Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8232952

JConsole HTTPS connection fails with javax.crypto.ShortBufferException

    Details

      Description

      ADDITIONAL SYSTEM INFORMATION :
      Solaris SPARCv9 / Oracle Solaris 11.3 SPARC / Oracle Java 8 JDK 1.8.0_221

      A DESCRIPTION OF THE PROBLEM :
      JConsole HTTPS connection fails with "javax.crypto.ShortBufferException: Output buffer must be (at least) 8192 bytes long. Got: 8176" on Solaris SPARCv9.
      The same scenario works on Linux and Windows (and on AIX, but there we use an IBM JRE so it's less relevant).
      I'm pretty sure there is a bug in the hardware-accelerated security provider which only affects Solaris SPARCv9.
      This looks related to https://bugs.openjdk.java.net/browse/JDK-8179532, which was supposedly fixed in 8u192 (but maybe not for Solaris SPARCv9?).

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      Start JConsole (on Solaris).
      Actually, we use the JBoss EAP 7.2 jconsole.sh script, which is a wrapper script that starts the jconsole in JAVA_HOME with some JBoss JARs added to the classpath.

      export JAVA_HOME=/home/weblogic/jdk/jdk1.8.0_221
      export PATH=$JAVA_HOME/bin:$PATH
      jboss-eap/bin/jconsole.sh -J-Djavax.net.ssl.trustStorePassword=myTrustStorePassword -J-Djavax.net.ssl.trustStore=/path/to/my/trustStore.jks

      Connect over HTTPS to a running application with username and password.

      service:jmx:remote+https://hostnameOrIP:managementPort
      username=monitor
      password=myPassword

      Cipher is AES/GCM/NoPadding.

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Connection is established.
      ACTUAL -
      Connection fails with "javax.crypto.ShortBufferException: Output buffer must be (at least) 8192 bytes long. Got: 8176":

      ---
      May 15, 2019 2:52:48 PM org.jboss.remoting3.EndpointImpl <clinit>
      INFO: JBoss Remoting version 5.0.5.Final-redhat-1
      May 15, 2019 2:52:48 PM org.xnio.Xnio <clinit>
      INFO: XNIO version 3.5.4.Final-redhat-1
      May 15, 2019 2:52:48 PM org.xnio.nio.NioXnio <clinit>
      INFO: XNIO NIO Implementation Version 3.5.4.Final-redhat-1
      May 15, 2019 2:52:49 PM org.wildfly.security.Version <clinit>
      INFO: ELY00001: WildFly Elytron version 1.1.7.Final-redhat-1
      May 15, 2019 2:52:53 PM org.xnio.ChannelListeners invokeChannelListener
      ERROR: XNIO001007: A channel event listener threw an exception
      java.security.ProviderException: Could not determine buffer size
       at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:843)
       at javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
       at javax.crypto.Cipher.doFinal(Cipher.java:2459)
       at sun.security.ssl.CipherBox.decrypt(CipherBox.java:536)
       at sun.security.ssl.EngineInputRecord.decrypt(EngineInputRecord.java:200)
       at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:963)
       at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:896)
       at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
       at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
       at org.xnio.ssl.JsseSslConduitEngine.engineUnwrap(JsseSslConduitEngine.java:688)
       at org.xnio.ssl.JsseSslConduitEngine.unwrap(JsseSslConduitEngine.java:620)
       at org.xnio.ssl.JsseSslStreamSourceConduit.read(JsseSslStreamSourceConduit.java:126)
       at org.xnio.conduits.PushBackStreamSourceConduit.read(PushBackStreamSourceConduit.java:56)
       at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:123)
       at org.jboss.remoting3.remote.MessageReader.getMessage(MessageReader.java:132)
       at org.jboss.remoting3.remote.RemoteReadListener.handleEvent(RemoteReadListener.java:72)
       at org.jboss.remoting3.remote.RemoteReadListener.handleEvent(RemoteReadListener.java:46)
       at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
       at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
       at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
       at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
      Caused by: javax.crypto.ShortBufferException: Output buffer must be (at least) 8192 bytes long. Got: 8176
       at com.oracle.security.ucrypto.NativeGCMCipher.engineDoFinal(NativeGCMCipher.java:404)
       at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:830)
       ... 20 more

      CUSTOMER SUBMITTED WORKAROUND :
      As workaround, it suffices to disable the hardware-accelerated security provider, or use Bouncy Castle's instead.

      Edit jre/lib/security/ucrypto-solaris.cfg and add Cipher.AES/GCM/NoPadding to the disabled services (the first 2 were already there):

      disabledServices = {
        # disabled due to Solaris bug 7121679
        Cipher.AES/CFB128/PKCS5Padding
        Cipher.AES/CFB128/NoPadding
        Cipher.AES/GCM/NoPadding
      }

      An alternative workaround is to use Bouncy Castle's security provider.

      FREQUENCY : always


        Attachments

          Activity

            People

            • Assignee:
              rpallath Rajendrakumar Pallath
              Reporter:
              webbuggrp Webbug Group
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated: