Type: Bug
Resolution: Gone away
Priority: Major - P3
Affects Version/s: None
Component/s: None
Java Drivers
Summary
We are facing an issue with using the MongoDB client with Quarkus and the Bouncy Castle (BC) JSSE provider.
It looks like the MongoDB client tries to call the SSLEngine.beginHandshake method multiple times during the initial TLS handshake. According to the SSLEngine documentation for the beginHandshake method, "Some protocols may not support multiple handshakes on an existing engine and may throw an SSLException.", and the BC implementation appears to work just that way: on the second call it always throws java.lang.UnsupportedOperationException: Renegotiation not supported.
To reproduce the issue we used mongodb-driver-core-4.11.1 with the following software:
java: 11.0.22+7
quarkus: 3.6.9
org.bouncycastle:bc-fips: 1.0.2.4
org.bouncycastle:bctls-fips: 1.0.18
How to Reproduce
Clone the Quickstarts repository for the Quarkus framework
git clone https://github.com/quarkusio/quarkus-quickstarts.git
Apply the following changes to the getting-started module:
Add the following dependencies to pom.xml:
    <dependency>
        <groupId>io.quarkus</groupId>
        <artifactId>quarkus-mongodb-client</artifactId>
    </dependency>
    <dependency>
        <groupId>io.quarkus</groupId>
        <artifactId>quarkus-security</artifactId>
    </dependency>
    <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bc-fips</artifactId>
        <version>1.0.2.4</version>
    </dependency>
    <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bctls-fips</artifactId>
        <version>1.0.18</version>
    </dependency>
Add the following properties to src/main/resources/application.properties:
    quarkus.mongodb.connection-string=mongodb://<your.mongodb.server>:10255
    quarkus.mongodb.tls=true
    quarkus.mongodb.tls-insecure=false
    quarkus.security.security-providers=BCFIPSJSSE
Add the following files to src/main/java/org/acme/getting/started/
File1: TestService.java
    package org.acme.getting.started;

    import jakarta.enterprise.context.ApplicationScoped;
    import jakarta.inject.Inject;

    import io.smallrye.mutiny.Uni;
    import io.quarkus.mongodb.reactive.ReactiveMongoClient;

    @ApplicationScoped
    public class TestService {

        // Reactive client configured from quarkus.mongodb.* in application.properties
        @Inject
        ReactiveMongoClient mongoClient;

        // Touches the client and returns the database name; the TLS connection is
        // established by the driver, and this is where the error below surfaced.
        public Uni<String> test() {
            return Uni.createFrom()
                    .item(() -> mongoClient.getDatabase("dummy"))
                    .flatMap(db -> Uni.createFrom().item(db.getName()));
        }
    }
File2: TestResource.java
    package org.acme.getting.started;

    import jakarta.inject.Inject;
    import jakarta.ws.rs.GET;
    import jakarta.ws.rs.Path;
    import jakarta.ws.rs.Produces;
    import jakarta.ws.rs.core.MediaType;

    import io.smallrye.mutiny.Uni;

    // Minimal JAX-RS endpoint that triggers TestService.test() on GET /test
    @Path("/test")
    public class TestResource {

        @Inject
        TestService service;

        @GET
        @Produces(MediaType.TEXT_PLAIN)
        public Uni<String> test() {
            return service.test();
        }
    }
Follow the instructions in README.md to build and run the Quarkus project.
Once Quarkus is running, visit the endpoint: http://127.0.0.1:8080/test
During our tests we observed the following error:
2024-02-07 19:29:12,585 ERROR [org.mon.dri.con.tls] (async-channel-group-0-handler-executor) error in operation: java.lang.UnsupportedOperationException: Renegotiation not supported
    at org.bouncycastle.jsse.provider.ProvSSLEngine.beginHandshake(ProvSSLEngine.java:96)
    at com.mongodb.internal.connection.tlschannel.impl.TlsChannelImpl.doHandshake(TlsChannelImpl.java:534)
    at com.mongodb.internal.connection.tlschannel.impl.TlsChannelImpl.handshake(TlsChannelImpl.java:522)
    at com.mongodb.internal.connection.tlschannel.impl.TlsChannelImpl.write(TlsChannelImpl.java:378)
    at com.mongodb.internal.connection.tlschannel.ClientTlsChannel.write(ClientTlsChannel.java:184)
    at com.mongodb.internal.connection.tlschannel.async.AsynchronousTlsChannelGroup.writeHandlingTasks(AsynchronousTlsChannelGroup.java:539)
    at com.mongodb.internal.connection.tlschannel.async.AsynchronousTlsChannelGroup.doWrite(AsynchronousTlsChannelGroup.java:497)
    at com.mongodb.internal.connection.tlschannel.async.AsynchronousTlsChannelGroup.lambda$processWrite$4(AsynchronousTlsChannelGroup.java:458)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)
Network traffic analysis showed that the MongoDB client sent the TLS ClientHello and failed while processing the first TLS flight (ServerHello, ChangeCipherSpec and ApplicationData) from the server.
After removing the BCFIPSJSSE provider from the Quarkus configuration, the TLS connection was successful.
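As an added illustration (not code from the ticket, the Quarkus quickstart or the driver), the stand-alone probe below reproduces the call pattern visible in the stack trace above, a second SSLEngine.beginHandshake() issued while the initial handshake is still waiting for the server's flight, against any registered JSSE provider. It needs neither Quarkus nor a MongoDB server: the peer host name and port are placeholders and nothing is connected; the ClientHello is only written into a buffer. The JDK's default provider is always probed first as a baseline, and the provider names passed as arguments are probed afterwards (for Bouncy Castle JSSE the registered name is BCJSSE, which must have been added via the java.security file or Security.addProvider before this runs).

```java
// SslEngineHandshakeProbe.java: added example, not part of the reported project or the driver.
// Checks whether a JSSE provider's SSLEngine tolerates a repeated beginHandshake() while the
// initial handshake is still in progress, which is the call pattern seen in the stack trace.
import java.nio.ByteBuffer;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;

public class SslEngineHandshakeProbe {

    /** Outcome of one probe run against one provider. */
    enum Outcome { ACCEPTED, REJECTED, UNAVAILABLE }

    /**
     * Builds a client-mode SSLEngine from the named JSSE provider (or the JDK default when
     * providerName is null), wraps the ClientHello into a buffer and then calls
     * beginHandshake() a second time, as a re-entered handshake loop would.
     */
    static Outcome probe(String providerName, StringBuilder log) throws Exception {
        SSLContext ctx;
        if (providerName == null) {
            ctx = SSLContext.getInstance("TLS");
        } else {
            Provider p = Security.getProvider(providerName);
            if (p == null) {
                log.append(providerName).append(": provider not registered in this JVM\n");
                return Outcome.UNAVAILABLE;
            }
            ctx = SSLContext.getInstance("TLS", p);
        }
        ctx.init(null, null, null); // default key and trust managers; no socket is opened

        // Hypothetical peer; the host/port only seed SNI and session caching, nothing connects.
        SSLEngine engine = ctx.createSSLEngine("mongodb.example.invalid", 10255);
        engine.setUseClientMode(true);

        engine.beginHandshake();                         // first call: starts the handshake
        ByteBuffer empty = ByteBuffer.allocate(0);
        ByteBuffer net = ByteBuffer.allocate(32 * 1024); // large enough for one TLS record
        SSLEngineResult r = engine.wrap(empty, net);     // produces the ClientHello record
        log.append(String.format("%s: wrap -> %s, %d bytes, next %s%n", name(providerName),
                r.getStatus(), r.bytesProduced(), r.getHandshakeStatus()));

        try {
            // Second call while the engine is waiting for the ServerHello (NEED_UNWRAP).
            engine.beginHandshake();
            log.append(name(providerName)).append(": second beginHandshake() accepted\n");
            return Outcome.ACCEPTED;
        } catch (UnsupportedOperationException | SSLException e) {
            // The ticket reports BC's ProvSSLEngine throwing UnsupportedOperationException here.
            log.append(name(providerName)).append(": second beginHandshake() rejected: ")
               .append(e).append('\n');
            return Outcome.REJECTED;
        }
    }

    private static String name(String providerName) {
        return providerName == null ? "JDK default" : providerName;
    }

    public static void main(String[] args) throws Exception {
        StringBuilder log = new StringBuilder();
        probe(null, log);                  // the JDK's own JSSE as a baseline
        for (String provider : args) {     // e.g. BCJSSE, once its provider is registered
            probe(provider, log);
        }
        System.out.print(log);
    }
}
```

Run it as `java SslEngineHandshakeProbe BCJSSE` with the Bouncy Castle jars on the classpath and the providers registered. A REJECTED outcome for a provider means any TLS client that re-enters beginHandshake() mid-handshake, as the driver's TlsChannelImpl does in the trace above, will fail with that provider regardless of the server; an ACCEPTED outcome means the provider treats the repeated call as harmless, which is what the SSLEngine contract permits but does not require.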
is related to: JAVA-5411 Revendor tlschannel (Backlog)