WSO2 ESB SSL handshake failure - ssl

I'm getting this error when trying to access a secure external service:
TID: [0] [ESB] [2016-01-07 11:08:52,310] ERROR - I/O error: General SSLEngine problem {org.apache.synapse.transport.passthru.TargetHandler}
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1364)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1169)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.http.impl.nio.reactor.SSLIOSession.doHandshake(SSLIOSession.java:154)
at org.apache.http.impl.nio.reactor.SSLIOSession.isAppInputReady(SSLIOSession.java:273)
at org.apache.http.impl.nio.ssl.SSLClientIOEventDispatch.inputReady(SSLClientIOEventDispatch.java:241)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:158)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:340)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:318)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:278)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:542)
at java.lang.Thread.run(Thread.java:722)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1703)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1338)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1301)
at org.apache.http.impl.nio.reactor.SSLIOSession.doHandshake(SSLIOSession.java:171)
... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
at org.apache.synapse.mediators.builtin.LogMediator.getFullLogMessage(LogMediator.java:184)
at org.apache.synapse.mediators.builtin.LogMediator.getLogMessage(LogMediator.java:123)
at org.apache.synapse.mediators.builtin.LogMediator.mediate(LogMediator.java:91)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:71)
at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:114)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:230)
at org.apache.synapse.core.axis2.SynapseCallbackReceiver.handleMessage(SynapseCallbackReceiver.java:443)
at org.apache.synapse.core.axis2.SynapseCallbackReceiver.receive(SynapseCallbackReceiver.java:166)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:218)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
Caused by: com.ctc.wstx.exc.WstxEOFException: Unexpected end of input block; expected an identifier
at [row,col {unknown-source}]: [5,13]
at com.ctc.wstx.sr.StreamScanner.throwUnexpectedEOB(StreamScanner.java:691)
at com.ctc.wstx.sr.StreamScanner.loadMoreFromCurrent(StreamScanner.java:1057)
at com.ctc.wstx.sr.StreamScanner.getNextCharFromCurrent(StreamScanner.java:802)
at com.ctc.wstx.sr.BasicStreamReader.handleStartElem(BasicStreamReader.java:2917)
at com.ctc.wstx.sr.BasicStreamReader.nextFromTree(BasicStreamReader.java:2814)
at com.ctc.wstx.sr.BasicStreamReader.next(BasicStreamReader.java:1062)
at org.apache.axiom.util.stax.wrapper.XMLStreamReaderWrapper.next(XMLStreamReaderWrapper.java:225)
at org.apache.axiom.util.stax.dialect.DisallowDoctypeDeclStreamReaderWrapper.next(DisallowDoctypeDeclStreamReaderWrapper.java:34)
at org.apache.axiom.util.stax.wrapper.XMLStreamReaderWrapper.next(XMLStreamReaderWrapper.java:225)
at org.apache.axiom.om.impl.builder.StAXOMBuilder.parserNext(StAXOMBuilder.java:681)
at org.apache.axiom.om.impl.builder.StAXOMBuilder.next(StAXOMBuilder.java:214)
... 30 more
The certificate was successfully imported by keytool and it appears in the "Available Certificates" list.
The supported protocols and ciphers of the endpoint service are:
Supported versions: TLSv1.0 TLSv1.1 TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
TLSv1.0
RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
DHE_RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
DHE_RSA_WITH_AES_256_CBC_SHA
RSA_WITH_CAMELLIA_128_CBC_SHA
DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
RSA_WITH_CAMELLIA_256_CBC_SHA
DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
(TLSv1.1: idem)
TLSv1.2
RSA_WITH_3DES_EDE_CBC_SHA
RSA_WITH_AES_128_CBC_SHA
DHE_RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
DHE_RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_CBC_SHA256
RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_CAMELLIA_128_CBC_SHA
DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
DHE_RSA_WITH_AES_128_CBC_SHA256
DHE_RSA_WITH_AES_256_CBC_SHA256
RSA_WITH_CAMELLIA_256_CBC_SHA
DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
----------------------
[...]
----------------------
Minimal encryption strength: strong encryption (96-bit or more)
Achievable encryption strength: strong encryption (96-bit or more)
BEAST status: vulnerable
CRIME status: protected
Seems like it's a bug in the ESB when trying to perform the handshake.
I'm using ESB-4.6.0.
UPDATE
The certificate was imported by:
keytool -import -trustcacerts -alias MyService -file /tmp/myservice.crt -keystore wso2carbon.jks
According to Tharik's suggestion, the SSL handshake trace prints the following error:
[...]
***
HTTPS-Sender I/O dispatcher-1, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
%% Invalidated: [Session-8, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
HTTPS-Sender I/O dispatcher-1, SEND TLSv1 ALERT: fatal, description = certificate_unknown
HTTPS-Sender I/O dispatcher-1, WRITE: TLSv1 Alert, length = 2
HTTPS-Sender I/O dispatcher-1, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: General SSLEngine problem
[2016-01-08 17:13:47,921] ERROR - TargetHandler I/O error: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1364)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1169)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)

Problem solved.
In this case the ESB has a particularity, which is a separate keystore for client-side operations. The correct import command is:
keytool -importcert -file <CERTIFICATE_FILE> -keystore <ESB_HOME>/repository/resources/security/client-truststore.jks -alias "SomeAlias"
In other words, the correct keystore is client-truststore.jks instead of wso2carbon.jks.

Related

WSO2 EI: Expired certificate error when connecting from embedded MI to EI analytics server

Downloaded wso2ei-analytics-7.1.0 and started the server and dashboard. Then I enabled statistics for the APIs and endpoints and added the following config into the embedded MI of the Integration studio:
[mediation]
flow.statistics.enable=true
stat.tracer.collect_payloads=true
stat.tracer.collect_mediation_properties=true
flow.statistics.capture_all=true
When starting the embedded MI I get the following error saying some certificate has expired:
[2022-06-23 09:47:40,001] ERROR {DataEndpointConnectionWorker} - Error while trying to connect to the endpoint. Cannot borrow client for ssl://localhost:7712. org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Cannot borrow client for ssl://localhost:7712.
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:145)
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.run(DataEndpointConnectionWorker.java:59)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.wso2.carbon.databridge.agent.exception.DataEndpointLoginException: Error while trying to login to the data receiver.
at org.wso2.carbon.databridge.agent.endpoint.thrift.ThriftDataEndpoint.login(ThriftDataEndpoint.java:54)
at org.wso2.carbon.databridge.agent.endpoint.DataEndpointConnectionWorker.connect(DataEndpointConnectionWorker.java:139)
... 6 more
Caused by: org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:161)
at org.apache.thrift.TServiceClient.sendBase(TServiceClient.java:65)
at org.wso2.carbon.databridge.commons.thrift.service.secure.ThriftSecureEventTransmissionService$Client.send_connect(ThriftSecureEventTransmissionService.java:104)
at org.wso2.carbon.databridge.commons.thrift.service.secure.ThriftSecureEventTransmissionService$Client.connect(ThriftSecureEventTransmissionService.java:95)
at org.wso2.carbon.databridge.agent.endpoint.thrift.ThriftDataEndpoint.login(ThriftDataEndpoint.java:47)
... 7 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1339)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1214)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1157)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1403)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:814)
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1184)
at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81)
at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142)
at org.apache.thrift.transport.TIOStreamTransport.flush(TIOStreamTransport.java:159)
... 11 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1323)
... 26 more
Caused by: java.security.cert.CertPathValidatorException: validity check failed
at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:237)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:145)
at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:84)
at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
at java.base/sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:364)
... 32 more
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Tue Jan 25 13:00:43 IST 2022
at java.base/sun.security.x509.CertificateValidity.valid(CertificateValidity.java:277)
at java.base/sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:675)
at java.base/sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
I am assuming the MI trust store does not have the correct certificate. But how do I resolve this?
Go to your Analytics server and then export the public key from the keystore with the following command. The default password is wso2carbon.
keytool -export -alias wso2carbon -keystore wso2carbon.jks -file <public key name>.pem
Then in your MI server, import the public key that you extracted into the client-truststore.
keytool -import -alias analyticskey -file <public key name>.pem -keystore client-truststore.jks -storepass wso2carbon

RabbitMq TLS/SSL connection error with Type not compatible with table constraint

I am setting up TLS for RabbitMQ and running into handshake issues.
RabbitMQ on establishing a connection shows
error on AMQP connection <0.1019.0>: {ssl_upgrade_failure,
{{{badmatch,
{error,
{asn1,
{'Type not compatible with table constraint',
{{component,'Type'},
{value,{5,<<>>}},
{unique_name_and_value,id,
{1,2,840,113549,1,1,11}}}}}}},
[{public_key,pkix_decode_cert,2},
{ssl_cipher,filter,2},
{ssl_handshake,select_session,8},
{ssl_handshake,hello,4},
{ssl_connection,hello,2},
{ssl_connection,next_state,3},
{gen_fsm,handle_msg,7},
{proc_lib,init_p_do_apply,3}]},
{gen_fsm,sync_send_all_state_event,
[<0.1020.0>,start,5000]}}} (unknown POSIX error)
Question
1) Is it an Erlang issue? I run a pretty old Erlang version (Erlang R14B04 (erts-5.8.5)).
2) Is it an issue with the TLS version?
Extra info:
ssl:versions().
[{ssl_app,"4.1.6"},
{supported,[tlsv1,sslv3]},
{available,[tlsv1,sslv3]}]
RabbitMQ config:
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile,"/etc/rabbitmq/certs/dev/ca_certificate.pem"},
{certfile, "/etc/rabbitmq/certs/dev/server_certificate.pem"},
{keyfile, "/etc/rabbitmq/certs/dev/server_key.pem"},
{verify, verify_none},
{depth, 3},
{versions, ['tlsv1.1', 'tlsv1']},
{fail_if_no_peer_cert, false}]}
Also, on running
openssl s_client -connect localhost:5672 -cert client_certificate.pem -key client_key.pem -CAfile ca_certificate.pem
CONNECTED(00000003)
139969158874952:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
All help appreciated!
Upgrading to latest version of Erlang fixed the TLS issues.

DataStax DSE Cassandra SSL - Unrecognized SSL message, plaintext connection?

I have been trying to enable client-to-node SSL communication in a single-node cluster running DataStax (DSE) version 4.6 with Cassandra 2.0.11.
After following the steps in the DataStax documentation
I keep on getting the following error message:
INFO [Thread-3] 2015-01-25 09:00:21,383 ThriftServer.java (line 135) Listening for thrift clients...
ERROR [Thrift:1] 2015-01-25 09:00:30,486 TNegotiatingServerTransport.java (line 523) Failed to open server transport.
org.apache.thrift.transport.TTransportException: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at org.apache.thrift.transport.TIOStreamTransport.read(TIOStreamTransport.java:129)
at com.datastax.bdp.transport.server.TPreviewableTransport.readUntilEof(TPreviewableTransport.java:79)
at com.datastax.bdp.transport.server.TPreviewableTransport.preview(TPreviewableTransport.java:55)
at com.datastax.bdp.transport.server.TNegotiatingServerTransport.open(TNegotiatingServerTransport.java:186)
at com.datastax.bdp.transport.server.TNegotiatingServerTransport$Factory.getTransport(TNegotiatingServerTransport.java:516)
at com.datastax.bdp.transport.server.TNegotiatingServerTransport$Factory.getTransport(TNegotiatingServerTransport.java:405)
at org.apache.cassandra.thrift.CustomTThreadPoolServer$WorkerProcess.run(CustomTThreadPoolServer.java:196)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:671)
at sun.security.ssl.InputRecord.read(InputRecord.java:504)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
at org.apache.thrift.transport.TIOStreamTransport.read(TIOStreamTransport.java:127)
... 9 more
ERROR [Thrift:1] 2015-01-25 09:00:30,513 CustomTThreadPoolServer.java (line 222) Error occurred during processing of message.
java.lang.RuntimeException: Failed to open server transport: unknown
at com.datastax.bdp.transport.server.TNegotiatingServerTransport$Factory.getTransport(TNegotiatingServerTransport.java:524)
at com.datastax.bdp.transport.server.TNegotiatingServerTransport$Factory.getTransport(TNegotiatingServerTransport.java:405)
at org.apache.cassandra.thrift.CustomTThreadPoolServer$WorkerProcess.run(CustomTThreadPoolServer.java:196)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Here is my cassandra.yaml file
client_encryption_options:
    enabled: true
    keystore: /home/ubuntu/.keystore
    keystore_password: ****
    truststore: /home/ubuntu/.truststore
    truststore_password: ****
    protocol: ssl
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
Steps followed to create the keystore and truststore
keytool -genkey -keyalg RSA -alias node0 -keystore .keystore (used the hostname for first name & last name)
keytool -export -alias node0 -file node0.cer -keystore .keystore
keytool -import -v -trustcacerts -alias node0 -file node0.cer -keystore .truststore
I already fixed the TLS_RSA_WITH_AES_256_CBC_SHA bug they have in their documentation by downloading the required jar files from the Oracle website http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
This message shows that a client is trying to open an unencrypted connection.
First thought is to check if client certificate auth is enabled. Read this: http://www.datastax.com/documentation/datastax_enterprise/4.6/datastax_enterprise/sec/secRunCqlsh.html
Here is a walkthrough for enabling cqlsh ssl connection: https://github.com/PatrickCallaghan/datastax-ssl-example
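The "plaintext connection?" message comes from the server looking at the first bytes a client sends and finding nothing that resembles a TLS record. The following script, an added example that is not part of the DataStax thread or of DSE's TPreviewableTransport, applies the same check to constructed byte strings: a TLS ClientHello record, an SSLv2-style hello, a Thrift binary-protocol message of the kind an unencrypted Cassandra 2.0 client sends, and an HTTP request. The preview_connection helper shows how to peek at a live socket with MSG_PEEK so the bytes remain available to whichever handler then takes the connection.

```python
"""Decide whether the first bytes on a socket begin a TLS handshake.

Added example, not part of the DataStax thread or of DSE's TPreviewableTransport:
it applies the same kind of check the Java TLS stack makes before it reports
"Unrecognized SSL message, plaintext connection?". All sample byte strings
below are constructed.
"""
import socket
import struct

CONTENT_TYPE_HANDSHAKE = 0x16   # TLS record content type for handshake messages
HANDSHAKE_CLIENT_HELLO = 0x01   # first byte of a ClientHello handshake body
RECORD_HEADER_LEN = 5


def inspect_first_bytes(data: bytes) -> dict:
    """Classify the start of a connection as 'tls', 'sslv2_hello', 'plaintext' or 'short'."""
    if len(data) < RECORD_HEADER_LEN:
        return {"kind": "short", "reason": "need 5 bytes for a TLS record header"}
    content_type, major, minor, length = struct.unpack("!BBBH", data[:RECORD_HEADER_LEN])
    # A TLS record starts with type 0x16 and a 3.x version (3.0 = SSLv3 .. 3.4 = TLS 1.3)
    if content_type == CONTENT_TYPE_HANDSHAKE and major == 3 and minor <= 4:
        body_type = data[RECORD_HEADER_LEN] if len(data) > RECORD_HEADER_LEN else None
        return {"kind": "tls", "record_version": f"{major}.{minor}", "length": length,
                "client_hello": body_type == HANDSHAKE_CLIENT_HELLO}
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set, then type 1
    if data[0] & 0x80 and data[2] == HANDSHAKE_CLIENT_HELLO:
        return {"kind": "sslv2_hello", "length": ((data[0] & 0x7F) << 8) | data[1]}
    # Anything else is not a TLS handshake: the peer is talking a plaintext protocol
    return {"kind": "plaintext", "first_bytes": data[:8]}


def preview_connection(conn: socket.socket) -> dict:
    """Peek at a live connection without consuming bytes, so a TLS or plaintext
    handler can still read the whole stream afterwards."""
    return inspect_first_bytes(conn.recv(16, socket.MSG_PEEK))


# Constructed samples -------------------------------------------------------
# TLS 1.2 ClientHello: record header (type 0x16, version 3.1, length 200), then
# handshake type 1, body length 196, client_version 3.3.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
# Thrift binary-protocol CALL message, what an unencrypted Cassandra 2.0 Thrift
# client sends first: version word 0x80010001, then the method name.
THRIFT_PLAINTEXT = b"\x80\x01\x00\x01\x00\x00\x00\x0cset_keyspace"
HTTP_PLAINTEXT = b"GET / HTTP/1.1\r\n"
# SSLv2-style ClientHello header: length 46 with the high bit set, then type 1.
SSLV2_HELLO = b"\x80\x2e\x01\x03\x01"

if __name__ == "__main__":
    for label, sample in [("tls", TLS_CLIENT_HELLO), ("thrift", THRIFT_PLAINTEXT),
                          ("http", HTTP_PLAINTEXT), ("sslv2", SSLV2_HELLO)]:
        print(f"{label:7} -> {inspect_first_bytes(sample)}")
```

Note that the Thrift message starts with 0x80, so a naive "high bit set means SSLv2" test would misclassify it; the check also requires the third byte to be the ClientHello type, which is why the classifier reports it as plaintext.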

Netty HTTPS server using Comodo certificate

I'm using Java 8, Netty 5 Alpha.
I added the certificates from Comodo to the keystore, and according to a test website suggested by my certificate provider they are installed correctly.
But if I try to connect using Firefox, Chrome, or curl, I get errors.
From curl -v I see that it gets the correct header, but then SSLv3, TLS alert, Server hello (2):. This seems to correspond with debug messages from Java:
SEND TLSv1.2 ALERT: warning, description = close_notify
WRITE: TLSv1.2 Alert, length = 32
fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
Firefox: SSL received a record that exceeded the maximum permissible length.
From openssl s_client -connect ...:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-DES-CBC3-SHA
verify error:num=19:self signed certificate in certificate chain
SSL handshake has read 5982 bytes and written 531 bytes
I've read elsewhere about NullPointerExceptions somewhere causing internal Java security stuff to fail, but there are no clear solutions.

Red5 and RTMPS self-signed certificate

I am trying to configure RTMPS using a self-signed certificate, but when I try to connect via Red5Phone I get an error:
*** ServerHelloDone
NioProcessor-2, WRITE: TLSv1 Handshake, length = 890
NioProcessor-2, READ: TLSv1 Alert, length = 2
NioProcessor-2, RECV TLSv1 ALERT: fatal, unknown_ca
NioProcessor-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: unknown_ca
NioProcessor-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: unknown_ca
[WARN] [NioProcessor-2] org.red5.server.net.rtmps.RTMPSMinaIoHandler - Exception caught SSL handshake failed.
Red5-0.9.1
Red5Phone-R47
I tried to follow the directions from here:
http://gregoire.org/2008/05/26/rtmps-in-red5/ and http://www.cb1inc.com/2007/05/12/creating-self-signed-certs-on-apache-tomcat-5-5/ but it did not give results.
Please help.
Self-signed certs are really difficult to use with Flash and should be avoided. I would assume that you are using "localhost", but if you are trying to access this from an external location I would suggest getting a real CA-signed certificate (there are free ones out there) and testing with that on your domain. Versions of Red5 1.0 or greater have better support for certs, crossdomain, and IP binding; I suggest you start with one of them.
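Every thread on this page is the same triage exercise: walk the "Caused by:" chain to the innermost exception, recognise the message, and pick the fix (wrong truststore in the WSO2 ESB thread, expired certificate in the MI analytics thread, a certificate the library cannot decode in the RabbitMQ thread, a plaintext client in the DataStax thread, an unknown_ca alert in the Red5 thread). The script below is an added example, not code from any of those projects; it encodes that triage as rules over log text. The sample excerpts are constructed from the messages quoted above, the OID table is the standard PKCS#1 signature-algorithm assignments, and the cause names and remediation strings are my own labels.

```python
"""Triage TLS handshake failures from the log text a server prints.

Added example, not code from WSO2, DataStax, RabbitMQ or Red5: it walks the
"Caused by:" chain of a Java stack trace to the innermost exception, then maps
well-known messages to a cause and a defender-side fix. The sample logs are
constructed from the messages quoted in the threads on this page.
"""
import re

# Signature-algorithm OIDs that show up in certificate decode errors (PKCS#1).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}

# (regex, cause, remediation). Most specific first: an expired certificate also
# produces a generic "PKIX path validation failed" line higher in the chain.
RULES = [
    (r"CertificateExpiredException: NotAfter: (?P<detail>[^\n]+)",
     "expired_certificate",
     "Renew the server certificate and re-import the new public key into the "
     "client truststore."),
    (r"unable to find valid certification path to requested target",
     "untrusted_chain",
     "Import the CA (or server) certificate into the truststore the client "
     "really reads; for WSO2 ESB that is client-truststore.jks, not wso2carbon.jks."),
    (r"Received fatal alert: unknown_ca",
     "peer_rejected_ca",
     "The peer does not trust the CA that issued our certificate; use a "
     "certificate from a CA the peer trusts."),
    (r"Unrecognized SSL message, plaintext connection\?",
     "plaintext_client",
     "A client sent non-TLS bytes to a TLS listener; enable TLS on the client "
     "or point it at the right port."),
    (r"'Type not compatible with table constraint'.*?\{(?P<detail>\d+(?:,\d+)+)\}",
     "unsupported_cert_encoding",
     "The TLS library cannot decode the certificate's signature algorithm; "
     "upgrade the library (here Erlang/OTP) or re-issue with an algorithm it knows."),
]


def java_root_cause(log_text):
    """Return the innermost 'Caused by:' message, or None if there is none."""
    causes = [line.strip() for line in log_text.splitlines()
              if line.lstrip().startswith("Caused by:")]
    return causes[-1][len("Caused by:"):].strip() if causes else None


def classify(log_text):
    """Map a log excerpt to {cause, detail, remediation, root_cause}."""
    result = {"cause": "unknown", "detail": None, "root_cause": java_root_cause(log_text),
              "remediation": "Capture a handshake trace (-Djavax.net.debug=ssl,handshake) "
                             "and look at the alert that was sent or received."}
    for pattern, cause, fix in RULES:
        match = re.search(pattern, log_text, re.DOTALL)
        if not match:
            continue
        detail = match.groupdict().get("detail")
        if cause == "unsupported_cert_encoding":
            oid = detail.replace(",", ".")          # Erlang tuple -> dotted OID
            detail = f"{oid} ({SIGNATURE_OIDS.get(oid, 'unknown algorithm')})"
        result.update(cause=cause, detail=detail, remediation=fix)
        break
    return result


# Constructed excerpts, trimmed to the lines that matter for triage.
SAMPLE_LOGS = {
    "wso2_esb": (
        "javax.net.ssl.SSLHandshakeException: General SSLEngine problem\n"
        "Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem\n"
        "Caused by: sun.security.validator.ValidatorException: PKIX path building "
        "failed: sun.security.provider.certpath.SunCertPathBuilderException: "
        "unable to find valid certification path to requested target\n"),
    "mi_analytics": (
        "Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: "
        "java.security.cert.CertPathValidatorException: validity check failed\n"
        "Caused by: java.security.cert.CertificateExpiredException: "
        "NotAfter: Tue Jan 25 13:00:43 IST 2022\n"),
    "rabbitmq": (
        "error on AMQP connection <0.1019.0>: {ssl_upgrade_failure,\n"
        "{{{badmatch, {error, {asn1, {'Type not compatible with table constraint',\n"
        "{{component,'Type'}, {value,{5,<<>>}}, {unique_name_and_value,id,\n"
        "{1,2,840,113549,1,1,11}}}}}}},\n"),
    "dse_cassandra": "Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, "
                     "plaintext connection?\n",
    "red5": ("NioProcessor-2, RECV TLSv1 ALERT: fatal, unknown_ca\n"
             "Rethrowing javax.net.ssl.SSLException: Received fatal alert: unknown_ca\n"),
}

if __name__ == "__main__":
    for name, text in SAMPLE_LOGS.items():
        verdict = classify(text)
        print(f"{name:14} {verdict['cause']:26} {verdict['detail'] or ''}")
        print(f"{'':14} fix: {verdict['remediation']}")
```

The RabbitMQ case is the one where the decoded detail matters: the OID the old Erlang release choked on is sha256WithRSAEncryption, which explains why simply upgrading Erlang resolved it. Rule order matters too; the expired-certificate rule sits first because the same trace also carries a generic "validity check failed" line above the CertificateExpiredException.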