HTML5/WebRTComm.js==>MMS on WSS: SSLException: Received fatal alert: protocol_version - webrtc

Given the new requirement that browsers no longer support voice/video over insecure origins (which is forcing us developers to redo/undo/go back, since none of the test environment workarounds is practical in a distributed environment), I have tried to switch to https and wss, and I have configured the MMS connector with the following. I am running a converged app with two Tomcat instances:
1 - Apache Tomcat v8.0 at localhost for the app embedding the WebRTComm framework (WebRTComm.js, jain-sip.js, etc.). https is working perfectly in the browser and in code for the app.
2 - Mobicents Apache Tomcat v7.0 at localhost for the SIP servlet for signalling and other needed pre-session requirements. WSS is causing trouble at the server, with no return from the handshake.
This is the connector in Mobicents Apache Tomcat v7.0:
<Connector URIEncoding="UTF-8"
acceptCount="200"
clientAuth="false"
compressableMimeType="text/html,text/xml,text/plain"
compression="off"
compressionMinSize="2048"
connectionUploadTimeout="120000"
disableUploadTimeout="true"
enableLookups="false"
keystoreFile=":\Developement\.....\ServerKeyStore\server.jks" // I wonder why the relative path (conf/ServerTrustStore\truststore.jks) is resolved but throws FileNotFoundException in a particular case. Any idea?
keystorePass="xxxxxx"
keyAlias="clientselfsigned"
maxKeepAliveRequests="200"
maxThreads="250"
maxSpareThreads="75"
minSpareThreads="25"
maxHttpHeaderSize="8192"
port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https"
secure="true"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv3,SSLv2Hello"
sslProtocol="TLS"
truststorePass="xxxxxx"
truststoreType="jks"
truststorefile="D:\Developement\.....\ServerKeyStore\server.jks" // I wonder why the relative path (conf/ServerTrustStore\truststore.jks) is resolved but throws FileNotFoundException in a particular case. Any idea?
/>
And this is the connector in Apache Tomcat v8.0 for the web app:
<Connector URIEncoding="UTF-8"
acceptCount="200"
clientAuth="false"
compressableMimeType="text/html,text/xml,text/plain"
compression="off"
connectionUploadTimeout="120000"
disableUploadTimeout="true"
enableLookups="false"
keystoreFile="D:\Developement\....\ServerTrustStore\truststore.jks"
keystorePass="xxxxx"
keyAlias="clientselfsigned"
maxKeepAliveRequests="200"
maxThreads="250"
maxSpareThreads="75"
minSpareThreads="25"
maxHttpHeaderSize="8192"
port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https"
secure="true"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv3,SSLv2Hello"
sslProtocol="TLS"
truststorePass="xxxxxx"
truststoreType="jks"
truststorefile="D:\Developement\....\ServerTrustStore\truststore.jks"
/>
I have configured both my SIP stack and the Eclipse launch configuration (run/debug) with:
gov.nist.javax.sip.TLS_CLIENT_AUTH_TYPE=Disabled
javax.net.ssl.keyStore="D:\Developement\Projects\Sources\Pending\security\ServerKeyStore\server.jks"
javax.net.ssl.trustStore="D:\Developement\Projects\Sources\Pending\security\ServerKeyStore\server.jks"
javax.net.ssl.trustStorePassword=xxx
javax.net.ssl.keyStorePassword=xxx
javax.net.ssl.trustStoreType=JKS
gov.nist.javax.sip.TLS_CLIENT_PROTOCOLS=TLSv1.2,TLSv1.1,TLSv1,SSLv3,SSLv2Hello
gov.nist.javax.sip.MAX_MESSAGE_SIZE=1048576
javax.net.debug=ssl
I have also created the necessary keystore and client truststore, as can be seen above.
I have tried a variation of TLSv1.2,TLSv1.1,TLSv1 and see that the client (jain-sip.js) and MMS are both happy with TLSv1.2. See ClientHello, TLSv1.2 and ServerHello, TLSv1.2 as below:
%% Initialized: [Session-13, SSL_NULL_WITH_NULL_NULL]
%% Negotiating: [Session-13, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
*** ServerHello, TLSv1.2
and the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 was selected.
So when I click client.hml ==> TelScaleRTMController.js (onClickConnectButtonViewEventHandler) ==> this.webRTCommClient.open(this.webRTCommClientConfiguration); ==> RegistrarSIPServlet.java, the TLS handshake succeeds, as I can get to my RegistrarSIPServlet.doRegister().
It is here that things go bad: as soon as it executes SipServletResponse.send();, it says:
NioSelector-WSS-172.62.2.10/5082, RECV TLSv1.2 ALERT: fatal, protocol_version
NioSelector-WSS-172.62.2.10/5082, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: protocol_version
NioSelector-WSS-172.62.2.10/5082, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: protocol_version
javax.net.ssl.SSLException: Received fatal alert: protocol_version
.....
Caused by: java.lang.NullPointerException
at gov.nist.javax.sip.stack.SSLStateMachine.unwrap(SSLStateMachine.java:263)
at gov.nist.javax.sip.stack.SSLStateMachine.unwrap(SSLStateMachine.java:198)
at gov.nist.javax.sip.stack.NioTlsWebSocketMessageChannel.addBytes(NioTlsWebSocketMessageChannel.java:215)
at gov.nist.javax.sip.stack.NioTcpMessageChannel.readChannel(NioTcpMessageChannel.java:117)
.....
The SIP message generated and received by the registrar is:
SIP message sent: REGISTER sip:pbx.server.com SIP/2.0
Call-ID: 1451477183409
CSeq: 1 REGISTER
From: sip:admin#pbx.server.com;tag=1451477183429
To: sip:admin#pbx.server.com
Via: SIP/2.0/WSS XNCrSBbscUch.invalid;branch=z9hG4bK-333430-45dd017fdcbb8f884bf0a78789902ae7;rport
Max-Forwards: 70
User-Agent: RoooterUAv1.0[admin-MOHAMMAD-125-1]-0
Expires: 3600
Allow: INVITE,ACK,BYE,CANCEL,UPDATE,INFO,SUBSCRIBE,NOTIFY,REFER,MESSAGE,OPTIONS
Contact: sip:admin#XNCrSBbscUch.invalid;transport=wss
Content-Length: 0
As you can see, no SDP is generated as of now, and this is where we stop.
The client waits to time out ....
One more thing: I have restricted to the same domain of my PBX, in my DAR, as:
INVITE=("project","DAR:From","ORIGINATING","","NO_ROUTE","0","REGEX=From:.sip:.#pbx.domain.com"),("project","DAR:From","TERMINATING","","NO_ROUTE","0","REGEX=From:.sip:.#pbx.domain.com")
MESSAGE=("project","DAR:From","ORIGINATING","","NO_ROUTE","0")
PUBLISH=("project","DAR:From","ORIGINATING","","NO_ROUTE","0")
NOTIFY=("project","DAR:From","ORIGINATING","","NO_ROUTE","0")
REGISTER=("project","DAR:From","ORIGINATING","","NO_ROUTE","0","REGEX=From:.sip:.#pbx.domain.com",("project","DAR:From","TERMINATING","","NO_ROUTE","0","REGEX=From:.sip:.#pbx.domain.com")
REFER=("project","DAR:From","ORIGINATING","","NO_ROUTE","0")
SUBSCRIBE=("project","DAR:From","ORIGINATING","","NO_ROUTE","0")
OPTIONS=("project","DAR:From","ORIGINATING","","NO_ROUTE","0")
I will very much appreciate your ideas on understanding the problem and the solution.
Thank you !!

Related

tomcat ssl configuration in port 443

I am trying to configure ssl into my web app. Generated the .jks file from .cer file using java keytool and configured it in server.xml
But Tomcat refuses to start in port 443 or port 8443 after this configuration.
server.xml
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="/home/file.jks" keystorePass="****" />
and
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" connectionTimeout="20000" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" keystoreFile="/home/file.jks" keystorePass="****" />
URL used in browser:
https://10.111.77.66/MY-APP
and https://10.111.77.66:8443/MY-APP
Both URLs are not working.
Error message in Browser:
This site can’t provide a secure connection
10.111.77.66 uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Before SSL configuration, Application was running fine in port 8082. ( http://10.111.77.66:8082/MY-APP )
What is wrong here? Stuck up badly. Please help.
Server is Linux.
Tomcat Logs:
java.net.SocketException: Permission denied
at java.base/sun.nio.ch.Net.bind0(Native Method)
at java.base/sun.nio.ch.Net.bind(Net.java:455)
at java.base/sun.nio.ch.Net.bind(Net.java:447)
org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)

How to resolve Sweet32 vulnerability on Apache Tomcat?

I am having some trouble getting rid of a server vulnerability. The Sweet32 vulnerability deals with medium strength cipher suites on my web server. The scanner output reads as follows, "The remote host supports the use of SSL ciphers that offer medium strength encryption. Nessus regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite."
The following medium strength ciphers were found on the server:
EDH-RSA-DES-CBC3-SHA;
ECDHE-RSA-DES-CBC3-SHA;
DES-CBC3-SHA
I tried editing the server.xml file for Apache Tomcat. There is an SSL connector portion of the server.xml file that I have been editing. It reads as follows, but the vulnerability is still getting flagged. I've also played around with disabling certain cipher suites in the registry, such as 3DES. Any ideas on how to fix this vulnerability would be so helpful.
<Connector URIEncoding="UTF-8"
clientAuth="false"
port="443"
scheme="https"
minSpareThreads="5"
enableLookups="true"
acceptCount="100"
maxThreads="200"
secure="true"
SSLEnabled="true"
keystoreFile="**********"
keystorePass="*********"
sslProtocol="TLSv1.2"
algorithm="IbmX509"
compression="on"
noCompressionUserAgents="gozilla, traviata"
compressableMimeType="text/html,text/xml,text/css,text/plain,text /javascript,application/javascript,application/x-javascript"
SSLCipherSuite="TLS_EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!3DES:!ECDHE-RSA-DES-CBC3-SHA"
/>
Removing the Ciphers you listed from the server.xml file should fix this.
Like this:
SSLCipherSuite="TLS_EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!3DES"
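
An added example, not part of the original answer or of Tomcat itself: a small Python audit that parses Connector elements like the ones quoted on this page and reports every explicitly listed 3DES (Sweet32) suite and every legacy protocol name. The function name, the policy set and the shortened sample server.xml are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: policy is TLSv1.2 or newer, so these protocol names are reported.
LEGACY_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
# 3DES suites are named DES-CBC3 (OpenSSL style) or 3DES_EDE (JSSE style).
TRIPLE_DES = re.compile(r"DES-CBC3|3DES", re.IGNORECASE)
CIPHER_ATTRS = ("SSLCipherSuite", "ciphers")


def audit_connectors(server_xml):
    """Return (port, attribute, value) for each legacy protocol or 3DES suite listed."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        for proto in re.split(r"[,\s+]+", conn.get("sslEnabledProtocols", "")):
            if proto in LEGACY_PROTOCOLS:
                findings.append((port, "sslEnabledProtocols", proto))
        for attr in CIPHER_ATTRS:
            for token in re.split(r"[:,\s]+", conn.get(attr, "")):
                # "!" and "-" tokens remove suites, so only positive tokens are
                # reported. A listed 3DES suite is reported even if "!3DES"
                # follows: the string contradicts itself and should be cleaned.
                if token and token[0] not in "!-" and TRIPLE_DES.search(token):
                    findings.append((port, attr, token))
    return findings


# Constructed sample: a shortened server.xml using attribute values quoted above.
SAMPLE = """<Server><Service>
  <Connector port="8443" scheme="https" secure="true"
             sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1,SSLv3,SSLv2Hello"/>
  <Connector port="443" scheme="https" secure="true" sslProtocol="TLSv1.2"
             SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:HIGH:!aNULL:!3DES"/>
</Service></Server>"""

if __name__ == "__main__":
    for port, attr, value in audit_connectors(SAMPLE):
        print(f"port {port}: {attr} lists {value}")
```

An empty result only means that no legacy protocol or 3DES suite is explicitly listed; when the attributes are absent, the defaults of the JVM or native library apply and have to be checked separately.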

symmetricDS two way ssl handshake(clientAuth=false)

Problem summary:
I am trying to run SymmetricDS on Tomcat with SSL. Setup details:
1). Master node M1: running on Tomcat.
2). Client node C1: running on Tomcat.
I am able to run symmetricds on tomcat without ssl. This setup works fine all sync happens.
Now when I am trying to run tomcat with following setting for ssl, it gives bad_certificate error on client node:
connection setting on Master node:
<Connector SSLEnabled="true" acceptCount="10"
algorithm="PKIX" allowTrace="false"
ciphers=""
clientAuth="true"
enableLookups="true"
keystoreFile="/root/symmetric-server-3.8.28/security/keystore.p12"
keystorePass="changeit#1"
keystoreType="pkcs12"
port="31415"
redirectPort="-1"
scheme="https"
secure="true"
sslEnabledProtocols="TLSv1.2"
sslProtocol="TLSv1.2"
truststoreFile="/root/symmetric-server-3.8.28/security/keystore.p12"
truststorePass="changeit#1"
truststoreType="pkcs12"/>
connector setting on Client node:
<Connector SSLEnabled="true" acceptCount="10"
algorithm="PKIX" allowTrace="false"
ciphers=""
clientAuth="true"
enableLookups="true"
keystoreFile="/root/symmetric-server-3.8.28/security/keystore2.p12"
keystorePass="changeit#1"
keystoreType="pkcs12"
port="31415"
redirectPort="-1"
scheme="https"
secure="true"
sslEnabledProtocols="TLSv1.2"
sslProtocol="TLSv1.2"
truststoreFile="/root/symmetric-server-3.8.28/security/keystore2.p12"
truststorePass="changeit#1"
truststoreType="pkcs12"/>
Note: If I run the Master node Tomcat with clientAuth=false, then everything works fine. On further debugging I found that the client is not providing its certificate during the TLS handshake. The error is shown below. Experts, please help: what config do I need so that the client provides its certificate?
Error:
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
Upgrade to SymmetricDS 3.8.31. There was an issue that was fixed that allows for client TLS authentication now:
http://www.symmetricds.org/issues/view.php?id=2886

Turn off SSLv3 on JBoss AS 7.1.1

I have Spring MVC App running on JBoss AS 7.1.1. I need to turn off SSLv3 to protect against Poodle vulnerability. JBoss documentation at https://access.redhat.com/solutions/1232233 suggests I need to make sure that SSLv3 is not listed in the SSL Protocol attributes.
I have tried that but I can still connect to my website after only enabling SSL in Internet explorer options displayed below. Below is my standalone.xml configuration:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="foo-ssl" key-alias="foo" password="secret" certificate-key-file="C:\Dev\Java\jdk1.6.0_34\bin\foo.keystore" protocol="TLSv1"/>
</connector>
Can someone suggest what I'm missing here?
I finally figured a way to fix it. If you change 'protocol' to 'protocols' in the above mentioned configuration and make sure sslv3 is not in the protocol list then it disables SSLv3.
Notice the protocols attribute in the config below
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="foo-ssl" key-alias="foo" password="secret" certificate-key-file="C:\Dev\Java\jdk1.6.0_34\bin\foo.keystore" protocol="TLSv1,TLSv1.1,TLSv1.2"/>
</connector>
After making this change, if you open IE and disable all other protocols except SSL 3.0, and then try to access the web page, you should not be able to see the web page.
More details available here: http://abhirampal.com/2015/07/23/disable-ssl-v3-on-jboss-as-7-1-1/

wildcard certificate clientAuth=true

I'm having issues with a web service I'm trying to host.
Running on CentOS 6.5 amd64 / linux x86_64, Tomcat 8.0.9, Java 1.7.0_60, CXF 3.0.
When I setup my Connector as such:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="${catalina.base}/conf/server.jks"
keyAlias="salesproxy.<domain>.com"
keystorePass="<password>"
clientAuth="false" sslProtocol="TLS" />
I can pull the WSDL via HTTPS and view the certificate and all is good.
But, if I set clientAuth="true" and add truststoreFile, truststoreType and truststorePass attributes to the Connector, I can't even access the WSDL via HTTPS. I receive an "Error code: ERR_SSL_PROTOCOL_ERROR" message from Chrome.
In my log with javax.net.debug=ssl set, below are the last few lines:
*** ServerHelloDone
http-nio-443-exec-4, WRITE: SSLv3 Handshake, length = 13028
http-nio-443-exec-6, READ: SSLv3 Alert, length = 2
http-nio-443-exec-6, RECV SSLv3 ALERT: warning, no_certificate
SSL -- handshake alert: no_certificate
http-nio-443-exec-6, fatal error: 80: problem unwrapping net record
javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
%% Invalidated: [Session-67, TLS_DHE_RSA_WITH_AES_128_CBC_SHA]
http-nio-443-exec-6, SEND SSLv3 ALERT: fatal, description = internal_error
http-nio-443-exec-6, WRITE: SSLv3 Alert, length = 2
http-nio-443-exec-6, called closeOutbound()
http-nio-443-exec-6, closeOutboundInternal()
In Chrome and Windows 8 certmgr, I've installed the Client Cert in every place that makes any sense to me without change in behavior. One point to note is that the server is using a GoDaddy wildcard SSL certificate. I've used wildcard certs before, but not with 2-way SSL auth.
Any help/suggestions/recommendations would be greatly appreciated!
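
An added triage helper, not part of any post above: it pulls the alert records out of javax.net.debug=ssl output such as the traces in the first and last questions on this page, and separates alerts received from the remote peer (RECV) from alerts the local stack sent (SEND). The sample lines are copied from those traces; the function and type names are hypothetical.

```python
import re
from collections import namedtuple

Alert = namedtuple("Alert", "thread direction version level description")

# Matches e.g. "<thread>, RECV TLSv1.2 ALERT: fatal, protocol_version" and
# "<thread>, SEND SSLv3 ALERT: fatal, description = internal_error".
ALERT_RE = re.compile(
    r"^(?P<thread>.+?), (?P<direction>RECV|SEND) (?P<version>\S+) ALERT:\s+"
    r"(?P<level>fatal|warning), (?:description = )?(?P<description>\w+)",
    re.MULTILINE,
)


def parse_alerts(debug_log):
    """Extract every TLS alert record from javax.net.debug=ssl output."""
    return [Alert(**m.groupdict()) for m in ALERT_RE.finditer(debug_log)]


def peer_aborts(alerts):
    """Fatal alerts sent by the remote peer: the other side ended the session."""
    return [a for a in alerts if a.direction == "RECV" and a.level == "fatal"]


def summarize(alerts):
    """One line per alert, naming which side raised it."""
    lines = []
    for a in alerts:
        who = "peer" if a.direction == "RECV" else "local stack"
        lines.append(f"{a.thread}: {who} raised {a.level} "
                     f"{a.description} ({a.version} record)")
    return lines


# Sample input: log lines copied from the traces quoted on this page.
SAMPLE_LOG = """\
NioSelector-WSS-172.62.2.10/5082, RECV TLSv1.2 ALERT: fatal, protocol_version
NioSelector-WSS-172.62.2.10/5082, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: protocol_version
http-nio-443-exec-6, RECV SSLv3 ALERT: warning, no_certificate
http-nio-443-exec-6, fatal error: 80: problem unwrapping net record
http-nio-443-exec-6, SEND SSLv3 ALERT: fatal, description = internal_error
"""

if __name__ == "__main__":
    print("\n".join(summarize(parse_alerts(SAMPLE_LOG))))
```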