Subject Re: [Firebird-Java] Jaybird 3.0.5 FBXADataSource
Author Mark Rotteveel
On 15-8-2019 16:52, procar informatik AG - Sascha Horn s.horn@...
[Firebird-Java] wrote:
> Hi Mark,
>
> thanks for your quick response.
>
> Both connections are using the same user/password.
>
> jdbc settings are :
>
> driver: org.firebirdsql.jdbc.FBDriver
> Connection url: jdbc:firebirdsql://localhost/3050:/opt/databases/catalogs/mydb.fdb?lc_ctype=ISO8859_1
> usr: SYSDBA
> pwd: ******
> props: null
>
> Code:
[..]
>
> Firebird Version installed is Firebird-3.0.4.33054_0_x64.

I can reproduce the problem if I use the limited strength Cryptographic
Jurisdiction Policy, however with that setting both ways of connecting
should produce the same error.

Was the code using DriverManager run with the same JBoss instance as the
one using FBXADataSource? Or did you run it on a different machine or
Java installation, or with a different security policy?

I can only explain the difference you observed with two different Java
installs/processes, or at least a different Java security policy.

I don't know if within a single JBoss instance multiple different
policies might be applied that could reduce the cryptographic strength
in one part (data sources) and not the other (your application), but
that might also be a thing to investigate.

With my reproduction, Jaybird will log a number of warnings before the
exception is thrown. It will log the messages:

WARNING: Wire encryption established, but some plugins failed; see other
loglines for details

and

WARNING: Encryption plugin failed
org.firebirdsql.gds.ng.wire.crypt.FBSQLEncryptException: Encryption key
did not meet algorithm requirements of Symmetric/Arc4 [SQLState:28000,
ISC error code:337248282]
+ stacktrace

(the last one is logged twice, once for the encryption and once for the
decryption)

The solution is to make sure that Java uses the unlimited strength
Cryptographic Jurisdiction Policy, see
https://www.firebirdsql.org/file/documentation/drivers_documentation/java/faq.html#encryption-key-did-not-meet-algorithm-requirements-of-symmetricarc4-337248282
and
https://stackoverflow.com/questions/3862800/invalidkeyexception-illegal-key-size/3864276#3864276

Alternatively, as a workaround, you can reduce the Firebird wire
encryption requirements by setting WireCrypt in firebird.conf from its
default of Required to Enabled. Then Firebird will allow Jaybird to
connect without encryption.

With this workaround, Jaybird will still log those warnings I mentioned
(Jaybird 4 will reduce this log-spamming a bit by logging the stacktrace
on debug). To avoid this, you can set the Jaybird connection property
wireCrypt to disabled, then Jaybird doesn't attempt to establish wire
encryption.

Mark
--
Mark Rotteveel
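
An added example, not part of the original message and not Jaybird code: a small diagnostic for comparing the Cryptographic Jurisdiction Policy of two Java processes, such as the JBoss instance and a standalone DriverManager test. The class name CryptoPolicyCheck and the 20-byte all-zero test key are assumptions, chosen only so that the key exceeds the 128-bit ceiling of the limited policy.

```java
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/** Added diagnostic (hypothetical name): does this JVM allow RC4 keys above 128 bits? */
public class CryptoPolicyCheck {

    // Assumption: constructed all-zero key of 20 bytes (160 bits), larger than
    // the 128-bit maximum that the limited-strength policy permits.
    private static final int TEST_KEY_BYTES = 20;

    /** Maximum ARCFOUR key length in bits under the active policy. */
    static int maxArc4KeyBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("ARCFOUR");
    }

    /** Attempts the same kind of cipher initialisation that fails under the limited policy. */
    static boolean canInitArc4(int keyBytes) throws Exception {
        Cipher cipher = Cipher.getInstance("ARCFOUR");
        try {
            cipher.init(Cipher.ENCRYPT_MODE,
                    new SecretKeySpec(new byte[keyBytes], "ARCFOUR"));
            return true;
        } catch (InvalidKeyException e) {
            // Key size rejected by the jurisdiction policy in force.
            return false;
        }
    }

    /** Collects everything needed to compare two JVMs or two deployments. */
    public static String report() throws Exception {
        int max = maxArc4KeyBits();
        return "java.home      = " + System.getProperty("java.home") + "\n"
             + "java.version   = " + System.getProperty("java.version") + "\n"
             // May be null on Java versions that predate this security property.
             + "crypto.policy  = " + Security.getProperty("crypto.policy") + "\n"
             + "max ARC4 bits  = " + (max == Integer.MAX_VALUE ? "unlimited" : max) + "\n"
             + "160-bit key ok = " + canInitArc4(TEST_KEY_BYTES);
    }

    public static void main(String[] args) throws Exception {
        System.out.println(report());
    }
}
```

Run main with the standalone Java installation and call report() from code deployed inside the application server, then compare the two outputs. Differing java.home values or differing key limits point to the two-installs or two-policies explanation given above.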