Subject | Re: [Firebird-Java] Jaybird 3.0.5 FBXADataSource |
---|---|
Author | Sascha Horn |
Post date | 2019-08-15T20:16:50Z |
Hi Mark,
On 15-8-2019 16:52, procar informatik AG - Sascha Horn s.horn@...
[Firebird-Java] wrote:
> Hi Mark,
>
> thanks for your quick response.
>
> Both connections are using the same user/password.
>
> jdbc settings are :
>
> driver: org.firebirdsql.jdbc.FBDriver
> Connection url: jdbc:firebirdsql://localhost/3050:/opt/databases/catalogs/mydb.fdb?lc_ctype=ISO8859_1
> usr: SYSDBA
> pwd: ******
> props: null
>
> Code:
[..]
>
> Firebird Version installed is Firebird-3.0.4.33054_0_x64.
I can reproduce the problem if I use the limited strength Cryptographic
Jurisdiction Policy, however with that setting both ways of connecting
should produce the same error.
Was the code using DriverManager run with the same JBoss instance as the
one using FBXADataSource? Or did you run it on a different machine or
Java installation, or with a different security policy?
No, the DriverManager code is used as a standalone application.
It is possible that this code is executed in another Java VM. I will check this tomorrow.
Am I correct that every JRE 8 version 161+ should work out of the box, or did I misunderstand the Stack Overflow topic?
I can only explain the difference you observed with two different Java
installs/processes, or at least a different Java security policy.
I don't know if within a single JBoss instance multiple different
policies might be applied that could reduce the cryptographic strength
in one part (data sources) and not the other (your application), but
that might also be a thing to investigate.
With my reproduction, Jaybird will log a number of warnings before the
exception is thrown. It will log the messages:
WARNING: Wire encryption established, but some plugins failed; see other
loglines for details
and
WARNING: Encryption plugin failed
org.firebirdsql.gds.ng.wire.crypt.FBSQLEncryptException: Encryption key
did not meet algorithm requirements of Symmetric/Arc4 [SQLState:28000,
ISC error code:337248282]
+ stacktrace
(the last one is logged twice, once for the encryption and once for the
decryption)
The solution is to make sure that Java uses the unlimited strength
Cryptographic Jurisdiction Policy, see
https://www.firebirdsql.org/file/documentation/drivers_documentation/java/faq.html#encryption-key-did-not-meet-algorithm-requirements-of-symmetricarc4-337248282
and
https://stackoverflow.com/questions/3862800/invalidkeyexception-illegal-key-size/3864276#3864276
We have tried setting WireCrypt = Enabled within firebird.com, but within JBoss the connection did not work.
Alternatively, as a workaround, you can reduce the Firebird wire
encryption requirements by setting WireCrypt in firebird.conf from its
default of Required to Enabled. Then Firebird will allow Jaybird to
connect without encryption.
With this workaround, Jaybird will still log those warnings I mentioned
(Jaybird 4 will reduce this log-spamming a bit by logging the stacktrace
on debug). To avoid this, you can set the Jaybird connection property
wireCrypt to disabled, then Jaybird doesn't attempt to establish wire
encryption.
Mark
--
Mark Rotteveel
I will check the Java versions and the crypto policies tomorrow and will give you an update.
Thanks a lot.
Sascha
-- Best regards, Sascha Horn, procar informatik AG
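
Added example, not part of the original e-mails and not Jaybird code: a small Java diagnostic for the policy difference discussed in this thread, meant to be run with the same Java installation (or from inside the same JBoss instance) as the failing data source. The class name and the 160-bit test key size are assumptions chosen for illustration; the key only needs to exceed the 128-bit cap of the limited policy.

```java
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/** Reports which cryptographic jurisdiction policy the running JVM applies. */
public class CryptoPolicyCheck {

    /** Limited policy caps ARCFOUR at 128 bits; unlimited returns Integer.MAX_VALUE. */
    static int maxArc4KeyBits() throws Exception {
        return Cipher.getMaxAllowedKeyLength("ARCFOUR");
    }

    /** Tries to initialise ARCFOUR with a key of the given size in bytes. */
    static boolean arc4KeyAccepted(int keyBytes) throws Exception {
        byte[] key = new byte[keyBytes]; // constructed all-zero key, for this check only
        Cipher cipher = Cipher.getInstance("ARCFOUR");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "ARCFOUR"));
            return true;
        } catch (InvalidKeyException e) {
            // Under the limited policy the JCE refuses keys above the cap.
            System.out.println("  rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Identify the Java install; two processes can run on different ones.
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("java.home     = " + System.getProperty("java.home"));
        // Security property available from 8u151; null means the build default applies.
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));

        int max = maxArc4KeyBits();
        System.out.println("max ARCFOUR key length = "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        System.out.println("128-bit key accepted: " + arc4KeyAccepted(16));
        System.out.println("160-bit key accepted: " + arc4KeyAccepted(20));
    }
}
```

Comparing the output of the standalone application's JVM with that of the JBoss JVM shows whether the two really run under different policies.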