Netty SSL Handshake - ssl

I am trying to build a sample server using netty which will handle ssl data as well.
Have created SSLContext as below
File privateKey = new File("privatekey.pem");
File publicKey = new File("certificate.pem");
SslContext sslCtx = SslContextBuilder.forServer(publicKey,privateKey)
.build();
After creating ssl context I have added the same into my pipeline as below
SSLEngine engine = sslCtx.newEngine(ch.alloc());
ch.pipeline().addLast(new SslHandler(engine, true),<other custom handlers>);
I have also imported the certificate.pem into client software. Still whenever I am initiating any connection i get below logs in server log.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472)
at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:405)
at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:372)
at io.netty.handler.codec.ByteToMessageDecoder.channelInactive(ByteToMessageDecoder.java:355)
at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:1054)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:224)
at io.netty.handler.logging.LoggingHandler.channelInactive(LoggingHandler.java:167)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:224)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelInactive(DefaultChannelPipeline.java:1429)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
at io.netty.channel.DefaultChannelPipeline.fireChannelInactive(DefaultChannelPipeline.java:947)
at io.netty.channel.AbstractChannel$AbstractUnsafe$8.run(AbstractChannel.java:826)
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:404)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:474)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:909)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1615)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1781)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1070)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:896)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:295)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1301)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1203)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1247)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
... 22 more
Can someone please guide what am I doing wrong here? Or any implementation for reference.
Netty Version - 4.1.32
Thanks in advance.

Related

ktor how to hide javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

I'm developing a web app, and the app uses navigator.mediaDevices.getUserMedia, so it needs HTTPS.
So I created a dummy certificate and localhost KTOR loads it.
Which is great! Except it litters the logs with
2022-10-05 10:26:10.046 [eventLoopGroupProxy-3-4] WARN i.n.h.s.ApplicationProtocolNegotiationHandler - [id: 0x96c37772, L:0.0.0.0/0.0.0.0:8443] TLS handshake failed:
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
Is there any way to keep those from spamming the log?
(either through an improved self-signed cert, or through a filter, or a ktor config of "I get it, stop bothering me...")

Kafka Broker Failed authentication - SSL handshake failed

Getting SSL errors in a cluster of three Kafka servers that communicate over SSL (only).
Why is this happening / how can I fix it?
server.properties
listeners=SSL://some_host_name.corp.com:9092
inter.broker.listener.name=SSL
ssl.keystore.location=/some/path/to/keystore.p12
ssl.keystore.password=***
ssl.key.password=***
ssl.truststore.location=/some/path/to/server.truststore.jks
ssl.truststore.password=***
ssl.enabled.protocols=TLSv1.2
ssl.client.auth=required
ssl.keystore.type=PKCS12
ssl.truststore.type=JKS
#listener.security.protocol.map=PLAINTEXT:PLAINTEXT,SSL:SSL,SASL_PLAINTEXT:SASL_PLAINTEXT,SASL_SSL:SASL_SSL
# Kafka is running with -Djavax.net.debug=ssl
# Assume localhost IP address is 1.2.3.4
18:31:29.479 [data-plane-kafka-socket-acceptor-ListenerName(SSL)-SSL-9092] DEBUG kafka.network.Acceptor - Accepted connection from /1.2.3.4:46732 on /1.2.3.4:9092 and assigned it to processor 1, sendBufferSize [actual|requested]: [212992|1048576] recvBufferSize [actual|requested]: [212992|1048576]
18:31:29.479 [data-plane-kafka-network-thread-1-ListenerName(SSL)-SSL-1] DEBUG kafka.network.Processor - Processor 1 listening to new connection from /1.2.3.4:46732
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
data-plane-kafka-network-thread-1-ListenerName(SSL)-SSL-1, fatal error: 80: problem unwrapping net record
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
data-plane-kafka-network-thread-1-ListenerName(SSL)-SSL-1, SEND TLSv1.2 ALERT: fatal, description = internal_error
data-plane-kafka-network-thread-1-ListenerName(SSL)-SSL-1, WRITE: TLSv1.2 Alert, length = 2
data-plane-kafka-network-thread-1-ListenerName(SSL)-SSL-1, called closeOutbound()
data-plane-kafka-network-thread-1-ListenerName(SSL)-SSL-1, closeOutboundInternal()
data-plane-kafka-network-thread-1-ListenerName(SSL)-SSL-1, called closeInbound()
data-plane-kafka-network-thread-1-ListenerName(SSL)-SSL-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
18:31:29.481 [data-plane-kafka-network-thread-1-ListenerName(SSL)-SSL-1] DEBUG o.a.k.c.network.SslTransportLayer - [SslTransportLayer channelId=1.2.3.4:9092-1.2.3.4:46732-108 key=sun.nio.ch.SelectionKeyImpl#33a4cffe] SSLEngine.closeInBound() raised an exception.
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[na:1.8.0_181]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) ~[na:1.8.0_181]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) ~[na:1.8.0_181]
at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) ~[na:1.8.0_181]
at org.apache.kafka.common.network.SslTransportLayer.handshakeFailure(SslTransportLayer.java:871) [kafka-clients-2.7.0.jar:na]
at org.apache.kafka.common.network.SslTransportLayer.maybeProcessHandshakeFailure(SslTransportLayer.java:909) [kafka-clients-2.7.0.jar:na]
at org.apache.kafka.common.network.SslTransportLayer.handshake(SslTransportLayer.java:295) [kafka-clients-2.7.0.jar:na]
at org.apache.kafka.common.network.KafkaChannel.prepare(KafkaChannel.java:173) [kafka-clients-2.7.0.jar:na]
at org.apache.kafka.common.network.Selector.pollSelectionKeys(Selector.java:543) [kafka-clients-2.7.0.jar:na]
at org.apache.kafka.common.network.Selector.poll(Selector.java:481) [kafka-clients-2.7.0.jar:na]
at kafka.network.Processor.poll(SocketServer.scala:923) [kafka_2.12-2.7.0.jar:na]
at kafka.network.Processor.run(SocketServer.scala:826) [kafka_2.12-2.7.0.jar:na]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_181]
18:31:29.481 [data-plane-kafka-network-thread-1-ListenerName(SSL)-SSL-1] INFO o.a.kafka.common.network.Selector - [SocketServer brokerId=1] Failed authentication with /1.2.3.4 (SSL handshake failed)
data-plane-kafka-network-thread-1-ListenerName(SSL)-SSL-1, called closeOutbound()
data-plane-kafka-network-thread-1-ListenerName(SSL)-SSL-1, closeOutboundInternal()
Elsewhere in the log of another cluster member, authentication succeeds. So why does it work between different nodes, but not from one node to itself?
20:07:39.479 [data-plane-kafka-network-thread-3-ListenerName(SSL)-SSL-1] DEBUG o.a.k.c.network.SslTransportLayer - [SslTransportLayer channelId=1.2.3.6:9092-1.2.3.5:41182-0 key=sun.nio.ch.SelectionKeyImpl#69864b7d] SSL handshake completed successfully with peerHost '1.2.3.5' peerPort 41182 peerPrincipal '...' cipherSuite 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384'
20:07:39.480 [data-plane-kafka-network-thread-3-ListenerName(SSL)-SSL-1] DEBUG o.a.kafka.common.network.Selector - [SocketServer brokerId=3] Successfully authenticated with /1.2.3.5
I have solved the issue by moving the SSL listener away from the default port of 9092.
This leaves me with a different question: if I have configured only one listener, with SSL, on port 9092, why is there any PLAINTEXT activity on that same port?
The errors shown above were caused by each broker trying to connect to itself on port 9092, probably using PLAINTEXT, even though I had configured only SSL.
Also: what is the difference between settings (1) and (2) below?
# (1) The address the socket server listens on. It will get the value returned from
# java.net.InetAddress.getCanonicalHostName() if not configured.
# FORMAT:
# listeners = listener_name://host_name:port
# EXAMPLE:
# listeners = PLAINTEXT://your.host.name:9092
#listeners=PLAINTEXT://:9092
listeners=SSL://$auto_host:9092
# (2) The port the socket server listens on
port=9092

Peoplesoft Integration broker Received fatal alert: protocol_version

I am trying to consume third party rest service. When I send Get request the services should return json with link that I would open and transfer the user.
The things that I've done so far:
created request and response documents
created messages
created webservice that generates the correct URI
added the certs in digital storage and in keystorage on the web server
encrypted the secureFileKeystorePasswd
added JavaVM Options=-Dxdo.ConfigFile=%PS_HOME%/appserv/xdo.cfg -Xms32m -Xmx128m -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 in appserv and prcsserv
added -Dweblogic.security.SSL.protocolVersion=TLS1.2 with setEnv.cmd
created custom node with implicit SSLProtocols with TLS1.2. When I ping the node it works fine if the header with the TLS1.2 is missing it doesn’t work.
When I invoke %IntBroker.SyncRequest(&msg); this is the error I get:
javax.net.ssl.SSLException: Received fatal alert: protocol_version
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
at psft.pt8.pshttp.https.HttpsClient.doConnect(HttpsClient.java:246)
at sun.net.NetworkClient.openServer(NetworkClient.java:136)
at psft.pt8.pshttp.https.HttpClient.openServer(HttpClient.java:529)
at psft.pt8.pshttp.https.HttpClient.<init>(HttpClient.java:350)
at psft.pt8.pshttp.https.HttpsClient.<init>(HttpsClient.java:76)
at psft.pt8.pshttp.https.HttpsClient.newClient(HttpsClient.java:132)
at psft.pt8.pshttp.https.HttpsClient.newClient(HttpsClient.java:100)
at psft.pt8.pshttp.https.HttpsURLConnection.connect(HttpsURLConnection.java:468)
at psft.pt8.pshttp.PSHttp.getResponseCode(PSHttp.java:378)
at com.peoplesoft.pt.integrationgateway.targetconnector.HttpTargetConnector.send(HttpTargetConnector.java:843)
at com.peoplesoft.pt.integrationgateway.service.BasicConnectorInvocator.execute(BasicConnectorInvocator.java:131)
at com.peoplesoft.pt.integrationgateway.framework.GatewayManager.invokeService(GatewayManager.java:148)
at com.peoplesoft.pt.integrationgateway.framework.GatewayManager.connect(GatewayManager.java:192)
at com.peoplesoft.pt.integrationgateway.listeningconnector.PeopleSoftListeningConnector.doPost(PeopleSoftListeningConnector.java:186)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:751)
at com.peoplesoft.pt.integrationgateway.listeningconnector.PeopleSoftListeningConnector.service(PeopleSoftListeningConnector.java:87)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:844)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:280)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:254)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:136)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:346)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
at com.peoplesoft.pt.integrationgateway.common.IBFilter.doFilter(IBFilter.java:84)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3436)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3402)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2285)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2201)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1572)
at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:255)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:311)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:263)
I have found what was the problem for me. I needed to configure the generated routing in the service I made for protocol TLSv1.2.

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure in WAS 8.5.5.9

We have a single installation of WAS(8.5.5.9),with java of 1.8_64 and TLSv1.2 enabled on JVM. But when I run the code sslSocket.getEnabledProtocols(), it gives me `supported protocols=[TLSv1], which is V1.0.
When I check in Security > SSL certificate and key management, and under Related Items, click SSL configurations. ( such as CellDefaultSSLsetting , NodedefaultSSLsetting and any other SSLConfig), it shows 'TLSv1.2' as the protocol, under QoP settings.
To give you some background, am trying to connect to a dropwizard application which is configured with supported protocols as TLSv1.2 from an application deployed on WAS.
Since it tries to connect via TLS1, it gives javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure.
Error:
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.ibm.jsse2.j.a(j.java:31)
at com.ibm.jsse2.j.a(j.java:43)
at com.ibm.jsse2.as.b(as.java:816)
at com.ibm.jsse2.as.a(as.java:752)
at com.ibm.jsse2.as.i(as.java:130)
at com.ibm.jsse2.as.a(as.java:483)
at com.ibm.jsse2.as.startHandshake(as.java:160)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:415)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at org.apache.camel.component.http4.HttpProducer.executeMethod(HttpProducer.java:334)
at org.apache.camel.component.http4.HttpProducer.process(HttpProducer.java:193)
at org.apache.camel.util.AsyncProcessorConverterHelper$ProcessorToAsyncProcessorBridge.process(AsyncProcessorConverterHelper.java:61)
at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:541)
at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:198)
at org.apache.camel.processor.MulticastProcessor.doProcessSequential(MulticastProcessor.java:695)
at org.apache.camel.processor.MulticastProcessor.doProcessSequential(MulticastProcessor.java:623)
at org.apache.camel.processor.MulticastProcessor.process(MulticastProcessor.java:247)
at org.apache.camel.processor.RecipientList.sendToRecipientList(RecipientList.java:172)
at org.apache.camel.processor.RecipientList.process(RecipientList.java:132)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:120)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)
at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:541)
at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:198)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:120)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:198)
at org.apache.camel.component.direct.DirectProducer.process(DirectProducer.java:62)
at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:198)
at org.apache.camel.processor.DelegateAsyncProcessor.process(DelegateAsyncProcessor.java:97)
at org.apache.camel.impl.ProducerCache$1.doInProducer(ProducerCache.java:529)
at org.apache.camel.impl.ProducerCache$1.doInProducer(ProducerCache.java:497)
at org.apache.camel.impl.ProducerCache.doInProducer(ProducerCache.java:365)
at org.apache.camel.impl.ProducerCache.sendExchange(ProducerCache.java:497)
at org.apache.camel.impl.ProducerCache.send(ProducerCache.java:242)
at org.apache.camel.impl.DefaultProducerTemplate.send(DefaultProducerTemplate.java:148)
at org.apache.camel.impl.DefaultProducerTemplate.send(DefaultProducerTemplate.java:135)
at org.apache.camel.impl.DefaultProducerTemplate.request(DefaultProducerTemplate.java:301)
Please guide me on how to fix the issue.
Thanks,
Sravan Kumar

Incoming HTTP post over HTTPS causing exception

I have made a simple RESTlet that I have hosted on an Amazon EC2 instance.
I can reach this when i run it over HTTP.
I needed to convert this to working with HTTPS so followed the RESTlet guide at https://restlet.com/open-source/documentation/user-guide/2.2/core/security/https
When I connect to it over HTTP I get this error..
Restlet-917142466, READ: TLSv1.2 Alert, length = 2
Restlet-917142466, RECV TLSv1.2 ALERT: fatal, certificate_unknown
Restlet-917142466, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
Restlet-917142466, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
Restlet-917142466, called closeInbound()
Restlet-917142466, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
Restlet-917142466, called closeOutbound()
Restlet-917142466, closeOutboundInternal()
The Java code is very simple and mirrors the sample RESTlet server in the guide.
Any suggestions on what I could try to fix this?