We Keep Coding

ActiveMQ: Cant enable SSL over Stomp

I'm a new ActiveMQ user trying to enable SSL over Stomp with ActiveMQ. Previously I've enabled SSL over openwire for a CMS and I've tried to use both the certificate setup for the CMS and a new one for Stomp.
Here is my certificate setup
Creating the broker keystore:
keytool -genkeypair -alias broker -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -validity 4383 -keystore AMQBroker.ks -storepass "password" -keypass "password" -dname "CN=localhost" -ext "SAN=DNS:localhost,DNS:%computername%.%userdomain%,IP:0.0.0.0,IP:127.0.0.1" -ext "BC:critical=ca:true" -ext "KU:critical=keyCertSign"
Creating the keystore for the CMS client:
keytool -genkey -alias client -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -validity 4383 -keystore AMQClient.ks -storepass "password" -keypass "password" -dname "CN=localhost" -ext "SAN=DNS:localhost,DNS:%computername%.%userdomain%,IP:0.0.0.0,IP:127.0.0.1"
Creating truststores and importing certificates for the Broker and Client
keytool -export -alias broker -keystore AMQBroker.ks -storepass "password" -file AMQBroker.crt
keytool -export -alias client -keystore AMQClient.ks -storepass "password" -file AMQClient.crt
keytool -import -alias client -keystore AMQBroker.ts -storepass "password" -file AMQClient.crt -noprompt
keytool -import -alias broker -keystore AMQBroker.ts -storepass "password" -file AMQBroker.crt -noprompt (This was for the network connector)
Converting the broker keystore to p12 format to export as .pem format for the CMS client:
keytool -importkeystore -srckeystore AMQBroker.ks -destkeystore AMQBroker.p12 -srcstoretype jks -deststoretype pkcs12 -srcalias broker -deststorepass "password" -destkeypass "password" -srcstorepass "password"
openssl pkcs12 -in AMQBroker.p12 -out AMQClient-ts.pem -password pass:"password" -nokeys
Converting the client keystore to p12 format to export as .pem format for the CMS client. I also grabbed the .key file for testing with Stomp.py
keytool -importkeystore -srckeystore AMQClient.ks -destkeystore AMQClient.p12 -srcstoretype jks -deststoretype pkcs12 -srcalias client -deststorepass "password" -destkeypass "password" -srcstorepass "password"
openssl pkcs12 -in AMQClient.p12 -passin pass:"password" -out AMQClient.pem -passout pass:"password"
openssl pkcs12 -info -in AMQClient.p12 -passin pass:"password" -out AMQClient.key -nodes -nocerts
Here's some certificates generated trying to use Stomp specifically
openssl genrsa -out AMQStomp.key 4096
openssl req -sha256 -new -key AMQStomp.key -out AMQStomp.pem -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,DNS:%userdomain%,DNS:%computername%.%userdomain%,IP:0.0.0.0,IP:127.0.0.1"
keytool -import -alias stomp -keystore AMQBroker.ts -storepass "password" -file AMQStomp.pem -noprompt
keytool -exportcert -rfc -alias broker -keystore AMQBroker.ks -file AMQStomp-ts.pem -storepass "password"
Here's how I've setup my connection with Stomp.py
brokerPort = 61612
stomp_key = 'C:/path/to/AMQStomp.key'
stomp_cert = 'C:/path/to/AMQStomp.pem'
ca_cert = 'C:/path/to/AMQStomp-ts.pem'
self.__conn = stomp.Connection(host_and_ports=[(brokerHost, brokerPort)],
auto_content_length=False,
use_ssl=True,
ssl_key_file=stomp_key,
ssl_cert_file=stomp_cert,
ssl_ca_certs=ca_cert,
ssl_version=ssl.PROTOCOL_TLSv1_2)
self.__conn.set_ssl(
for_hosts=[(brokerHost, brokerPort)],
cert_file=stomp_cert,
key_file=stomp_key,
ca_certs=ca_cert,
ssl_version=ssl.PROTOCOL_TLSv1_2)
I've also tried the CMS certificates.
stomp_key = 'C:/path/to/AMQClient.key'
stomp_cert = 'C:/path/to/AMQClient.pem'
ca_cert = 'C:/path/to/AMQClient-ts.pem'
Here's what's currently configured with my activemq.xml
<sslContext>
<sslContext
keyStore="C:/path/to/AMQBroker.ks"
keyStorePassword="password"
trustStore="C:/path/to/AMQBroker.ts"
trustStorePassword="password" />
</sslContext>
<transportConnectors>
<transportConnector name="openwire+ssl" uri="ssl://0.0.0.0:61617?needClientAuth=true&maximumConnections=1000&transport.enabledProtocols=TLSv1.2&wireformat.maxFrameSize=104857600&wireFormat.maxInactivityDuration=-1"/>
<transportConnector name="stomp+ssl" uri="stomp+nio+ssl://0.0.0.0:61612?maximumConnections=1000&transport.enabledProtocols=TLSv1.2&needClientAuth=true"/>
</transportConnectors>
ACTIVEMQ_SSL_OPTS is set as:
-Djavax.net.ssl.keyStore=C:\path\to\AMQBroker.ks -Djavax.net.ssl.trustStore=C:\path\to\AMQBroker.ts -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStorePassword=password -Djavax.net.debug=ssl
Here's the error I'm getting when Trying to connect with Stomp
2021-01-18 19:35:40,184 | ERROR | Could not accept connection from null : {} | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[infrastructure] Task-10
java.io.IOException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.stomp.StompNIOSSLTransport.initializeStreams(StompNIOSSLTransport.java:57)[activemq-stomp-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.stomp.StompTransportFilter.start(StompTransportFilter.java:65)[activemq-stomp-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)[activemq-broker-5.15.9.jar:5.15.9]
at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)[activemq-broker-5.15.9.jar:5.15.9]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)[:]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)[:]
at java.base/java.lang.Thread.run(Unknown Source)[:]
2021-01-18 19:35:40,184 | DEBUG | Reason: java.io.IOException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection? | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[infrastructure] Task-10
java.io.IOException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:196)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.stomp.StompNIOSSLTransport.initializeStreams(StompNIOSSLTransport.java:57)[activemq-stomp-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:470)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.stomp.StompTransportFilter.start(StompTransportFilter.java:65)[activemq-stomp-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.AbstractInactivityMonitor.start(AbstractInactivityMonitor.java:169)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)[activemq-client-5.15.9.jar:5.15.9]
at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1072)[activemq-broker-5.15.9.jar:5.15.9]
at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)[activemq-broker-5.15.9.jar:5.15.9]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)[:]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)[:]
at java.base/java.lang.Thread.run(Unknown Source)[:]

It would be quite hard to know from the data given what is going on between the client and broker over the wire which is where you are going to need to look in order to understand what is going wrong. The Broker STOMP module has a number of tests that run using an SSL configuration which you can see here:
One means of debugging is to set the JVM option to enable debug for SSL:
-Djavax.net.debug=ssl
Review the handshake information to see where the negotiation goes wrong.

I did get this running from a smaller test file
the following code snippet was modified from https://developers.redhat.com/blog/2018/06/14/stomp-with-activemq-artemis-python/
stomp_test.py
import time
import sys
import stomp
import ssl
class MyListener(stomp.ConnectionListener):
def on_error(self, headers, message):
print('received an error "%s"' % message)
def on_message(self, headers, message):
print('received a message "%s"' % message)
hosts = [('localhost', 61613)]
stomp_key = 'D:/FOSS/ActiveMQ/conf/AMQClient.key'
stomp_cert = 'D:/FOSS/ActiveMQ/conf/AMQClient.pem'
stomp_ca = 'D:/FOSS/ActiveMQ/conf/AMQClient-ts.pem'
conn = stomp.Connection(host_and_ports=hosts,
use_ssl=True,
ssl_key_file=stomp_key,
ssl_cert_file=stomp_cert,
ssl_ca_certs=stomp_ca,
ssl_version=ssl.PROTOCOL_TLSv1_2)
conn.set_ssl(for_hosts=hosts,
cert_file=stomp_cert,
key_file=stomp_key,
ca_certs=stomp_ca,
ssl_version=ssl.PROTOCOL_TLSv1_2,
password='password')
conn.set_listener('', MyListener())
conn.connect('admin', 'admin', wait=True,headers = {'client-id': 'clientname'} )
conn.subscribe(destination='A.B.C.D', id=1, ack='auto',headers = {'subscription-type': 'MULTICAST','durable-subscription-name':'someValue'})
conn.send(body=' '.join(sys.argv[1:]), destination='A.B.C.D')
time.sleep(2)
conn.disconnect()
I also had to add a few more extensions to my broker's keystore (I went a little overkill)
-ext KeyUsage=digitalSignature,keyEncipherment,keyCertSign -ext ExtendedKeyUsage=serverAuth,clientAuth -ext BasicConstraints=ca:true
keytool -genkeypair -alias broker -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -validity 4383 -keystore AMQBroker.ks -storepass "password" -keypass "password" -dname "CN=localhost" -ext "SAN=DNS:localhost,IP:0.0.0.0,IP:127.0.0.1" -ext KeyUsage=digitalSignature,keyEncipherment,keyCertSign -ext ExtendedKeyUsage=serverAuth,clientAuth -ext BasicConstraints=ca:true
I also removed nio from my stomp transportConnector in the activemq.xml
<transportConnector name="stomp+ssl" uri="stomp+ssl://0.0.0.0:61613?maximumConnections=1000&transport.enabledProtocols=TLSv1.2&needClientAuth=true"/>
I hope this helps anyone with a similar issue.

Configuring Kafka SSL with Let's Encrypt

I'm trying to setup a Kafka cluster and add SSL to it, but I'm getting always the same error:
INFO [SocketServer brokerId=0] Failed authentication with /XXX.XXX.XXX.XXX (SSL handshake failed) (org.apache.kafka.common.network.Selector)
I read several stackoverflow posts about this problem but I cannot fix it.
I'm using Kafka 2.5.0 on Ubuntu 18.04 with OpenJDK 14 and I used Let's Encrypt to generate certificates for my domain name (that are working perfectly with nginx).
First I created a pkcs12 file with the following command:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name kafka1 -CAfile chain.pem -caname root
...then I created the keystore (with the -ext option as described in kafka docs):
keytool -importkeystore -deststorepass 'STRONG_PASS' -destkeypass 'STRONG_PASS' -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass 'STRONG_PASS' -alias kafka1 -ext SAN=DNS:{FQDN}
...also I added the certificate to the truststore:
keytool -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -noprompt -importcert -file /etc/letsencrypt/live/YOURDOMAIN/chain.pem
At this point, I believe that I have all of the necessary steps to have the keystore and the truststore correctly configured.
My broker config is:
broker.id=0
listeners=SSL://mydomain.com:9092
ssl.keystore.location=/path/to/keystore.jks
ssl.keystore.password=password
ssl.key.password=password
ssl.truststore.location=/path/to/jdk/lib/security/cacerts
ssl.truststore.password=changeit
ssl.secure.random.implementation=SHA1PRNG
security.inter.broker.protocol=SSL
ssl.endpoint.identification.algorithm= # I tried with and without this and the problem persists
advertised.listeners=SSL://mydomain.com:9092
num.network.threads=3
num.io.threads=8
socket.send.buffer.bytes=102400
socket.receive.buffer.bytes=102400
socket.request.max.bytes=104857600
log.dirs=/path/to/kafka_data
num.partitions=1
num.recovery.threads.per.data.dir=1
offsets.topic.num.partitions=3
offsets.topic.replication.factor=2
transaction.state.log.replication.factor=1
transaction.state.log.min.isr=1
min.insync.replicas=2
default.replication.factor=2
log.retention.hours=168
log.segment.bytes=1073741824
log.retention.check.interval.ms=300000
zookeeper.connect=IP1:2181,IP2:2181,IP3:2181
zookeeper.connection.timeout.ms=18000
group.initial.rebalance.delay.ms=3000
Then I run the broker and try to execute the following command to know if everything is working:
openssl s_client -debug -connect mydomain.com:9092 -tls1 | head -n 50
And the error is displayed:
INFO [SocketServer brokerId=0] Failed authentication with /XXX.XXX.XXX.XXX (SSL handshake failed) (org.apache.kafka.common.network.Selector)
My domain is not the same as my hostname in the machine, I don't know if it could be a problem. I only want to add security to the first broker and then repeat the same in the other two, but first have the first one working.
What is wrong with my config? Maybe the truststore? or the hostname and domain name?

WSO2 EI - 2 way SSL - handshake_failure

I've a problem setting up a two-way SSL authentication.
I need to access an HTTPS endpoint from wso2 entreprise integrator.
The service provider gave me a pfx keystore that containes certificates and private key that i have to provide to the server.
I installed this pfx keystore on my windows computer and tried to access the endpoint from Chrome (the endpoint has a GET service at root context that return hello message). When accessing this endpoint, chrome tell me to choose a certificate to provide to the server... i choose the good one and the hello message is returned... fine, the certificate works.
I tried with curl too, providing key, cacert and cert (extracted from pfx files using openssl). Everything worked fine.
The problem is when i try to access this endpoint from wso2 ei service.
I imported my pfx file into default keystore (wso2carbon.jks), following these steps, using keytool:
Import pfx in jks
keytool -importkeystore -srckeystore .pfx -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS -srcstorepass -deststorepass wso2carbon
Export jks public key
keytool -export -alias "" -keystore wso2carbon.jks -file publickey.pem -storepass wso2carbon
Import public key in default client-trustore.jks
keytool -import -alias "" -file publickey.pem -keystore client-truststore.jks -storepass wso2carbon
Update password of alias in wso2carbon keystore (must be the same as jks pwd)
keytool -keypasswd -alias "" -new wso2carbon -keystore wso2carbon.jks -keypass -storepass wso2carbon
Added root & intermediate server certificates to trustore
keytool -import -v -trustcacerts -alias root -file root.cer -keystore client-truststore.jks -storepass wso2carbon
keytool -import -v -trustcacerts -alias intermed -file intermed.cer -keystore client-truststore.jks -storepass wso2carbon
Restarted WSO2 EI then tried to access endpoint (handshake failure !!!)
I activated -Djavax.net.debug=ssl:handshake, below the trace of error.
Seems like WSO2 EI cannot find certificates asked by server
...
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withRSA, Unknown (hash:0x6, signature:0x2), SHA512withECDSA, SHA384withRSA, Unknown (hash:0x5, signature:0x2), SHA384withECDSA, SHA256withRSA, Unknown (hash:0x4, signature:0x2), SHA256withECDSA, SHA224withRSA, Unknown (hash:0x3, signature:0x2), SHA224withECDSA, SHA1withRSA, SHA1withDSA, SHA1withECDSA
Cert Authorities:
<CN=Autorite Bureau RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Racine RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Bureau Machine RTE, DC=bureau, DC=si, DC=interne>
*** ServerHelloDone
Warning: no suitable certificate found - continuing without client authentication
*** Certificate chain
<Empty>
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
PassThroughMessageProcessor-2, WRITE: TLSv1.2 Handshake, length = 320
SESSION KEYGEN:
PreMaster Secret:
... no IV derived for this protocol
PassThroughMessageProcessor-2, WRITE: TLSv1.2 Change Cipher Spec, length = 64
*** Finished
verify_data: { 111, 185, 151, 74, 99, 156, 152, 185, 240, 222, 162, 116 }
***
PassThroughMessageProcessor-2, WRITE: TLSv1.2 Handshake, length = 80
PassThroughMessageProcessor-2, READ: TLSv1.2 Alert, length = 64
PassThroughMessageProcessor-2, RECV TLSv1.2 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA256]
%% Invalidated: [Session-2, TLS_RSA_WITH_AES_256_CBC_SHA256]
PassThroughMessageProcessor-2, called closeSocket()
PassThroughMessageProcessor-2, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
PassThroughMessageProcessor-2, called close()
PassThroughMessageProcessor-2, called closeInternal(true)
I tried with SOAP UI, referencing the previously created keystore, and the GET call returns the hello message (handshake succeeded).
I also tried with a snippet java class that use that keystore and the ssl handshake process goes fine.
System.setProperty("javax.net.ssl.keyStore", keystorePath);
System.setProperty("javax.net.ssl.keyStorePassword", CERT_PASSWORD);
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
URL myUrl;
try {
myUrl = new URL(endpoint);
HttpsURLConnection conn = (HttpsURLConnection) myUrl.openConnection();
InputStream is = conn.getInputStream();
InputStreamReader isr = new InputStreamReader(is);
BufferedReader br = new BufferedReader(isr);
String inputLine;
while ((inputLine = br.readLine()) != null) {
System.out.println(inputLine);
}
Cert Authorities:
<CN=Autorite Bureau RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Racine RTE, O=RTE, L=Pacy, ST=Eure, C=FR>
<CN=Autorite Bureau Machine RTE, DC=bureau, DC=si, DC=interne>
*** ServerHelloDone
matching alias: alias-cert
I appreciate any help.
Thanks.
Kind regards,
Rudy

To solve this review your configuration on axis2.xml file, observe the element transportSender with name="https", and insert the config for customSSLProfiles.
The how-to, is at this documentation:
https://docs.wso2.com/display/EI660/HTTPS-NIO+Transport+

Jetty 9 cant work with self-signed certificate that generated by OpenSSL

I want to configure SSL on jetty-distribution-9.2.9.v20150224
I followed http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html to configure SSL and generate certificate
The problem is:
If I use the keystore generated by Keytool:
keytool -keystore keystore -alias jetty -genkey -keyalg RSA
and configure ssl and https modules to start.ini, Jetty works correctly.
However , the certificate extracted from keystore can’t be trusted by browser. So I want to create self-signed certificate using Openssl
My Openssl version is 0.9.8, and I generated keystore in following steps:
openssl genrsa -des3 -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in mn-server.csr -signkey server.key -out server.crt
keytool -import -trustcacerts -alias server -file server.crt -keystore truststore.keystore
However, this truststore.keystore can't work. Http works correctly, but I’m not able to access to https. There's no special exception throw out, and when checking 8443 port, it's already initialized.
Am I missing some jetty configuration ? or the certificate generated is generated incorrect?
After debug, I see this no cipher suites in common exception
%%Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
qtp1811075214-27, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-1, SSL_NULL_WITH_NULL_NULL]
qtp1811075214-27, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
qtp1811075214-27, WRITE: TLSv1.2 Alert, length = 2
qtp1811075214-27, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
The Signature algorithm I'm using is SHA1withRSA , and my Java version is "1.8.0_25"

It was solved by upgrade spring-ws-core version to 2.2.x
And I also upgrade openssl to 1.0.1k

DataStax DSE Cassandra SSL - Unrecognized SSL message, plaintext connection?

I have been trying to enable client-to-node ssl communication in a single node cluster running Datastax (DSE) version 4.6 with Cassandra 2.0.11
After following the steps in the datastax documentation documentation
I keep on getting the following error message;
INFO [Thread-3] 2015-01-25 09:00:21,383 ThriftServer.java (line 135) Listening for thrift clients...
ERROR [Thrift:1] 2015-01-25 09:00:30,486 TNegotiatingServerTransport.java (line 523) Failed to open server transport.
org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at org.apache.thrift.transport.TIOStreamTransport.read(TIOStreamTransport.java:129)
at com.datastax.bdp.transport.server.TPreviewableTransport.readUntilEof(TPreviewableTransport.java:79)
at com.datastax.bdp.transport.server.TPreviewableTransport.preview(TPreviewableTransport.java:55)
at com.datastax.bdp.transport.server.TNegotiatingServerTransport.open(TNegotiatingServerTransport.java:186)
at com.datastax.bdp.transport.server.TNegotiatingServerTransport$Factory.getTransport(TNegotiatingServerTransport.java:516)
at com.datastax.bdp.transport.server.TNegotiatingServerTransport$Factory.getTransport(TNegotiatingServerTransport.java:405)
at org.apache.cassandra.thrift.CustomTThreadPoolServer$WorkerProcess.run(CustomTThreadPoolServer.java:196)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:671)
at sun.security.ssl.InputRecord.read(InputRecord.java:504)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
at org.apache.thrift.transport.TIOStreamTransport.read(TIOStreamTransport.java:127)
... 9 more
ERROR [Thrift:1] 2015-01-25 09:00:30,513 CustomTThreadPoolServer.java (line 222) Error occurred during processing of message.
java.lang.RuntimeException: Failed to open server transport: unknown
at com.datastax.bdp.transport.server.TNegotiatingServerTransport$Factory.getTransport(TNegotiatingServerTransport.java:524)
at com.datastax.bdp.transport.server.TNegotiatingServerTransport$Factory.getTransport(TNegotiatingServerTransport.java:405)
at org.apache.cassandra.thrift.CustomTThreadPoolServer$WorkerProcess.run(CustomTThreadPoolServer.java:196)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Here is my cassandra.yaml file
client_encryption_options:
enabled: true
keystore: /home/ubuntu/.keystore
keystore_password: ****
truststore: /home/ubuntu/.truststore
truststore_password: ****
protocol: ssl
store_type: JKS
cipher_suites:
[TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
Steps followed to create the keystore and truststore
keytool -genkey -keyalg RSA -alias node0 -keystore .keystore (used the hostname for first name & last name)
keytool -export -alias node0 -file node0.cer -keystore .keystore
keytool -import -v -trustcacerts -alias node0 -file node0.cer -keystore .truststore
I already fix the TLS_RSA_WITH_AES_256_CBC_SHA bug they have in their documentation by downloading the required jar files from the oracle website http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

This message shows that a client is trying to open an unencrypted connection.
First thought is check if client certificate auth is enabled. Read this: http://www.datastax.com/documentation/datastax_enterprise/4.6/datastax_enterprise/sec/secRunCqlsh.html
Here is a walkthrough for enabling cqlsh ssl connection: https://github.com/PatrickCallaghan/datastax-ssl-example