Commit Graph

10 Commits

Author SHA1 Message Date
Norman Maurer
6fd5550ad7 Add whitelist entry to BlockHound config to workaround issue when TLS… (#10459)
Motivation:

SSLEngineImpl.unwrap(...) may call FileInputStream.read(...) internally when TLS1.3 is used. This will cause an BlockingOperationError when BlockHound is enabled.

For more details see https://mail.openjdk.java.net/pipermail/security-dev/2020-August/022271.html

Modifications:

- Add whitelist entry to BlockHound config for now
- Update NettyBlockHoundIntegrationTest to include testing for this workaround

Result:

No BlockingOperationError when TLS1.3 is used with JDK SSL implementation and BlockHound is enabled
2020-08-10 11:12:52 +02:00
violetagg
f9e8c9ca11 Do not report ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify as blocking call (#10387)
Motivation:

When BlockHound is installed,
ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify
is reported as blocking call.

Modifications:

Add allowBlockingCallsInside configuration for
ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify

Result:

Fixes #10384
2020-07-06 09:36:00 +02:00
Norman Maurer
760de7dde4 Hardcode TLS version used during blockhound tests (#10162)
Motivation:

Different versions of the JDK use different TLS versions by default. We should define the versions explicit

Modifications:

Explicit specify TLSv1.2

Result:

Blockhound tests pass on JDK14 as well
2020-04-03 14:49:14 +02:00
Norman Maurer
ff9667b1f9 Add profile to build on JDK 14 (#10148)
Motivation:

JDK 14 was released and need some special settings to be able to build with. Also there seems to be one regression that we need to workaround for now.

Modifications:

- Add maven profile for JDK 14
- Update blockhound version to be able to work on JDK 14
- Add workaround for possible JDK 14 regression

Result:

Be able to build on JDK 14
2020-03-31 16:03:10 +02:00
Norman Maurer
2c3833472a Update to Blockhound 1.0.2 (#10007)
Motivation:

A new version of blockhound was released today

Modifications:

Upgrade to latest blockhound version

Result:

Use latest blockhound release
2020-02-08 17:04:51 +01:00
Johno Crawford
7413372c01 SSL / BlockHound works out of the box with the default SSL provider (#9969)
Motivation:

JDK is the default SSL provider and internally uses blocking IO operations.

Modifications:

Add allowBlockingCallsInside configuration for SslHandler runAllDelegate function.

Result:

When BlockHound is installed, SSL works out of the box with the default SSL provider.

Co-authored-by: violetagg <milesg78@gmail.com>
2020-01-30 11:50:15 +01:00
Sergei Egorov
6591a6501c Test that NettyBlockHoundIntegration can be loaded with ServiceLoader (#9743)
Motivation:

If something is mis-configured, the "main" test will fail but it is unclear
whether it fails because the integration does not work or it wasn't applied
at all.
Also see:
https://github.com/netty/netty/issues/9738#issuecomment-548416693

Modifications:

This change adds a test that uses the same mechanism as BlockHound does
(`ServiceLoader`) and checks that `NettyBlockHoundIntegration` is present.

Result:

It is now clear whether the integration is not working or it wasn't loaded at all.
2019-11-01 07:07:59 +01:00
Sergei Egorov
17cff0ee77 Make BlockHound tests run on Java 13 (#9742)
Motivation:
Java 13 requires special flags to be set to make BlockHound work

Modifications:
- Added jdk13 profile to `transport-blockhound-tests`
- Enabled `-XX:+AllowRedefinitionToAddDeleteMethods` on jdk13

Result:
The tests work on Java 13
2019-11-01 07:05:09 +01:00
Norman Maurer
5949e193ce Fix compilation error introduced by 2854c2c473 2019-10-25 17:47:27 +02:00
Sergei Egorov
2854c2c473 Add BlockHound integration that detects blocking calls in event loops (#9687)
Motivation:

Netty is an asynchronous framework.
If somebody uses a blocking call inside Netty's event loops,
it may lead to a severe performance degradation.
BlockHound is a tool that helps detecting such calls.

Modifications:

This change adds a BlockHound's SPI integration that marks
threads created by Netty (`FastThreadLocalThread`s) as non-blocking.
It also marks some of Netty's internal methods as whitelisted
as they are required to run the event loops.

Result:

When BlockHound is installed, any blocking call inside event loops
is intercepted and reported (by default an error will be thrown).
2019-10-25 15:14:44 +02:00