I'm developing a web app, and the app uses navigator.mediaDevices.getUserMedia, so it needs HTTPS.
So I created a dummy certificate and localhost KTOR loads it.
Which is great! Except it litters the logs with
2022-10-05 10:26:10.046 [eventLoopGroupProxy-3-4] WARN i.n.h.s.ApplicationProtocolNegotiationHandler - [id: 0x96c37772, L:0.0.0.0/0.0.0.0:8443] TLS handshake failed:
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
Is there any way to keep those from spamming the log?
(either through an improved self-signed cert, or through a filter, or a ktor config of "I get it, stop bothering me...")
Describe the bug:
We configured SSL using PEM via documentation guide.
This works fine and the web front-end is available with https. When trying to send data from rulechain to HTTP integration an error occurs due to SSL problems.
Is there anything missing which needs to be added to the config?
Server Environment:
ThingsBoard Version 3.3.3
Ubuntu
local infrastructure
Steps to reproduce the behavior:
Apply Config for SSL
Create a new HTTP Integration and Copy the URL
Create a rulechain with generator node
Add rest api call node using the Integration URL
Inspect Debug logs of rest api call node
Expected behavior:
Request to the HTTP Integration should be successful without any SSL issues.
Additional context:
Error Message printed in debug logs:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:477)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.handshakeException(ReferenceCountedOpenSslEngine.java:1883)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.wrap(ReferenceCountedOpenSslEngine.java:806)
at java.base/javax.net.ssl.SSLEngine.wrap(SSLEngine.java:522)
at io.netty.handler.ssl.SslHandler.wrap(SslHandler.java:1041)
at io.netty.handler.ssl.SslHandler.wrapNonAppData(SslHandler.java:927)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1409)
at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1247)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1287)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:234)
at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:740)
at io.netty.internal.tcnative.CertificateVerifierTask.runTask(CertificateVerifierTask.java:36)
at io.netty.internal.tcnative.SSLTask.run(SSLTask.java:48)
at io.netty.internal.tcnative.SSLTask.run(SSLTask.java:42)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine$TaskDecorator.run(ReferenceCountedOpenSslEngine.java:1446)
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1549)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1395)
... 21 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 34 more
We have a single installation of WAS(8.5.5.9),with java of 1.8_64 and TLSv1.2 enabled on JVM. But when I run the code sslSocket.getEnabledProtocols(), it gives me `supported protocols=[TLSv1], which is V1.0.
When I check in Security > SSL certificate and key management, and under Related Items, click SSL configurations. ( such as CellDefaultSSLsetting , NodedefaultSSLsetting and any other SSLConfig), it shows 'TLSv1.2' as the protocol, under QoP settings.
To give you some background, am trying to connect to a dropwizard application which is configured with supported protocols as TLSv1.2 from an application deployed on WAS.
Since it tries to connect via TLS1, it gives javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure.
Error:
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.ibm.jsse2.j.a(j.java:31)
at com.ibm.jsse2.j.a(j.java:43)
at com.ibm.jsse2.as.b(as.java:816)
at com.ibm.jsse2.as.a(as.java:752)
at com.ibm.jsse2.as.i(as.java:130)
at com.ibm.jsse2.as.a(as.java:483)
at com.ibm.jsse2.as.startHandshake(as.java:160)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:415)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at org.apache.camel.component.http4.HttpProducer.executeMethod(HttpProducer.java:334)
at org.apache.camel.component.http4.HttpProducer.process(HttpProducer.java:193)
at org.apache.camel.util.AsyncProcessorConverterHelper$ProcessorToAsyncProcessorBridge.process(AsyncProcessorConverterHelper.java:61)
at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:541)
at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:198)
at org.apache.camel.processor.MulticastProcessor.doProcessSequential(MulticastProcessor.java:695)
at org.apache.camel.processor.MulticastProcessor.doProcessSequential(MulticastProcessor.java:623)
at org.apache.camel.processor.MulticastProcessor.process(MulticastProcessor.java:247)
at org.apache.camel.processor.RecipientList.sendToRecipientList(RecipientList.java:172)
at org.apache.camel.processor.RecipientList.process(RecipientList.java:132)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:120)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
at org.apache.camel.management.InstrumentationProcessor.process(InstrumentationProcessor.java:77)
at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:541)
at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:198)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:120)
at org.apache.camel.processor.Pipeline.process(Pipeline.java:83)
at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:198)
at org.apache.camel.component.direct.DirectProducer.process(DirectProducer.java:62)
at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:198)
at org.apache.camel.processor.DelegateAsyncProcessor.process(DelegateAsyncProcessor.java:97)
at org.apache.camel.impl.ProducerCache$1.doInProducer(ProducerCache.java:529)
at org.apache.camel.impl.ProducerCache$1.doInProducer(ProducerCache.java:497)
at org.apache.camel.impl.ProducerCache.doInProducer(ProducerCache.java:365)
at org.apache.camel.impl.ProducerCache.sendExchange(ProducerCache.java:497)
at org.apache.camel.impl.ProducerCache.send(ProducerCache.java:242)
at org.apache.camel.impl.DefaultProducerTemplate.send(DefaultProducerTemplate.java:148)
at org.apache.camel.impl.DefaultProducerTemplate.send(DefaultProducerTemplate.java:135)
at org.apache.camel.impl.DefaultProducerTemplate.request(DefaultProducerTemplate.java:301)
Please guide me on how to fix the issue.
Thanks,
Sravan Kumar
I do not understand the origin of this issue:
com.ibm.sslite.d: reason=2; alert=40; exception=null
It happens when i call:
int statusCode = httpClient.executeMethod(method);
It might be related to the SSL protocol and maybe websphere is quite old and incompatible.
12:56:46 [sid=] [uid=] [oid=] - ERROR com.darty.ecom.frontoffice.newespaceclient.core.service.cev.CevProxyConnection - CEV > STACK TRACE >
com.ibm.sslite.d: reason=2; alert=40; exception=null
at com.ibm.sslite.m.a(m.java:50)
at com.ibm.sslite.t.b(t.java:113)
at com.ibm.sslite.t.a(t.java:43)
at com.ibm.sslite.a.read(a.java:7)
at com.ibm.jsse.a.read(Unknown Source)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:200)
at java.io.BufferedInputStream.read(BufferedInputStream.java:218)
at org.apache.commons.httpclient.HttpParser.readRawLine(HttpParser.java:77)
at org.apache.commons.httpclient.HttpParser.readLine(HttpParser.java:105)
at org.apache.commons.httpclient.HttpConnection.readLine(HttpConnection.java:1115)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.readLine(MultiThreadedHttpConnectionManager.java:1373)
at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1832)
at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1590)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:995)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
at com.darty.ecom.frontoffice.newespaceclient.core.service.cev.CevProxyConnection.executeMethod(CevProxyConnection.java:137)
the same error in the integration environmenent is a little different and says:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
That means the server-side sent a TLS alert telling you the handshake failed. (alert#40) You'll need to debug the why on the server -- maybe it requries TLS client authentication, maybe your client only uses ancient protocols/ciphers or visa versa.
I have the PushAdapter from the example push notification defined in an new project, and, I've added the apns-certificate-sandbox.p12 to the native api application (a native api), added the correct bundleId value in the application-descriptor.xml, but, I keep getting this error:
[WARNING ] Failed to retreive invalid devices
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
[ERROR ] Couldn't get feedback connection
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
[ERROR ] Unknown exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
Unknown exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
This is a new installation of Worklight (6.0.0.20130909-1459), and I've tried two separate installations (one into Eclipse and one into RAD), both same errors.
Is there some additional work that needs to be done for push testing to work in the Worklight Development Server (Websphere Liberty) environment for SSL to work? There aren't any devices subscribed yet, but, not sure why this error is occurring or if it's relevant at all.
The detailed trace is here:
[11/1/13 11:50:20:834 EDT] 00000034 com.worklight.core.exceptions.InstrumentedException E Unknown exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
com.worklight.core.exceptions.InstrumentedException: Unknown exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at com.worklight.core.exceptions.DefaultExceptionHandler.handleException(DefaultExceptionHandler.java:56)
at com.worklight.core.tasks.TaskThread.run(TaskThread.java:113)
Caused by: java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at com.notnoop.apns.internal.Utilities.parseFeedbackStreamRaw(Utilities.java:201)
at com.notnoop.apns.internal.Utilities.parseFeedbackStream(Utilities.java:211)
at com.notnoop.apns.internal.ApnsFeedbackConnection.getInactiveDevicesImpl(ApnsFeedbackConnection.java:87)
at com.notnoop.apns.internal.ApnsFeedbackConnection.getInactiveDevices(ApnsFeedbackConnection.java:67)
at com.notnoop.apns.internal.AbstractApnsService.getInactiveDevices(AbstractApnsService.java:99)
at com.notnoop.apns.internal.ApnsServiceImpl.getInactiveDevices(ApnsServiceImpl.java:36)
at com.worklight.integration.notification.apns.ApplicationConnection.getInactiveDevices(ApplicationConnection.java:110)
at com.worklight.integration.notification.apns.APNSMediator.maintain(APNSMediator.java:95)
at com.worklight.integration.notification.Dispatcher.maintain(Dispatcher.java:148)
at com.worklight.integration.notification.NotificationCleanupTask.step(NotificationCleanupTask.java:29)
at com.worklight.core.tasks.TaskThread.run(TaskThread.java:111)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:69)
at java.io.DataInputStream.readInt(DataInputStream.java:387)
at com.notnoop.apns.internal.Utilities.parseFeedbackStreamRaw(Utilities.java:192)
... 10 more
This looks like an error from the server trying to test a connection to the Apple Push/Feedback service.
A couple of things to check:
Is the application built for development or distribution?
If development, ensure you are using the Development SSL certificate. Export both the certificate and private key into a file named: apns-certificate-sandbox.p12
If distribution, ensure you are using the Production SSL certificate. Export both the certificate and private key into the a file named: apns-certificate-production.p12
Ensure the .p12 file was created correctly and that you specified the corresponding password in the application descriptor file.
Ensure that your Worklight server can access the APNs hosts/ports for the push and for feedback service. i.e Firewall ports need to be opened for the following:
gateway.push.apple.com, port 2195
gateway.sandbox.push.apple.com, port 2195
feedback.push.apple.com, port 2196
feedback.sandbox.push.apple.com on port 2196
Worklight product never used http://code.google.com/p/javapns for push, it is using com.notnoop.apns . This package works well with Oracle JDK 1.6 and 1.7
Can you shed some more light on which JDK exactly version were you using ?
I tested push sample on the embedded Liberty+Oracle JDK 1.7_07b +iPhone 5 and it worked.
how did you create this certificate ? can you write here step-by-step what you did? (and specify every file you copied,edited i the way)
If you are asking about using javaPNS: Ofcourse, since its an open framework, you could manually copy (and use) any jar into your Worklight project as a 3rd party dependency, however, it seems that this javaPNS jar has some bugs with SSL.
Why don't you look at the Worklight's push notification samples and work your way from there ( http://www.ibm.com/developerworks/mobile/worklight/getting-started.html#client-basics ) ? (Worklight comes with a working push notification solution , works on JDK1.6 or 1.7 without issues with your PKCS12 certificates)
On my side it has been veririfed that in OS X (sometimes in Windows too actually), the certificate_unknown error is thrown when using JRE 7 instead of JRE 6. It seems that the notnoop open source library used in Worklight is not handling well Java 7.
https://github.com/notnoop/java-apns/issues/54