: true
> > Is secure renegotiation: false
> >
> > In fact it seems the errors were already present with openjdk8, but they didn’t block us, because we
> > were able to establish a secured connection with QuickFixJ.
> >
> > I will try to investigate these logs.
> >
> > Cheers,
> >
> > Sebastien.

-- 
Christoph John
Software Engineering
T +49 241 557080-28
chr...@ma...

MACD GmbH
Oppenhoffallee 103
52066 Aachen, Germany
www.macd.com

Amtsgericht Aachen: HRB 8151
VAT ID: DE 813021663
Managing Director: George Macdonald