Does not apply to Identity Cloud

Encrypted buffer max length exceeded error when performing a PATCH or PUT operation under load in IDM 7.0.2, 7.0.3 and 7.1.0

Last updated Jan 11, 2023

The purpose of this article is to provide assistance if you encounter a "javax.net.ssl.SSLHandshakeException: Encrypted buffer max length exceeded" error or see an ECONNRESET response when trying to update IDM using PATCH or PUT. These errors are seen when IDM is under load, for example, when you are using PATCH to send large payloads to IDM.


Symptoms

Updates to IDM using PATCH or PUT fail when IDM is under load. Depending on how you are making these updates, you will see ECONNRESET errors when the update fails. For example:

  • Via a script: "RequestError: socket hang up (ECONNRESET)"
  • Via Postman: "Error": "read ECONNRESET"

ECONNRESET errors are not specific to this issue; they simply mean the connection has been abruptly closed by the other side. They are, however, what you see in this situation.

Enable debug logging for Jetty

If you know you are putting IDM under load when you see these errors, you should enable debug logging for Jetty (set org.eclipse.jetty.io.level=FINE in logging.properties and restart IDM) and repeat your updates.

You should then see the following errors in the openidm.log if you are experiencing the issue outlined in this article:

[105] 2022-03-10T12:42:56.380+0000 FINE org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint fill org.eclipse.jetty.io.ssl.SslConnection: net filled=890
[105] 2022-03-10T12:42:56.380+0000 FINE org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint fill org.eclipse.jetty.io.ssl.SslConnection: unwrap net_filled=890 Status = BUFFER_UNDERFLOW HandshakeStatus = NOT_HANDSHAKING bytesConsumed = 0 bytesProduced = 0 encryptedBuffer=[p=16416,l=17408,c=17408,r=997] unwrapBuffer=HeapByteBuffer@688b0e00[p=0,l=0,c=17408,r=0]={<<<>>>PATCH /op...\x00\x00\x00\x00\x00\x00\x00} appBuffer=HeapByteBuffer@688b0e00[p=0,l=0,c=17408,r=0]={<<<>>>PATCH /op...\x00\x00\x00\x00\x00\x00\x00}
[105] 2022-03-10T12:42:56.380+0000 FINE org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint handleException org.eclipse.jetty.io.ssl.SslConnection: DecryptedEndPoint@4b565b8e{l=/192.0.2.255:8443,r=/192.0.0.0:8443,OPEN,fill=-,flush=-,to=6/30000} stored fill exception
javax.net.ssl.SSLHandshakeException: Encrypted buffer max length exceeded
  at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:735)
  ...

Note

Please be aware that Jetty can leak sensitive information when debug logging is enabled, so be mindful of this and revert the logging level back to INFO as soon as you have verified this issue.

Recent Changes

Upgraded to, or installed, IDM 7.0.2, IDM 7.0.3 or IDM 7.1.0.

Causes

The Jetty version used in these IDM versions is 9.4.39.v20210325, which has a known issue that causes this Encrypted buffer max length exceeded error. See Jetty 9.4.39 SSLHandshakeException issue causes POST operations to fail with EOF exception. #1600 and SSLHandshakeException in Jetty client when reading long files over SSL #6121 for further information. 

In summary, Jetty is not freeing up buffer capacity: it incorrectly determines that there is no space between the buffer limit and its capacity and throws this exception. You can see this in the error above, where the limit (l) and capacity (c) values of the encrypted buffer are equal (l=17408,c=17408 in the above example).
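The following log check is an added example, not ForgeRock's or Jetty's own code: it scans openidm.log lines for the SSLHandshakeException text and for encryptedBuffer entries whose limit equals capacity, which together are the signature described above. The sample lines are constructed from the excerpt in this article (with one healthy line added) and the field layout p/l/c/r is assumed to match the Jetty 9.4 FINE output shown.

```python
import re

# Constructed sample modelled on the openidm.log excerpt in this article;
# the last line is a made-up healthy fill for contrast (l != c, no exception).
SAMPLE_LOG = """\
[105] 2022-03-10T12:42:56.380+0000 FINE org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint fill org.eclipse.jetty.io.ssl.SslConnection: net filled=890
[105] 2022-03-10T12:42:56.380+0000 FINE org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint fill org.eclipse.jetty.io.ssl.SslConnection: unwrap net_filled=890 Status = BUFFER_UNDERFLOW HandshakeStatus = NOT_HANDSHAKING bytesConsumed = 0 bytesProduced = 0 encryptedBuffer=[p=16416,l=17408,c=17408,r=997] unwrapBuffer=HeapByteBuffer@688b0e00[p=0,l=0,c=17408,r=0]={<<<>>>PATCH /op...}
[105] 2022-03-10T12:42:56.380+0000 FINE org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint handleException org.eclipse.jetty.io.ssl.SslConnection: DecryptedEndPoint@4b565b8e{l=/192.0.2.255:8443,r=/192.0.0.0:8443,OPEN,fill=-,flush=-,to=6/30000} stored fill exception javax.net.ssl.SSLHandshakeException: Encrypted buffer max length exceeded
[106] 2022-03-10T12:43:01.002+0000 FINE org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint fill org.eclipse.jetty.io.ssl.SslConnection: unwrap net_filled=512 Status = OK HandshakeStatus = NOT_HANDSHAKING bytesConsumed = 512 bytesProduced = 480 encryptedBuffer=[p=0,l=512,c=17408,r=512] unwrapBuffer=HeapByteBuffer@1a2b3c4d[p=0,l=480,c=17408,r=480]={<<<>>>GET /op...}
"""

# Position, limit, capacity and remaining of the encrypted (network-side) buffer.
ENC_BUF = re.compile(r"encryptedBuffer=\[p=(\d+),l=(\d+),c=(\d+),r=(\d+)\]")
EXC_TEXT = "SSLHandshakeException: Encrypted buffer max length exceeded"


def analyse(log_text):
    """Return (exception_count, full_buffers).

    full_buffers lists every encryptedBuffer whose limit equals its capacity,
    i.e. where Jetty sees no room left to fill, as this article describes.
    """
    exceptions = 0
    full_buffers = []
    for line in log_text.splitlines():
        if EXC_TEXT in line:
            exceptions += 1
        m = ENC_BUF.search(line)
        if m:
            p, l, c, r = map(int, m.groups())
            if l == c:
                full_buffers.append(
                    {"position": p, "limit": l, "capacity": c, "remaining": r})
    return exceptions, full_buffers


def affected(log_text):
    """True when both signatures of the Jetty 9.4.39 bug appear in the log."""
    exceptions, full_buffers = analyse(log_text)
    return exceptions > 0 and len(full_buffers) > 0


if __name__ == "__main__":
    count, hits = analyse(SAMPLE_LOG)
    print(f"exceptions={count} full_buffers={hits} affected={affected(SAMPLE_LOG)}")
```

To run it against a real log, replace SAMPLE_LOG with the contents of openidm.log captured while org.eclipse.jetty.io.level=FINE was set, then revert the level to INFO.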

This issue is fixed in Jetty versions 9.4.40 and above.

Solution

This issue can be resolved by upgrading to IDM 7.1.2 or later (which includes Jetty version 9.4.41.v20210516); you can download this from Backstage.

See Also

How do I configure Jetty Request logging for IDM (All versions)?

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.