Java8, JBoss AS5, SSLException: "Received fatal alert: handshake_failure" - ssl

My java application is running by JBoss AS 5. I'm trying to connect by URL to download image, but I receive the next exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
I've configurated trust-managet as "all-trusting trust manager":
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
#Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
#Override
public void checkClientTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
#Override
public void checkServerTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
}
};
// Install the all-trusting trust manager
try {
SSLContext sc = SSLContext.getInstance("TLSv1.2");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
}
HostnameVerifier hv = new HostnameVerifier() {
#Override
public boolean verify(String urlHostName, SSLSession session) {
return true;
}
};
HttpsURLConnection.setDefaultHostnameVerifier(hv);
My simple java code:
URL url = new URL("https://cdn.hotelbeds.com/giata/62/623081/623081a_hb_ro_007.jpg");
url.openConnection().connect();
I've activated ssl debug mode (-Djavax.net.debug=ssl) and received the following logs:
`18:20:23,030 INFO [STDOUT] Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
18:20:23,031 INFO [STDOUT] WorkerThread#1[10.0.0.38:52361], setSoTimeout(0) called
18:20:23,032 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
18:20:23,032 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
18:20:23,032 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
18:20:23,032 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
18:20:23,032 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
18:20:23,032 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
18:20:23,032 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
18:20:23,032 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
18:20:23,032 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
18:20:23,032 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
18:20:23,032 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
18:20:23,032 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
18:20:23,032 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
18:20:23,032 INFO [STDOUT] Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
.......................
18:20:23,036 INFO [STDOUT] Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
18:20:23,036 INFO [STDOUT] Compression Methods: {0}
18:20:23,036 INFO [STDOUT] Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
18:20:23,036 INFO [STDOUT] Extension ec_point_formats, formats: [uncompressed]
18:20:23,036 INFO [STDOUT] Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
18:20:23,037 INFO [STDOUT] WorkerThread#1[10.0.0.38:52361], WRITE: TLSv1.2 Handshake, length = 161
18:20:23,065 INFO [STDOUT] WorkerThread#1[10.0.0.38:52361], READ: TLSv1.2 Alert, length = 2
18:20:23,066 INFO [STDOUT] WorkerThread#1[10.0.0.38:52361]
18:20:23,066 INFO [STDOUT] RECV TLSv1.2 ALERT: fatal, handshake_failure
18:20:23,066 INFO [STDOUT] WorkerThread#1[10.0.0.38:52361], called closeSocket()
18:20:23,066 INFO [STDOUT] WorkerThread#1[10.0.0.38:52361], handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Also I've tried to use property the following 'solutions':
https.protocols=TLSv1.2,TLSv1.1,TLSv1
crypto.policy=unlimited
The java version is 1.8.0_131. What should I do to connect with this website and download this image?
Thanks in advance.

It very looks like a duplicate from what I see when checking your site against SSLLabs and from the Extension name being absent in the debug output. See here for my answer and the solution (upgrading Java).

Related

Zookeeper TLS error: Unsuccessful handshake with session 0x0 (org.apache.zookeeper.server.NettyServerCnxnFactory)

Can't start Zookeeper with TSL, help me please!
Zookeeper version: 3.5.8-f439ca583e70862c3068a1f2a7d4d068eec33315, built on 05/04/2020 15:53 GMT
zookeeper.properties:
###################[ MAIN ]###################
dataDir=~/zookeeper_ssl/data/zookeeper-data
clientPort=2185
secureClientPort=2186
maxClientCnxns=0
##############[ AUTHENTICATION ]##############
authProvider.sasl=org.apache.zookeeper.server.auth.SASLAuthenticationProvider # (tried change to authProvider.1 but no success)
jaasLoginRenew=3600000
requireClientAuthScheme=sasl
#############[ SSL ]############ authProvider.x509=org.apache.zookeeper.server.auth.X509AuthenticationProvider # (tried to remove - but no success)
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=~/zookeeper_ssl/ssl/broker1.jks
ssl.keyStore.password=xxx
ssl.trustStore.location=~/zookeeper_ssl/ssl/broker1.jks
ssl.trustStore.password=xxx
clientAuth=none
tickTime=3000
initLimit=10
syncLimit=5
##############[ OTHER CONFIGS ]#############
4lw.commands.whitelist=*
admin.enableServer=true
admin.serverPort=8181
It is starting well. Then try to connect:
./bin/kafka-run-class \
> -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty \
> -Dzookeeper.ssl.client.enable=true \
> -Dzookeeper.ssl.keyStore.location=~/zookeeper_ssl/ssl/dev1.jks \
> -Dzookeeper.ssl.keyStore.password=xxx \
> -Dzookeeper.ssl.trustStore.location=~/zookeeper_ssl/ssl/dev1.jks \
> -Dzookeeper.ssl.trustStore.password=xxx \
> org.apache.zookeeper.ZooKeeperMain -server localhost:2186
Have got:
Connecting to localhost:2186
Welcome to ZooKeeper!
JLine support is disabled
ACTUALLY NOTHING HAPPENS HERE - SO PRESSED CTRL+C
^C
zookeeper.log:
[2020-08-17 18:02:07,667] DEBUG Using Java8 optimized cipher suites for Java version 1.8 (org.apache.zookeeper.common.X509Util)
[2020-08-17 18:02:07,981] DEBUG Default protocols (JDK): [TLSv1.2, TLSv1.1, TLSv1] (io.netty.handler.ssl.JdkSslContext)
[2020-08-17 18:02:07,981] DEBUG Default cipher suites (JDK): [TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA] (io.netty.handler.ssl.JdkSslContext)
[2020-08-17 18:02:08,104] DEBUG SSL handler added for channel: [id: 0x6bcbf86b, L:/x.x.x.x:2186 - R:/x.x.x.x:56620] (org.apache.zookeeper.server.NettyServerCnxnFactory)
[2020-08-17 18:02:08,123] DEBUG -Dio.netty.recycler.maxCapacityPerThread: 4096 (io.netty.util.Recycler)
[2020-08-17 18:02:08,123] DEBUG -Dio.netty.recycler.maxSharedCapacityFactor: 2 (io.netty.util.Recycler)
[2020-08-17 18:02:08,123] DEBUG -Dio.netty.recycler.linkCapacity: 16 (io.netty.util.Recycler)
[2020-08-17 18:02:08,123] DEBUG -Dio.netty.recycler.ratio: 8 (io.netty.util.Recycler)
[2020-08-17 18:02:08,133] DEBUG -Dio.netty.buffer.checkAccessible: true (io.netty.buffer.AbstractByteBuf)
[2020-08-17 18:02:08,133] DEBUG -Dio.netty.buffer.checkBounds: true (io.netty.buffer.AbstractByteBuf)
[2020-08-17 18:02:08,134] DEBUG Loaded default ResourceLeakDetector: io.netty.util.ResourceLeakDetector#3021f880 (io.netty.util.ResourceLeakDetectorFactory)
[2020-08-17 18:02:08,149] ERROR Unsuccessful handshake with session 0x0 (org.apache.zookeeper.server.NettyServerCnxnFactory)
[2020-08-17 18:02:08,149] DEBUG close called for sessionid:0x0 (org.apache.zookeeper.server.NettyServerCnxn)
[2020-08-17 18:02:08,149] DEBUG cnxns size:0 (org.apache.zookeeper.server.NettyServerCnxn)
[2020-08-17 18:02:08,153] WARN Exception caught (org.apache.zookeeper.server.NettyServerCnxnFactory)
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 0000002d000000000000000000000000000075300000000000000000000000100000000000000000000000000000000000
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.lang.Thread.run(Thread.java:745)
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 0000002d000000000000000000000000000075300000000000000000000000100000000000000000000000000000000000
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1214)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1282)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437)
... 17 more
[2020-08-17 18:02:08,153] DEBUG Closing /x.x.x.x:56620[0](queued=0,recved=0,sent=0) (org.apache.zookeeper.server.NettyServerCnxnFactory)
[2020-08-17 18:02:08,153] DEBUG close called for sessionid:0x0 (org.apache.zookeeper.server.NettyServerCnxn)
[2020-08-17 18:02:08,153] DEBUG cnxns size:0 (org.apache.zookeeper.server.NettyServerCnxn)
Inside jks
keystore broker1.jks
Alias name: zserver
Entry type: PrivateKeyEntry
Owner: CN=zserver, C=RU
Alias name: dev1
Entry type: trustedCertEntry
Owner: CN=dev1, C=RU
keystore dev1.jks
Alias name: zserver
Entry type: trustedCertEntry
Owner: CN=zserver, C=RU
Alias name: dev1
Entry type: PrivateKeyEntry
Owner: CN=dev1, C=RU
Have found the problem - correct parameter is:
-Dzookeeper.client.secure=true
(Dzookeeper.ssl.client.enable=true is wrong)

JDK7 SSL conenction Issue Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

I am making a SSL connection (as client) and according to this Oracle article the following two cypher suits are supported in JDK7 if you use TLSv1.2 and enable the Strong version of the jurisdiction policy.
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
However the two cypher algorithms are ignored when making secure connection.
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
**Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384**
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
**Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256**
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1496192143 bytes = { 166, 200, 78, 178, 69, 10, 17, 174, 212, 142, 188, 108, 136, 152, 242, 222, 94, 231, 4, 86, 2, 99, 202, 4, 204, 130, 236, 120 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
Extension server_name, server_name: [host_name: api.sms.optus.com.au]
***
main, WRITE: **TLSv1.2** Handshake, length = 222
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
ERROR [main] (TestRest.java:42) - Error :
I have set the TLSv1.2
-Dhttps.protocols=TLSv1.2
I have installed the "JCE Unlimited Strength Jurisdiction Policy Files" and I can confirm its successfully installed by running the following code
try {
int maxAllowedKeyLength = Cipher.getMaxAllowedKeyLength("AES");
System.out.println("AES: " + maxAllowedKeyLength);
return maxAllowedKeyLength >= 256;
} catch (NoSuchAlgorithmException e) {
return false;
}
I think the two cypher algorithms are not supported in JDK7 but mistakenly mentioned in the Oracle article?
Notes:
There is no problem if I run the c0ode in JDK8.
I am behind firewal and had to setup proxy. but I dont think its related as I can connect in JDK8 with no issue.
The initial setting of the 'enabled' ciphers list is computed in SSLContextImpl.init before any tailoring is done, and in Java7 client the initial protocol list is only SSLv3 and TLSv1 (and in recent versions java.security configures jdk.tls.disabledAlgorithms to remove SSLv3 because of POODLE) so this disables all TLSv1.2-only ciphers, which are the only ones this server will agree to. This is the source of the Ignoring unsupported messages in your trace before the actual handshake starts.
If using HttpsURLConnection you need to set both https.protocols and https.cipherSuites (note capital S) sysprops. If directly using SSLSocket you need to call both .setEnabledProtocols including (at least) TLSv1.2 and .setEnabledCipherSuites including (at least) one of the ciphersuites you highlighted in your Q, or substitute/wrap the factory to do the equivalent.
Java8 does not have the problem because its default protocol list for both client and server is SSLv3,TLSv1,TLSv1.1,TLSv1.2, again with SSLv3 removed by jdk.tls.disabledAlgorithms

Java SSL: Invalid service principal name

On my game's Java server I ran 'sudo yum update' and now I am getting the following error when trying to connect via my game client:
[2015-07-26 01:58:12] [Thread-2] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
[2015-07-26 01:58:12] [Thread-2] INFO - Remote address = /54.165.60.189
[2015-07-26 01:58:12] [Thread-2] INFO - Remote port = 34215
[2015-07-26 01:58:12] [Thread-2] INFO - Local socket address = /192.168.1.4:59805
[2015-07-26 01:58:12] [Thread-2] INFO - Local address = /192.168.1.4
[2015-07-26 01:58:12] [Thread-2] INFO - Local port = 59805
[2015-07-26 01:58:12] [Thread-2] INFO - Need client authentication = false
[2015-07-26 01:58:17] [Thread-2] INFO - Cipher suite = SSL_NULL_WITH_NULL_NULL
[2015-07-26 01:58:17] [Thread-2] INFO - Protocol = NONE
[2015-07-26 01:58:17] [Thread-2] FATAL - (SSLSocket) factory.createSocket
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
at sun.security.ssl.SSLSocketImpl.checkEOF(Unknown Source)
at sun.security.ssl.SSLSocketImpl.checkWrite(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.jayavon.game.client.an.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source)
at com.jayavon.game.client.KisnardOnline.a(Unknown Source)
... 2 more
Caused by: java.io.IOException: Invalid service principal name: host/54.165.60.189
at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.getServiceTicket(Unknown Source)
at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.init(Unknown Source)
at sun.security.ssl.KerberosClientKeyExchange.init(Unknown Source)
at sun.security.ssl.KerberosClientKeyExchange.<init>(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
... 5 more
Caused by: KrbException: KrbException: Cannot locate default realm
at sun.security.krb5.Realm.getDefault(Unknown Source)
at sun.security.krb5.PrincipalName.<init>(Unknown Source)
at sun.security.krb5.PrincipalName.<init>(Unknown Source)
... 15 more
Caused by: KrbException: Cannot locate default realm
at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
... 18 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)
... 19 more
5 days ago this is what I saw when connecting to my game server from my client:
[2015-07-21 00:07:34] [Thread-2] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
[2015-07-21 00:07:34] [Thread-2] INFO - Remote address = /54.165.60.189
[2015-07-21 00:07:34] [Thread-2] INFO - Remote port = 34215
[2015-07-21 00:07:34] [Thread-2] INFO - Local socket address = /192.168.1.4:61480
[2015-07-21 00:07:34] [Thread-2] INFO - Local address = /192.168.1.4
[2015-07-21 00:07:34] [Thread-2] INFO - Local port = 61480
[2015-07-21 00:07:34] [Thread-2] INFO - Need client authentication = false
[2015-07-21 00:07:34] [Thread-2] INFO - Cipher suite = TLS_DH_anon_WITH_AES_128_CBC_SHA256
[2015-07-21 00:07:34] [Thread-2] INFO - Protocol = TLSv1.2
I thought it was that my keystore.jks file's certificate had expired, but I even tried to update with the certificate I just updated with startssl to no avail. Any help would be so appreciated.
Ideally I would like to fix this (so I can continue to update my EC2 server).
EDIT
I found the following java update in the list of my last updates with the following command:
rpm -qa --last
java-1.7.0-openjdk-1.7.0.85-2.6.1.3.61.amzn1.x86_64 Sun 26 Jul 2015 12:23:17 AM EDT
EDIT2
Client:
[2015-08-04 08:32:16] 15 [main] INFO - java.version: 1.8.0_20
[2015-08-04 08:32:17] 1028 [AWT-EventQueue-0] DEBUG - conf/
[2015-08-04 08:32:17] 1185 [main] INFO - Contacting Download Server...
...
[2015-08-04 08:32:57] 40786 [main] INFO - Finished updating game files!
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DH_anon_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_NULL_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_NULL_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - Remote address = /54.165.60.189
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - Remote port = 34215
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - Local socket address = /192.168.1.8:56729
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - Local address = /192.168.1.8
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - Local port = 56729
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - Need client authentication = false
[2015-08-04 08:33:12] 55873 [Thread-2] INFO - Cipher suite = SSL_NULL_WITH_NULL_NULL
[2015-08-04 08:33:12] 55873 [Thread-2] INFO - Protocol = NONE
[2015-08-04 08:33:12] 55889 [Thread-2] FATAL - (SSLSocket) factory.createSocket
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
at sun.security.ssl.SSLSocketImpl.checkEOF(Unknown Source)
at sun.security.ssl.SSLSocketImpl.checkWrite(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.jayavon.game.client.an.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source)
at com.jayavon.game.client.KisnardOnline.a(Unknown Source)
... 2 more
Caused by: java.io.IOException: Invalid service principal name: host/54.165.60.189
at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.getServiceTicket(Unknown Source)
at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.init(Unknown Source)
at sun.security.ssl.KerberosClientKeyExchange.init(Unknown Source)
at sun.security.ssl.KerberosClientKeyExchange.<init>(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
... 5 more
Caused by: KrbException: KrbException: Cannot locate default realm
at sun.security.krb5.Realm.getDefault(Unknown Source)
at sun.security.krb5.PrincipalName.<init>(Unknown Source)
at sun.security.krb5.PrincipalName.<init>(Unknown Source)
... 15 more
Caused by: KrbException: Cannot locate default realm
at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
... 18 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)
... 19 more
Server:
65795 [main] DEBUG - handleConnections thread started
65795 [main] DEBUG - Server is running on port 34215
124540 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
124541 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
124542 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
124542 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
124542 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
124543 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
124543 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
124544 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
124544 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
124544 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
124544 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
124545 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
124545 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_NULL_SHA256
124545 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_SHA
124545 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_MD5
124545 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
124545 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
124545 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
124548 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
124548 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
124548 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
125142 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA256
125152 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_NULL_SHA256
125156 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_SHA
125156 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_MD5
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
126102 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
126103 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
126104 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
126104 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
126104 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
126105 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
126105 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
126106 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
126106 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_NULL_SHA256
126106 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_MD5
126106 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
126106 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
126107 [connectionHandlerThread] INFO - Server socket class: class sun.security.ssl.SSLServerSocketImpl
126107 [connectionHandlerThread] INFO - Socket address = 0.0.0.0/0.0.0.0
126107 [connectionHandlerThread] INFO - Socket port = 34215
126108 [connectionHandlerThread] INFO - Need client authentication = false
126108 [connectionHandlerThread] INFO - Want client authentication = false
126108 [connectionHandlerThread] INFO - Use client mode = false
126108 [connectionHandlerThread] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
126108 [connectionHandlerThread] INFO - Remote address = /173.54.54.76
126108 [connectionHandlerThread] INFO - Remote port = 56729
126108 [connectionHandlerThread] INFO - Local socket address = /172.31.25.254:34215
126108 [connectionHandlerThread] INFO - Local address = /172.31.25.254
126108 [connectionHandlerThread] INFO - Local port = 34215
126109 [connectionHandlerThread] INFO - Need client authentication = false
131889 [connectionHandlerThread] INFO - Cipher suite = SSL_NULL_WITH_NULL_NULL
131889 [connectionHandlerThread] INFO - Protocol = NONE
131890 [connectionHandlerThread] FATAL - Socket connection could not be made!!
131890 [connectionHandlerThread] ERROR - client bad connection
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1508)
at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1520)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
at com.jayavon.game.server.MyServer.handleConnections(MyServer.java:4770)
at com.jayavon.game.server.MyServer.access$0(MyServer.java:4739)
at com.jayavon.game.server.MyServer$1.run(MyServer.java:435)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1991)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1098)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
at sun.security.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:2233)
at com.jayavon.game.server.MyServer.printSocketInfo(MyServer.java:4725)
at com.jayavon.game.server.MyServer.handleConnections(MyServer.java:4758)
... 3 more
Originally (i.e. before you updated your system via rpm), you used the Cipher suite TLS_DH_anon_WITH_AES_128_CBC_SHA256 which has no Diffie-Hellman Key-Exchange authentication in place. (Note: A protocol that is susceptible to Man-in-the-Middle attacks)
According to the Red Hat Customer Portal and to Amazon Linux AMI Security Center) a critical java-1.7.0-openjdk security update was released recently. You most certainly are experiencing the above problems due to this issue, described here:
A flaw was found in the way the TLS protocol composed the Diffie-Hellman
(DH) key exchange. A man-in-the-middle attacker could use this flaw to
force the use of weak 512 bit export-grade keys during the key exchange,
allowing them do decrypt all traffic. (CVE-2015-4000)
Note: This update forces the TLS/SSL client implementation in OpenJDK to
reject DH key sizes below 768 bits, which prevents sessions to be
downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211,
linked to in the References section, for additional details about this
change.
This explains - at least to some extent - why you're now getting Cipher suite = SSL_NULL_WITH_NULL_NULL since it seems that the original cipher suite is no longer available on your system (or it has been disabled now). This is also supported by: Protocol = NONE in the output you provided.
The 'Java Cryptography Architecture Oracle Providers Documentation for Java Platform Standard Edition 7' overview document has your original cipher suite also in the Default Disabled Cipher Suites list. So I think that the OpenJDK implementation did fix this security issue accordingly (see above URL references).
In general, this security fix for Java relates to the so called Logjam attack and the recommendation is:
Make sure any TLS libraries you use are up-to-date, that servers you maintain use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit
As a solution idea, maybe you could just change the SSL/Encryption settings of your Game-application (client and/or server) to use a non-DH-anon cipher suite?
Have a look at the Default Enabled Cipher Suites in the documentation provided by Oracle or have a look at the simple yet effective tool to detect Enabled ciphers on Ubuntu OpenJDK 7 provided by #dolmen.
Edit 1:
Have a look at this StackOverflow post and the answer by #EJP It looks very similar to your StackTrace (*hooray!). It seems that you better...
Don't mess with the enabled cipher suites. Take that code out and retest. You've enabled the anonymous suites, via which there is no authentication at all in either direction.
So you might change your code to not use setEnabledCipherSuites(..) explicitly as it enables cipher-suites not enabled by default ("DH-anon"...). Try to check what is the result if you take out these lines of code, as described.
Maybe go for TLS_ECDH_anon_WITH_AES_128_CBC_SHA as cipher suite (no classic DH parameters here). But, therefore you should update to OpenJDK 8 or Oracle JRE/JDK 8 on your server side, as this is not available in OpenJDK 7 (see your server debug log output).
Hope, it helps.

CAS server and CAS service on same server/container

I'm trying to get the CAS service management app working with CAS server (4.0) on the same instance of Tomcat on the same server. The problem lies with authenticating to the CAS management app via the CAS server. Everything works ok until the management app tries to validate the service ticket with the CAS server and a javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection? error is thrown:
DEBUG [org.springframework.security.cas.web.CasAuthenticationFilter] - <serviceTicketRequest = true>
DEBUG [org.springframework.security.cas.web.CasAuthenticationFilter] - <requiresAuthentication = true>
DEBUG [org.springframework.security.cas.web.CasAuthenticationFilter] - <Request is to process authentication>
DEBUG [org.springframework.security.cas.web.CasAuthenticationFilter] - <proxyReceptorConfigured = false>
DEBUG [org.springframework.security.cas.web.CasAuthenticationFilter] - <proxyReceptorRequest = false>
DEBUG [org.springframework.security.cas.web.CasAuthenticationFilter] - <serviceTicketRequest = true>
DEBUG [org.springframework.security.authentication.ProviderManager] - <Authentication attempt using org.springframework.security.cas.authentication.CasAuthenticationProvider>
DEBUG [org.springframework.security.cas.authentication.CasAuthenticationProvider] - <serviceUrl = https://myserver.com/cas-management/j_spring_cas_security_check>
DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Placing URL parameters in map.>
DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Calling template URL attribute map.>
DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Loading custom parameters from configuration.>
DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Constructing validation url: https://myserver.com/cas/serviceValidate?ticket=ST-56-mzPIDWgA0QMVj2ofdW1C-cas.myserver.com&service=https%3A%2F%2Fmyserver.com%2Fcas-management%2Fj_spring_cas_security_check>
DEBUG [org.jasig.cas.client.validation.Cas20ServiceTicketValidator] - <Retrieving response from server.>
ERROR [org.jasig.cas.client.util.CommonUtils] - <Unrecognized SSL message, plaintext connection?>
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
Both the service url and validation url are over https, so I'm not sure why this error is occurring. I know that the CAS server is configured correctly because everything works fine for services that are not on the same server as CAS.
The documentation says that the management app can be deployed along side CAS so I'm assuming that this can be done successfully.
Or is there a better way to authenticate that I'm missing? It seems like a waste to use https when both apps are on the same server.
Any thoughts? Thanks!
Edit
Here's the full stacktrace:
ERROR [org.jasig.cas.client.util.CommonUtils] - <Unrecognized SSL message, plaintext connection?>
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:671)
at sun.security.ssl.InputRecord.read(InputRecord.java:504)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1300)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:326)
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:305)
at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:50)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:207)
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:140)
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:126)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
at org.springframework.security.cas.web.CasAuthenticationFilter.attemptAuthentication(CasAuthenticationFilter.java:242)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at com.github.inspektr.common.web.ClientInfoThreadLocalFilter.doFilter(ClientInfoThreadLocalFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:503)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
and the SSL debug when trying to validate:
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-bio-127.0.0.1-8021-exec-25, setSoTimeout(0) called
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1406390052 bytes = { 23, 201, 54, 229, 136, 4, 6, 166, 108, 226, 115, 79, 184, 27, 36, 163, 16, 248, 52, 47, 96, 149, 40, 24, 198, 81, 76, 10 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name: myserver.com]
***
http-bio-127.0.0.1-8021-exec-25, WRITE: TLSv1 Handshake, length = 181
http-bio-127.0.0.1-8021-exec-25, handling exception: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
http-bio-127.0.0.1-8021-exec-25, SEND TLSv1 ALERT: fatal, description = unexpected_message
http-bio-127.0.0.1-8021-exec-25, WRITE: TLSv1 Alert, length = 2
http-bio-127.0.0.1-8021-exec-25, called closeSocket()
Seems like you have not enabled a Connector in Tomcat's configuration file $CATALINA_BASE/conf/server.xml that terminates HTTPs. You'd do that by adding for your specific port (8443 in this sample):
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
protocol="HTTP/1.1"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>
See: http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

SSLHandshakeException: Received fatal alert: handshake_failure when setting ciphers on tomcat 7 server

I have a Tomcat7 web-server which I tried to configure to accept secure connections by adding this connector to the server.xml file:
<Connector SSLEnabled="true"
acceptCount="100"
connectionTimeout="20000"
executor="tomcatThreadPool"
keyAlias="server"
keystoreFile="c:\opt\engine\conf\tc.keystore"
keystorePass="o39UI12z"
maxKeepAliveRequests="15"
port="8443"
protocol="HTTP/1.1"
redirectPort="8443"
scheme="https"
secure="true"
sslProtocol="TLS"/>
I'm using a self-signed certificate generated using this command:
%JAVA_HOME%/bin/keytool -genkeypair -keystore c:\opt\engine\conf\tc.keystore -storepass o39UI12z-keypass o39UI12z-dname "cn=Company, ou=Company, o=Com, c=US" -alias server -validity 36500
On the client side I have a spring application that connects with the server using RestTemplate. On application context startup I initalize the restTemplate instance this way:
final ClientHttpRequestFactory clientHttpRequestFactory =
new MyCustomClientHttpRequestFactory(new NullHostNameVerifier(), serverInfo);
restTemplate.setRequestFactory(clientHttpRequestFactory);
The class MyCustomClientHttpRequestFactory looks like this:
public class MyCustomClientHttpRequestFactory extends SimpleClientHttpRequestFactory {
private static final Logger LOGGER = LoggerFactory
.getLogger(MyCustomClientHttpRequestFactory.class);
private final HostnameVerifier hostNameVerifier;
private final ServerInfo serverInfo;
public MyCustomClientHttpRequestFactory (final HostnameVerifier hostNameVerifier,
final ServerInfo serverInfo) {
this.hostNameVerifier = hostNameVerifier;
this.serverInfo = serverInfo;
}
#Override
protected void prepareConnection(final HttpURLConnection connection, final String httpMethod)
throws IOException {
if (connection instanceof HttpsURLConnection) {
((HttpsURLConnection) connection).setHostnameVerifier(hostNameVerifier);
((HttpsURLConnection) connection).setSSLSocketFactory(initSSLContext()
.getSocketFactory());
}
super.prepareConnection(connection, httpMethod);
}
private SSLContext initSSLContext() {
try {
System.setProperty("https.protocols", "TLSv1");
// Set ssl trust manager. Verify against our server thumbprint
final SSLContext ctx = SSLContext.getInstance("TLSv1");
final SslThumbprintVerifier verifier = new SslThumbprintVerifier(serverInfo);
final ThumbprintTrustManager thumbPrintTrustManager =
new ThumbprintTrustManager(null, verifier);
ctx.init(null, new TrustManager[] { thumbPrintTrustManager }, null);
return ctx;
} catch (final Exception ex) {
LOGGER.error(
"An exception was thrown while trying to initialize HTTP security manager.", ex);
return null;
}
}
Up until here everything worked fine. When I put a break point in the SslThumbprintVerifier class, the code reached to this point and also to the NullHostNameVerifier class. This was tested in production and worked great.
Now I wanted to extend security by limiting the cipher suites and I added this property to the Connector I presented at the beginning:
ciphers="TLS_KRB5_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_AES_256_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_KRB5_WITH_3DES_EDE_CBC_SHA"
Now when I'm running the client code I get this exception:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
This happens in the restTemplate.doExecute() method. The code doesn't reach to the thumbprint verifier class nor to the host name verifier class as it did before adding the ciphers.
In debug I checked the ctx.getSocketFactory().getSupportedCipherSuites() which showed:
[SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
and also checked ctx.getSocketFactory().getDefaultCipherSuites():
[SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
and lastly the ctx.getSupportedSSLParameters().getCipherSuites():
[SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
As far as I understand, if there's an intersection between the client's supported/enabled cipher suites and the server's supported cipher suites it should work (we have such intersection with SSL_RSA_WITH_RC4_128_SHA for example). And yet I'm getting this error.
In the next step I added this java parameter:
-Djavax.net.debug=ssl,handshake,failure
The log showed only the client-hello, with no server-hello response:
[2013-03-20 15:29:51.315] [INFO ] data-service-pool-37 System.out trigger seeding of SecureRandom
[2013-03-20 15:29:51.315] [INFO ] data-service-pool-37 System.out done seeding SecureRandom
[2013-03-20 15:30:38.894] [INFO ] data-service-pool-37 System.out Allow unsafe renegotiation: false
[2013-03-20 15:30:38.894] [INFO ] data-service-pool-37 System.out Allow legacy hello messages: true
[2013-03-20 15:30:38.894] [INFO ] data-service-pool-37 System.out Is initial handshake: true
[2013-03-20 15:30:38.894] [INFO ] data-service-pool-37 System.out Is secure renegotiation: false
[2013-03-20 15:30:38.894] [INFO ] data-service-pool-37 System.out %% No cached client session
[2013-03-20 15:30:38.894] [INFO ] data-service-pool-37 System.out *** ClientHello, TLSv1
[2013-03-20 15:30:38.941] [INFO ] data-service-pool-37 System.out RandomCookie: GMT: 1363720446 bytes = { 99, 249, 173, 214, 110, 82, 58, 52, 189, 92, 74, 169, 133, 128, 250, 109, 160, 64, 112, 253, 50, 160, 255, 196, 85, 93, 33, 172 }
[2013-03-20 15:30:38.941] [INFO ] data-service-pool-37 System.out Session ID: {}
[2013-03-20 15:30:38.941] [INFO ] data-service-pool-37 System.out Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[2013-03-20 15:30:38.956] [INFO ] data-service-pool-37 System.out Compression Methods: { 0 }
[2013-03-20 15:30:38.956] [INFO ] data-service-pool-37 System.out ***
[2013-03-20 15:30:38.956] [INFO ] data-service-pool-37 System.out data-service-pool-37, WRITE: TLSv1 Handshake, length = 81
[2013-03-20 15:30:38.956] [INFO ] data-service-pool-37 System.out data-service-pool-37, READ: TLSv1 Alert, length = 2
[2013-03-20 15:30:38.956] [INFO ] data-service-pool-37 System.out data-service-pool-37, RECV TLSv1 ALERT: fatal, handshake_failure
[2013-03-20 15:30:38.972] [INFO ] data-service-pool-37 System.out data-service-pool-37, called closeSocket()
[2013-03-20 15:30:38.972] [INFO ] data-service-pool-37 System.out data-service-pool-37, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
When removing the ciphers from the server.xml it works again.
Also I will mention that I'm testing both the server and the client on the same machine. I tried setting the server's ip in the client request to 'localhost' and to the actual machine ip and it didn't work in both cases. Also, I had this server running on a different linux machine (the keystore was generated on the linux machine with a linux path of course) and still - it works without the ciphers and stops working with the ciphers.
Well, I got this issue solved. It appears that by creating a self-signed certificate, using keytool, without providing -keyalg parameter makes the key-pair algorithm default to DSA. None of my ciphers suite included DSA algorithm. In that case, although the client and the server had intersection between their cipher-suites, neither was suitable for the key algoritm.
Adding -keyalg RSA when generating the keystore, solved the problem.