Synchronous routine from java X509ExtendedTrustManager to validate certificates are being executed on event loop

[uncbailey1]

Version

4.3.1

Context

this is referencing google groups thread: https://groups.google.com/g/vertx/c/GgH0zCSGrt0

We are implementing revocation checking for our client certificate validation in a custom TrustManager. This work involves calling out to a remote server to check whether the certificate has been revoked and will be long running. The TrustManager interface (X509ExtendedTrustManager::checkClientValid or any of the other checkXXXValid routines) is synchronous so we must block until all of the validation work is complete; however, in investigating this implementation we found that the validation work was being executed on an event loop thread as this was the default Netty behavior via the SslHandler. Obviously, we should not be blocking the event loop for this type of work, so we need to offload to a work thread.

Netty added the behavior to offload cert validation to a executor in early 2019, so it appears that vertx just needs to move to the SslHandler routines that allow a different Executor to be specified.

see https://github.com/netty/netty/pull/8847

Also note that while this work currently executes on the event loop, it is not registered to be monitored by the blockedThreadChecker, so many folks may be affected, but not know about it. We put a 5 min sleep in there, for giggles, and the block thread checker never complained.

Do you have a reproducer?

I don't have anything that I can share to demonstrate it other than adding logs to an existing TrustManager::checkClientTrusted implementation.

Here are some sample traces that were added to our X509ExtendedTrustManager::checkClientTrusted implementation showing that its running on an event loop thread.

Dec 08 21:06:31.721477 XXX-A control-path[78151]: [INFO ] [] [XXX|vert.x-eventloop-thread-3] CBAILEY_TEMP: Start CheckClientTrusted Dec 08 21:06:31.766632 XXX-A control-path[78151]: [INFO ] [] [XXX|vert.x-eventloop-thread-3] CBAILEY_TEMP: Exiting CheckClientTrusted : elapsed 42 ms Dec 08 21:06:33.286879 XXX-A control-path[78151]: [INFO ] [] [XXX|vert.x-eventloop-thread-3] CBAILEY_TEMP: Start CheckClientTrusted Dec 08 21:06:33.288073 XXX-A control-path[78151]: [INFO ] [] [XXX|vert.x-eventloop-thread-3] CBAILEY_TEMP: Exiting CheckClientTrusted : elapsed 1 ms

Extra

We used the following changes to get the validation code successfully off of the event loop:

diff --git a/src/main/java/io/vertx/core/http/impl/HttpServerWorker.java b/src/main/java/io/vertx/core/http/impl/HttpServerWorker.java
index af496c259..10221fefc 100644
--- a/src/main/java/io/vertx/core/http/impl/HttpServerWorker.java
+++ b/src/main/java/io/vertx/core/http/impl/HttpServerWorker.java
@@ -138,7 +138,7 @@ public class HttpServerWorker implements Handler<Channel> {
         SniHandler sniHandler = new SniHandler(sslHelper.serverNameMapper(vertx));
         pipeline.addLast(sniHandler);
       } else {
-        SslHandler handler = new SslHandler(sslHelper.createEngine(vertx));
+        SslHandler handler = new SslHandler(sslHelper.createEngine(vertx), context.getWorkerPool().executor());
         handler.setHandshakeTimeout(sslHelper.getSslHandshakeTimeout(), sslHelper.getSslHandshakeTimeoutUnit());
         pipeline.addLast("ssl", handler);
       }
diff --git a/src/main/java/io/vertx/core/impl/ContextImpl.java b/src/main/java/io/vertx/core/impl/ContextImpl.java
index 9815bdf92..23c822b5c 100644
--- a/src/main/java/io/vertx/core/impl/ContextImpl.java
+++ b/src/main/java/io/vertx/core/impl/ContextImpl.java
@@ -94,6 +94,8 @@ abstract class ContextImpl extends AbstractContext {
     return deployment;
   }

+  public WorkerPool getWorkerPool() { return workerPool; }
+
   @Override
   public CloseFuture closeFuture() {
     return closeFuture;

Here are some sample traces running with the proposed fixed which shows the same work being executed on a worker pool thread.

Dec 08 14:30:06.847418 XXX-A control-path[52879]: [INFO ] [] [XXX|vert.x-worker-thread-7] CBAILEY_TEMP: Start CheckClientTrusted Dec 08 14:30:06.932626 XXX-A control-path[52879]: [INFO ] [] [XXX|vert.x-worker-thread-7] CBAILEY_TEMP: Exiting CheckClientTrusted : elapsed 83 ms Dec 08 14:30:08.361856 XXX-A control-path[52879]: [INFO ] [] [XXX|vert.x-worker-thread-5] CBAILEY_TEMP: Start CheckClientTrusted Dec 08 14:30:08.364562 XXX-A control-path[52879]: [INFO ] [] [XXX|vert.x-worker-thread-5] CBAILEY_TEMP: Exiting CheckClientTrusted : elapsed 2 ms

[vietj]

now the ssl engine can be execute on a worker thread instead of the event-loop, the event-loop remains the default for now to avoid breaking behaviour in applications, this might become the new default in the next major version

[uncbailey1]

thanks @vietj for looking at this! We had a question about the fix...is there a chance of deadlock by using the default worker pool for blocking ssl operations? If the process of the certificate validation was to send a request to another verticle to actually do the validation and the second verticle also needed to utilize the worker pool (perhaps it is a worker verticle or a regular verticle that needs to offload something to a worker thread), is there any chance that the same worker pool thread would need to be used in both cases?

[vietj]

this is using the internal worker pool so there should'nt be any issue

On Mon, Jan 9, 2023 at 3:31 PM uncbailey1 @.***> wrote:

thanks @vietj https://github.com/vietj for looking at this! We had a question about the fix...is there a chance of deadlock by using the default worker pool for blocking ssl operations? If the process of the certificate validation was to send a request to another verticle to actually do the validation and the second verticle also needed to utilize the worker pool (perhaps it is a worker verticle or a regular verticle that needs to offload something to a worker thread), is there any chance that the same worker pool thread would need to be used in both cases?

— Reply to this email directly, view it on GitHub https://github.com/eclipse-vertx/vert.x/issues/4566#issuecomment-1375710435, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABXDCS253GCNC25MJX5BCTWRQOL3ANCNFSM6AAAAAASYTCGWY . You are receiving this because you were mentioned.Message ID: @.***>

[uncbailey1]

@vietj, do you have a feel for the general time frame when 4.4.0 will be available? We're pretty much dead in the water without this fix as its needed for a very important feature. We're making due with an private/internal fix, but this is cumbersome as we progress through feature development and we need to figure out our plan for integration. thanks for you help!

[vietj]

we can try backport this to 4.3.x for the next release.

On Thu, Jan 26, 2023 at 5:35 AM uncbailey1 @.***> wrote:

@vietj https://github.com/vietj, do you have a feel for the general time frame when 4.4.0 will be available? We're pretty much dead in the water without this fix as its needed for a very important feature. We're making due with an private/internal fix, but this is cumbersome as we progress through feature development and we need to figure out our plan for integration. thanks for you help!

— Reply to this email directly, view it on GitHub https://github.com/eclipse-vertx/vert.x/issues/4566#issuecomment-1404555567, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABXDCQ6RDYOCAGNES72R2DWUH5JVANCNFSM6AAAAAASYTCGWY . You are receiving this because you were mentioned.Message ID: @.***>

[uncbailey1]

@vietj that would be extremely helpful and we would greatly appreciate it.

[uncbailey1]

Hi @vietj I picked up your fix today and it didn't appear to work when you use OpenSSLEngineOptions in our environment, but JdkSSLEngineOptions does work. To validate this, I changed your unit tests to use OpenSSLEngineOptions instead of JdkOpenSSLEngine and they fail.

The problem is in the copy constructor....its missing a call to set the flag to use the worker thread.

public OpenSSLEngineOptions(OpenSSLEngineOptions other) { this.sessionCacheEnabled = other.isSessionCacheEnabled(); this.setUseWorkerThread(other.getUseWorkerThread()); ---->> add this line and the UTs pass. }

Our environment has to use OpenSSLEngineOptions, so we're still in a bit of a bind.

Thanks for taking a look!

[vietj]

can you open a new issue for this ?

as workaround you can extend the OpenSSLEngineOptions class and override the copy() method to do it, e.g

class MyOptions extends OpenSSLEngineOptions { public MyOptions(MyOptions that) { super(that); setUseWorkerThread(that.getUseWorkerThread()); } ... public MyOptions copy() { return new MyOptions(this); } }

On Fri, Feb 10, 2023 at 6:51 AM uncbailey1 @.***> wrote:

Hi @vietj https://github.com/vietj I picked up your fix today and it didn't appear to work when you use OpenSSLEngineOptions in our environment, but JdkSSLEngineOptions does work. To validate this, I changed your unit tests to use OpenSSLEngineOptions instead of JdkOpenSSLEngine and they fail.

The problem is in the copy constructor....its missing a call to set the flag to use the worker thread.

public OpenSSLEngineOptions(OpenSSLEngineOptions other) { this.sessionCacheEnabled = other.isSessionCacheEnabled(); this.setUseWorkerThread(other.getUseWorkerThread()); ---->> add this line and the UTs pass. }

Our environment has to use OpenSSLEngineOptions, so we're still in a bit of a bind.

Thanks for taking a look!

— Reply to this email directly, view it on GitHub https://github.com/eclipse-vertx/vert.x/issues/4566#issuecomment-1425219695, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABXDCRGQPRCOBGUNXVJUF3WWXJMNANCNFSM6AAAAAASYTCGWY . You are receiving this because you were mentioned.Message ID: @.***>

[vietj]

see https://github.com/eclipse-vertx/vert.x/pull/4607

On Fri, Feb 10, 2023 at 8:31 AM Julien Viet @.***> wrote:

can you open a new issue for this ?

as workaround you can extend the OpenSSLEngineOptions class and override the copy() method to do it, e.g

class MyOptions extends OpenSSLEngineOptions { public MyOptions(MyOptions that) { super(that); setUseWorkerThread(that.getUseWorkerThread()); } ... public MyOptions copy() { return new MyOptions(this); } }

On Fri, Feb 10, 2023 at 6:51 AM uncbailey1 @.***> wrote:

Hi @vietj https://github.com/vietj I picked up your fix today and it didn't appear to work when you use OpenSSLEngineOptions in our environment, but JdkSSLEngineOptions does work. To validate this, I changed your unit tests to use OpenSSLEngineOptions instead of JdkOpenSSLEngine and they fail.

The problem is in the copy constructor....its missing a call to set the flag to use the worker thread.

public OpenSSLEngineOptions(OpenSSLEngineOptions other) { this.sessionCacheEnabled = other.isSessionCacheEnabled(); this.setUseWorkerThread(other.getUseWorkerThread()); ---->> add this line and the UTs pass. }

Our environment has to use OpenSSLEngineOptions, so we're still in a bit of a bind.

Thanks for taking a look!

— Reply to this email directly, view it on GitHub https://github.com/eclipse-vertx/vert.x/issues/4566#issuecomment-1425219695, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABXDCRGQPRCOBGUNXVJUF3WWXJMNANCNFSM6AAAAAASYTCGWY . You are receiving this because you were mentioned.Message ID: @.***>

[uncbailey1]

@vietj thanks so much for the quick turnaround! Your suggested workaround should get us by until the next patch is available.

[uncbailey1]

@vietj I tried both the workaround and manually applying your fix; however, I am still seeing certificate validation occurring on an event loop when I use OpenSSLEngineOptions. I see expected behavior with JdkSSLEngineOptions, though. I validated that the proper parameters were correctly making it to the SSLHelper and even changed that code to ALWAYS pass the internal worker pool as the delegatedTaskExecutor, but still the cert validation was done on the event loop.

As best I can tell, vertx is properly creating the delegating SSL context and handler, but the operation is still not being delegated. I then poked around in some Netty code and am wondering if the bug isn't in the handling of the OpenSSLEngine; maybe it works differently than JdkSSLEngine and cert validation isn't delegated in the same way that it is with the JdkSSLEngine?

I'm assuming that I'm going to have to reach out to Netty folks on this. If you have any suggestions, please let me know.

Note that when I did the original investigation for this issue, we hadn't yet moved to the OpenSSLEngineOptions so this explains why I was able to make the investigation scenario work in the POC.

---

Here is a sample showing the unexpected behavior. Note that this has the vertx changes to always use the internal worker thread when creating the sslHandler and some extra traces.

## Create HTTP Server with an Instance of OpenSSLEngineOptions and UseWorkerThread = true
Feb 12 18:55:24 XXX-B control-path[72485]: [DEBUG] [] [XXX.HttpVerticle|vert.x-eventloop-thread-0] Using class io.vertx.core.net.OpenSSLEngineOptions with UseWorkerThread: true

## Authenticate a REST call with a client cert and trace inside of createSslHandler ##
Feb 12 18:56:10 XXX-B control-path[72485]: createSslHandler : USE WORKER POOL ? true
Feb 12 18:56:10 XXX-B control-path[72485]: createSslHandler : Address: null ServerName : null

## These traces occur in the checkClientTrusted routine of our custom trust 
## manager.  The code does a blocking call to send a request to another microservice.
Feb 12 18:56:10 XXX-B control-path[72485]: [DEBUG] [] [XXXTrustOptions|vert.x-eventloop-thread-0] Start Blocking Client Cert Validation
Feb 12 18:56:10 XXX-B control-path[72485]: [DEBUG] [] [XXXTrustOptions|vert.x-eventloop-thread-0] Finished Blocking Client Cert Validation

Here is the same example, but using JdkSSLOptions. We see the proper behavior in this case.

Feb 12 19:59:06 XXX-B control-path[79147]: [DEBUG] [] [XXX.HttpVerticle|vert.x-eventloop-thread-0] Using class io.vertx.core.net.JdkSSLEngineOptions with UseWorkerThread: true

## Authenticate a REST call with a client cert and trace inside of createSslHandler ##
Feb 12 20:00:35 XXX-B control-path[79147]: createSslHandler : USE WORKER POOL ? true
Feb 12 20:00:35 XXX-B control-path[79147]: createSslHandler : Address: null ServerName : null

Feb 12 20:00:35 XXX-B control-path[79147]: [DEBUG] [] [XXXTrustOptions|vert.x-internal-blocking-5] Start Blocking Client Cert Validation
Feb 12 20:00:35 XXX-B control-path[79147]: [DEBUG] [] [XXXTrustOptions|vert.x-internal-blocking-5] Finished Blocking Client Cert Validation

[vietj]

can you provide a stack trace ? it might be a netty related issue as you said and in this case we should open an issue there

there are two usage of the worker pool

• inside vertx to load the certificates (and that can be dynamic for SNI)
• using the netty ssl engine config

[uncbailey1]

@vietj we're not using SNI.

Thanks for taking a look!

Feb 13 12:54:14 -B control-path[13519]: [DEBUG] [] [TrustOptions|vert.x-eventloop-thread-0] Start Blocking Client Cert Validation Feb 13 12:54:14 -B control-path[13519]: java.lang.Throwable Feb 13 12:54:14 -B control-path[13519]: at CycTrustOptions$CycTrustManager.checkClientTrusted(TrustOptions.java:334) Feb 13 12:54:14 -B control-path[13519]: at io.netty.handler.ssl.ReferenceCountedOpenSslServerContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslServerContext.java:276) Feb 13 12:54:14 -B control-path[13519]: at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:779) Feb 13 12:54:14 -B control-path[13519]: at io.netty.internal.tcnative.SSL.readFromSSL(Native Method) Feb 13 12:54:14 -B control-path[13519]: at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:657) Feb 13 12:54:14 -B control-path[13519]: at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1267) Feb 13 12:54:14 -B control-path[13519]: at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1404) Feb 13 12:54:14 -B control-path[13519]: at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1447) Feb 13 12:54:14 -B control-path[13519]: at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:222) Feb 13 12:54:14 -B control-path[13519]: at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1343) Feb 13 12:54:14 -B control-path[13519]: at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1247) Feb 13 12:54:14 -B control-path[13519]: at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1287) Feb 13 12:54:14 -B control-path[13519]: at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529) Feb 13 12:54:14 -B control-path[13519]: at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468) Feb 13 12:54:14 -B control-path[13519]: at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) Feb 13 12:54:14 -B control-path[13519]: at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) Feb 13 12:54:14 -B control-path[13519]: at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) Feb 13 12:54:14 -B control-path[13519]: at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) Feb 13 12:54:14 -B control-path[13519]: at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) Feb 13 12:54:14 -B control-path[13519]: at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) Feb 13 12:54:14 -B control-path[13519]: at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) Feb 13 12:54:14 -B control-path[13519]: at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) Feb 13 12:54:14 -B control-path[13519]: at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) Feb 13 12:54:14 -B control-path[13519]: at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) Feb 13 12:54:14 -B control-path[13519]: at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724) Feb 13 12:54:14 -B control-path[13519]: at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650) Feb 13 12:54:14 -B control-path[13519]: at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) Feb 13 12:54:15 -B control-path[13519]: at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) Feb 13 12:54:15 -B control-path[13519]: at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) Feb 13 12:54:15 -B control-path[13519]: at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) Feb 13 12:54:15 -B control-path[13519]: at java.base/java.lang.Thread.run(Thread.java:829)

[uncbailey1]

Just for reference, here is a stack trace when using the JdkSSLEngine where we are properly delegating to the worker pool.

Feb 13 13:10:05 -B control-path[1707]: [DEBUG] [] [TrustOptions|vert.x-internal-blocking-3] Start Blocking Client Cert Validation Feb 13 13:10:05 -B control-path[1707]: java.lang.Throwable Feb 13 13:10:05 -B control-path[1707]: at CycTrustOptions$CycTrustManager.checkClientTrusted(CycTrustOptions.java:334) Feb 13 13:10:05 -B control-path[1707]: at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkClientCerts(CertificateMessage.java:682) Feb 13 13:10:05 -B control-path[1707]: at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:411) Feb 13 13:10:05 -B control-path[1707]: at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:375) Feb 13 13:10:05 -B control-path[1707]: at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) Feb 13 13:10:05 -B control-path[1707]: at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) Feb 13 13:10:05 -B control-path[1707]: at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) Feb 13 13:10:05 -B control-path[1707]: at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) Feb 13 13:10:05 -B control-path[1707]: at java.base/java.security.AccessController.doPrivileged(Native Method) Feb 13 13:10:05 -B control-path[1707]: at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) Feb 13 13:10:05 -B control-path[1707]: at io.netty.handler.ssl.SslHandler$SslTasksRunner.run(SslHandler.java:1787) Feb 13 13:10:05 -B control-path[1707]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) Feb 13 13:10:05 -B control-path[1707]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) Feb 13 13:10:05 -B control-path[1707]: at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) Feb 13 13:10:05 -B control-path[1707]: at java.base/java.lang.Thread.run(Thread.java:829)

[vietj]

I see, it is obvious that Netty with OpenSSL is not using the worker executor, however I think there is no guarantee that callbacks are made from Netty to the trust manager using the worker thread, only computations.

[uncbailey1]

I guess I'll have to file something with Netty. I was under the impression that this particular use case with the trust manager was the reason why they provided this functionality in the first place. This particular trust manager interface can take a long time to execute if the trust manager needs to do revocation checking with an external server via OCSP. hopefully, its just a bug in the netty implementation with OpenSSLEngine. Thanks for all of your help!

[vietj]

send me the issue, so I can follow the resolution

On Mon, Feb 13, 2023 at 4:18 PM uncbailey1 @.***> wrote:

I guess I'll have to file something with Netty. I was under the impression that this particular use case with the trust manager was the reason why they provided this functionality in the first place. This particular trust manager interface can take a long time to execute if the trust manager needs to do revocation checking with an external server via OCSP. hopefully, its just a bug in the netty implementation with OpenSSLEngine. Thanks for all of your help!

— Reply to this email directly, view it on GitHub https://github.com/eclipse-vertx/vert.x/issues/4566#issuecomment-1428122765, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABXDCUJ5TAAYQ6KZ3BOH5LWXJGEPANCNFSM6AAAAAASYTCGWY . You are receiving this because you were mentioned.Message ID: @.***>