Posted to httpclient-users@hc.apache.org by Travis T <tr...@hp.com> on 2011/03/08 00:24:06 UTC

SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

I have a server with a self signed certificate.  I've created a java key
store (trustStore) which includes that server in the trust store.  I have a
keystore which includes my certificate and private key.  My certificate was
signed by the server. I've used the API to create a SSLSocketFactory that
registers my keystore and truststore.

Using Apache HttpClient 4.0.1 it all worked.  I upgraded to 4.1 and, other
than having to reorder the arguments in the Scheme constructor, the code is
the same.  However, now I get a javax.net.ssl.SSLPeerUnverifiedException:
peer not authenticated

Help, please?

Below is the code:

import java.net.URI;
import java.security.KeyStore;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

// Fields assumed to be set up elsewhere in the class (not shown in the post):
// keyStore holds the client certificate and private key, trustStore holds the
// server's self-signed certificate, keyStorePassword is the key password.
// IOUtils.getContent(...) is assumed to be the poster's own helper.

String doGet(URI uri, String acceptType) throws Exception
{
    // To be replaced by common module.
    String result = null;
    DefaultHttpClient httpclient = new DefaultHttpClient();
    try
    {
        // 4.1 signature: SSLSocketFactory(KeyStore keystore, String keystorePassword, KeyStore truststore)
        SSLSocketFactory socketFactory = new SSLSocketFactory(keyStore,
                String.valueOf(keyStorePassword), trustStore);
        // 4.1 argument order: Scheme(name, port, factory); 4.0 was Scheme(name, factory, port)
        Scheme sch = new Scheme("https", 443, socketFactory);
        // Register on the registry owned by this client's connection manager
        httpclient.getConnectionManager().getSchemeRegistry().register(sch);

        HttpGet httpget = new HttpGet(uri.toASCIIString());
        httpget.addHeader("Accept", acceptType);
        HttpResponse response = httpclient.execute(httpget);
        HttpEntity entity = response.getEntity();

        result = IOUtils.getContent(entity.getContent());
    }
    finally
    {
        httpclient.getConnectionManager().shutdown();
    }

    return result;
}

Below is the exception I get in 4.1:

Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
    at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:562)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)
-- 
View this message in context: http://old.nabble.com/SSL-Mutual-Authentication-Code-worked-in-4.0.1-but-fails-in-4.1-tp31092864p31092864.html
Sent from the HttpClient-User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2011-04-26 at 01:04 -0700, harikris wrote:
> It worked only when we registered the scheme like this:
>         Scheme sch = new Scheme("https", 443, socketFactory);
>         SchemeRegistryFactory.createDefault().register(sch);
> 

This code has no effect, as the instance created by
SchemeRegistryFactory.createDefault() is not static. Take a look at the
source code.

You can simply remove these two lines.

Oleg

> We were using it as below, which does not seem to be working:
> 
>         Scheme sch = new Scheme("https", 443, socketFactory);
>         httpClient.getConnectionManager().getSchemeRegistry().register(sch);
> 
> 



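Added example (not posted in the thread, and not HttpClient's own code) that puts the two registrations next to each other and adds the check Oleg's answer implies. SchemeRegistryFactory.createDefault() builds a new SchemeRegistry on every call, so registering the mutual-TLS Scheme on its result changes nothing the client can see: the client keeps the stock https factory, which uses the JVM's default key and trust material instead of the loaded keyStore/trustStore, and the client certificate from keyStore is never presented. The registry to mutate is the one returned by the client's connection manager, or one you build yourself and hand to the connection manager. The keystore paths and the key.password system property in main are assumed inputs.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.scheme.SchemeSocketFactory;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.SchemeRegistryFactory;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;

/**
 * Three ways of wiring a mutual-TLS SSLSocketFactory into HttpClient 4.1.
 * One of them silently does nothing; the check at the bottom catches it.
 */
public class HttpsSchemeRegistration {

    /** WRONG: createDefault() returns a brand-new registry on every call, so this
     *  registration goes into an object nobody references. The client keeps the
     *  stock https factory, i.e. the JVM's default trust and key material. */
    static DefaultHttpClient registerOnThrowawayRegistry(SSLSocketFactory sf) {
        DefaultHttpClient client = new DefaultHttpClient();
        SchemeRegistryFactory.createDefault().register(new Scheme("https", 443, sf));
        return client;
    }

    /** RIGHT (a): mutate the registry the client's connection manager consults;
     *  register() replaces the stock https entry. */
    static DefaultHttpClient registerOnClientRegistry(SSLSocketFactory sf) {
        DefaultHttpClient client = new DefaultHttpClient();
        client.getConnectionManager().getSchemeRegistry()
              .register(new Scheme("https", 443, sf));
        return client;
    }

    /** RIGHT (b): build the registry first and hand it to the connection manager.
     *  No "http" scheme is registered, so a plain-text URL fails immediately
     *  instead of being sent in the clear. */
    static DefaultHttpClient registerViaConnectionManager(SSLSocketFactory sf) {
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("https", 443, sf));
        return new DefaultHttpClient(new ThreadSafeClientConnManager(registry));
    }

    /** Startup check: is the factory in effect for https the instance we built?
     *  Object identity is compared, not configuration. */
    static boolean httpsUsesFactory(DefaultHttpClient client, SchemeSocketFactory expected) {
        SchemeSocketFactory active = client.getConnectionManager()
                .getSchemeRegistry().getScheme("https").getSchemeSocketFactory();
        return active == expected;
    }

    /** Assumed inputs (hypothetical): keystore.jks truststore.jks, -Dkey.password=... */
    public static void main(String[] args) throws Exception {
        String keyPassword = System.getProperty("key.password", "");

        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            keyStore.load(in, keyPassword.toCharArray());
        }
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[1])) {
            trustStore.load(in, null);   // null password: integrity check skipped on read
        }
        // Same constructor the original post uses
        SSLSocketFactory sf = new SSLSocketFactory(keyStore, keyPassword, trustStore);

        DefaultHttpClient[] clients = {
            registerOnThrowawayRegistry(sf),
            registerOnClientRegistry(sf),
            registerViaConnectionManager(sf),
        };
        String[] labels = { "throwaway registry", "client registry", "own conn manager" };
        for (int i = 0; i < clients.length; i++) {
            System.out.println(labels[i] + ": https uses our factory = "
                    + httpsUsesFactory(clients[i], sf));
            clients[i].getConnectionManager().shutdown();
        }
    }
}
```

Run with the two stores as arguments: the first check comes back false and the other two true, because the throwaway registry is never consulted by the client. Leaving the http scheme out of the third variant is deliberate; a plain http:// URL then fails with an IllegalStateException from SchemeRegistry.getScheme before a byte leaves the machine.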


Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

Posted by harikris <bh...@gmail.com>.
It worked only when we registered the scheme like this:

        Scheme sch = new Scheme("https", 443, socketFactory);
        SchemeRegistryFactory.createDefault().register(sch);

We were using it as below, which does not seem to be working:

        Scheme sch = new Scheme("https", 443, socketFactory);
        httpClient.getConnectionManager().getSchemeRegistry().register(sch);


olegk wrote:
> 
> On Tue, 2011-04-26 at 00:43 -0700, harikris wrote:
>> Is this fixed yet? I believe we are seeing a similar issue with 4.1.1 as
>> well
>> 
> 
> Yes, this issue has been resolved in 4.1.1.
> 
> Oleg
> 
> 
> 
> 
> 
> 

-- 
View this message in context: http://old.nabble.com/SSL-Mutual-Authentication-Code-worked-in-4.0.1-but-fails-in-4.1-tp31092864p31476364.html
Sent from the HttpClient-User mailing list archive at Nabble.com.




Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2011-04-26 at 00:43 -0700, harikris wrote:
> Is this fixed yet? I believe we are seeing a similar issue with 4.1.1 as well
> 

Yes, this issue has been resolved in 4.1.1.

Oleg





Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

Posted by harikris <bh...@gmail.com>.
Is this fixed yet? I believe we are seeing a similar issue with 4.1.1 as well

olegk wrote:
> 
> On Thu, 2011-03-10 at 16:05 -0800, Travis T wrote:
>> 
> 
> ...
> 
>> 
>> Ok, I downloaded that branch and built it (had troubles with a memcache
>> dependency, so I commented out the httpcache project).  I manually put that
>> jar ahead of my Maven dependencies in my project classpath and the issue I
>> originally reported is now gone.  Looks like the fix on the 4.1.1 branch
>> addresses this issue.  Do you think the 4.1.1 jar will still be released
>> next week?
>> 
> 
> It is still possible. I'll probably start building release packages this
> Sunday.
> 
> Oleg
> 
> 
> 
> 
> 

-- 
View this message in context: http://old.nabble.com/SSL-Mutual-Authentication-Code-worked-in-4.0.1-but-fails-in-4.1-tp31092864p31476214.html
Sent from the HttpClient-User mailing list archive at Nabble.com.




Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, 2011-03-10 at 16:05 -0800, Travis T wrote:
> 

...

> 
> Ok, I downloaded that branch and built it (had troubles with a memcache
> dependency, so I commented out the httpcache project).  I manually put that jar
> ahead of my Maven dependencies in my project classpath and the issue I
> originally reported is now gone.  Looks like the fix on the 4.1.1 branch
> addresses this issue.  Do you think the 4.1.1 jar will still be released
> next week?
> 

It is still possible. I'll probably start building release packages this
Sunday.

Oleg




Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

Posted by Travis T <tr...@hp.com>.

olegk wrote:
> 
> On Thu, 2011-03-10 at 07:56 -0800, Travis T wrote:
>> 
>> olegk wrote:
>> > 
>> > Ideally you should test the fix _before_ it gets officially released.
>> > 
>> > The fix is now available in both trunk and 4.1.x branch.
>> > 
>> > Oleg
>> > 
>> > 
>> 
>> Sure. Is there a nightly build that you can point me to just to be sure I
>> don't mess something up locally?
> 
> There are snapshots built by the CI server but quite often they do not
> get correctly deployed to the snapshot repository, because the server
> often runs out of disk space.
> 
> Building HttpClient locally with Maven should be all right.
> 
> Oleg  
> 
> 

Ok, I downloaded that branch and built it (had troubles with a memcache
dependency, so I commented out the httpcache project).  I manually put that jar
ahead of my Maven dependencies in my project classpath and the issue I
originally reported is now gone.  Looks like the fix on the 4.1.1 branch
addresses this issue.  Do you think the 4.1.1 jar will still be released
next week?

-- 
View this message in context: http://old.nabble.com/SSL-Mutual-Authentication-Code-worked-in-4.0.1-but-fails-in-4.1-tp31092864p31121086.html
Sent from the HttpClient-User mailing list archive at Nabble.com.




Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Thu, 2011-03-10 at 07:56 -0800, Travis T wrote:
> 
> olegk wrote:
> > 
> > Ideally you should test the fix _before_ it gets officially released.
> > 
> > The fix is now available in both trunk and 4.1.x branch.
> > 
> > Oleg
> > 
> > 
> 
> Sure. Is there a nightly build that you can point me to just to be sure I
> don't mess something up locally?

There are snapshots built by the CI server but quite often they do not
get correctly deployed to the snapshot repository, because the server
often runs out of disk space.

Building HttpClient locally with Maven should be all right.

Oleg  




Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

Posted by Travis T <tr...@hp.com>.

olegk wrote:
> 
> Ideally you should test the fix _before_ it gets officially released.
> 
> The fix is now available in both trunk and 4.1.x branch.
> 
> Oleg
> 
> 

Sure. Is there a nightly build that you can point me to just to be sure I
don't mess something up locally?
-- 
View this message in context: http://old.nabble.com/SSL-Mutual-Authentication-Code-worked-in-4.0.1-but-fails-in-4.1-tp31092864p31116965.html
Sent from the HttpClient-User mailing list archive at Nabble.com.




Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2011-03-09 at 14:05 -0800, Travis T wrote:
> 
> 
> olegk wrote:
> > 
> > On Wed, 2011-03-09 at 10:16 -0800, Travis T wrote:
> >> 
> > 
> > 4.1.1 can be expected next week.
> > 
> > Oleg
> > 
> > 
> 
> Excellent.  Thank you!  I will look for that and try it when it becomes
> available.

Ideally you should test the fix _before_ it gets officially released.

The fix is now available in both trunk and 4.1.x branch.

Oleg




Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

Posted by Travis T <tr...@hp.com>.


olegk wrote:
> 
> On Wed, 2011-03-09 at 10:16 -0800, Travis T wrote:
>> 
> 
> 4.1.1 can be expected next week.
> 
> Oleg
> 
> 

Excellent.  Thank you!  I will look for that and try it when it becomes
available.
-- 
View this message in context: http://old.nabble.com/SSL-Mutual-Authentication-Code-worked-in-4.0.1-but-fails-in-4.1-tp31092864p31110889.html
Sent from the HttpClient-User mailing list archive at Nabble.com.




Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Wed, 2011-03-09 at 10:16 -0800, Travis T wrote:
> 
> olegk wrote:
> > 
> > Travis,
> > 
> > It looks like the remote server all of a sudden drops the connection in
> > the middle of the SSL handshake on the unsuspecting client. Looks very
> > bizarre.
> > 
> > I reviewed the code of both versions and found some subtle
> > differences in the algorithm used by SSLSocketFactory in HC 4.0.1 and HC
> > 4.1 to create SSLSocket instances and to connect them to a remote
> > endpoint. 
> > 
> > Could you please try out two things?
> > 
> > (1) Please check the socket timeout value configured for the request and
> > make sure it is not too aggressive (low)
> > 
> > (2) Make a copy of SSLSocketFactory, 
> > 
> > http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/SSLSocketFactory.java
> > 
> > replace #createSocket method with this one
> > 
> > ---
> > public Socket createSocket(final HttpParams params) throws IOException {
> >   return this.socketfactory.createSocket();
> > }
> > ---
> > 
> > and configure HttpClient to use your implementation of SSLSocketFactory
> > instead of the stock one.
> > 
> > Oleg
> > 
> > 
> 
> Oleg,
> 
> Your new code fixed the issue!  Thank you!
> 
> So, it appears that the existing 4.1 code wasn't using the socket factory to
> create the socket. 

There is nothing wrong with the behavior of SSLSocketFactory in HC 4.1.
Initially it creates a plain socket but then it uses SSL socket factory
to put the SSL/TLS encryption layer on top of it. 


>  I'll provide some details below, but my question is when
> would I expect to get this fix in an official build? I want to move past
> 4.0.1, but I don't want to use my own patched build.
> 

4.1.1 can be expected next week.

Oleg





Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

Posted by Travis T <tr...@hp.com>.

olegk wrote:
> 
> Travis,
> 
> It looks like the remote server all of a sudden drops the connection in
> the middle of the SSL handshake on the unsuspecting client. Looks very
> bizarre.
> 
> I reviewed the code of both versions and found some subtle
> differences in the algorithm used by SSLSocketFactory in HC 4.0.1 and HC
> 4.1 to create SSLSocket instances and to connect them to a remote
> endpoint. 
> 
> Could you please try out two things?
> 
> (1) Please check the socket timeout value configured for the request and
> make sure it is not too aggressive (low)
> 
> (2) Make a copy of SSLSocketFactory, 
> 
> http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/SSLSocketFactory.java
> 
> replace #createSocket method with this one
> 
> ---
> public Socket createSocket(final HttpParams params) throws IOException {
>   return this.socketfactory.createSocket();
> }
> ---
> 
> and configure HttpClient to use your implementation of SSLSocketFactory
> instead of the stock one.
> 
> Oleg
> 
> 

Oleg,

Your new code fixed the issue!  Thank you!

So, it appears that the existing 4.1 code wasn't using the socket factory to
create the socket.  I'll provide some details below, but my question is when
would I expect to get this fix in an official build? I want to move past
4.0.1, but I don't want to use my own patched build.

Some info on what I did:

The socket timeout was showing as being set to 0, which I traced through the
httpclient code to mean an infinite timeout, per the below:


    /**
     * Defines the socket timeout (<code>SO_TIMEOUT</code>) in milliseconds,
     * which is the timeout for waiting for data  or, put differently,
     * a maximum period inactivity between two consecutive data packets).
     * A timeout value of zero is interpreted as an infinite timeout.
     * <p>
     * This parameter expects a value of type {@link Integer}.
     * </p>
     * @see java.net.SocketOptions#SO_TIMEOUT
     */
    public static final String SO_TIMEOUT = "http.socket.timeout";


However, I went ahead and tried to change that timeout using the below and I
still got failures:


            HttpParams params = httpget.getParams();
            int soTimeout = HttpConnectionParams.getSoTimeout(params);
            HttpConnectionParams.setSoTimeout(params, 100000);
            httpget.setParams(params);


I took the svn URL you gave for the new code, but I could not use it, because
SSLSocketFactory has already changed since 4.1.  It references
org.apache.http.conn.HttpInetSocketAddress, which I traced to being @since
4.2.  Since I wanted to use the 4.1 dependency and only hot-replace the
SSLSocketFactory method you mentioned above, I pulled the
SSLSocketFactory from the 4.1 tag (I hope that was the right tag):
http://svn.apache.org/repos/asf/httpcomponents/httpclient/tags/4.1/httpclient/src/main/java/org/apache/http/conn/ssl/SSLSocketFactory.java

The method in that code showed the following, which I see means that the 4.1
code wasn't actually using the socket factory to create the socket.


    public Socket createSocket(final HttpParams params) throws IOException {
        return new Socket();
    }


-- 
View this message in context: http://old.nabble.com/SSL-Mutual-Authentication-Code-worked-in-4.0.1-but-fails-in-4.1-tp31092864p31108967.html
Sent from the HttpClient-User mailing list archive at Nabble.com.




Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2011-03-08 at 09:22 -0800, Travis T wrote:
> 
> olegk wrote:
> > 
> > Try running your code with the SSL debug enabled to get more details
> > about the trust material sent by the server during the SSL handshake.
> > 
> > Oleg 
> > 
> 
> Below is the debug output of the handshake from the 4.0.1 (which succeeds)
> and the 4.1 (that fails).  If you need more, please let me know.  I really
> appreciate any help.
> 
> 4.0.1 Success
> 
>     DEBUG [2011-03-08 10:11:39]
> [org.apache.http.impl.conn.SingleClientConnManager] Get connection for route
> HttpRoute[{s}->https://SCRUBBED:8140]
>     main, setSoTimeout(0) called
>     %% No cached client session
>     *** ClientHello, TLSv1
>     RandomCookie:  GMT: 1299604300 bytes = { 56, 69, 171, 192, 81, 150, 1,
> 51, 148, 122, 219, 92, 104, 240, 83, 119, 239, 134, 243, 194, 25, 4, 204,
> 78, 207, 154, 158, 109 }
>     Session ID:  {}
>     Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
> SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
> SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
> SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
>     Compression Methods:  { 0 }
>     ***
>     [write] MD5 and SHA1 hashes:  len = 79
>     0000: 01 00 00 4B 03 01 4D 76   63 4C 38 45 AB C0 51 96 
> ...K..MvcL8E..Q.
>     0010: 01 33 94 7A DB 5C 68 F0   53 77 EF 86 F3 C2 19 04 
> .3.z.\h.Sw......
>     0020: CC 4E CF 9A 9E 6D 00 00   24 00 04 00 05 00 2F 00 
> .N...m..$...../.
>     0030: 35 00 33 00 39 00 32 00   38 00 0A 00 16 00 13 00 
> 5.3.9.2.8.......
>     0040: 09 00 15 00 12 00 03 00   08 00 14 00 11 01 00     ...............
>     main, WRITE: TLSv1 Handshake, length = 79
>     [write] MD5 and SHA1 hashes:  len = 107
>     0000: 01 03 01 00 42 00 00 00   20 00 00 04 01 00 80 00  ....B...
> .......
>     0010: 00 05 00 00 2F 00 00 35   00 00 33 00 00 39 00 00 
> ..../..5..3..9..
>     0020: 32 00 00 38 00 00 0A 07   00 C0 00 00 16 00 00 13 
> 2..8............
>     0030: 00 00 09 06 00 40 00 00   15 00 00 12 00 00 03 02 
> .....@..........
>     0040: 00 80 00 00 08 00 00 14   00 00 11 4D 76 63 4C 38 
> ...........MvcL8
>     0050: 45 AB C0 51 96 01 33 94   7A DB 5C 68 F0 53 77 EF 
> E..Q..3.z.\h.Sw.
>     0060: 86 F3 C2 19 04 CC 4E CF   9A 9E 6D                 ......N...m
>     main, WRITE: SSLv2 client hello message, length = 107
>     [Raw write]: length = 109
>     0000: 80 6B 01 03 01 00 42 00   00 00 20 00 00 04 01 00  .k....B...
> .....
>     0010: 80 00 00 05 00 00 2F 00   00 35 00 00 33 00 00 39 
> ....../..5..3..9
>     0020: 00 00 32 00 00 38 00 00   0A 07 00 C0 00 00 16 00 
> ..2..8..........
>     0030: 00 13 00 00 09 06 00 40   00 00 15 00 00 12 00 00 
> .......@........
>     0040: 03 02 00 80 00 00 08 00   00 14 00 00 11 4D 76 63 
> .............Mvc
>     0050: 4C 38 45 AB C0 51 96 01   33 94 7A DB 5C 68 F0 53 
> L8E..Q..3.z.\h.S
>     0060: 77 EF 86 F3 C2 19 04 CC   4E CF 9A 9E 6D           w.......N...m
>     [Raw read]: length = 5
>     0000: 16 03 01 00 4A                                     ....J
>     [Raw read]: length = 74
>     0000: 02 00 00 46 03 01 4D 76   62 42 57 B1 AF A4 0E 69 
> ...F..MvbBW....i
>     0010: F4 C6 3B B3 1B EB 16 CF   AE 01 DD E1 74 1A 1A 27 
> ..;.........t..'
>     0020: 03 C3 C9 EB D3 87 20 38   B4 66 57 D4 3D 95 14 B6  ......
> 8.fW.=...
>     0030: 02 92 A3 9A D2 BB EE A4   3F 90 C6 3B 4C B1 94 F5 
> ........?..;L...
>     0040: DF 34 8F 53 B3 84 F5 00   04 00                    .4.S......
>     main, READ: TLSv1 Handshake, length = 74
>     *** ServerHello, TLSv1
>     RandomCookie:  GMT: 1299604034 bytes = { 87, 177, 175, 164, 14, 105,
> 244, 198, 59, 179, 27, 235, 22, 207, 174, 1, 221, 225, 116, 26, 26, 39, 3,
> 195, 201, 235, 211, 135 }
>     Session ID:  {56, 180, 102, 87, 212, 61, 149, 20, 182, 2, 146, 163, 154,
> 210, 187, 238, 164, 63, 144, 198, 59, 76, 177, 148, 245, 223, 52, 143, 83,
> 179, 132, 245}
>     Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
>     Compression Method: 0
>     ***
>     %% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
> 
> 4.1 Failure
> 
>     DEBUG [2011-03-08 10:09:33]
> [org.apache.http.impl.conn.SingleClientConnManager] Get connection for route
> HttpRoute[{s}->https://SCRUBBED:8140]
>     DEBUG [2011-03-08 10:09:33]
> [org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting to
> SCRUBBED/IPADDRSCRUBBED:8140
>     %% No cached client session
>     *** ClientHello, TLSv1
>     RandomCookie:  GMT: 1299603917 bytes = { 223, 239, 55, 100, 246, 87, 34,
> 54, 117, 35, 249, 56, 223, 119, 72, 23, 219, 220, 23, 74, 131, 189, 167, 80,
> 105, 234, 59, 207 }
>     Session ID:  {}
>     Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
> SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
> SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
> SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
>     Compression Methods:  { 0 }
>     ***
>     [write] MD5 and SHA1 hashes:  len = 79
>     0000: 01 00 00 4B 03 01 4D 76   62 CD DF EF 37 64 F6 57 
> ...K..Mvb...7d.W
>     0010: 22 36 75 23 F9 38 DF 77   48 17 DB DC 17 4A 83 BD 
> "6u#.8.wH....J..
>     0020: A7 50 69 EA 3B CF 00 00   24 00 04 00 05 00 2F 00 
> .Pi.;...$...../.
>     0030: 35 00 33 00 39 00 32 00   38 00 0A 00 16 00 13 00 
> 5.3.9.2.8.......
>     0040: 09 00 15 00 12 00 03 00   08 00 14 00 11 01 00     ...............
>     main, WRITE: TLSv1 Handshake, length = 79
>     [write] MD5 and SHA1 hashes:  len = 107
>     0000: 01 03 01 00 42 00 00 00   20 00 00 04 01 00 80 00  ....B...
> .......
>     0010: 00 05 00 00 2F 00 00 35   00 00 33 00 00 39 00 00 
> ..../..5..3..9..
>     0020: 32 00 00 38 00 00 0A 07   00 C0 00 00 16 00 00 13 
> 2..8............
>     0030: 00 00 09 06 00 40 00 00   15 00 00 12 00 00 03 02 
> .....@..........
>     0040: 00 80 00 00 08 00 00 14   00 00 11 4D 76 62 CD DF 
> ...........Mvb..
>     0050: EF 37 64 F6 57 22 36 75   23 F9 38 DF 77 48 17 DB 
> .7d.W"6u#.8.wH..
>     0060: DC 17 4A 83 BD A7 50 69   EA 3B CF                 ..J...Pi.;.
>     main, WRITE: SSLv2 client hello message, length = 107
>     [Raw write]: length = 109
>     0000: 80 6B 01 03 01 00 42 00   00 00 20 00 00 04 01 00  .k....B...
> .....
>     0010: 80 00 00 05 00 00 2F 00   00 35 00 00 33 00 00 39 
> ....../..5..3..9
>     0020: 00 00 32 00 00 38 00 00   0A 07 00 C0 00 00 16 00 
> ..2..8..........
>     0030: 00 13 00 00 09 06 00 40   00 00 15 00 00 12 00 00 
> .......@........
>     0040: 03 02 00 80 00 00 08 00   00 14 00 00 11 4D 76 62 
> .............Mvb
>     0050: CD DF EF 37 64 F6 57 22   36 75 23 F9 38 DF 77 48 
> ...7d.W"6u#.8.wH
>     0060: 17 DB DC 17 4A 83 BD A7   50 69 EA 3B CF           ....J...Pi.;.
>     main, handling exception: java.net.SocketException: Software caused
> connection abort: recv failed
>     main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
>     main, WRITE: TLSv1 Alert, length = 2
>     main, Exception sending alert: java.net.SocketException: Software caused
> connection abort: socket write error
>     main, called closeSocket()
>     main, IOException in getSession():  java.net.SocketException: Software
> caused connection abort: recv failed
>     main, called close()
>     main, called closeInternal(true)
>     DEBUG [2011-03-08 10:09:33]
> [org.apache.http.impl.conn.DefaultClientConnection] Connection closed
>     DEBUG [2011-03-08 10:09:33]
> [org.apache.http.impl.conn.DefaultClientConnection] Connection shut down
>     DEBUG [2011-03-08 10:09:33]
> [org.apache.http.impl.conn.SingleClientConnManager] Releasing connection
> org.apache.http.impl.conn.SingleClientConnManager$ConnAdapter@d0a5d9
>     Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>         at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)

...

Travis,

It looks like the remote server all of a sudden drops the connection in
the middle of the SSL handshake on the unsuspecting client. Looks very
bizarre.

I reviewed the code of both versions and found some subtle
differences in the algorithm used by SSLSocketFactory in HC 4.0.1 and HC
4.1 to create SSLSocket instances and to connect them to a remote
endpoint. 

Could you please try out two things?

(1) Please check the socket timeout value configured for the request and
make sure it is not too aggressive (low)

(2) Make a copy of SSLSocketFactory, 

http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/SSLSocketFactory.java

replace #createSocket method with this one

---
public Socket createSocket(final HttpParams params) throws IOException {
  return this.socketfactory.createSocket();
}
---

and configure HttpClient to use your implementation of SSLSocketFactory
instead of the stock one.

Oleg



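Added example (not from the thread, and not HttpClient's own code) that does by hand what Oleg describes HttpClient 4.1 doing: connect a plain socket first, then let the JSSE factory layer TLS on top of it. It also shows the detail behind the exception in the quoted trace, where "IOException in getSession()" is immediately followed by SSLPeerUnverifiedException. SSLSocket.getSession() runs the handshake on demand and, per its Javadoc, returns an invalid session when that handshake fails; getPeerCertificates() on an invalid session reports "peer not authenticated". Calling startHandshake() explicitly before anything touches the session makes the real failure, here the server dropping the connection after the ClientHello, surface as the SocketException it is. Host, port, store paths and the key.password property are assumed command-line inputs.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

import org.apache.http.conn.ssl.SSLSocketFactory;

/**
 * Connects the way HttpClient 4.1's SSLSocketFactory does (plain TCP connect,
 * then TLS layered on the connected socket) and forces the handshake before
 * the session is inspected, so a server that aborts mid-handshake is reported
 * as the real IOException and not as "peer not authenticated".
 */
public class LayeredMutualTlsProbe {

    /** Client key and certificate come from keyStore; the only trusted server
     *  certificate is the one in trustStore (JVM cacerts are NOT consulted). */
    static SSLContext mutualTlsContext(KeyStore keyStore, char[] keyPassword,
                                       KeyStore trustStore) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Returns the server's chain after a completed, hostname-verified handshake. */
    static Certificate[] connectAndVerify(SSLContext ctx, String host, int port,
                                          int connectTimeoutMs, int soTimeoutMs)
            throws IOException {
        // 1. Plain socket first, with explicit timeouts (0 would mean "wait forever").
        Socket plain = new Socket();
        plain.setSoTimeout(soTimeoutMs);
        plain.connect(new InetSocketAddress(host, port), connectTimeoutMs);

        // 2. Layer TLS over the connected socket; autoClose=true ties the plain
        //    socket's lifetime to the SSL socket's.
        SSLSocket ssl = (SSLSocket) ctx.getSocketFactory()
                .createSocket(plain, host, port, true);
        ssl.setUseClientMode(true);
        try {
            // 3. Force the handshake. Without this, getSession() runs it lazily,
            //    swallows any IOException (the "IOException in getSession()" line
            //    in the trace) and returns an invalid session, whose
            //    getPeerCertificates() then throws SSLPeerUnverifiedException.
            ssl.startHandshake();

            SSLSession session = ssl.getSession();
            Certificate[] chain = session.getPeerCertificates();

            // 4. Hostname check with the verifier HttpClient 4.1's SSLSocketFactory
            //    uses unless configured otherwise.
            SSLSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER.verify(host, ssl);
            return chain;
        } finally {
            ssl.close();
        }
    }

    /** Assumed inputs (hypothetical): host port keystore.jks truststore.jks,
     *  plus -Dkey.password=... for the keystore. */
    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        char[] keyPassword = System.getProperty("key.password", "").toCharArray();

        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[2])) {
            keyStore.load(in, keyPassword);
        }
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[3])) {
            trustStore.load(in, null);   // null password: integrity check skipped on read
        }

        SSLContext ctx = mutualTlsContext(keyStore, keyPassword, trustStore);
        Certificate[] chain = connectAndVerify(ctx, host, port, 5000, 30000);
        X509Certificate leaf = (X509Certificate) chain[0];
        System.out.println("handshake completed; server presented "
                + leaf.getSubjectX500Principal() + " (chain length " + chain.length + ")");
    }
}
```

Up to the handshake this behaves like the stock 4.1 factory; the difference is only which exception the caller gets when the handshake does not complete. Run it with the same keystore, truststore and host:port used with HttpClient: a truststore that does not contain the server's certificate, or a server that refuses the offered client certificate, fails inside startHandshake() with an SSLHandshakeException, and a server that resets the connection after the ClientHello fails there with the SocketException seen in the trace, rather than later with "peer not authenticated".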


Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

Posted by Travis T <tr...@hp.com>.

olegk wrote:
> 
> Try running your code with the SSL debug enabled to get more details
> about the trust material sent by the server during the SSL handshake.
> 
> Oleg 
> 

Below is the debug output of the handshake from the 4.0.1 (which succeeds)
and the 4.1 (that fails).  If you need more, please let me know.  I really
appreciate any help.

4.0.1 Success

    DEBUG [2011-03-08 10:11:39]
[org.apache.http.impl.conn.SingleClientConnManager] Get connection for route
HttpRoute[{s}->https://SCRUBBED:8140]
    main, setSoTimeout(0) called
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie:  GMT: 1299604300 bytes = { 56, 69, 171, 192, 81, 150, 1,
51, 148, 122, 219, 92, 104, 240, 83, 119, 239, 134, 243, 194, 25, 4, 204,
78, 207, 154, 158, 109 }
    Session ID:  {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods:  { 0 }
    ***
    [write] MD5 and SHA1 hashes:  len = 79
    0000: 01 00 00 4B 03 01 4D 76   63 4C 38 45 AB C0 51 96 
...K..MvcL8E..Q.
    0010: 01 33 94 7A DB 5C 68 F0   53 77 EF 86 F3 C2 19 04 
.3.z.\h.Sw......
    0020: CC 4E CF 9A 9E 6D 00 00   24 00 04 00 05 00 2F 00 
.N...m..$...../.
    0030: 35 00 33 00 39 00 32 00   38 00 0A 00 16 00 13 00 
5.3.9.2.8.......
    0040: 09 00 15 00 12 00 03 00   08 00 14 00 11 01 00     ...............
    main, WRITE: TLSv1 Handshake, length = 79
    [write] MD5 and SHA1 hashes:  len = 107
    0000: 01 03 01 00 42 00 00 00   20 00 00 04 01 00 80 00  ....B...
.......
    0010: 00 05 00 00 2F 00 00 35   00 00 33 00 00 39 00 00 
..../..5..3..9..
    0020: 32 00 00 38 00 00 0A 07   00 C0 00 00 16 00 00 13 
2..8............
    0030: 00 00 09 06 00 40 00 00   15 00 00 12 00 00 03 02 
.....@..........
    0040: 00 80 00 00 08 00 00 14   00 00 11 4D 76 63 4C 38 
...........MvcL8
    0050: 45 AB C0 51 96 01 33 94   7A DB 5C 68 F0 53 77 EF 
E..Q..3.z.\h.Sw.
    0060: 86 F3 C2 19 04 CC 4E CF   9A 9E 6D                 ......N...m
    main, WRITE: SSLv2 client hello message, length = 107
    [Raw write]: length = 109
    0000: 80 6B 01 03 01 00 42 00   00 00 20 00 00 04 01 00  .k....B... .....
    0010: 80 00 00 05 00 00 2F 00   00 35 00 00 33 00 00 39  ....../..5..3..9
    0020: 00 00 32 00 00 38 00 00   0A 07 00 C0 00 00 16 00  ..2..8..........
    0030: 00 13 00 00 09 06 00 40   00 00 15 00 00 12 00 00  .......@........
    0040: 03 02 00 80 00 00 08 00   00 14 00 00 11 4D 76 63  .............Mvc
    0050: 4C 38 45 AB C0 51 96 01   33 94 7A DB 5C 68 F0 53  L8E..Q..3.z.\h.S
    0060: 77 EF 86 F3 C2 19 04 CC   4E CF 9A 9E 6D           w.......N...m
    [Raw read]: length = 5
    0000: 16 03 01 00 4A                                     ....J
    [Raw read]: length = 74
    0000: 02 00 00 46 03 01 4D 76   62 42 57 B1 AF A4 0E 69  ...F..MvbBW....i
    0010: F4 C6 3B B3 1B EB 16 CF   AE 01 DD E1 74 1A 1A 27  ..;.........t..'
    0020: 03 C3 C9 EB D3 87 20 38   B4 66 57 D4 3D 95 14 B6  ...... 8.fW.=...
    0030: 02 92 A3 9A D2 BB EE A4   3F 90 C6 3B 4C B1 94 F5  ........?..;L...
    0040: DF 34 8F 53 B3 84 F5 00   04 00                    .4.S......
    main, READ: TLSv1 Handshake, length = 74
    *** ServerHello, TLSv1
    RandomCookie:  GMT: 1299604034 bytes = { 87, 177, 175, 164, 14, 105,
244, 198, 59, 179, 27, 235, 22, 207, 174, 1, 221, 225, 116, 26, 26, 39, 3,
195, 201, 235, 211, 135 }
    Session ID:  {56, 180, 102, 87, 212, 61, 149, 20, 182, 2, 146, 163, 154,
210, 187, 238, 164, 63, 144, 198, 59, 76, 177, 148, 245, 223, 52, 143, 83,
179, 132, 245}
    Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
    Compression Method: 0
    ***
    %% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]

4.1 Failure

    DEBUG [2011-03-08 10:09:33]
[org.apache.http.impl.conn.SingleClientConnManager] Get connection for route
HttpRoute[{s}->https://SCRUBBED:8140]
    DEBUG [2011-03-08 10:09:33]
[org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting to
SCRUBBED/IPADDRSCRUBBED:8140
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie:  GMT: 1299603917 bytes = { 223, 239, 55, 100, 246, 87, 34,
54, 117, 35, 249, 56, 223, 119, 72, 23, 219, 220, 23, 74, 131, 189, 167, 80,
105, 234, 59, 207 }
    Session ID:  {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA,
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
    Compression Methods:  { 0 }
    ***
    [write] MD5 and SHA1 hashes:  len = 79
    0000: 01 00 00 4B 03 01 4D 76   62 CD DF EF 37 64 F6 57  ...K..Mvb...7d.W
    0010: 22 36 75 23 F9 38 DF 77   48 17 DB DC 17 4A 83 BD  "6u#.8.wH....J..
    0020: A7 50 69 EA 3B CF 00 00   24 00 04 00 05 00 2F 00  .Pi.;...$...../.
    0030: 35 00 33 00 39 00 32 00   38 00 0A 00 16 00 13 00  5.3.9.2.8.......
    0040: 09 00 15 00 12 00 03 00   08 00 14 00 11 01 00     ...............
    main, WRITE: TLSv1 Handshake, length = 79
    [write] MD5 and SHA1 hashes:  len = 107
    0000: 01 03 01 00 42 00 00 00   20 00 00 04 01 00 80 00  ....B... .......
    0010: 00 05 00 00 2F 00 00 35   00 00 33 00 00 39 00 00  ..../..5..3..9..
    0020: 32 00 00 38 00 00 0A 07   00 C0 00 00 16 00 00 13  2..8............
    0030: 00 00 09 06 00 40 00 00   15 00 00 12 00 00 03 02  .....@..........
    0040: 00 80 00 00 08 00 00 14   00 00 11 4D 76 62 CD DF  ...........Mvb..
    0050: EF 37 64 F6 57 22 36 75   23 F9 38 DF 77 48 17 DB  .7d.W"6u#.8.wH..
    0060: DC 17 4A 83 BD A7 50 69   EA 3B CF                 ..J...Pi.;.
    main, WRITE: SSLv2 client hello message, length = 107
    [Raw write]: length = 109
    0000: 80 6B 01 03 01 00 42 00   00 00 20 00 00 04 01 00  .k....B... .....
    0010: 80 00 00 05 00 00 2F 00   00 35 00 00 33 00 00 39  ....../..5..3..9
    0020: 00 00 32 00 00 38 00 00   0A 07 00 C0 00 00 16 00  ..2..8..........
    0030: 00 13 00 00 09 06 00 40   00 00 15 00 00 12 00 00  .......@........
    0040: 03 02 00 80 00 00 08 00   00 14 00 00 11 4D 76 62  .............Mvb
    0050: CD DF EF 37 64 F6 57 22   36 75 23 F9 38 DF 77 48  ...7d.W"6u#.8.wH
    0060: 17 DB DC 17 4A 83 BD A7   50 69 EA 3B CF           ....J...Pi.;.
    main, handling exception: java.net.SocketException: Software caused
connection abort: recv failed
    main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
    main, WRITE: TLSv1 Alert, length = 2
    main, Exception sending alert: java.net.SocketException: Software caused
connection abort: socket write error
    main, called closeSocket()
    main, IOException in getSession():  java.net.SocketException: Software
caused connection abort: recv failed
    main, called close()
    main, called closeInternal(true)
    DEBUG [2011-03-08 10:09:33]
[org.apache.http.impl.conn.DefaultClientConnection] Connection closed
    DEBUG [2011-03-08 10:09:33]
[org.apache.http.impl.conn.DefaultClientConnection] Connection shut down
    DEBUG [2011-03-08 10:09:33]
[org.apache.http.impl.conn.SingleClientConnManager] Releasing connection
org.apache.http.impl.conn.SingleClientConnManager$ConnAdapter@d0a5d9
    Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException:
peer not authenticated
    	at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
    	at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
    	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
    	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
    	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
    	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
    	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:562)
    	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
    	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
    	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
    	at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)
    	at com.hp.arm.intg.deployer.puppet.prototype.AbstractPuppetRestClient.doGet(AbstractPuppetRestClient.java:88)
    	at com.hp.arm.intg.deployer.puppet.prototype.PuppetMasterRestClient.getCatalog(PuppetMasterRestClient.java:36)
    	at com.hp.arm.intg.deployer.puppet.prototype.PuppetMasterRestClient.main(PuppetMasterRestClient.java:19)

-- 
View this message in context: http://old.nabble.com/SSL-Mutual-Authentication-Code-worked-in-4.0.1-but-fails-in-4.1-tp31092864p31099177.html
Sent from the HttpClient-User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


Re: SSL Mutual Authentication Code worked in 4.0.1 but fails in 4.1

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Mon, 2011-03-07 at 15:24 -0800, Travis T wrote:
> I have a server with a self signed certificate.  I've created a java key
> store (trustStore) which includes that server in the trust store.  I have a
> keystore which includes my certificate and private key.  My certificate was
> signed by the server. I've used the API to create a SSLSocketFactory that
> registers my keystore and truststore.
> 
> Using Apache HTTPClient 4.0.1 it all worked.  I upgraded to 4.1 and other
> than having to reorder the arguments in the Scheme constructor the code is
> the same.  However, now I get a javax.net.ssl.SSLPeerUnverifiedException:
> peer not authenticated
> 
> Help, please?
> 

I can't think of any changes in 4.1 that could lead to a different
behavior with regards to SSL authentication compared to 4.0.1. Both
versions essentially use the same JSSE API to get the job done.

Try running your code with the SSL debug enabled to get more details
about the trust material sent by the server during the SSL handshake.

Oleg 
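
As an added illustration of the diagnostic Oleg suggests (editor-supplied
code, not part of the thread and not HttpClient's own), here is a plain
JSSE probe that loads the same kind of keystore and truststore the
original doGet() uses, switches on javax.net.debug, runs the handshake
against a host and port, and then prints what the session actually
contains: negotiated protocol and cipher, the server's chain, and
whether a client certificate was sent at all. The class name, the
command-line argument order and the choice of the "ssl:handshake" debug
value are assumptions; the file paths and passwords are whatever is
passed in. It deliberately does no hostname verification, which is the
extra step HttpClient's AbstractVerifier performs after the handshake,
so a failure here is a trust or protocol problem rather than a hostname
mismatch.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical stand-alone mutual-TLS probe; not HttpClient code. */
public class MutualTlsProbe {

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: MutualTlsProbe host port keystore.jks keypass truststore.jks");
            System.exit(2);
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        char[] keyPass = args[3].toCharArray();

        // Same switch as -Djavax.net.debug=ssl:handshake on the command line.
        // It is read when the JSSE classes initialise, so set it before SSLContext is touched.
        System.setProperty("javax.net.debug", "ssl:handshake");

        KeyStore keyStore = load(args[2], keyPass);
        KeyStore trustStore = load(args[4], null);   // password only checks store integrity; null skips that

        // Key managers present our certificate + private key when the server sends CertificateRequest.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPass);
        // Trust managers decide whether the server's (self-signed) certificate is acceptable.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            // Uncomment to send a plain TLSv1 ClientHello instead of the SSLv2-compatible
            // hello visible in the traces above ("WRITE: SSLv2 client hello message").
            // sock.setEnabledProtocols(new String[] { "TLSv1" });

            sock.startHandshake();   // SSLHandshakeException here = trust/protocol failure
            SSLSession s = sock.getSession();
            System.out.println("protocol=" + s.getProtocol() + " cipher=" + s.getCipherSuite());

            System.out.println("server chain:");
            // Throws SSLPeerUnverifiedException if the peer was not authenticated,
            // which is exactly what HttpClient's AbstractVerifier hit in the trace.
            for (Certificate c : s.getPeerCertificates()) {
                describe((X509Certificate) c);
            }

            // Null means no client certificate went out: either the server never
            // asked for one, or no key entry in the keystore matched its request.
            Certificate[] local = s.getLocalCertificates();
            if (local == null) {
                System.out.println("client certificate: NOT sent");
            } else {
                System.out.println("client certificate sent:");
                describe((X509Certificate) local[0]);
            }
        } finally {
            sock.close();
        }
    }

    private static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    private static void describe(X509Certificate c) {
        System.out.println("  subject=" + c.getSubjectX500Principal()
                + " issuer=" + c.getIssuerX500Principal()
                + " notAfter=" + c.getNotAfter());
    }
}
```

Run it against the same host and port the failing HttpClient route shows
(the trace above connects to SCRUBBED:8140) and compare the handshake
output with the HttpClient run: if the probe completes and prints a
server chain but HttpClient still reports "peer not authenticated", the
difference lies in how the socket factory and scheme are wired, not in
the trust material; if the probe also fails before a ServerHello arrives,
the server is rejecting the hello itself and the client-side stores are
not yet in play.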