- Bug
- Resolution: Unresolved
- P4
- None
- 8
- sparc
- solaris_11
ADDITIONAL SYSTEM INFORMATION :
Solaris SPARCv9 / Oracle Solaris 11.3 SPARC / Oracle Java 8 JDK 1.8.0_221
A DESCRIPTION OF THE PROBLEM :
JConsole HTTPS connection fails with "javax.crypto.ShortBufferException: Output buffer must be (at least) 8192 bytes long. Got: 8176" on Solaris SPARCv9.
The same scenario works on Linux and Windows (and on AIX, but there we use an IBM JRE so it's less relevant).
I'm pretty sure there is a bug in the hardware-accelerated security provider which only affects Solaris SPARCv9.
This looks related to https://bugs.openjdk.java.net/browse/JDK-8179532, which was supposedly fixed in 8u192 (but maybe not for Solaris SPARCv9?).
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Start JConsole (on Solaris).
Actually, we use the JBoss EAP 7.2 jconsole.sh script, which is a wrapper script that starts the jconsole in JAVA_HOME with some JBoss JARs added to the classpath.
export JAVA_HOME=/home/weblogic/jdk/jdk1.8.0_221
export PATH=$JAVA_HOME/bin:$PATH
jboss-eap/bin/jconsole.sh -J-Djavax.net.ssl.trustStorePassword=myTrustStorePassword -J-Djavax.net.ssl.trustStore=/path/to/my/trustStore.jks
Connect over HTTPS to a running application with username and password.
service:jmx:remote+https://hostnameOrIP:managementPort
username=monitor
password=myPassword
Cipher is AES/GCM/NoPadding.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Connection is established.
ACTUAL -
Connection fails with "javax.crypto.ShortBufferException: Output buffer must be (at least) 8192 bytes long. Got: 8176":
---
May 15, 2019 2:52:48 PM org.jboss.remoting3.EndpointImpl <clinit>
INFO: JBoss Remoting version 5.0.5.Final-redhat-1
May 15, 2019 2:52:48 PM org.xnio.Xnio <clinit>
INFO: XNIO version 3.5.4.Final-redhat-1
May 15, 2019 2:52:48 PM org.xnio.nio.NioXnio <clinit>
INFO: XNIO NIO Implementation Version 3.5.4.Final-redhat-1
May 15, 2019 2:52:49 PM org.wildfly.security.Version <clinit>
INFO: ELY00001: WildFly Elytron version 1.1.7.Final-redhat-1
May 15, 2019 2:52:53 PM org.xnio.ChannelListeners invokeChannelListener
ERROR: XNIO001007: A channel event listener threw an exception
java.security.ProviderException: Could not determine buffer size
    at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:843)
    at javax.crypto.CipherSpi.engineDoFinal(CipherSpi.java:730)
    at javax.crypto.Cipher.doFinal(Cipher.java:2459)
    at sun.security.ssl.CipherBox.decrypt(CipherBox.java:536)
    at sun.security.ssl.EngineInputRecord.decrypt(EngineInputRecord.java:200)
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:963)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:896)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at org.xnio.ssl.JsseSslConduitEngine.engineUnwrap(JsseSslConduitEngine.java:688)
    at org.xnio.ssl.JsseSslConduitEngine.unwrap(JsseSslConduitEngine.java:620)
    at org.xnio.ssl.JsseSslStreamSourceConduit.read(JsseSslStreamSourceConduit.java:126)
    at org.xnio.conduits.PushBackStreamSourceConduit.read(PushBackStreamSourceConduit.java:56)
    at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:123)
    at org.jboss.remoting3.remote.MessageReader.getMessage(MessageReader.java:132)
    at org.jboss.remoting3.remote.RemoteReadListener.handleEvent(RemoteReadListener.java:72)
    at org.jboss.remoting3.remote.RemoteReadListener.handleEvent(RemoteReadListener.java:46)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
Caused by: javax.crypto.ShortBufferException: Output buffer must be (at least) 8192 bytes long. Got: 8176
    at com.oracle.security.ucrypto.NativeGCMCipher.engineDoFinal(NativeGCMCipher.java:404)
    at javax.crypto.CipherSpi.bufferCrypt(CipherSpi.java:830)
    ... 20 more
CUSTOMER SUBMITTED WORKAROUND :
As a workaround, it suffices to disable the hardware-accelerated security provider, or use Bouncy Castle's instead.
Edit jre/lib/security/ucrypto-solaris.cfg and add Cipher.AES/GCM/NoPadding to the disabled services (the first 2 were already there):
disabledServices = {
# disabled due to Solaris bug 7121679
Cipher.AES/CFB128/PKCS5Padding
Cipher.AES/CFB128/NoPadding
Cipher.AES/GCM/NoPadding
}
An alternative workaround is to use Bouncy Castle's security provider.
FREQUENCY : always
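A small check to run on the affected host before and after the workaround, as an added example that is not part of the original report: it prints which provider serves AES/GCM/NoPadding and decrypts through Cipher.doFinal(ByteBuffer, ByteBuffer), the call seen in the stack trace. The class name, the random key and the buffer sizes (which include the 8176 and 8192 from the error message) are constructed for illustration; the report does not confirm that this standalone test triggers the failure.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class GcmProviderCheck {              // hypothetical class name
    static final String XFORM = "AES/GCM/NoPadding";

    // Encrypts random data, then decrypts it through the ByteBuffer overload of doFinal.
    static boolean roundTrip(int plainLen, boolean direct) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] key = new byte[16], iv = new byte[12], plain = new byte[plainLen];
        rnd.nextBytes(key); rnd.nextBytes(iv); rnd.nextBytes(plain);
        SecretKeySpec k = new SecretKeySpec(key, "AES");
        GCMParameterSpec spec = new GCMParameterSpec(128, iv);   // 16-byte tag

        Cipher enc = Cipher.getInstance(XFORM);
        enc.init(Cipher.ENCRYPT_MODE, k, spec);
        byte[] ct = enc.doFinal(plain);                          // ciphertext followed by tag

        Cipher dec = Cipher.getInstance(XFORM);
        dec.init(Cipher.DECRYPT_MODE, k, spec);
        int outLen = dec.getOutputSize(ct.length);               // size the provider asks for
        ByteBuffer in = direct ? ByteBuffer.allocateDirect(ct.length) : ByteBuffer.allocate(ct.length);
        ByteBuffer out = direct ? ByteBuffer.allocateDirect(outLen) : ByteBuffer.allocate(outLen);
        in.put(ct);
        in.flip();
        int n = dec.doFinal(in, out);                            // goes through CipherSpi.bufferCrypt
        out.flip();
        byte[] got = new byte[n];
        out.get(got);
        return Arrays.equals(plain, got);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(XFORM + " served by: " + Cipher.getInstance(XFORM).getProvider().getName());
        for (int len : new int[] {16, 8176, 8192, 16384}) {      // constructed sample sizes
            for (boolean direct : new boolean[] {false, true}) {
                String result;
                try { result = roundTrip(len, direct) ? "ok" : "MISMATCH"; }
                catch (Exception e) { result = "FAILED: " + e; }
                System.out.println(len + " bytes, " + (direct ? "direct" : "heap") + " buffer: " + result);
            }
        }
    }
}
```

After the ucrypto-solaris.cfg edit, the first output line should name a provider other than the hardware-accelerated one, and every round trip should report ok.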