I have a simple client application that downloads data from a site via HttpUrlConnection. The server uses cert auth. The app (outside of WebLogic) works properly. In standalone mode I set the cert via SSLSocketFactory.
But the app has to work inside a WebLogic app server.
I've added the cert to the cacerts (and even into the identity store of the WebLogic). In the log I see WL finds it. But I get a RECV TLSv1 ALERT: fatal, handshake_failure error.
What do I have to do differently? Thanks!
<2013.08.21. 10:14:30 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.setEnabledCipherSuites(String[]): value=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_DES_CBC_SHA,SSL_DHE_RSA_WITH_DES_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA,SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSV.>
<2013.08.21. 10:14:30 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.setEnabledProtocols(String[]): value=SSLv2Hello,SSLv3,TLSv1.>
<2013.08.21. 10:14:30 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.setEnableSessionCreation(boolean):value=true.>
<2013.08.21. 10:14:30 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.setUseClientMode(boolean): value=true.>
<2013.08.21. 10:14:30 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.setWantClientAuth(boolean): value=false.>
<2013.08.21. 10:14:30 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.setNeedClientAuth(boolean): value=false.>
<2013.08.21. 10:14:30 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.setNeedClientAuth(boolean): value=false.>
<2013.08.21. 10:14:30 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.setUseClientMode(boolean): value=true.>
<2013.08.21. 10:14:30 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.setUseClientMode(boolean): value=true.>
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1377072614 bytes = { 22, 18, 8, 150, 85, 185, 67, 160, 51, 252, 172, 191, 141, 100, 201, 254, 187, 63, 235, 175, 246, 17, 165, 128, 216, 209, 228, 102 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1 Handshake, length = 75
[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: SSLv2 client hello message, length = 101
<2013.08.21. 10:14:30 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NEED_UNWRAP bytesConsumed = 0 bytesProduced = 103.>
<2013.08.21. 10:14:30 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.unwrap(ByteBuffer,ByteBuffer[]) called: result=Status = BUFFER_UNDERFLOW HandshakeStatus = NEED_UNWRAP bytesConsumed = 0 bytesProduced = 0.>
[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', READ: TLSv1 Handshake, length = 74
<2013.08.21. 10:14:30 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.unwrap(ByteBuffer,ByteBuffer[]) called: result=Status = OK HandshakeStatus = NEED_TASK bytesConsumed = 79 bytesProduced = 0.>
*** ServerHello, TLSv1
RandomCookie: GMT: 1377072630 bytes = { 90, 186, 22, 195, 56, 131, 89, 24, 40, 175, 153, 6, 104, 172, 220, 160, 93, 105, 251, 97, 118, 101, 103, 72, 243, 179, 201, 87 }
Session ID: {146, 153, 76, 87, 103, 112, 44, 239, 163, 85, 147, 205, 99, 91, 81, 62, 74, 79, 82, 96, 106, 103, 78, 165, 35, 242, 44, 71, 227, 192, 111, 253}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
Warning: No renegotiation indication extension in ServerHello
%% Created: [Session-3, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
<2013.08.21. 10:14:30 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.unwrap(ByteBuffer,ByteBuffer[]) called: result=Status = BUFFER_UNDERFLOW HandshakeStatus = NEED_UNWRAP bytesConsumed = 0 bytesProduced = 0.>
[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', READ: TLSv1 Handshake, length = 1667
<2013.08.21. 10:14:30 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.unwrap(ByteBuffer,ByteBuffer[]) called: result=Status = OK HandshakeStatus = NEED_TASK bytesConsumed = 1672 bytesProduced = 0.>
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: EMAILADDRESS=fomi#takarnet.hu, CN=*.takarnet.hu, O=Foldhivatal, L=Budapest, ST=Hungary, C=HU
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
modulus: ************
public exponent: 65537
Validity: [From: Tue Sep 14 15:01:48 CEST 2010,
To: Fri Dec 11 14:01:48 CET 2037]
Issuer: EMAILADDRESS=fomi#fomigate.fomi.com, CN=TAKARNET CA, O=FOLDHIVATAL, L=Budapest, ST=Hungary, C=HU
SerialNumber: [ 341c]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
[2]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL client
SSL server
S/MIME
Object Signing
]
[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [MD5withRSA]
Signature:
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
]
chain [1] = [
[
Version: V3
Subject: EMAILADDRESS=fomi#fomigate.fomi.com, CN=TAKARNET CA, O=FOLDHIVATAL, L=Budapest, ST=Hungary, C=HU
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
modulus: ************
public exponent: 65537
Validity: [From: Tue Feb 12 11:25:51 CET 2002,
To: Sat Jun 30 12:25:51 CEST 2029]
Issuer: EMAILADDRESS=fomi#fomigate.fomi.com, CN=TAKARNET CA, O=FOLDHIVATAL, L=Budapest, ST=Hungary, C=HU
SerialNumber: [ 00]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL server
SSL CA
S/MIME CA
]
[2]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
]
]
[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
]
[EMAILADDRESS=fomi#fomigate.fomi.com, CN=TAKARNET CA, O=FOLDHIVATAL, L=Budapest, ST=Hungary, C=HU]
SerialNumber: [ 00]
]
[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [MD5withRSA]
Signature:
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
]
***
Found trusted certificate:
[
[
Version: V3
Subject: EMAILADDRESS=fomi#takarnet.hu, CN=*.takarnet.hu, O=Foldhivatal, L=Budapest, ST=Hungary, C=HU
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
modulus: **************
public exponent: 65537
Validity: [From: Tue Sep 14 15:01:48 CEST 2010,
To: Fri Dec 11 14:01:48 CET 2037]
Issuer: EMAILADDRESS=fomi#fomigate.fomi.com, CN=TAKARNET CA, O=FOLDHIVATAL, L=Budapest, ST=Hungary, C=HU
SerialNumber: [ 341c]
Certificate Extensions: 4
[1]: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 32 16 30 54 68 69 73 20 43 65 72 74 69 66 69 .2.0This Certifi
0010: 63 61 74 65 20 77 61 73 20 47 65 6E 65 72 61 74 cate was Generat
0020: 65 64 20 62 79 20 46 6F 6C 64 68 69 76 61 74 61 ed by Foldhivata
0030: 6C 20 43 41 l CA
[2]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL client
SSL server
S/MIME
Object Signing
]
[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
]
[4]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
]
Algorithm: [MD5withRSA]
Signature:
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
]
[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', READ: TLSv1 Handshake, length = 152
<2013.08.21. 10:14:30 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.unwrap(ByteBuffer,ByteBuffer[]) called: result=Status = OK HandshakeStatus = NEED_TASK bytesConsumed = 157 bytesProduced = 0.>
*** CertificateRequest
Cert Types: RSA, DSS, Ephemeral DH (RSA sig)
Cert Authorities:
<EMAILADDRESS=***, CN=TAKARNET CA, O=FOLDHIVATAL, L=Budapest, ST=Hungary, C=HU>
*** ServerHelloDone
*** Certificate chain
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1 Handshake, length = 141
SESSION KEYGEN:
PreMaster Secret:
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
CONNECTION KEYGEN:
Client Nonce:
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
Server Nonce:
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
Master Secret:
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
Client MAC write Secret:
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
Server MAC write Secret:
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
Client write key:
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
Server write key:
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
Client write IV:
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
Server write IV:
0000: ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ** ****************
[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 60, 110, 8, 97, 250, 71, 53, 6, 54, 184, 165, 165 }
***
[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', WRITE: TLSv1 Handshake, length = 48
<2013.08.21. 10:14:31 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NEED_WRAP bytesConsumed = 0 bytesProduced = 146.>
<2013.08.21. 10:14:31 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NEED_WRAP bytesConsumed = 0 bytesProduced = 6.>
<2013.08.21. 10:14:31 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.wrap(ByteBuffer,ByteBuffer) called: result=Status = OK HandshakeStatus = NEED_UNWRAP bytesConsumed = 0 bytesProduced = 53.>
<2013.08.21. 10:14:31 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: SSLEngine.unwrap(ByteBuffer,ByteBuffer[]) called: result=Status = BUFFER_UNDERFLOW HandshakeStatus = NEED_UNWRAP bytesConsumed = 0 bytesProduced = 0.>
[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', READ: TLSv1 Alert, length = 2
[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', RECV TLSv1 ALERT: fatal, handshake_failure
[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure
[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)', fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: handshake_failure
<2013.08.21. 10:14:31 CEST> <Debug> <SecuritySSL> <BEA-000000> <[Thread[[ACTIVE] ExecuteThread: '1' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]]weblogic.security.SSL.jsseadapter: SSLENGINE: Exception occurred during SSLEngine.unwrap(ByteBuffer,ByteBuffer[]).
javax.net.ssl.SSLException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1467)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1435)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1601)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1031)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:845)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:721)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:647)
at weblogic.security.SSL.jsseadapter.JaSSLEngine$5.run(JaSSLEngine.java:134)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:732)
at weblogic.security.SSL.jsseadapter.JaSSLEngine.unwrap(JaSSLEngine.java:132)
at weblogic.socket.JSSEFilterImpl.unwrap(JSSEFilterImpl.java:585)
at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:490)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:93)
at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:71)
at weblogic.socket.JSSEFilterImpl.write(JSSEFilterImpl.java:434)
at weblogic.socket.JSSESocket$JSSEOutputStream.write(JSSESocket.java:78)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:186)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:400)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
Did you try to ignore SSL certificate verification on WebLogic? Just put "-Dweblogic.security.SSL.ignoreHostnameVerification=true" in WebLogic's JAVA_OPTIONS and try again.
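Reading the debug log above: after the server's CertificateRequest (which names the TAKARNET CA under "Cert Authorities") and ServerHelloDone, the client's own "*** Certificate chain" block is empty, i.e. JSSE found no client key to present, and the fatal handshake_failure arrives right after the client's Finished. The "Found trusted certificate" lines only show that the server's certificate is trusted; client authentication additionally needs a private key with a certificate issued by the CA the server asks for. The following is an added example, not the asker's code and not a WebLogic API: it builds the JSSE context the standalone setup describes (client key manager plus trust manager on an HttpsURLConnection) and first performs the same X509KeyManager lookup JSSE performs on a CertificateRequest, so a missing or mismatched client key is reported before any connection is made. The keystore file names, passwords and URL are assumptions; the issuer DN is the one from the log's CertificateRequest with its masked e-mail RDN replaced by a placeholder.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

/**
 * Added example (not from the question or from WebLogic): present a client certificate over
 * HttpsURLConnection and check beforehand that the identity store holds a key the server
 * would accept. File names, passwords and the URL below are assumptions.
 */
public class ClientCertCheck {

    /** Load a keystore of the given type (PKCS12 for the client identity, JKS for the trust store). */
    static KeyStore load(String path, String type, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Mirror what JSSE does on a CertificateRequest: ask the X509KeyManager for a client alias
     * whose chain is issued by one of the listed authorities. A null result is what produces
     * the empty client Certificate message seen in the debug log.
     */
    static String chooseClientAlias(KeyManager[] kms, String[] keyTypes, Principal[] issuers) {
        for (KeyManager km : kms) {
            if (km instanceof X509KeyManager) {
                String alias = ((X509KeyManager) km).chooseClientAlias(keyTypes, issuers, null);
                if (alias != null) {
                    return alias;
                }
            }
        }
        return null;
    }

    static SSLContext buildContext(KeyStore identity, char[] keyPassword, KeyStore trust,
                                   Principal[] requestedIssuers) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        // Pre-flight check using the key types from the log's CertificateRequest ("RSA, DSS")
        // and the issuer list the server sent. Fail here, with a readable reason, rather than
        // in the handshake.
        String alias = chooseClientAlias(kmf.getKeyManagers(), new String[] {"RSA", "DSA"}, requestedIssuers);
        if (alias == null) {
            throw new GeneralSecurityException(
                "no client key in the identity store is issued by " + Arrays.toString(requestedIssuers));
        }
        System.out.println("client certificate alias that will be presented: " + alias);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed store names and passwords; the identity store must contain the private key.
        char[] storePass = "changeit".toCharArray();
        KeyStore identity = load("client-identity.p12", "PKCS12", storePass);
        KeyStore trust = load("truststore.jks", "JKS", storePass);

        // Issuer DN from the CertificateRequest in the debug log; the e-mail RDN is masked there,
        // so a placeholder stands in for it. Use the exact DN the server sends.
        Principal[] issuers = {
            new X500Principal("EMAILADDRESS=ca-address-placeholder, CN=TAKARNET CA, O=FOLDHIVATAL, L=Budapest, ST=Hungary, C=HU")
        };

        SSLContext ctx = buildContext(identity, storePass, trust, issuers);
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://example.invalid/data").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // default hostname verification stays in place
        System.out.println("HTTP status: " + conn.getResponseCode());
    }
}
```

One caveat visible in the stack trace: inside the server the request went through weblogic.net.http.HttpURLConnection, WebLogic's own HTTP handler, which does not pick up a socket factory set on the JDK's HttpsURLConnection. WebLogic's documented -DUseSunHttpHandler=true startup property switches java.net.URL connections to the JDK handler, after which a context built like the one above is honoured; otherwise the client key has to be supplied through WebLogic's own SSL configuration. Either way, hostname verification is left enabled; the check above tells you whether the identity store is the problem without weakening the connection.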
Related
WebLogic managed server fails after start with issue:
DEADLOCK DETECTED:
[deadlocked thread] [ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)':
Thread '[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)'' is waiting to acquire lock 'weblogic.store.gxa.internal.GXATransactionImpl#6d75d9c2' that is held by thread '[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)''
Stack trace:
weblogic.store.gxa.internal.GXAResourceImpl.rollback(GXAResourceImpl.java:1506)
weblogic.transaction.internal.XAServerResourceInfo.rollback(XAServerResourceInfo.java:1482)
weblogic.transaction.internal.XAServerResourceInfo.rollback(XAServerResourceInfo.java:807)
weblogic.transaction.internal.ServerSCInfo.startRollback(ServerSCInfo.java:880)
weblogic.transaction.internal.ServerTransactionImpl.localRollback(ServerTransactionImpl.java:2090)
weblogic.transaction.internal.ServerTransactionImpl.globalRetryRollback(ServerTransactionImpl.java:3170)
weblogic.transaction.internal.ServerTransactionImpl.globalRollback(ServerTransactionImpl.java:2919)
weblogic.transaction.internal.ServerTransactionImpl.internalRollback(ServerTransactionImpl.java:442)
weblogic.transaction.internal.ServerTransactionImpl.rollback(ServerTransactionImpl.java:420)
weblogic.ejb.container.internal.BaseLocalObject.postInvoke1(BaseLocalObject.java:570)
weblogic.ejb.container.internal.BaseLocalObject.postInvoke(BaseLocalObject.java:766)
weblogic.ejb.container.internal.TimerDrivenLocalObject.postInvoke(TimerDrivenLocalObject.java:79)
weblogic.ejb.container.timer.TimerImpl.timerExpired(TimerImpl.java:403)
weblogic.timers.internal.TimerImpl.run(TimerImpl.java:284)
weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:550)
weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
[deadlocked thread] [ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)':
Thread '[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'' is waiting to acquire lock 'weblogic.ejb.container.timer.TimerImpl#7706b14b' that is held by thread '[ACTIVE] ExecuteThread: '12' for queue: 'weblogic.kernel.Default (self-tuning)''
Stack trace:
weblogic.ejb.container.timer.TimerImpl.handleTimeoutFailure(TimerImpl.java:508)
weblogic.ejb.container.timer.EJBTimerManager$TimerExpirationOperation.onRollback(EJBTimerManager.java:1128)
weblogic.store.gxa.internal.GXAOperationWrapperImpl.onRollback(GXAOperationWrapperImpl.java:180)
weblogic.store.gxa.internal.GXAAbstractTransaction.loopOperationCallbacks(GXAAbstractTransaction.java:254)
weblogic.store.gxa.internal.GXATransactionImpl.doOperationCallbacks(GXATransactionImpl.java:183)
weblogic.store.gxa.internal.GXAResourceImpl.rollback(GXAResourceImpl.java:1555)
weblogic.store.gxa.internal.GXAResourceImpl$RollbackRequest.run(GXAResourceImpl.java:1761)
weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:550)
weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
>
Can anybody help?
Seems strange: the "blocking chains" have swapped places; now weblogic.ejb.container.timer.TimerImpl is the blocker for weblogic.store.gxa.internal.GXATransactionImpl
DEADLOCK DETECTED:
[deadlocked thread] [ACTIVE] ExecuteThread: '31' for queue: 'weblogic.kernel.Default (self-tuning)':
Thread '[ACTIVE] ExecuteThread: '31' for queue: 'weblogic.kernel.Default (self-tuning)'' is waiting to acquire lock 'weblogic.ejb.container.timer.TimerImpl#1aba871c' that is held by thread '[ACTIVE] ExecuteThread: '29' for queue: 'weblogic.kernel.Default (self-tuning)''
Stack trace:
weblogic.ejb.container.timer.TimerImpl.handleTimeoutFailure(TimerImpl.java:508)
weblogic.ejb.container.timer.EJBTimerManager$TimerExpirationOperation.onRollback(EJBTimerManager.java:1128)
weblogic.store.gxa.internal.GXAOperationWrapperImpl.onRollback(GXAOperationWrapperImpl.java:180)
weblogic.store.gxa.internal.GXAAbstractTransaction.loopOperationCallbacks(GXAAbstractTransaction.java:254)
weblogic.store.gxa.internal.GXATransactionImpl.doOperationCallbacks(GXATransactionImpl.java:183)
weblogic.store.gxa.internal.GXAResourceImpl.rollback(GXAResourceImpl.java:1555)
weblogic.store.gxa.internal.GXAResourceImpl$RollbackRequest.run(GXAResourceImpl.java:1761)
weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:550)
weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
[deadlocked thread] [ACTIVE] ExecuteThread: '29' for queue: 'weblogic.kernel.Default (self-tuning)':
Thread '[ACTIVE] ExecuteThread: '29' for queue: 'weblogic.kernel.Default (self-tuning)'' is waiting to acquire lock 'weblogic.store.gxa.internal.GXATransactionImpl#5279549f' that is held by thread '[ACTIVE] ExecuteThread: '31' for queue: 'weblogic.kernel.Default (self-tuning)''
Stack trace:
weblogic.store.gxa.internal.GXAResourceImpl.rollback(GXAResourceImpl.java:1506)
weblogic.transaction.internal.XAServerResourceInfo.rollback(XAServerResourceInfo.java:1482)
weblogic.transaction.internal.XAServerResourceInfo.rollback(XAServerResourceInfo.java:807)
weblogic.transaction.internal.ServerSCInfo.startRollback(ServerSCInfo.java:880)
weblogic.transaction.internal.ServerTransactionImpl.localRollback(ServerTransactionImpl.java:2090)
weblogic.transaction.internal.ServerTransactionImpl.globalRetryRollback(ServerTransactionImpl.java:3170)
weblogic.transaction.internal.ServerTransactionImpl.globalRollback(ServerTransactionImpl.java:2919)
weblogic.transaction.internal.ServerTransactionImpl.internalRollback(ServerTransactionImpl.java:442)
weblogic.transaction.internal.ServerTransactionImpl.rollback(ServerTransactionImpl.java:420)
weblogic.ejb.container.internal.BaseLocalObject.postInvoke1(BaseLocalObject.java:570)
weblogic.ejb.container.internal.BaseLocalObject.postInvoke(BaseLocalObject.java:766)
weblogic.ejb.container.internal.TimerDrivenLocalObject.postInvoke(TimerDrivenLocalObject.java:79)
weblogic.ejb.container.timer.TimerImpl.timerExpired(TimerImpl.java:403)
weblogic.timers.internal.TimerImpl.run(TimerImpl.java:284)
weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:550)
weblogic.work.ExecuteThread.execute(ExecuteThread.java:263)
weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
SUBSYSTEM = WebLogicServer USERID = SEVERITY = Critical THREAD = [ACTIVE] ExecuteThread: '28' for queue: 'weblogic.kernel.Default (self-tuning)' MSGID = BEA-000394 MACHINE = vs-szp-app-t2 TXID = CONTEXTID = TIMESTAMP = 1574697355831
WatchAlarmType: AutomaticReset
WatchAlarmResetPeriod: 30000
>
I have the following exception:
com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
when I try to send a SOAP request to a customer's web service.
I use jre1.8.0_66 and I have the UnlimitedJCEPolicyJDK8 jars in the "Java\jre1.8.0_66\lib\security" folder
and I get Cipher.getMaxAllowedKeyLength("AES") = 2147483647
and for some reason I can't communicate with the customer to get the protocol in use or the cipher suite on the server side.
And here are my javax.net.debug related logs:
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-nio-9700-exec-1, setSoTimeout(0) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1515623991 bytes = { 212, 12, 195, 65, 98, 206, 121, 198, 232, 203, 220, 162, 207, 122, 217, 87, 121, 168, 220, 246, 60, 50, 9, 61, 214, 181, 16, 190 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
[write] MD5 and SHA1 hashes: len = 237
http-nio-9700-exec-1, WRITE: TLSv1.2 Handshake, length = 237
[Raw write]: length = 242
[Raw read]: length = 5
0000: 15 03 01 00 02 .....
[Raw read]: length = 2
0000: 02 28 .(
http-nio-9700-exec-1, READ: TLSv1 Alert, length = 2
http-nio-9700-exec-1, RECV TLSv1.2 ALERT: fatal, handshake_failure
http-nio-9700-exec-1, called closeSocket()
http-nio-9700-exec-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
http-nio-9700-exec-1, called close()
http-nio-9700-exec-1, called closeInternal(true)
Try adding these parameters to your project configuration:
-Dhttps.cipherSuites=SSL_RSA_WITH_RC4_128_MD5
and comment out the parameter for disabled algorithms in the java.security file in the JRE folder:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
Can you check if this (Diagnosing TLS, SSL and HTTPS from blogs.oracle.com) helps you?
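Before changing cipher suites or the disabled-algorithms list, it is worth reading what the server actually answered. In the log above the very next thing after "WRITE: TLSv1.2 Handshake" is a 5-byte raw read `15 03 01 00 02` followed by `02 28`: a record of content type 21 (alert), record version 3.1, carrying level 2 (fatal) and description 40 (handshake_failure). No ServerHello was ever received, so the server rejected the ClientHello itself; anything that happens later in a handshake (certificate validation, key sizes, the unlimited JCE policy) was never reached, and the mismatch is in what the hello offered: protocol versions, cipher suites, or extensions the server insists on. The decoder below is an added example, not part of the question or the answers; it parses those two dumps as a TLS record header plus alert body and rejects anything that is not a well-formed alert record.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example: decode the "[Raw read]" hex dumps that javax.net.debug prints for a TLS
 * alert record (5-byte header, then 2-byte body) into a readable alert.
 */
public class TlsAlertDecoder {

    /** AlertDescription values from RFC 5246 section 7.2 (the subset that matters for triage). */
    static final Map<Integer, String> DESCRIPTIONS;
    static {
        Map<Integer, String> m = new HashMap<>();
        m.put(0, "close_notify");
        m.put(10, "unexpected_message");
        m.put(20, "bad_record_mac");
        m.put(40, "handshake_failure");
        m.put(42, "bad_certificate");
        m.put(43, "unsupported_certificate");
        m.put(46, "certificate_unknown");
        m.put(48, "unknown_ca");
        m.put(70, "protocol_version");
        m.put(71, "insufficient_security");
        m.put(80, "internal_error");
        m.put(112, "unrecognized_name");
        DESCRIPTIONS = Collections.unmodifiableMap(m);
    }

    /** Decoded alert: record-layer version plus the two alert bytes. */
    static final class Alert {
        final String recordVersion;
        final String level;
        final String description;

        Alert(String recordVersion, String level, String description) {
            this.recordVersion = recordVersion;
            this.level = level;
            this.description = description;
        }

        @Override
        public String toString() {
            return recordVersion + " alert: " + level + ", " + description;
        }
    }

    /** Turn a debug-log hex dump such as "15 03 01 00 02" into bytes. */
    static byte[] hex(String dump) {
        String[] parts = dump.trim().split("\\s+");
        byte[] out = new byte[parts.length];
        for (int i = 0; i < parts.length; i++) {
            out[i] = (byte) Integer.parseInt(parts[i], 16);
        }
        return out;
    }

    /** Record-layer version: 3.0 is SSLv3, 3.1 to 3.3 are TLS 1.0 to 1.2. */
    static String versionName(int major, int minor) {
        if (major == 3 && minor == 0) return "SSLv3";
        if (major == 3 && minor >= 1) return "TLSv1." + (minor - 1);
        return "unknown(" + major + "." + minor + ")";
    }

    /**
     * header: the 5-byte record header (content type, version, length); body: the payload.
     * Anything that is not a well-formed alert record is rejected instead of guessed at.
     */
    static Alert decode(byte[] header, byte[] body) {
        if (header.length != 5) throw new IllegalArgumentException("TLS record header must be 5 bytes");
        int contentType = header[0] & 0xff;
        if (contentType != 21) throw new IllegalArgumentException("not an alert record, content type " + contentType);
        int length = ((header[3] & 0xff) << 8) | (header[4] & 0xff);
        if (length != 2 || body.length != 2) throw new IllegalArgumentException("alert body must be exactly 2 bytes");
        int levelByte = body[0] & 0xff;
        String level = levelByte == 1 ? "warning" : levelByte == 2 ? "fatal" : "unknown(" + levelByte + ")";
        int desc = body[1] & 0xff;
        String description = DESCRIPTIONS.containsKey(desc) ? DESCRIPTIONS.get(desc) : "unknown(" + desc + ")";
        return new Alert(versionName(header[1] & 0xff, header[2] & 0xff), level, description);
    }

    public static void main(String[] args) {
        // The two raw reads exactly as they appear in the question's log.
        Alert a = decode(hex("15 03 01 00 02"), hex("02 28"));
        System.out.println(a);
    }
}
```

The record version in the alert (3.1) is lower than the TLSv1.2 the client offered; that is normal for an alert sent before version negotiation completed and says nothing about what the server supports. What the decoder confirms is the point of failure: the hello was refused outright, which is why the answer above reaches for the cipher suite list. Note that `SSL_RSA_WITH_RC4_128_MD5` and `MD5withRSA` are in `jdk.tls.disabledAlgorithms` precisely because RC4 and MD5 are broken; if the customer's endpoint only accepts those, the fix belongs on their side, and re-enabling them should be scoped to that single connection rather than the whole JRE.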
I'm using NiFi and I started to configure it for HTTPS in order to enable users. NiFi does not work: the Jetty web server fails, saying there are no ciphers. No idea how to debug this, any hint?
The same certificates have been tested on my computers and they work.
Any help appreciated
Update
Well... I enabled the SSL logging.
The biggest difference is the Java environment: on the production server it is java-1.8.0-openjdk, on my local machine it is java-8-oracle.
There are still some important differences between the logs.
As an SSL negotiation reference, see this POST about how the protocol is supposed to work and the sessions involved.
The most dramatic differences are:
no *** ECDH ServerKeyExchange session on the production host.
The log starting from ClientHello is very different between the two machines:
Local (I truncated overly long lines and included only a small part of the log session):
*** ClientHello, TLSv1.2
RandomCookie: GMT: 2028150611 bytes = { 31, 20, 137, 167, 52, 224, 12, 129, 113, 59, 113, 45, 161, 54, 164, 147, 115, 148
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_2
cc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, T
TH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RS
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA2
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
***
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Initialized: [Session-2, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
matching alias: 1
matching alias: 1
matching alias: 1
%% Negotiating: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
%% Negotiating: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
*** ServerHello, TLSv1.2
RandomCookie: RandomCookie: GMT: 1459404759 bytes = { GMT: 1459404759 bytes = { 196, 84, 148, 21, 202, 175, 156, 35, 50,
2 }
Session ID: {87, 253, 192, 215, 210, 220, 163, 93, 88, 20, 237, 50, 37, 61, 50, 192, 225, 180, 252, 8, 19, 154, 0, 18, 13
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
47, 15, 107, 214, 199, 60, 245, 207, 215, 148, 102, 224, 0, 41, 172, 70, 101, 85, 85, 173, 79, 238, 15, 167, 136, 20, 14,
Session ID: {87, 253, 192, 215, 117, 67, 238, 169, 141, 93, 171, 129, 181, 146, 239, 178, 242, 31, 104, 115, 209, 119, 20
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 75079925706380992652797512247021193282035431148032843217618352685456618206389
public y coord: 43896241059818662260698096293954076915685388487376127769285950062051599700758
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,
Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-21, WRITE: TLSv1.2 Handshake, length = 1753
NiFi Web Server-21, called closeInbound()
NiFi Web Server-21, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
NiFi Web Server-21, SEND TLSv1.2 ALERT: fatal, description = internal_error
NiFi Web Server-21, WRITE: TLSv1.2 Alert, length = 2
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 115351230770955196648507742599468345245507684591583302635044967727219906604428
public y coord: 93087459299146270258246635135187638789539141095594448725666354447366218509864
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,
....
On production things are different:
(I truncated lines that were too long and reported only a small part of the log session)
*** ClientHello, TLSv1.2
RandomCookie: GMT: -1695295875 bytes = { 197, 207, 66, 60, 4, 242, 21, 101, 190, 160, 124, 185, 72, 238, 141, 237, 251
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_12
ES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES
CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TL
H_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=nifi-dev.buongiorno.com]
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, S
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, java.security.spec.ECParameterSpec#7862cc21, java.security.s
***
%% Initialized: [Session-4, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
%% Negotiating: [Session-4, TLS_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1459415539 bytes = { 67, 58, 139, 150, 47, 53, 247, 222, 255, 192, 141, 66, 114, 19, 171, 52, 6, 18
Session ID: {87, 253, 234, 243, 97, 92, 182, 14, 121, 224, 54, 149, 111, 196, 87, 79, 36, 149, 33, 51, 182, 47, 184, 6
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name:
***
Cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
:
.
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDS
withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-16, WRITE: TLSv1.2 Handshake, length = 1428
NiFi Web Server-21, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***
UPDATE 2
I asked to install Java 8 and now the key exchange works; at this point my problems are going to vanish.
If you can provide the output (sanitized, if necessary) of your $NIFI_HOME/logs/nifi-app.log and $NIFI_HOME/logs/nifi-bootstrap.log, as well as the hardware, OS, JRE, and NiFi version you are using, that will help diagnose. Here are a couple of common causes:
The certificate in the keystore is invalid (expired, not yet valid, can't validate the chain) and thus the available cipher suites that depend on an RSA/DSA key for signature or encryption are skipped by Jetty. You can check this by adding a new argument in $NIFI_HOME/conf/bootstrap.conf: java.arg.15=-Djavax.net.debug=ssl,handshake (where the argument number is updated to ensure it does not conflict with an existing argument). This will add substantial output to your log file covering the truststore configuration and every TLS handshake negotiation, including which cipher suites Jetty sees as available.
There was a minor issue where dynamically-generated certificates loaded into a keystore could not be used to provide TLSv1.1 cipher suites in test cases. See NIFI-1688 PR 624
The JRE running NiFi does not make any cipher suites available that the browser will accept. This is less common, but JRE 7 makes TLSv1.0 the default, and some browsers (nightly builds, etc.) may restrict TLS to TLSv1.1 or TLSv1.2 only. You can verify this by running the following command: $ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>. NiFi 0.x can run on Java 7, but NiFi 1.x requires Java 8+. If you are restricted to Java 7, you can explicitly enable these protocols via another Java argument: java.arg.16=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2.
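The answer above treats the `-Djavax.net.debug=ssl,handshake` trace as the primary evidence. As an added example (not the answerer's code and not part of NiFi), here is a small Python parser that reduces such a trace to the facts a defender looks for first: the protocol version each side spoke, the suite the server chose, whether a ServerKeyExchange and a CertificateRequest appeared, and which fatal alert ended the handshake. The sample trace is constructed, modelled on the Java 7 client log further down this page.

```python
import re

# Constructed sample, shaped like the Java 7 client trace on this page (not a real capture).
SAMPLE_LOG = """\
*** ClientHello, TLSv1
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
*** ServerHello, TLSv1
Cipher Suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
*** CertificateRequest
*** ServerHelloDone
main, WRITE: TLSv1 Change Cipher Spec, length = 1
main, RECV TLSv1 ALERT: fatal, handshake_failure
"""

def parse_handshake_log(text):
    """Return a dict summarising one handshake from javax.net.debug=ssl,handshake output."""
    s = {"client_version": None, "offered": [], "server_version": None,
         "chosen": None, "ephemeral_kx": False, "cert_request": False, "alerts": []}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"\*\*\* ClientHello, (\S+)", line):
            s["client_version"] = m.group(1)
        elif m := re.match(r"Cipher Suites: \[(.*)\]", line):      # what the client offered
            s["offered"] = [c.strip() for c in m.group(1).split(",")]
        elif m := re.match(r"\*\*\* ServerHello, (\S+)", line):
            s["server_version"] = m.group(1)
        elif m := re.match(r"Cipher Suite: (\S+)", line):          # capital S: the server's choice
            s["chosen"] = m.group(1)
        elif re.match(r"\*\*\* (ECDH|Diffie-Hellman) ServerKeyExchange", line):
            s["ephemeral_kx"] = True                                # ephemeral (EC)DH present
        elif line.startswith("*** CertificateRequest"):
            s["cert_request"] = True                                # server wants a client cert
        elif m := re.search(r"(RECV|SEND) \S+ ALERT: fatal, (?:description = )?(\w+)", line):
            s["alerts"].append(f"{m.group(1)} {m.group(2)}")
    return s

def findings(s):
    """Plain-language hints derived from the summary; each maps to a fix discussed on this page."""
    out = []
    if s["server_version"] is None:
        out.append("no ServerHello: the server rejected the ClientHello outright")
    if s["client_version"] in ("SSLv3", "TLSv1"):
        out.append(f"client spoke {s['client_version']}; the peer may require TLSv1.2")
    if s["chosen"] and re.match(r"(TLS|SSL)_RSA_WITH", s["chosen"]):
        out.append("static RSA key exchange: no ServerKeyExchange, no forward secrecy")
    if s["cert_request"]:
        out.append("server sent CertificateRequest: a matching client cert/alias is required")
    out.extend(f"fatal alert: {a}" for a in s["alerts"])
    return out

if __name__ == "__main__":
    for hint in findings(parse_handshake_log(SAMPLE_LOG)):
        print("-", hint)
```

Feed it the real trace from nifi-app.log (or a client's stdout) instead of SAMPLE_LOG; a trace with several handshakes should be split at each `*** ClientHello` first, since later hellos overwrite earlier ones.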
My Java (1.7) client seems to be failing at the very end of the handshake process with the exception below.
I guess there is some issue with the client setup. How should I go about debugging this?
...
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 29, 85, 244, 219, 41, 146, 203, 174, 235, 86, 47, 92 }
***
main, WRITE: TLSv1 Handshake, length = 40
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Exception in thread "main" AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
faultActor:
faultNode:
faultDetail:
I try to connect to the office365 mail server with JavaMail v1.5.3 (the application is deployed on Tomcat 6). I'm running a thread on startup that checks for new emails in a loop with a one-minute sleep. In most cases the connection is successfully established and everything works just fine, but sometimes I get
"Remote host closed connection during handshake" error.
The error is caused by
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:482)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:934)
I have tried solutions from:
How to make Java 6, which fails SSL connection with "SSL peer shut down incorrectly", succeed like Java 7?
and javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake:
adding -Dhttps.protocols=TLSv1,SSLv3 and -Dsun.security.ssl.allowUnsafeRenegotiation=true to my Tomcat environment
but I didn't get any result. The exception still occurs randomly.
I enabled debug mode on javax.net and on the IMAP connection and got these results:
When the connection is not established correctly, the log looks like this:
DEBUG: setDebug: JavaMail version 1.5.3
DEBUG: getProvider() returning javax.mail.Provider[STORE,imap,com.sun.mail.imap.IMAPStore,Oracle]
DEBUG IMAP: mail.imap.fetchsize: 16384
DEBUG IMAP: mail.imap.ignorebodystructuresize: false
DEBUG IMAP: mail.imap.statuscachetimeout: 1000
DEBUG IMAP: mail.imap.appendbuffersize: -1
DEBUG IMAP: mail.imap.minidletime: 10
DEBUG IMAP: closeFoldersOnStoreFailure
DEBUG IMAP: trying to connect to host "outlook.office365.com", port 993, isSSL true
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% Client cached [Session-4, TLS_RSA_WITH_AES_128_CBC_SHA]
%% Try resuming [Session-4, TLS_RSA_WITH_AES_128_CBC_SHA] from port 51400
*** ClientHello, TLSv1
RandomCookie:
GMT: 1435130635
bytes = { , , , , , , , , , , , , , , , , , , , , , , , , , , }
Session ID: {66, 20, 0, 0, 123, 9, 142, 72, 150, 39, 215, 34, 63, 169, 129, 23, 25, 182, 88, 196, 86, 27, 216, 191, 117, 196, 37, 118, 229, 8, 9, 64}-
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]-
Compression Methods: { }
Extension server_name, server_name: [host_name: outlook.office365.com]
***-
[write] MD5 and SHA1 hashes: len = 125
46#CheckMailThread, WRITE: TLSv1 Handshake, length = 125
[Raw write]: length = 130
46#CheckMailThread, received EOFException: error
46#CheckMailThread, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
46#CheckMailThread, SEND TLSv1 ALERT: fatal, description = handshake_failure
46#CheckMailThread, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
46#CheckMailThread, called closeSocket()
and then the exception occurs
javax.mail.MessagingException: Remote host closed connection during handshake;
nested exception is:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:733)
at javax.mail.Service.connect(Service.java:364)
at javax.mail.Service.connect(Service.java:245)
(...)
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:953)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:574)
at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:369)
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:236)
at com.sun.mail.iap.Protocol.<init>(Protocol.java:117)
at com.sun.mail.imap.protocol.IMAPProtocol.<init>(IMAPProtocol.java:120)
at com.sun.mail.imap.IMAPStore.newIMAPProtocol(IMAPStore.java:753)
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:696)
... 6 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:482)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:934)
... 16 more
On the other hand, in most cases the thread is doing OK and the log looks like this:
DEBUG: setDebug: JavaMail version 1.5.3
DEBUG: getProvider() returning javax.mail.Provider[STORE,imap,com.sun.mail.imap.IMAPStore,Oracle]
DEBUG IMAP: mail.imap.fetchsize: 16384
DEBUG IMAP: mail.imap.ignorebodystructuresize: false
DEBUG IMAP: mail.imap.statuscachetimeout: 1000
DEBUG IMAP: mail.imap.appendbuffersize: -1
DEBUG IMAP: mail.imap.minidletime: 10
DEBUG IMAP: closeFoldersOnStoreFailure
DEBUG IMAP: trying to connect to host "outlook.office365.com", port 993, isSSL true
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% Client cached [Session-150, TLS_RSA_WITH_AES_128_CBC_SHA]
%% Try resuming [Session-150, TLS_RSA_WITH_AES_128_CBC_SHA] from port 59183
*** ClientHello, TLSv1
RandomCookie:
GMT: 1435076193
bytes = { , , , , , , , , , , , , , , , , , , , , , , , , , , , }
Session ID:
{241, 61, 0, 0, 224, 114, 43, 139, 255, 64, 232, 7, 209, 90, 5, 63, 63, 117, 33, 66, 215, 35, 48, 83, 131, 211, 38, 151, 73, 232, 6, 120}
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: {
}
Extension server_name, server_name: [host_name: outlook.office365.com]
***
[write] MD5 and SHA1 hashes: len = 125
46#CheckMailThread, WRITE: TLSv1 Handshake, length = 125
[Raw write]: length = 130
[Raw read]: length = 5
[Raw read]: length = 3532
46#CheckMailThread, READ: TLSv1 Handshake, length = 3532
*** ServerHello, TLSv1
RandomCookie:
GMT: 1435076194
Bytes = { , , , , , , , , , , , , , , , , , , , , , , , , , , , }
Session ID:
{112, 39, 0, 0, 59, 34, 200, 120, 31, 23, 110, 30, 10, 37, 236, 213, 46, 233, 201, 3, 253, 223, 81, 109, 188, 218, 33, 164, 33, 127, 27, 55}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-151, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
[read] MD5 and SHA1 hashes: len = 81
*** Certificate chain (...)
And then comes the certificate, etc.
So I was wondering what can cause such inconsistent behaviour.