Posted to httpclient-users@hc.apache.org by "Welty, Richard" <rw...@ltionline.com> on 2012/09/25 17:39:18 UTC

how to work around javax.net.ssl.SSLKeyException: RSA premaster

I'm working on a project which is switching to httpclient 4 from the old commons-httpclient 3, and I'm working through certificate issues.



The environment is FuseESBEnterprise-7.0.1, a packaging of apache servicenow, and I obtained httpclient 4 via the camel-http4 feature. The OS is CentOS 6 with openjdk 1.6.0

The remote site I'm accessing is demo04.service-now.com, which is using some sort of wildcarded certificate. I used code found here (http://javaskeleton.blogspot.com/2010/07/avoiding-peer-not-authenticated-with.html) to work around the wildcard problem.



I can access the site via curl easily enough:



curl -u admin:admin https://demo04.service-now.com/cmdb_ci_list.do?XML&sysparm_query=name=123.123.123.198



and it returns the expected result



having worked through the wildcard issue, I'm now looking at this, with no clear understanding of how to go forward. Does anyone have any suggestions?



javax.net.ssl.SSLKeyException: RSA premaster secret error
        at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:114)[:1.6.0_24]
        at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:703)[:1.6.0_24]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:228)[:1.6.0_24]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)[:1.6.0_24]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)[:1.6.0_24]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945)[:1.6.0_24]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)[:1.6.0_24]
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)[:1.6.0_24]
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)[:1.6.0_24]
...



RE: how to work around javax.net.ssl.SSLKeyException: RSA premaster

Posted by "Welty, Richard" <rw...@ltionline.com>.
Oleg Kalnichevski [mailto:olegk@apache.org] writes:

>This looks like an SSL protocol issue unrelated to HttpClient. All I can think of is upgrading the JRE to something newer.

I tried openjdk 1.7, no change. Will try the suggestion of the unlimited strength JCE files next.

Richard


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org


RE: how to work around javax.net.ssl.SSLKeyException: RSA premaster

Posted by "Welty, Richard" <rw...@ltionline.com>.
I finally worked out how to get the wirelog out of a Fuse ESB application, it's attached.

From: Susanta Mohapatra [mailto:mohapatra.susanta@gmail.com]
Sent: Thursday, October 04, 2012 10:18 AM
To: Welty, Richard
Cc: HttpClient User Discussion
Subject: Re: how to work around javax.net.ssl.SSLKeyException: RSA premaster


This is strange...  can you provide more info?

- what is the jdk version ?
- which server are you trying to connect? apache httpd or any thing else?
- are you using any authentication scheme with ssl ? like basic/digest/ntlm etc

try to start jvm with following flag: -Djavax.net.debug=all
This will generate wire log output in console. Send the wire log result.

-Susanta

On Thu, Oct 4, 2012 at 7:03 PM, Welty, Richard <rw...@ltionline.com> wrote:
Welty, Richard [mailto:rwelty@ltionline.com] wrote:

>Susanta Mohapatra [mailto:mohapatra.susanta@gmail.com] writes:
>> You need to add the unlimited strength JCE files. Google it, you can find the download link easily.

>I saw discussion of that in the context of Oracle/Sun environments, and IBM environments. It wasn't clear it applied to openjdk, but I'll try it and see.
I have ended up switching from openjdk to an oracle/sun jdk, 6u35, and have installed the unlimited JCE policy files as specified. I am still getting the error:

javax.net.ssl.SSLKeyException: RSA premaster secret error
        at com.sun.net.ssl.internal.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:97)[:1.6]
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:744)[:1.6]
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:238)[:1.6]

any suggestions on how to diagnose this?

Richard


RE: how to work around javax.net.ssl.SSLKeyException: RSA premaster

Posted by "Welty, Richard" <rw...@ltionline.com>.
The jdk is sun/oracle 6u35 (the most recent 1.6)

The server I'm trying to talk to is a demo server for the service now product, the url is

https://demo04.service-now.com/cmdb_ci_list.do?XML&sysparm_query=name=

with username/password of admin/admin

I can access it fine with curl on the linux box, specifying the username/password on the command line (the service now server won't do interactive prompting for username/password.)

The authentication scheme at servicenow is basic

I'll try the wirelog output momentarily.

Thanks,
   richard



Re: how to work around javax.net.ssl.SSLKeyException: RSA premaster

Posted by Susanta Mohapatra <mo...@gmail.com>.
This is strange...  can you provide more info?

- what is the jdk version ?
- which server are you trying to connect? apache httpd or any thing else?
- are you using any authentication scheme with ssl ? like basic/digest/ntlm
etc

try to start jvm with following flag: -Djavax.net.debug=all
This will generate wire log output in console. Send the wire log result.

-Susanta


On Thu, Oct 4, 2012 at 7:03 PM, Welty, Richard <rw...@ltionline.com> wrote:

> Welty, Richard [mailto:rwelty@ltionline.com]  wrote:
>
> >Susanta Mohapatra [mailto:mohapatra.susanta@gmail.com] writes:
> >> You need to add the unlimited strength JCE files. Google it, you can
> find the download link easily.
>
> >I saw discussion of that in the context of Oracle/Sun environments, and
> IBM environments. It wasn't clear it applied to openjdk, but I'll try it
> and see.
>
> I have ended up switching from openjdk to an oracle/sun jdk, 6u35, and
> have installed the unlimited JCE policy files as specified. I am still
> getting the error:
>
> javax.net.ssl.SSLKeyException: RSA premaster secret error
>         at com.sun.net.ssl.internal.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:97)[:1.6]
>         at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:744)[:1.6]
>         at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:238)[:1.6]
>
> any suggestions on how to diagnose this?
>
> Richard
>
>

RE: how to work around javax.net.ssl.SSLKeyException: RSA premaster

Posted by "Welty, Richard" <rw...@ltionline.com>.
Welty, Richard [mailto:rwelty@ltionline.com]  wrote:

>Susanta Mohapatra [mailto:mohapatra.susanta@gmail.com] writes:
>> You need to add the unlimited strength JCE files. Google it, you can find the download link easily.

>I saw discussion of that in the context of Oracle/Sun environments, and IBM environments. It wasn't clear it applied to openjdk, but I'll try it and see.

I have ended up switching from openjdk to an oracle/sun jdk, 6u35, and have installed the unlimited JCE policy files as specified. I am still getting the error:

javax.net.ssl.SSLKeyException: RSA premaster secret error
        at com.sun.net.ssl.internal.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:97)[:1.6]
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:744)[:1.6]
        at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:238)[:1.6]

any suggestions on how to diagnose this?

Richard




RE: how to work around javax.net.ssl.SSLKeyException: RSA premaster

Posted by "Welty, Richard" <rw...@ltionline.com>.

Susanta Mohapatra [mailto:mohapatra.susanta@gmail.com] writes:
> You need to add the unlimited strength JCE files. Google it, you can find the download link easily.

I saw discussion of that in the context of Oracle/Sun environments, and IBM environments. It wasn't clear it applied to openjdk, but I'll try it and see.

Thanks,
  Richard




Re: how to work around javax.net.ssl.SSLKeyException: RSA premaster

Posted by Susanta Mohapatra <mo...@gmail.com>.
You need to add the unlimited strength JCE files. Google it, you can find
the download link easily.

Regards
Susanta

On Wed, Sep 26, 2012 at 3:35 PM, Oleg Kalnichevski <ol...@apache.org> wrote:

> On Tue, 2012-09-25 at 15:39 +0000, Welty, Richard wrote:
> > I'm working on a project which is switching to httpclient 4 from the old
> commons-httpclient 3, and I'm working through certificate issues.
> >
> >
> >
> > The environment is FuseESBEnterprise-7.0.1, a packaging of apache servicenow, and I obtained httpclient 4 via the camel-http4 feature. The OS is CentOS 6 with openjdk 1.6.0
> >
> > The remote site I'm accessing is demo04.service-now.com, which is using some sort of wildcarded certificate. I used code found here (http://javaskeleton.blogspot.com/2010/07/avoiding-peer-not-authenticated-with.html) to work around the wildcard problem.
> >
> >
> >
> > I can access the site via curl easily enough:
> >
> >
> >
> > curl -u admin:admin
> https://demo04.service-now.com/cmdb_ci_list.do?XML&sysparm_query=name=123.123.123.198
> >
> >
> >
> > and it returns the expected result
> >
> >
> >
> > having worked through the wildcard issue, I'm now looking at this, with
> no clear understanding of how to go forward. Does anyone have any
> suggestions?
> >
> >
> >
>
> This looks like an SSL protocol issue unrelated to HttpClient. All I can
> think of is upgrading the JRE to something newer.
>
> Oleg
>
> > javax.net.ssl.SSLKeyException: RSA premaster secret error
> >         at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:114)[:1.6.0_24]
> >         at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:703)[:1.6.0_24]
> >         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:228)[:1.6.0_24]
> >         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)[:1.6.0_24]
> >         at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)[:1.6.0_24]
> >         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945)[:1.6.0_24]
> >         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)[:1.6.0_24]
> >         at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)[:1.6.0_24]
> >         at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)[:1.6.0_24]
> >
> > ...
> >
> >

Re: how to work around javax.net.ssl.SSLKeyException: RSA premaster

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2012-09-25 at 15:39 +0000, Welty, Richard wrote:
> I'm working on a project which is switching to httpclient 4 from the old commons-httpclient 3, and I'm working through certificate issues.
> 
> 
> 
> The environment is FuseESBEnterprise-7.0.1, a packaging of apache servicenow, and I obtained httpclient 4 via the camel-http4 feature. The OS is CentOS 6 with openjdk 1.6.0
> 
> The remote site I'm accessing is demo04.service-now.com, which is using some sort of wildcarded certificate. I used code found here (http://javaskeleton.blogspot.com/2010/07/avoiding-peer-not-authenticated-with.html) to work around the wildcard problem.
> 
> 
> 
> I can access the site via curl easily enough:
> 
> 
> 
> curl -u admin:admin https://demo04.service-now.com/cmdb_ci_list.do?XML&sysparm_query=name=123.123.123.198
> 
> 
> 
> and it returns the expected result
> 
> 
> 
> having worked through the wildcard issue, I'm now looking at this, with no clear understanding of how to go forward. Does anyone have any suggestions?
> 
> 
> 

This looks like an SSL protocol issue unrelated to HttpClient. All I can
think of is upgrading the JRE to something newer.

Oleg 

> javax.net.ssl.SSLKeyException: RSA premaster secret error
> 
>         at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:114)[:1.6.0_24]
> 
>         at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:703)[:1.6.0_24]
> 
>         at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:228)[:1.6.0_24]
> 
>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)[:1.6.0_24]
> 
>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)[:1.6.0_24]
> 
>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945)[:1.6.0_24]
> 
>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)[:1.6.0_24]
> 
>         at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)[:1.6.0_24]
> 
>         at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)[:1.6.0_24]
> 
> ...
> 
> 
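
The checks suggested in this thread (JRE version, unlimited strength JCE policy) can be confirmed from inside the JVM that fails. The following is an added example, not code from any poster or from HttpClient: a hypothetical `PremasterCheck` class that reports the policy in effect and exercises the JCE calls behind the failing step, assuming the Sun/OpenJDK JSSE key generator name `SunTlsRsaPremasterSecret` and a throwaway local RSA key standing in for the server's.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical diagnostic class; written to compile on Java 6.
public class PremasterCheck {
    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        // Integer.MAX_VALUE means the unlimited strength policy files are in effect.
        int max = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("max AES key length = " + max
                + (max == Integer.MAX_VALUE ? " (unlimited policy)" : " (limited policy)"));

        // Providers in preference order, as this JVM (or container) sees them.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("provider " + (i + 1) + ": " + providers[i].getName()
                    + " " + providers[i].getVersion());
        }

        try {
            // Assumption: the JCE service Sun's JSSE uses to create the premaster secret.
            KeyGenerator kg = KeyGenerator.getInstance("SunTlsRsaPremasterSecret");
            System.out.println("premaster KeyGenerator from " + kg.getProvider().getName());

            // Stand-in for the server certificate key: a throwaway local RSA pair.
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(2048);
            KeyPair pair = kpg.generateKeyPair();

            // Constructed 48-byte secret, the size of a TLS RSA premaster secret.
            byte[] secret = new byte[48];
            new SecureRandom().nextBytes(secret);
            Cipher rsa = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            rsa.init(Cipher.WRAP_MODE, pair.getPublic());
            byte[] wrapped = rsa.wrap(new SecretKeySpec(secret, "TlsRsaPremasterSecret"));
            System.out.println("RSA wrap OK, " + wrapped.length + " bytes");
        } catch (Exception e) {
            System.out.println("JCE step failed: " + e);
            e.printStackTrace();
        }
    }
}
```

Run it with the same `java` binary, and if possible inside the same container, as the failing client; a failure here points at the JVM's crypto providers or policy rather than at HttpClient.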


