Posted to httpclient-users@hc.apache.org by "Welty, Richard" <rw...@ltionline.com> on 2012/09/25 17:39:18 UTC
how to work around javax.net.ssl.SSLKeyException: RSA premaster
I'm working on a project which is switching to httpclient 4 from the old commons-httpclient 3, and I'm working through certificate issues.
The environment is FuseESBEnterprise-7.0.1, a packaging of apache servicenow, and I obtained httpclient 4 via the camel-http4 feature. The OS is CentOS 6 with openjdk 1.6.0
The remote site I'm accessing is demo04.service-now.com, which is using some sort of wildcarded certificate. I used code found here (http://javaskeleton.blogspot.com/2010/07/avoiding-peer-not-authenticated-with.html) to work around the wildcard problem.
I can access the site via curl easily enough:
curl -u admin:admin https://demo04.service-now.com/cmdb_ci_list.do?XML&sysparm_query=name=123.123.123.198
and it returns the expected result
having worked through the wildcard issue, I'm now looking at this, with no clear understanding of how to go forward. Does anyone have any suggestions?
javax.net.ssl.SSLKeyException: RSA premaster secret error
at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:114)[:1.6.0_24]
at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:703)[:1.6.0_24]
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:228)[:1.6.0_24]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)[:1.6.0_24]
at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)[:1.6.0_24]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945)[:1.6.0_24]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)[:1.6.0_24]
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)[:1.6.0_24]
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)[:1.6.0_24]
...
RE: how to work around javax.net.ssl.SSLKeyException: RSA premaster
Posted by "Welty, Richard" <rw...@ltionline.com>.
Oleg Kalnichevski [mailto:olegk@apache.org] writes:
>This looks like an SSL protocol issue unrelated to HttpClient. All I can think of is upgrading the JRE to something newer.
I tried openjdk 1.7, no change. Will try the suggestion of the unlimited strength JCE files next.
Richard
---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
RE: how to work around javax.net.ssl.SSLKeyException: RSA premaster
Posted by "Welty, Richard" <rw...@ltionline.com>.
I finally worked out how to get the wirelog out of a Fuse ESB application, it's attached.
From: Susanta Mohapatra [mailto:mohapatra.susanta@gmail.com]
Sent: Thursday, October 04, 2012 10:18 AM
To: Welty, Richard
Cc: HttpClient User Discussion
Subject: Re: how to work around javax.net.ssl.SSLKeyException: RSA premaster
This is strange... can you provide more info?
- what is the jdk version ?
- which server are you trying to connect? apache httpd or any thing else?
- are you using any authentication scheme with ssl ? like basic/digest/ntlm etc
try to start jvm with following flag: -Djavax.net.debug=all
This will generate wire log output in console. Send the wire log result.
-Susanta
On Thu, Oct 4, 2012 at 7:03 PM, Welty, Richard <rw...@ltionline.com> wrote:
Welty, Richard [mailto:rwelty@ltionline.com] wrote:
>Susanta Mohapatra [mailto:mohapatra.susanta@gmail.com] writes:
>> You need to add the unlimited strength JCE files. Google it, you can find the download link easily.
>I saw discussion of that in the context of Oracle/Sun environments, and IBM environments. It wasn't clear it applied to openjdk, but I'll try it and see.
I have ended up switching from openjdk to an oracle/sun jdk, 6u35, and have installed the unlimited JCE policy files as specified. I am still getting the error:
javax.net.ssl.SSLKeyException: RSA premaster secret error
at com.sun.net.ssl.internal.ssl.RSAClientKeyExchange.<init>(RSAClientKe\
yExchange.java:97)[:1.6]
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(Client\
Handshaker.java:744)[:1.6]
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientH\
andshaker.java:238)[:1.6]
any suggestions on how to diagnose this?
Richard
RE: how to work around javax.net.ssl.SSLKeyException: RSA premaster
Posted by "Welty, Richard" <rw...@ltionline.com>.
The jdk is sun/oracle 6u35 (the most recent 1.6)
The server I'm trying to talk to is a demo server for the service now product, the url is
https://demo04.service-now.com/cmdb_ci_list.do?XML&sysparm_query=name=
with username/password of admin/admin
I can access it fine with curl on the linux box, specifying the username/password on the command line (the service now server won't do interactive prompting for username/password.)
The authentication scheme at servicenow is basic
I'll try the wirelog output momentarily.
Thanks,
richard
Re: how to work around javax.net.ssl.SSLKeyException: RSA premaster
Posted by Susanta Mohapatra <mo...@gmail.com>.
This is strange... can you provide more info?
- what is the jdk version ?
- which server are you trying to connect? apache httpd or any thing else?
- are you using any authentication scheme with ssl ? like basic/digest/ntlm etc
try to start jvm with following flag: -Djavax.net.debug=all
This will generate wire log output in console. Send the wire log result.
-Susanta
On Thu, Oct 4, 2012 at 7:03 PM, Welty, Richard <rw...@ltionline.com> wrote:
> Welty, Richard [mailto:rwelty@ltionline.com] wrote:
>
> >Susanta Mohapatra [mailto:mohapatra.susanta@gmail.com] writes:
> >> You need to add the unlimited strength JCE files. Google it, you can find the download link easily.
>
> >I saw discussion of that in the context of Oracle/Sun environments, and IBM environments. It wasn't clear it applied to openjdk, but I'll try it and see.
>
> I have ended up switching from openjdk to an oracle/sun jdk, 6u35, and have installed the unlimited JCE policy files as specified. I am still getting the error:
>
> javax.net.ssl.SSLKeyException: RSA premaster secret error
> at com.sun.net.ssl.internal.ssl.RSAClientKeyExchange.<init>(RSAClientKe\
> yExchange.java:97)[:1.6]
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(Client\
> Handshaker.java:744)[:1.6]
> at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientH\
> andshaker.java:238)[:1.6]
>
> any suggestions on how to diagnose this?
>
> Richard
RE: how to work around javax.net.ssl.SSLKeyException: RSA premaster
Posted by "Welty, Richard" <rw...@ltionline.com>.
Welty, Richard [mailto:rwelty@ltionline.com] wrote:
>Susanta Mohapatra [mailto:mohapatra.susanta@gmail.com] writes:
>> You need to add the unlimited strength JCE files. Google it, you can find the download link easily.
>I saw discussion of that in the context of Oracle/Sun environments, and IBM environments. It wasn't clear it applied to openjdk, but I'll try it and see.
I have ended up switching from openjdk to an oracle/sun jdk, 6u35, and have installed the unlimited JCE policy files as specified. I am still getting the error:
javax.net.ssl.SSLKeyException: RSA premaster secret error
at com.sun.net.ssl.internal.ssl.RSAClientKeyExchange.<init>(RSAClientKe\
yExchange.java:97)[:1.6]
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(Client\
Handshaker.java:744)[:1.6]
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientH\
andshaker.java:238)[:1.6]
any suggestions on how to diagnose this?
Richard
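One way to confirm that the unlimited strength JCE policy files discussed above are actually in effect for the JVM that runs the application, as an added example that is not part of the original thread (the class name JcePolicyCheck is hypothetical; it uses only JDK 6 APIs):

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example, not code from the thread. JcePolicyCheck is a hypothetical name.
// Run it with the same java binary that launches the application or container.
public class JcePolicyCheck {

    // The limited policy caps AES at 128 bits; the unlimited policy
    // reports Integer.MAX_VALUE.
    static boolean unlimitedPolicyActive() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") > 128;
    }

    public static void main(String[] args) throws Exception {
        // The policy jars are installed per JRE, under java.home/lib/security.
        // If java.home here is not the JRE that was patched, installing the
        // files cannot have changed anything for this JVM.
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));

        System.out.println("max AES key length = "
                + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("unlimited policy   = " + unlimitedPolicyActive());

        // What this JVM offers by default in a TLS handshake, for comparison
        // with the ClientHello shown in the -Djavax.net.debug=all output.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        System.out.println("enabled protocols  = "
                + Arrays.toString(enabled.getProtocols()));
        for (String suite : enabled.getCipherSuites()) {
            System.out.println("enabled suite: " + suite);
        }
    }
}
```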
RE: how to work around javax.net.ssl.SSLKeyException: RSA premaster
Posted by "Welty, Richard" <rw...@ltionline.com>.
Susanta Mohapatra [mailto:mohapatra.susanta@gmail.com] writes:
> You need to add the unlimited strength JCE files. Google it, you can find the download link easily.
I saw discussion of that in the context of Oracle/Sun environments, and IBM environments. It wasn't clear it applied to openjdk, but I'll try it and see.
Thanks,
Richard
Re: how to work around javax.net.ssl.SSLKeyException: RSA premaster
Posted by Susanta Mohapatra <mo...@gmail.com>.
You need to add the unlimited strength JCE files. Google it, you can find
the download link easily.
Regards
Susanta
On Wed, Sep 26, 2012 at 3:35 PM, Oleg Kalnichevski <ol...@apache.org> wrote:
> On Tue, 2012-09-25 at 15:39 +0000, Welty, Richard wrote:
> > I'm working on a project which is switching to httpclient 4 from the old commons-httpclient 3, and I'm working through certificate issues.
> >
> > The environment is FuseESBEnterprise-7.0.1, a packaging of apache servicenow, and I obtained httpclient 4 via the camel-http4 feature. The OS is CentOS 6 with openjdk 1.6.0
> >
> > The remote site I'm accessing is demo04.service-now.com, which is using some sort of wildcarded certificate. I used code found here (http://javaskeleton.blogspot.com/2010/07/avoiding-peer-not-authenticated-with.html) to work around the wildcard problem.
> >
> > I can access the site via curl easily enough:
> >
> > curl -u admin:admin https://demo04.service-now.com/cmdb_ci_list.do?XML&sysparm_query=name=123.123.123.198
> >
> > and it returns the expected result
> >
> > having worked through the wildcard issue, I'm now looking at this, with no clear understanding of how to go forward. Does anyone have any suggestions?
> >
>
> This looks like an SSL protocol issue unrelated to HttpClient. All I can think of is upgrading the JRE to something newer.
>
> Oleg
>
> > javax.net.ssl.SSLKeyException: RSA premaster secret error
> > at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:114)[:1.6.0_24]
> > at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:703)[:1.6.0_24]
> > at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:228)[:1.6.0_24]
> > at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)[:1.6.0_24]
> > at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)[:1.6.0_24]
> > at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945)[:1.6.0_24]
> > at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)[:1.6.0_24]
> > at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)[:1.6.0_24]
> > at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)[:1.6.0_24]
> > ...
Re: how to work around javax.net.ssl.SSLKeyException: RSA premaster
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2012-09-25 at 15:39 +0000, Welty, Richard wrote:
> I'm working on a project which is switching to httpclient 4 from the old commons-httpclient 3, and I'm working through certificate issues.
>
> The environment is FuseESBEnterprise-7.0.1, a packaging of apache servicenow, and I obtained httpclient 4 via the camel-http4 feature. The OS is CentOS 6 with openjdk 1.6.0
>
> The remote site I'm accessing is demo04.service-now.com, which is using some sort of wildcarded certificate. I used code found here (http://javaskeleton.blogspot.com/2010/07/avoiding-peer-not-authenticated-with.html) to work around the wildcard problem.
>
> I can access the site via curl easily enough:
>
> curl -u admin:admin https://demo04.service-now.com/cmdb_ci_list.do?XML&sysparm_query=name=123.123.123.198
>
> and it returns the expected result
>
> having worked through the wildcard issue, I'm now looking at this, with no clear understanding of how to go forward. Does anyone have any suggestions?
>
This looks like an SSL protocol issue unrelated to HttpClient. All I can
think of is upgrading the JRE to something newer.
Oleg
> javax.net.ssl.SSLKeyException: RSA premaster secret error
> at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:114)[:1.6.0_24]
> at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:703)[:1.6.0_24]
> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:228)[:1.6.0_24]
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)[:1.6.0_24]
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)[:1.6.0_24]
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945)[:1.6.0_24]
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)[:1.6.0_24]
> at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)[:1.6.0_24]
> at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)[:1.6.0_24]
> ...