We Keep Coding

JMeter JMS: Getting Error: Failed to connect via SSL to [ssl://<server-name>:7352]: Received fatal alert: protocol_version

I'm trying to publish message to a Tibco Queue on a SSL Tibco Server through JMeter 5.4.1 using JMS Point-to-Point Logic Controller.
JMS Point To Point Controller Config
But I'm getting the following error message:
2021-06-13 12:25:46,278 ERROR o.a.j.p.j.s.JMSSampler: Not permitted:
Failed to connect to any server at: ssl://[server-name]:7352,
ssl://[server-name]:7352 [Error: Failed to connect via SSL to
[ssl://[server-name]:7352]: Received fatal alert:
protocol_version: url that returned this exception =
SSL://[server-name]:7352 ]
javax.naming.AuthenticationException: Not permitted: Failed to connect
to any server at: ssl://[server-name]:7352,
ssl://[server-name]:7352 [Error: Failed to connect via SSL to
[ssl://[server-name]:7352]: Received fatal alert:
protocol_version: url that returned this exception =
SSL://[server-name] ] at
com.tibco.tibjms.naming.TibjmsContext.lookup(TibjmsContext.java:670)
~[tibjms.jar:8.0.0] at
com.tibco.tibjms.naming.TibjmsContext.lookup(TibjmsContext.java:491)
~[tibjms.jar:8.0.0] at
javax.naming.InitialContext.lookup(InitialContext.java:417)
~[?:1.8.0_291] at
org.apache.jmeter.protocol.jms.sampler.JMSSampler.threadStarted(JMSSampler.java:638)
[ApacheJMeter_jms.jar:5.4.1] at
org.apache.jmeter.threads.JMeterThread$ThreadListenerTraverser.addNode(JMeterThread.java:784)
[ApacheJMeter_core.jar:5.4.1] at
org.apache.jorphan.collections.HashTree.traverseInto(HashTree.java:993)
[jorphan.jar:5.4.1] at
org.apache.jorphan.collections.HashTree.traverse(HashTree.java:976)
[jorphan.jar:5.4.1] at
org.apache.jmeter.threads.JMeterThread.threadStarted(JMeterThread.java:752)
[ApacheJMeter_core.jar:5.4.1] at
org.apache.jmeter.threads.JMeterThread.initRun(JMeterThread.java:740)
[ApacheJMeter_core.jar:5.4.1] at
org.apache.jmeter.threads.JMeterThread.run(JMeterThread.java:252)
[ApacheJMeter_core.jar:5.4.1]
I tried:
openssl s_client -connect [server-name]:7352
It gave the following output:
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
So added the following line in jmeter.properties file.
https.default.protocol=TLSv1.2
Also commented jdk.tls.disabledAlgorithms from java.security file for JDK (I'm using jdk1.8.0_291)
# jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
# DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
# include jdk.disabled.namedCurves
But still I'm getting the same error. Someone please help.

I think you're using the wrong property (not only the wrong property but the wrong place as well), you're setting default protocol for HTTPS, while you need to set it for TLS, i.e. add the next line to system.properties file
jdk.tls.client.protocols=TLSv1.2
JMeter restart will be required to apply this property.
If it won't help or you will get different errors - consider adding the next line there as well:
javax.net.debug=all
and then check jmeter.log file and stdout for any suspicious entries
More information:
Configuring JMeter
Apache JMeter Properties Customization Guide

I resolved it by using the latest tibjms.jar in the lib directory in JMeter as the Tibco server was upgraded some hours before I raised this issue.

Kerberos aes-256 encryption not working

Server is a RHEL7, Kerberos is AD (Windows). I'm only client of KDC.
Arcfour-hmac works fine but when I change encryption type to aes-256 and set up a new keytab, kinit still works, but not kvno. And even if the user seems to have a valid ticket (in klist) he is not able to start services anymore.
I don't have access to the Kerberos AD, but it seems properly configured to use aes-256, because end users (on Windows computers) already request tickets in this encryption type.
My krb5.conf :
[libdefaults]
default_realm = TOTO.NET
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
default_tkt_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
default_tgs_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
permitted_enctypes = aes256-cts aes128-cts des-cbc-md5 des-cbc-crc
[realms]
TOTO.NET = {
kdc = kdc1.toto.net
kdc = kdc2.toto.net
admin_server = kdc1.toto.net
}
[domain_realm]
.toto.net = TOTO.NET
toto.net = TOTO.NET
And here the errors I got when I try to acquire a ticket with kvno :
[2477332] 1493147723.961912: Getting credentials myuser#TOTO.NET -> nn/myserver#TOTO.NET using ccache FILE:/tmp/krb5cc_0
[2477332] 1493147723.962055: Retrieving myuser#TOTO.NET -> nn/myserver#TOTO.NET from FILE:/tmp/krb5cc_0 with result: -1765328243/Matching credential not found (filename: /tmp/krb5cc_0)
[2477332] 1493147723.962257: Retrieving myuser#TOTO.NET -> krbtgt/TOTO.NET#TOTO.NET from FILE:/tmp/krb5cc_0 with result: 0/Success
[2477332] 1493147723.962267: Starting with TGT for client realm: myuser#TOTO.NET -> krbtgt/TOTO.NET#TOTO.NET
[2477332] 1493147723.962274: Requesting tickets for nn/myserver#TOTO.NET, referrals on
[2477332] 1493147723.962309: Generated subkey for TGS request: aes256-cts/17DF
[2477332] 1493147723.962363: etypes requested in TGS request: aes256-cts, aes128-cts
[2477332] 1493147723.962504: Encoding request body and padata into FAST request
[2477332] 1493147723.962575: Sending request (1716 bytes) to TOTO.NET
[2477332] 1493147723.962725: Resolving hostname kdc1.TOTO.NET
[2477332] 1493147723.963054: Initiating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147723.964205: Sending TCP request to stream ip_of_kdc1:88
[2477332] 1493147724.3751: Received answer (329 bytes) from stream ip_of_kdc1:88
[2477332] 1493147724.3765: Terminating TCP connection to stream ip_of_kdc1:88
[2477332] 1493147724.3846: Response was not from master KDC
[2477332] 1493147724.3879: Decoding FAST response
[2477332] 1493147724.3965: TGS request result: -1765328370/KDC has no support for encryption type
klist -ket mykeytab
Keytab name: FILE:nn.service.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
1 01/01/1970 01:00:00 nn/myserver01#TOTO.NET (aes256-cts-hmac-sha1-96)
1 03/22/2017 16:34:55 nn/myserver02#TOTO.NET (aes256-cts-hmac-sha1-96)
Thanks for your help

Ask your AD administrator to enable support for AES-256 encryption types on the AD account associated with the keytab. To find that account, run this command:
setspn -Q nn/myserver01#TOTO.NET
the output will tell you the name of the account. It will start with CN=xxx, where "xxx" is the name of the AD account. To enable support for AES-256 encryption types on the AD account, tell your AD admin that the checkbox "This account supports Kerberos AES 256 bit encryption" must be checked, and that is found under Account tab, all the way at the bottom.

I just recently encountered this problem and was able to solve it.
for us, it was that AD was using a different salt than what the Kerberos client used by default.
That is, when using ktutil:
addent -password -p servicepuppetnp#AMER.EXAMPLE.COM -k 4 -e arcfour-hmac
Password for admspike_white#AMER.EXAMPLE.COM:
produces a keytab file that I could use to kinit as that principal. Whereas:
ktutil: addent -password -p admspike_white#AMER.EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for admspike_white#AMER.EXAMPLE.COM:
did not produce a keytab file that would allow successful kinit. (pre-auth failure).
I had to do this:
ktutil: addent -password -p admspike_white#AMER.EXAMPLE.COM -k 1 -e aes256-cts-hmac-sha1-96 -f
Password for admspike_white#AMER.EXAMPLE.COM:
which tells ktutil to get the salt info from the AD DC. then it uses the correct salt. That produces a keytab file that allows successful kinit.

Synchronise and read Gmail offline, using isync OR offlineimap

My goal is to sync my emails from a Gmail account and index them to search and read within Emacs. The latter is not yet relevant as I cannot get the emails to sync to my laptop.
I am running Mavericks and so working in Mac Terminal.
I have followed SO accepted answer and the answer in the same thread trying to use offlineimap, as well as a second method in this (more promising) tutorial on using isync (and so mbsync). Both ways end up using mu and the interface for Emacs: mu4e.
The certificates are not being read/interpreted correctly. I do not know why as I do not understand the error messages. Here is the one from offlineimap :
> OfflineIMAP 6.5.7
Licensed under the GNU GPL v2 or any later version (with an OpenSSL exception)
Account sync Gmail:
*** Processing account Gmail
Establishing connection to imap.gmail.com:993
PLAIN authentication failed: [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)
LOGIN authentication failed: [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)
ERROR: All authentication types failed:
PLAIN: [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)
LOGIN: [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)
*** Finished account 'Gmail' in 0:01
ERROR: Exceptions occurred during the run!
ERROR: All authentication types failed:
PLAIN: [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)
LOGIN: [ALERT] Please log in via your web browser: https://support.google.com/mail/accounts/answer/78754 (Failure)
>
> Traceback: File
> "/usr/local/Cellar/offline-imap/6.5.7/libexec/offlineimap/accounts.py",
> line 263, in syncrunner
> self.__sync() File "/usr/local/Cellar/offline-imap/6.5.7/libexec/offlineimap/accounts.py",
> line 326, in __sync
> remoterepos.getfolders() File "/usr/local/Cellar/offline-imap/6.5.7/libexec/offlineimap/repository/IMAP.py",
> line 351, in getfolders
> imapobj = self.imapserver.acquireconnection() File "/usr/local/Cellar/offline-imap/6.5.7/libexec/offlineimap/imapserver.py",
> line 451, in acquireconnection
> self.__authn_helper(imapobj) File "/usr/local/Cellar/offline-imap/6.5.7/libexec/offlineimap/imapserver.py",
> line 366, in __authn_helper
> "failed:\n\t%s"% msg, OfflineImapError.ERROR.REPO)
Here is the one from mbsync:
> C: 0/3 B: 0/2 M: +0/0 *0/0 #0/0 S: +0/0 *0/0 #0/0
Error while loading certificate file '/usr/local/etc/openssl/certs/Equifax.crt': error:00000000:lib(0):func(0):reason(0)
C: 3/3 B: 0/2 M: +0/0 *0/0 #0/0 S: +0/0 *0/0 #0/0
I have installed everything with Homebrew and am using the folders as per the tutorials. The problem is coming from the certificates, but I don't know what the problem could be. I have the setting within Gmail to allow IMAP and also allowed connection for less secure apps.
How might I deal with the certificates differently?

For the offlineimap error, Google is complaining that you aren't using Oauth2. I got past the same offlineimap issue following the explanation here: https://github.com/OfflineIMAP/offlineimap/issues/228
You need to configure your .offlineimaprc to use Oauth2 instead of specifying a username/password. Here's the template and instructions on how to generate the tokens:
https://github.com/OfflineIMAP/offlineimap/blob/master/offlineimap.conf#L764
Here's the important settings:
auth_mechanisms = GSSAPI, CRAM-MD5, XOAUTH2, PLAIN, LOGIN
oauth2_client_secret = ...
oauth2_client_id = ...
oauth2_refresh_token = ...

the trustAnchors parameter must be non-empty while invoking the procedure using HTTP adapter

I am receiving the following error while trying to connect my REST webservice using HTTP adapter in IBM Mobile First:
"errors": [
"Runtime: Http request failed: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty"
I am passing the user id and password in a base64 encoded format in the headers section of my input.
How do I resolve this error?

Yoel's answer got me on track: your adapter is doing an SSL request to a server that is not trusted by the keystore in your MobileFirst server.
You need to import in your server's keystore the certificate chain of the server that you are trying to reach. What I did was
From Firefox, export the certificate chain in PEM format (.crt extension).
In the server/conf folder of your project, import the certificate chain file. If you are using the defaults form the worklight.properties file, this will do it:
keytool --import -keystore default.keystore -storepass worklight -file remoteServer.crt

This bizarre message means that the truststore you specified was not
found, or couldn't be opened due to access permissions for example.
Quote from: Error - trustAnchors parameter must be non-empty
Author: #EJP
Similar question:
got java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty when using cas

SSL certificate validation for a proxy connection using python requests

I'm trying to connect to a site, e.g www.yahoo.com via proxy using python requests library. So, I define proxy settings as:
HOST = 'host'
PORT = 1234 # random port I have used here
USER = 'user'
PASS = 'password'
PROXY = "%s:%s#%s:%d" % (USER, PASS, HOST, PORT)
PROXY_DICT = {
"http" : 'http://' + PROXY,
"https" : 'https://' + PROXY,
}
I use the following line of code:
requests.get('http://www.yahoo.com', proxies=proxy_dict)
This doesn't raise an exception but the response text is an error page from the proxy saying "Ensure you have installed the certificate". I have a certificate "certificate.crt", which runs fine when used with chrome browser. And the certificate is self-signed. I have tried a couple of things which raise errors.
When used the crt file as a verify param, following error:
SSLError: [Errno bad ca_certs: 'certificate.crt'] []
When used the crt file as a cert param, following error:
Error: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_certificate_file', 'PEM lib')]
I managed to get a .pem file(I'm not sure but, it might have been generated using a key and a crt file) as well. When using it with cert param, it doesn't throw error, but the response text is again having the text "...Ensure that the certificate is installed..."
When used .pem file with verify param, following error:
SSLError: [Errno bad handshake] [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
Now when I refer to requests docs, I see I can use two parameters verify and cert. What shall I use here? And how?