[JAVA-2876] Websphere SSL socket implementation can return null for SSLSocket.getSSLParameters()

Created: 30/May/18  Updated: 28/Oct/23  Resolved: 05/Jun/18

Status: Closed
Project: Java Driver
Component/s: Connection Management
Affects Version/s: None
Fix Version/s: 3.8.0

Type: Bug
Priority: Major - P3
Reporter: Alexander Komyagin
Assignee: Jeffrey Yemin
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

MDB java 3.4.3
Websphere
SpringBoot



 Description   

This leads to obscure exceptions in enableHostNameVerification (Java 7) and enableSni (Java 8). Looks like there were FREE tix related for: FREE-134337 or FREE-132717



 Comments   
Comment by Githook User [ 05/Jun/18 ]

Author: Jeff Yemin (jyemin) <jeff.yemin@10gen.com>

Message: JAVA-2876: Ignore spurious redundant null check error from SpotBugs
Branch: 3.7.x
https://github.com/mongodb/mongo-java-driver/commit/90d69dbf3a494a92c5e46cb741361a6cb328ce7c

Comment by Githook User [ 05/Jun/18 ]

Author: Jeff Yemin (jyemin) <jeff.yemin@10gen.com>

Message: JAVA-2876: Ignore spurious redundant null check error from SpotBugs
Branch: master
https://github.com/mongodb/mongo-java-driver/commit/f903e07367a3705d056e3c71bbb64c2540c6f107

Comment by Githook User [ 05/Jun/18 ]

Author: Jeff Yemin (jyemin) <jeff.yemin@10gen.com>

Message: JAVA-2876: Create SSLParameters if SSLSocket returns null reference

On some JDKs the SSLSocket#getSSLParameters method can return null,
which triggers an NPE in the driver. To work around this, construct a
new SSLParameters instance when null is returned, so that SNI and host
name validation properties can be set on it before calling
SSLSocket#setSSLParameters.
Branch: 3.7.x
https://github.com/mongodb/mongo-java-driver/commit/44f22f19c88141c87a5c1673b1d47ec0d197161a

Comment by Githook User [ 05/Jun/18 ]

Author: Jeff Yemin (jyemin) <jeff.yemin@10gen.com>

Message: JAVA-2876: Create SSLParameters if SSLSocket returns null reference

On some JDKs the SSLSocket#getSSLParameters method can return null,
which triggers an NPE in the driver. To work around this, construct a
new SSLParameters instance when null is returned, so that SNI and host
name validation properties can be set on it before calling
SSLSocket#setSSLParameters.
Branch: master
https://github.com/mongodb/mongo-java-driver/commit/ba920400da19c5bbc990535f1d681025b00f5176
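
The workaround described in the commit message above, written out as an added example (not the driver's own code): a null-safe lookup lets host name verification and SNI stay enabled on providers whose `getSSLParameters()` returns null. The class name, method names and the host `db.example.internal` are assumptions made for illustration; `SNIHostName` requires Java 8 or later.

```java
import java.io.IOException;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Illustrative helper (hypothetical names), not taken from the MongoDB Java driver.
public final class NullSafeSslParameters {

    // Return the socket's parameters, or a fresh instance when the
    // provider's SSLSocket#getSSLParameters returns null.
    static SSLParameters parametersOf(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        return params != null ? params : new SSLParameters();
    }

    // Enable host name verification and SNI for the given host.
    static void enableVerificationAndSni(SSLSocket socket, String host) {
        SSLParameters params = parametersOf(socket);
        // "HTTPS" makes the handshake check the certificate against the host name.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        params.setServerNames(
                Collections.<SNIServerName>singletonList(new SNIHostName(host)));
        // A fresh SSLParameters has null cipher suites and protocols; the
        // standard SSLSocket#setSSLParameters only applies those when non-null,
        // so the socket's enabled suites and protocols are left unchanged.
        socket.setSSLParameters(params);
    }

    public static void main(String[] args) throws IOException {
        // Unconnected socket from the default factory, as in the check posted
        // in this ticket; the host name is a constructed sample value.
        SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
        try {
            enableVerificationAndSni(socket, "db.example.internal");
            SSLParameters applied = socket.getSSLParameters();
            System.out.println("Endpoint identification: "
                    + (applied == null
                            ? "(provider returned null)"
                            : applied.getEndpointIdentificationAlgorithm()));
        } finally {
            socket.close();
        }
    }
}
```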

Comment by Vlad Banishevskii [ 30/May/18 ]

jeff.yemin They're using MongoClientOptions builder on JDK 1.7:

@Bean
public MongoTemplate template(MongoDbFactory factory) throws Exception {
  return new MongoTemplate(customFactory());
}
public MongoDbFactory customFactory() throws Exception {
  return new SimpleMongoDbFactory(new MongoClientURI("mongodb://username:password@host1133:2703/dbname", customMongoBuilder()));
}
 
public Builder customMongoBuilder() {
  MongoClientOptions.Builder builder = MongoClientOptions.builder();
  builder.connectTimeout(connTimeOut);
  builder.socketKeepAlive(isKeepAlive);
  builder.sslEnabled(true);
  builder.sslInvalidHostNameAllowed(true); // Fix #1 to make the SSL connection work
  // builder.socketFactory(buildSslSocketFactory()); // Fix #2 to make the SSL connection work
  return builder;
}
 
private static SSLSocketFactory buildSslSocketFactory() {
  SSLContext sslContext;
  try {
    sslContext = SSLContext.getInstance("SSL");
    sslContext.init(null, new TrustManager[] { new X509TrustManager() {
      @Override
      public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException { }
      @Override
      public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException { }
      @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    } }, new SecureRandom());
  } catch (NoSuchAlgorithmException | KeyManagementException e) { ... }
  return sslContext.getSocketFactory();
}


Comment by Jeffrey Yemin [ 30/May/18 ]

Also, what version of the JDK is this? And is the "javax.net.ssl.SNIHostName" class available in this JDK?

Comment by Vlad Banishevskii [ 30/May/18 ]

Command used to check the getSSLParameters()

try {
  SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket();
  System.out.println("SSLParameters: " + socket.getSSLParameters());
} catch (IOException e) {
  e.printStackTrace();
}

Comment by Jeffrey Yemin [ 30/May/18 ]

Can you provide the SSL configuration for the MongoClient? In particular, is a javax.net.ssl.SSLContext or javax.net.SocketFactory being configured in MongoClientOptions?

Comment by Vlad Banishevskii [ 30/May/18 ]

WebSphere default socket factory: com.ibm.websphere.ssl.protocol.SSLSocketFactory

Exception:

com.mongodb.MongoException: java.lang.NullPointerException
        at com.mongodb.connection.InternalStreamConnection.open(InternalStreamConnection.java:126)
        at com.mongodb.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:113)
        at java.lang.Thread.run(Thread.java:809)
Caused by: java.lang.NullPointerException: null
        at com.mongodb.internal.connection.SslHelper.enableHostNameVerification(SslHelper.java:58)
        at com.mongodb.connection.SocketStreamHelper.initialize(SocketStreamHelper.java:53)
        at com.mongodb.connection.SocketStream.open(SocketStream.java:58)
        at com.mongodb.connection.InternalStreamConnection.open(InternalStreamConnection.java:115)
        ... 2 common frames omitted
