Subject Re: [Firebird-Java] Jaybird 3.0.5 FBXADataSource
Author Sascha Horn

Hi Mark,

On 15.08.19 at 20:21, Mark Rotteveel mark@... [Firebird-Java] wrote:
 

On 15-8-2019 16:52, procar informatik AG - Sascha Horn s.horn@...
[Firebird-Java] wrote:
> Hi Mark,
>
> thanks for your quick response.
>
> Both connections are using the same user/password.
>
> jdbc settings are :
>
> driver: org.firebirdsql.jdbc.FBDriver
> Connection url: jdbc:firebirdsql://localhost/3050:/opt/databases/catalogs/mydb.fdb?lc_ctype=ISO8859_1
> usr: SYSDBA
> pwd: ******
> props: null
>
> Code:
[..]
>
> Firebird Version installed is Firebird-3.0.4.33054_0_x64.

I can reproduce the problem if I use the limited strength Cryptographic
Jurisdiction Policy, however with that setting both ways of connecting
should produce the same error.

Was the code using DriverManager run with the same JBoss instance as the
one using FBXADataSource? Or did you run it on a different machine or
Java installation, or with a different security policy?

No, the DriverManager code is used as a standalone application.

It is possible that this code is executed in another Java VM. I will check this tomorrow.


I can only explain the difference you observed with two different Java
installs/processes, or at least a different Java security policy.

I don't know if within a single JBoss instance multiple different
policies might be applied that could reduce the cryptographic strength
in one part (data sources) and not the other (your application), but
that might also be a thing to investigate.

With my reproduction, Jaybird will log a number of warnings before the
exception is thrown. It will log the messages:

WARNING: Wire encryption established, but some plugins failed; see other
loglines for details

and

WARNING: Encryption plugin failed
org.firebirdsql.gds.ng.wire.crypt.FBSQLEncryptException: Encryption key
did not meet algorithm requirements of Symmetric/Arc4 [SQLState:28000,
ISC error code:337248282]
+ stacktrace

(the last one is logged twice, once for the encryption and once for the
decryption)

The solution is to make sure that Java uses the unlimited strength
Cryptographic Jurisdiction Policy, see
https://www.firebirdsql.org/file/documentation/drivers_documentation/java/faq.html#encryption-key-did-not-meet-algorithm-requirements-of-symmetricarc4-337248282
and
https://stackoverflow.com/questions/3862800/invalidkeyexception-illegal-key-size/3864276#3864276

Am I correct that every JRE 8 version 161+ should work out of the box, or did I misunderstand the Stack Overflow topic?


Alternatively, as a workaround, you can reduce the Firebird wire
encryption requirements by setting WireCrypt in firebird.conf from its
default of Required to Enabled. Then Firebird will allow Jaybird to
connect without encryption.

We have tried setting WireCrypt = Enabled within firebird.com, but within JBoss the connection did not work.


With this workaround, Jaybird will still log those warnings I mentioned
(Jaybird 4 will reduce this log-spamming a bit by logging the stacktrace
on debug). To avoid this, you can set the Jaybird connection property
wireCrypt to disabled, then Jaybird doesn't attempt to establish wire
encryption.

Mark
--
Mark Rotteveel

I will check the Java versions and the crypto policies tomorrow and will give you an update.

Thanks a lot.

Sascha

-- 
Kind regards,

Sascha Horn
Dipl. Ing. Informationstechnik (BA)

procar informatik AG
Software Development

Headquarters in Darmstadt:

Heinrich-Hertz-Str. 1
64295 Darmstadt

Branch office in Berlin:

Justus-von-Liebig-Str.7
12489 Berlin-Adlershof

Phone (switchboard): +49 6151/85048-0
Fax (switchboard):   +49 6151/85048-29

mailto:s.horn@...
http://www.procar.de
http://www.facebook.com/procar.de

Darmstadt Local Court HRB 8268
VAT ID No. DE195354166
Executive Board: Dipl.-Ing. Volker Holthaus, Karl-Heinz Schlapp
Chairman of the Supervisory Board: Dipl.-Ing. Wilfried Holthaus
============================================================

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
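
A diagnostic for the check discussed in this thread (which JVM is running and which Cryptographic Jurisdiction Policy it applies), as an added example that is not part of the original messages or of Jaybird. The class and method names (`CryptoPolicyCheck`, `maxKeyBits`, `report`) are hypothetical; only standard JDK calls are used.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;

/** Added diagnostic (hypothetical name): reports the running JVM and its JCE key-length limits. */
public class CryptoPolicyCheck {

    /** Maximum key length in bits allowed by the active jurisdiction policy, or -1 on an invalid name. */
    static int maxKeyBits(String transformation) {
        try {
            return Cipher.getMaxAllowedKeyLength(transformation);
        } catch (NoSuchAlgorithmException e) {
            // Thrown when the string is not a valid transformation name.
            return -1;
        }
    }

    /** The unlimited policy reports Integer.MAX_VALUE; the limited policy typically caps at 128 bits. */
    static boolean isUnlimited(int maxBits) {
        return maxBits == Integer.MAX_VALUE;
    }

    /** Builds a report that can be printed standalone or logged from inside the application server. */
    static String report() {
        StringBuilder sb = new StringBuilder();
        sb.append("java.version  = ").append(System.getProperty("java.version")).append('\n');
        sb.append("java.home     = ").append(System.getProperty("java.home")).append('\n');
        // Security property available since 8u151; null means it is not set in java.security.
        sb.append("crypto.policy = ").append(Security.getProperty("crypto.policy")).append('\n');
        // ARCFOUR is the JCA standard name for RC4, the cipher behind Firebird's Arc4 plugin.
        for (String alg : new String[] {"ARCFOUR", "AES"}) {
            int max = maxKeyBits(alg);
            sb.append(alg).append(" max key bits = ")
              .append(isUnlimited(max) ? "unlimited" : String.valueOf(max)).append('\n');
        }
        if (!isUnlimited(maxKeyBits("ARCFOUR"))) {
            sb.append("Limited-strength policy active: expect the Symmetric/Arc4 key error (337248282).\n");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println(report());
    }
}
```

Run it with the same `java` binary as the standalone application, and call `report()` from code deployed in the JBoss instance; differing `java.home` or key-length values between the two outputs confirm the two-JVM or two-policy explanation.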