You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@mina.apache.org by Mark Renouf <ma...@gmail.com> on 2008/03/07 15:44:09 UTC
MINA-2.0.0-M1 -- SslFilter handshake failed?
I've been struggling with an SSL issue. I had it all working but I've
lost track of some changes and basically I'm stuck again. I've
dissolved it down to a unit test where I have a pair of VmPipe
(acceptor/connector) talking, each with an SslFilter. Each have a
seperate keystore, and a common truststore. Each's certificates are
signed by a CA cert in the trust store. These are known-good as they
were take from a production server.
The server has a simple handler set which waits for "PING" and sends
back "PONG". The test passes without the SSL Filter in place. In the
tests I also placed a logging filter last on the filter chain of the
connector so I can see the raw data after processing.
When I enable SSL on both ends, I get a failed handshake. I'm using
SSLContextFactory and KeyStoreFactory to load keystores. I've
independently verified the keystores are valid and being loaded
correctly (right passwords etc).
The com.XXXXX.XXXXX lines below are just package names from an
unreleased product of my employer which I've anonymized for now :-)
The handlers look like this:
IoHandler clientHandler = new IoHandlerAdapter() {
@Override
public void exceptionCaught(IoSession session, Throwable
cause) throws Exception {
LOGGER.fatal("CLIENT IoHandler: exceptionCaught", cause);
}
};
IoHandler serverHandler = new IoHandlerAdapter() {
@Override
public void exceptionCaught(IoSession session, Throwable
cause) throws Exception {
LOGGER.fatal("SERVER IoHandler: exceptionCaught", cause);
session.close(true);
}
@Override
public void messageReceived(IoSession session, Object
message) throws Exception {
if (message instanceof IoBuffer) {
String msg =
((IoBuffer)message).getString(CHARSET.newDecoder());
if (msg.equals("PING")) {
IoBuffer buffer = IoBuffer.allocate(4);
buffer.putString("PONG", CHARSET.newEncoder());
buffer.flip();
session.write(buffer);
}
}
}
};
There's also a LoggingFilter attached with the messageSent and
messageReceived levels visible (attached to the client's filter chain)
Here is the relevant test code:
Set up SSLContext ctx1 using SSLContextFactory....
171 IoAcceptor acceptor = new VmPipeAcceptor();
172 acceptor.setHandler(serverHandler);
173 SslFilter serverFilter = new SslFilter(ctx1);
174 serverFilter.setNeedClientAuth(true);
175 acceptor.getFilterChain().addLast("SSL", serverFilter);
176 acceptor.bind(new VmPipeAddress(1));
Set up SSLContext ctx2 using SSLContextFactory....
189 IoConnector connector = new VmPipeConnector();
190 connector.setHandler(clientHandler);
191 SslFilter clientFilter = new SslFilter(ctx2);
192 clientFilter.setUseClientMode(true);
(Set up LoggingFilter)
203 connector.getFilterChain().addLast("LOG", loggingFilter);
204 connector.getFilterChain().addLast("SSL", clientFilter);
Then:
206 ConnectFuture cf = connector.connect(new VmPipeAddress(1));
207 cf.await();
208 assertTrue(cf.isConnected());
209 IoSession session = cf.getSession();
210 session.getConfig().setUseReadOperation(true);
211 IoBuffer buffer = IoBuffer.allocate(4);
212 buffer.putString("PING", CHARSET.newEncoder());
213 buffer.flip();
214 WriteFuture wf = session.write(buffer);
215 wf.await();
216 assertTrue(wf.isWritten());
217
218
219 ReadFuture rf = session.read();
220 rf.await();
221 assertTrue(rf.isRead());
222 assertTrue(rf.getMessage() instanceof IoBuffer);
223 IoBuffer buffer2 = (IoBuffer) rf.getMessage();
224 assertEquals("PONG", buffer2.getString(CHARSET.newDecoder()));
225 }
Here is the log output from the failing test case:
2008-03-07 09:21:47,597 INFO main SSLTestClient - SENT:
HeapBuffer[pos=0 lim=100 cap=130: 80 62 01 03 01 00 39 00 00 00 20 00
00 04 01 00...]
2008-03-07 09:21:47,602 FATAL main SSLTest - SERVER IoHandler:
exceptionCaught
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:426)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.messageReceived(DefaultIoFilterChain.java:607)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:399)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireEvent(VmPipeFilterChain.java:91)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushEvents(VmPipeFilterChain.java:75)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain.pushEvent(VmPipeFilterChain.java:68)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireMessageReceived(VmPipeFilterChain.java:166)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.updateTrafficMask(VmPipeFilterChain.java:239)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.updateTrafficMask(VmPipeFilterChain.java:169)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushPendingDataQueues(VmPipeFilterChain.java:120)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain.start(VmPipeFilterChain.java:62)
at org.apache.mina.transport.vmpipe.VmPipeConnector.connect0(VmPipeConnector.java:124)
at org.apache.mina.common.AbstractIoConnector.connect(AbstractIoConnector.java:167)
at org.apache.mina.common.AbstractIoConnector.connect(AbstractIoConnector.java:93)
at com.XXXXX.XXXXX.net.ssl.SSLTest.testSSLHandshake(SSLTest.java:206)
(junit code)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:997)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1058)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1030)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:477)
at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:286)
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:407)
... 40 more
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1356)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:639)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:935)
at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:667)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:458)
... 42 more
2008-03-07 09:21:47,607 INFO main SSLTestClient - RECEIVED:
HeapBuffer[pos=0 lim=7 cap=7: 15 03 01 00 02 02 28]
2008-03-07 09:21:47,607 FATAL main SSLTest - CLIENT IoHandler:
exceptionCaught
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:426)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
at org.apache.mina.filter.logging.LoggingFilter.messageReceived(LoggingFilter.java:95)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.messageReceived(DefaultIoFilterChain.java:607)
at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
at org.apache.mina.common.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:399)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireEvent(VmPipeFilterChain.java:91)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushEvents(VmPipeFilterChain.java:75)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain.pushEvent(VmPipeFilterChain.java:68)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireMessageReceived(VmPipeFilterChain.java:166)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.flush(VmPipeFilterChain.java:192)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.flush(VmPipeFilterChain.java:169)
at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.filterWrite(DefaultIoFilterChain.java:644)
at org.apache.mina.common.DefaultIoFilterChain.callPreviousFilterWrite(DefaultIoFilterChain.java:467)
at org.apache.mina.common.DefaultIoFilterChain.access$1400(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.filterWrite(DefaultIoFilterChain.java:835)
at org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(SslHandler.java:260)
at org.apache.mina.filter.ssl.SslFilter.filterClose(SslFilter.java:581)
at org.apache.mina.common.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:482)
at org.apache.mina.common.DefaultIoFilterChain.access$1500(DefaultIoFilterChain.java:40)
at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:840)
at org.apache.mina.common.DefaultIoFilterChain$TailFilter.filterClose(DefaultIoFilterChain.java:767)
at org.apache.mina.common.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:482)
at org.apache.mina.common.DefaultIoFilterChain.fireFilterClose(DefaultIoFilterChain.java:477)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireEvent(VmPipeFilterChain.java:115)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushEvents(VmPipeFilterChain.java:75)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain.pushEvent(VmPipeFilterChain.java:68)
at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireFilterClose(VmPipeFilterChain.java:126)
at org.apache.mina.common.AbstractIoSession.close(AbstractIoSession.java:173)
at org.apache.mina.common.AbstractIoSession.close(AbstractIoSession.java:158)
at com.XXXXX.XXXXX.net.ssl.SSLTest$2.exceptionCaught(SSLTest.java:95)
(stacktrace continues back into client here)
Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1356)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1324)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1486)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:961)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:787)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:663)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:566)
at org.apache.mina.filter.ssl.SslHandler.unwrap0(SslHandler.java:644)
at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:591)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:461)
at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:286)
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:407)
... 90 more
Re: MINA-2.0.0-M1 -- SslFilter handshake failed?
Posted by Mark Renouf <ma...@gmail.com>.
Maarten,
This is just for a unit test, the real application uses TCP/IP.
This helps to eliminate variables which could affect tests (like the
availability of a specific network port to bind/connect to).
I get the same results when using NioSocket, etc. From what I can tell
SslFilter does not care what the underlying transport is... (which is
pretty impressive and very nice for testing, big thanks to whoever
came up with VmPipe)
On Fri, Mar 7, 2008 at 10:28 AM, Maarten Bosteels
<mb...@gmail.com> wrote:
> You're using the VmPipeConnector and Acceptor ?
>
> Am not sure it makes sense to use an SSLFilter for the VmPipe transport ?
>
> SSL is meant to be used on sockets.
>
> Maarten
Re: MINA-2.0.0-M1 -- SslFilter handshake failed?
Posted by Maarten Bosteels <mb...@gmail.com>.
You're using the VmPipeConnector and Acceptor ?
Am not sure it makes sense to use an SSLFilter for the VmPipe transport ?
SSL is meant to be used on sockets.
Maarten
On Fri, Mar 7, 2008 at 4:22 PM, Mark Renouf <ma...@gmail.com> wrote:
> Hmm. I saw this from some googling I did on that particular message.
> We generally control both ends of the communication within our product
> so I had assumed the handshake would negotiate this automatically.
> From a wireshark trace of the same test over the wire, I saw a huge
> list of cipher-suites proposed to the other end (in fact, if you
> decode those 100 bytes, I beleive that's what you see in the
> messageSent log from my test).
>
>
> /**
> * Sets the list of cipher suites to be enabled when {@link SSLEngine}
> * is initialized.
> *
> * @param cipherSuites <tt>null</tt> means 'use {@link
> SSLEngine}'s default.'
> */
> public void setEnabledCipherSuites(String[] cipherSuites) {
> this.enabledCipherSuites = cipherSuites;
> }
>
> Just for kicks, I tried "setEnabledCipherSuites(null);" but with no
> change in behavior....
>
>
> On Fri, Mar 7, 2008 at 10:12 AM, Niklas Therning <ni...@trillian.se>
> wrote:
> > I think it is the "no cipher suites in common" error which causes the
> > handshake problem. You can use SslFilter.setEnabledCipherSuites() to
> > specify which suites should be enabled.
> >
> > HTH
> >
> > /Niklas
> >
> > Mark Renouf skrev:
> >
> >
> > > I've been struggling with an SSL issue. I had it all working but I've
> > > lost track of some changes and basically I'm stuck again. I've
> > > dissolved it down to a unit test where I have a pair of VmPipe
> > > (acceptor/connector) talking, each with an SslFilter. Each have a
> > > seperate keystore, and a common truststore. Each's certificates are
> > > signed by a CA cert in the trust store. These are known-good as they
> > > were take from a production server.
> > >
> > > The server has a simple handler set which waits for "PING" and sends
> > > back "PONG". The test passes without the SSL Filter in place. In the
> > > tests I also placed a logging filter last on the filter chain of the
> > > connector so I can see the raw data after processing.
> > >
> > > When I enable SSL on both ends, I get a failed handshake. I'm using
> > > SSLContextFactory and KeyStoreFactory to load keystores. I've
> > > independently verified the keystores are valid and being loaded
> > > correctly (right passwords etc).
> > >
> > > The com.XXXXX.XXXXX lines below are just package names from an
> > > unreleased product of my employer which I've anonymized for now :-)
> > >
> > > The handlers look like this:
> > > IoHandler clientHandler = new IoHandlerAdapter() {
> > > @Override
> > > public void exceptionCaught(IoSession session, Throwable
> > > cause) throws Exception {
> > > LOGGER.fatal("CLIENT IoHandler: exceptionCaught",
> cause);
> > > }
> > > };
> > >
> > > IoHandler serverHandler = new IoHandlerAdapter() {
> > > @Override
> > > public void exceptionCaught(IoSession session, Throwable
> > > cause) throws Exception {
> > > LOGGER.fatal("SERVER IoHandler: exceptionCaught",
> cause);
> > > session.close(true);
> > > }
> > >
> > > @Override
> > > public void messageReceived(IoSession session, Object
> > > message) throws Exception {
> > > if (message instanceof IoBuffer) {
> > > String msg =
> > > ((IoBuffer)message).getString(CHARSET.newDecoder());
> > > if (msg.equals("PING")) {
> > > IoBuffer buffer = IoBuffer.allocate(4);
> > > buffer.putString("PONG", CHARSET.newEncoder
> ());
> > > buffer.flip();
> > > session.write(buffer);
> > > }
> > > }
> > > }
> > > };
> > >
> > > There's also a LoggingFilter attached with the messageSent and
> > > messageReceived levels visible (attached to the client's filter
> chain)
> > >
> > > Here is the relevant test code:
> > >
> > > Set up SSLContext ctx1 using SSLContextFactory....
> > >
> > > 171 IoAcceptor acceptor = new VmPipeAcceptor();
> > > 172 acceptor.setHandler(serverHandler);
> > > 173 SslFilter serverFilter = new SslFilter(ctx1);
> > > 174 serverFilter.setNeedClientAuth(true);
> > > 175 acceptor.getFilterChain().addLast("SSL",
> serverFilter);
> > > 176 acceptor.bind(new VmPipeAddress(1));
> > >
> > > Set up SSLContext ctx2 using SSLContextFactory....
> > >
> > > 189 IoConnector connector = new VmPipeConnector();
> > > 190 connector.setHandler(clientHandler);
> > > 191 SslFilter clientFilter = new SslFilter(ctx2);
> > > 192 clientFilter.setUseClientMode(true);
> > > (Set up LoggingFilter)
> > > 203 connector.getFilterChain().addLast("LOG",
> loggingFilter);
> > > 204 connector.getFilterChain().addLast("SSL",
> clientFilter);
> > >
> > > Then:
> > >
> > > 206 ConnectFuture cf = connector.connect(new
> VmPipeAddress(1));
> > > 207 cf.await();
> > > 208 assertTrue(cf.isConnected());
> > > 209 IoSession session = cf.getSession();
> > > 210 session.getConfig().setUseReadOperation(true);
> > > 211 IoBuffer buffer = IoBuffer.allocate(4);
> > > 212 buffer.putString("PING", CHARSET.newEncoder());
> > > 213 buffer.flip();
> > > 214 WriteFuture wf = session.write(buffer);
> > > 215 wf.await();
> > > 216 assertTrue(wf.isWritten());
> > > 217
> > > 218
> > > 219 ReadFuture rf = session.read();
> > > 220 rf.await();
> > > 221 assertTrue(rf.isRead());
> > > 222 assertTrue(rf.getMessage() instanceof IoBuffer);
> > > 223 IoBuffer buffer2 = (IoBuffer) rf.getMessage();
> > > 224 assertEquals("PONG", buffer2.getString(
> CHARSET.newDecoder()));
> > > 225 }
> > >
> > >
> > > Here is the log output from the failing test case:
> > >
> > > 2008-03-07 09:21:47,597 INFO main SSLTestClient - SENT:
> > > HeapBuffer[pos=0 lim=100 cap=130: 80 62 01 03 01 00 39 00 00 00 20 00
> > > 00 04 01 00...]
> > > 2008-03-07 09:21:47,602 FATAL main SSLTest - SERVER IoHandler:
> > > exceptionCaught
> > > javax.net.ssl.SSLHandshakeException: SSL handshake failed.
> > > at org.apache.mina.filter.ssl.SslFilter.messageReceived(
> SslFilter.java:426)
> > > at
> org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(
> DefaultIoFilterChain.java:405)
> > > at org.apache.mina.common.DefaultIoFilterChain.access$1200(
> DefaultIoFilterChain.java:40)
> > > at
> org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(
> DefaultIoFilterChain.java:823)
> > > at
> org.apache.mina.common.DefaultIoFilterChain$HeadFilter.messageReceived(
> DefaultIoFilterChain.java:607)
> > > at
> org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(
> DefaultIoFilterChain.java:405)
> > > at
> org.apache.mina.common.DefaultIoFilterChain.fireMessageReceived(
> DefaultIoFilterChain.java:399)
> > > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireEvent
> (VmPipeFilterChain.java:91)
> > > at
> org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushEvents(
> VmPipeFilterChain.java:75)
> > > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.pushEvent
> (VmPipeFilterChain.java:68)
> > > at
> org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireMessageReceived(
> VmPipeFilterChain.java:166)
> > > at
> org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.updateTrafficMask
> (VmPipeFilterChain.java:239)
> > > at
> org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.updateTrafficMask
> (VmPipeFilterChain.java:169)
> > > at
> org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushPendingDataQueues(
> VmPipeFilterChain.java:120)
> > > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.start(
> VmPipeFilterChain.java:62)
> > > at org.apache.mina.transport.vmpipe.VmPipeConnector.connect0(
> VmPipeConnector.java:124)
> > > at org.apache.mina.common.AbstractIoConnector.connect(
> AbstractIoConnector.java:167)
> > > at org.apache.mina.common.AbstractIoConnector.connect(
> AbstractIoConnector.java:93)
> > > at com.XXXXX.XXXXX.net.ssl.SSLTest.testSSLHandshake(
> SSLTest.java:206)
> > > (junit code)
> > > Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in
> common
> > > at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(
> Handshaker.java:997)
> > > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(
> SSLEngineImpl.java:459)
> > > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(
> SSLEngineImpl.java:1058)
> > > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(
> SSLEngineImpl.java:1030)
> > > at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
> > > at org.apache.mina.filter.ssl.SslHandler.handshake(
> SslHandler.java:477)
> > > at org.apache.mina.filter.ssl.SslHandler.messageReceived(
> SslHandler.java:286)
> > > at org.apache.mina.filter.ssl.SslFilter.messageReceived(
> SslFilter.java:407)
> > > ... 40 more
> > > Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in
> common
> > > at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(
> Alerts.java:150)
> > > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(
> SSLEngineImpl.java:1356)
> > > at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(
> Handshaker.java:176)
> > > at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(
> Handshaker.java:164)
> > > at
> com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(
> ServerHandshaker.java:639)
> > > at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(
> ServerHandshaker.java:450)
> > > at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage
> (ServerHandshaker.java:178)
> > > at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(
> Handshaker.java:495)
> > > at com.sun.net.ssl.internal.ssl.Handshaker$1.run(
> Handshaker.java:437)
> > > at java.security.AccessController.doPrivileged(Native Method)
> > > at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(
> Handshaker.java:935)
> > > at org.apache.mina.filter.ssl.SslHandler.doTasks(
> SslHandler.java:667)
> > > at org.apache.mina.filter.ssl.SslHandler.handshake(
> SslHandler.java:458)
> > > ... 42 more
> > > 2008-03-07 09:21:47,607 INFO main SSLTestClient - RECEIVED:
> > > HeapBuffer[pos=0 lim=7 cap=7: 15 03 01 00 02 02 28]
> > > 2008-03-07 09:21:47,607 FATAL main SSLTest - CLIENT IoHandler:
> > > exceptionCaught
> > > javax.net.ssl.SSLHandshakeException: SSL handshake failed.
> > > at org.apache.mina.filter.ssl.SslFilter.messageReceived(
> SslFilter.java:426)
> > > at
> org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(
> DefaultIoFilterChain.java:405)
> > > at org.apache.mina.common.DefaultIoFilterChain.access$1200(
> DefaultIoFilterChain.java:40)
> > > at
> org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(
> DefaultIoFilterChain.java:823)
> > > at org.apache.mina.filter.logging.LoggingFilter.messageReceived
> (LoggingFilter.java:95)
> > > at
> org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(
> DefaultIoFilterChain.java:405)
> > > at org.apache.mina.common.DefaultIoFilterChain.access$1200(
> DefaultIoFilterChain.java:40)
> > > at
> org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(
> DefaultIoFilterChain.java:823)
> > > at
> org.apache.mina.common.DefaultIoFilterChain$HeadFilter.messageReceived(
> DefaultIoFilterChain.java:607)
> > > at
> org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(
> DefaultIoFilterChain.java:405)
> > > at
> org.apache.mina.common.DefaultIoFilterChain.fireMessageReceived(
> DefaultIoFilterChain.java:399)
> > > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireEvent
> (VmPipeFilterChain.java:91)
> > > at
> org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushEvents(
> VmPipeFilterChain.java:75)
> > > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.pushEvent
> (VmPipeFilterChain.java:68)
> > > at
> org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireMessageReceived(
> VmPipeFilterChain.java:166)
> > > at
> org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.flush
> (VmPipeFilterChain.java:192)
> > > at
> org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.flush
> (VmPipeFilterChain.java:169)
> > > at
> org.apache.mina.common.DefaultIoFilterChain$HeadFilter.filterWrite(
> DefaultIoFilterChain.java:644)
> > > at
> org.apache.mina.common.DefaultIoFilterChain.callPreviousFilterWrite(
> DefaultIoFilterChain.java:467)
> > > at org.apache.mina.common.DefaultIoFilterChain.access$1400(
> DefaultIoFilterChain.java:40)
> > > at
> org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.filterWrite(
> DefaultIoFilterChain.java:835)
> > > at org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(
> SslHandler.java:260)
> > > at org.apache.mina.filter.ssl.SslFilter.filterClose(
> SslFilter.java:581)
> > > at
> org.apache.mina.common.DefaultIoFilterChain.callPreviousFilterClose(
> DefaultIoFilterChain.java:482)
> > > at org.apache.mina.common.DefaultIoFilterChain.access$1500(
> DefaultIoFilterChain.java:40)
> > > at
> org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.filterClose(
> DefaultIoFilterChain.java:840)
> > > at
> org.apache.mina.common.DefaultIoFilterChain$TailFilter.filterClose(
> DefaultIoFilterChain.java:767)
> > > at
> org.apache.mina.common.DefaultIoFilterChain.callPreviousFilterClose(
> DefaultIoFilterChain.java:482)
> > > at org.apache.mina.common.DefaultIoFilterChain.fireFilterClose(
> DefaultIoFilterChain.java:477)
> > > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireEvent
> (VmPipeFilterChain.java:115)
> > > at
> org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushEvents(
> VmPipeFilterChain.java:75)
> > > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.pushEvent
> (VmPipeFilterChain.java:68)
> > > at
> org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireFilterClose(
> VmPipeFilterChain.java:126)
> > > at org.apache.mina.common.AbstractIoSession.close(
> AbstractIoSession.java:173)
> > > at org.apache.mina.common.AbstractIoSession.close(
> AbstractIoSession.java:158)
> > > at com.XXXXX.XXXXX.net.ssl.SSLTest$2.exceptionCaught(
> SSLTest.java:95)
> > > (stacktrace continues back into client here)
> > >
> > > Caused by: javax.net.ssl.SSLException: Received fatal alert:
> handshake_failure
> > > at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(
> Alerts.java:166)
> > > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(
> SSLEngineImpl.java:1356)
> > > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(
> SSLEngineImpl.java:1324)
> > > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(
> SSLEngineImpl.java:1486)
> > > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(
> SSLEngineImpl.java:961)
> > > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(
> SSLEngineImpl.java:787)
> > > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(
> SSLEngineImpl.java:663)
> > > at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:566)
> > > at org.apache.mina.filter.ssl.SslHandler.unwrap0(
> SslHandler.java:644)
> > > at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(
> SslHandler.java:591)
> > > at org.apache.mina.filter.ssl.SslHandler.handshake(
> SslHandler.java:461)
> > > at org.apache.mina.filter.ssl.SslHandler.messageReceived(
> SslHandler.java:286)
> > > at org.apache.mina.filter.ssl.SslFilter.messageReceived(
> SslFilter.java:407)
> > > ... 90 more
> > >
> >
> >
>
Re: MINA-2.0.0-M1 -- SslFilter handshake failed?
Posted by Mark Renouf <ma...@gmail.com>.
Hmm. I saw this from some googling I did on that particular message.
We generally control both ends of the communication within our product
so I had assumed the handshake would negotiate this automatically.
>From a wireshark trace of the same test over the wire, I saw a huge
list of cipher-suites proposed to the other end (in fact, if you
decode those 100 bytes, I beleive that's what you see in the
messageSent log from my test).
/**
* Sets the list of cipher suites to be enabled when {@link SSLEngine}
* is initialized.
*
* @param cipherSuites <tt>null</tt> means 'use {@link
SSLEngine}'s default.'
*/
public void setEnabledCipherSuites(String[] cipherSuites) {
this.enabledCipherSuites = cipherSuites;
}
Just for kicks, I tried "setEnabledCipherSuites(null);" but with no
change in behavior....
On Fri, Mar 7, 2008 at 10:12 AM, Niklas Therning <ni...@trillian.se> wrote:
> I think it is the "no cipher suites in common" error which causes the
> handshake problem. You can use SslFilter.setEnabledCipherSuites() to
> specify which suites should be enabled.
>
> HTH
>
> /Niklas
>
> Mark Renouf skrev:
>
>
> > I've been struggling with an SSL issue. I had it all working but I've
> > lost track of some changes and basically I'm stuck again. I've
> > dissolved it down to a unit test where I have a pair of VmPipe
> > (acceptor/connector) talking, each with an SslFilter. Each have a
> > seperate keystore, and a common truststore. Each's certificates are
> > signed by a CA cert in the trust store. These are known-good as they
> > were take from a production server.
> >
> > The server has a simple handler set which waits for "PING" and sends
> > back "PONG". The test passes without the SSL Filter in place. In the
> > tests I also placed a logging filter last on the filter chain of the
> > connector so I can see the raw data after processing.
> >
> > When I enable SSL on both ends, I get a failed handshake. I'm using
> > SSLContextFactory and KeyStoreFactory to load keystores. I've
> > independently verified the keystores are valid and being loaded
> > correctly (right passwords etc).
> >
> > The com.XXXXX.XXXXX lines below are just package names from an
> > unreleased product of my employer which I've anonymized for now :-)
> >
> > The handlers look like this:
> > IoHandler clientHandler = new IoHandlerAdapter() {
> > @Override
> > public void exceptionCaught(IoSession session, Throwable
> > cause) throws Exception {
> > LOGGER.fatal("CLIENT IoHandler: exceptionCaught", cause);
> > }
> > };
> >
> > IoHandler serverHandler = new IoHandlerAdapter() {
> > @Override
> > public void exceptionCaught(IoSession session, Throwable
> > cause) throws Exception {
> > LOGGER.fatal("SERVER IoHandler: exceptionCaught", cause);
> > session.close(true);
> > }
> >
> > @Override
> > public void messageReceived(IoSession session, Object
> > message) throws Exception {
> > if (message instanceof IoBuffer) {
> > String msg =
> > ((IoBuffer)message).getString(CHARSET.newDecoder());
> > if (msg.equals("PING")) {
> > IoBuffer buffer = IoBuffer.allocate(4);
> > buffer.putString("PONG", CHARSET.newEncoder());
> > buffer.flip();
> > session.write(buffer);
> > }
> > }
> > }
> > };
> >
> > There's also a LoggingFilter attached with the messageSent and
> > messageReceived levels visible (attached to the client's filter chain)
> >
> > Here is the relevant test code:
> >
> > Set up SSLContext ctx1 using SSLContextFactory....
> >
> > 171 IoAcceptor acceptor = new VmPipeAcceptor();
> > 172 acceptor.setHandler(serverHandler);
> > 173 SslFilter serverFilter = new SslFilter(ctx1);
> > 174 serverFilter.setNeedClientAuth(true);
> > 175 acceptor.getFilterChain().addLast("SSL", serverFilter);
> > 176 acceptor.bind(new VmPipeAddress(1));
> >
> > Set up SSLContext ctx2 using SSLContextFactory....
> >
> > 189 IoConnector connector = new VmPipeConnector();
> > 190 connector.setHandler(clientHandler);
> > 191 SslFilter clientFilter = new SslFilter(ctx2);
> > 192 clientFilter.setUseClientMode(true);
> > (Set up LoggingFilter)
> > 203 connector.getFilterChain().addLast("LOG", loggingFilter);
> > 204 connector.getFilterChain().addLast("SSL", clientFilter);
> >
> > Then:
> >
> > 206 ConnectFuture cf = connector.connect(new VmPipeAddress(1));
> > 207 cf.await();
> > 208 assertTrue(cf.isConnected());
> > 209 IoSession session = cf.getSession();
> > 210 session.getConfig().setUseReadOperation(true);
> > 211 IoBuffer buffer = IoBuffer.allocate(4);
> > 212 buffer.putString("PING", CHARSET.newEncoder());
> > 213 buffer.flip();
> > 214 WriteFuture wf = session.write(buffer);
> > 215 wf.await();
> > 216 assertTrue(wf.isWritten());
> > 217
> > 218
> > 219 ReadFuture rf = session.read();
> > 220 rf.await();
> > 221 assertTrue(rf.isRead());
> > 222 assertTrue(rf.getMessage() instanceof IoBuffer);
> > 223 IoBuffer buffer2 = (IoBuffer) rf.getMessage();
> > 224 assertEquals("PONG", buffer2.getString(CHARSET.newDecoder()));
> > 225 }
> >
> >
> > Here is the log output from the failing test case:
> >
> > 2008-03-07 09:21:47,597 INFO main SSLTestClient - SENT:
> > HeapBuffer[pos=0 lim=100 cap=130: 80 62 01 03 01 00 39 00 00 00 20 00
> > 00 04 01 00...]
> > 2008-03-07 09:21:47,602 FATAL main SSLTest - SERVER IoHandler:
> > exceptionCaught
> > javax.net.ssl.SSLHandshakeException: SSL handshake failed.
> > at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:426)
> > at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
> > at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
> > at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
> > at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.messageReceived(DefaultIoFilterChain.java:607)
> > at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
> > at org.apache.mina.common.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:399)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireEvent(VmPipeFilterChain.java:91)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushEvents(VmPipeFilterChain.java:75)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.pushEvent(VmPipeFilterChain.java:68)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireMessageReceived(VmPipeFilterChain.java:166)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.updateTrafficMask(VmPipeFilterChain.java:239)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.updateTrafficMask(VmPipeFilterChain.java:169)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushPendingDataQueues(VmPipeFilterChain.java:120)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.start(VmPipeFilterChain.java:62)
> > at org.apache.mina.transport.vmpipe.VmPipeConnector.connect0(VmPipeConnector.java:124)
> > at org.apache.mina.common.AbstractIoConnector.connect(AbstractIoConnector.java:167)
> > at org.apache.mina.common.AbstractIoConnector.connect(AbstractIoConnector.java:93)
> > at com.XXXXX.XXXXX.net.ssl.SSLTest.testSSLHandshake(SSLTest.java:206)
> > (junit code)
> > Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
> > at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:997)
> > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
> > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1058)
> > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1030)
> > at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
> > at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:477)
> > at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:286)
> > at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:407)
> > ... 40 more
> > Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
> > at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
> > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1356)
> > at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
> > at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
> > at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:639)
> > at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
> > at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
> > at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
> > at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
> > at java.security.AccessController.doPrivileged(Native Method)
> > at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:935)
> > at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:667)
> > at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:458)
> > ... 42 more
> > 2008-03-07 09:21:47,607 INFO main SSLTestClient - RECEIVED:
> > HeapBuffer[pos=0 lim=7 cap=7: 15 03 01 00 02 02 28]
> > 2008-03-07 09:21:47,607 FATAL main SSLTest - CLIENT IoHandler:
> > exceptionCaught
> > javax.net.ssl.SSLHandshakeException: SSL handshake failed.
> > at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:426)
> > at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
> > at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
> > at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
> > at org.apache.mina.filter.logging.LoggingFilter.messageReceived(LoggingFilter.java:95)
> > at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
> > at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
> > at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
> > at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.messageReceived(DefaultIoFilterChain.java:607)
> > at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
> > at org.apache.mina.common.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:399)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireEvent(VmPipeFilterChain.java:91)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushEvents(VmPipeFilterChain.java:75)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.pushEvent(VmPipeFilterChain.java:68)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireMessageReceived(VmPipeFilterChain.java:166)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.flush(VmPipeFilterChain.java:192)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.flush(VmPipeFilterChain.java:169)
> > at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.filterWrite(DefaultIoFilterChain.java:644)
> > at org.apache.mina.common.DefaultIoFilterChain.callPreviousFilterWrite(DefaultIoFilterChain.java:467)
> > at org.apache.mina.common.DefaultIoFilterChain.access$1400(DefaultIoFilterChain.java:40)
> > at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.filterWrite(DefaultIoFilterChain.java:835)
> > at org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(SslHandler.java:260)
> > at org.apache.mina.filter.ssl.SslFilter.filterClose(SslFilter.java:581)
> > at org.apache.mina.common.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:482)
> > at org.apache.mina.common.DefaultIoFilterChain.access$1500(DefaultIoFilterChain.java:40)
> > at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:840)
> > at org.apache.mina.common.DefaultIoFilterChain$TailFilter.filterClose(DefaultIoFilterChain.java:767)
> > at org.apache.mina.common.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:482)
> > at org.apache.mina.common.DefaultIoFilterChain.fireFilterClose(DefaultIoFilterChain.java:477)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireEvent(VmPipeFilterChain.java:115)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushEvents(VmPipeFilterChain.java:75)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.pushEvent(VmPipeFilterChain.java:68)
> > at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireFilterClose(VmPipeFilterChain.java:126)
> > at org.apache.mina.common.AbstractIoSession.close(AbstractIoSession.java:173)
> > at org.apache.mina.common.AbstractIoSession.close(AbstractIoSession.java:158)
> > at com.XXXXX.XXXXX.net.ssl.SSLTest$2.exceptionCaught(SSLTest.java:95)
> > (stacktrace continues back into client here)
> >
> > Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
> > at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
> > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1356)
> > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1324)
> > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1486)
> > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:961)
> > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:787)
> > at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:663)
> > at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:566)
> > at org.apache.mina.filter.ssl.SslHandler.unwrap0(SslHandler.java:644)
> > at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:591)
> > at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:461)
> > at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:286)
> > at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:407)
> > ... 90 more
> >
>
>
Re: MINA-2.0.0-M1 -- SslFilter handshake failed?
Posted by Niklas Therning <ni...@trillian.se>.
I think it is the "no cipher suites in common" error which causes the
handshake problem. You can use SslFilter.setEnabledCipherSuites() to
specify which suites should be enabled.
HTH
/Niklas
Mark Renouf skrev:
> I've been struggling with an SSL issue. I had it all working but I've
> lost track of some changes and basically I'm stuck again. I've
> dissolved it down to a unit test where I have a pair of VmPipe
> (acceptor/connector) talking, each with an SslFilter. Each have a
> seperate keystore, and a common truststore. Each's certificates are
> signed by a CA cert in the trust store. These are known-good as they
> were take from a production server.
>
> The server has a simple handler set which waits for "PING" and sends
> back "PONG". The test passes without the SSL Filter in place. In the
> tests I also placed a logging filter last on the filter chain of the
> connector so I can see the raw data after processing.
>
> When I enable SSL on both ends, I get a failed handshake. I'm using
> SSLContextFactory and KeyStoreFactory to load keystores. I've
> independently verified the keystores are valid and being loaded
> correctly (right passwords etc).
>
> The com.XXXXX.XXXXX lines below are just package names from an
> unreleased product of my employer which I've anonymized for now :-)
>
> The handlers look like this:
> IoHandler clientHandler = new IoHandlerAdapter() {
> @Override
> public void exceptionCaught(IoSession session, Throwable
> cause) throws Exception {
> LOGGER.fatal("CLIENT IoHandler: exceptionCaught", cause);
> }
> };
>
> IoHandler serverHandler = new IoHandlerAdapter() {
> @Override
> public void exceptionCaught(IoSession session, Throwable
> cause) throws Exception {
> LOGGER.fatal("SERVER IoHandler: exceptionCaught", cause);
> session.close(true);
> }
>
> @Override
> public void messageReceived(IoSession session, Object
> message) throws Exception {
> if (message instanceof IoBuffer) {
> String msg =
> ((IoBuffer)message).getString(CHARSET.newDecoder());
> if (msg.equals("PING")) {
> IoBuffer buffer = IoBuffer.allocate(4);
> buffer.putString("PONG", CHARSET.newEncoder());
> buffer.flip();
> session.write(buffer);
> }
> }
> }
> };
>
> There's also a LoggingFilter attached with the messageSent and
> messageReceived levels visible (attached to the client's filter chain)
>
> Here is the relevant test code:
>
> Set up SSLContext ctx1 using SSLContextFactory....
>
> 171 IoAcceptor acceptor = new VmPipeAcceptor();
> 172 acceptor.setHandler(serverHandler);
> 173 SslFilter serverFilter = new SslFilter(ctx1);
> 174 serverFilter.setNeedClientAuth(true);
> 175 acceptor.getFilterChain().addLast("SSL", serverFilter);
> 176 acceptor.bind(new VmPipeAddress(1));
>
> Set up SSLContext ctx2 using SSLContextFactory....
>
> 189 IoConnector connector = new VmPipeConnector();
> 190 connector.setHandler(clientHandler);
> 191 SslFilter clientFilter = new SslFilter(ctx2);
> 192 clientFilter.setUseClientMode(true);
> (Set up LoggingFilter)
> 203 connector.getFilterChain().addLast("LOG", loggingFilter);
> 204 connector.getFilterChain().addLast("SSL", clientFilter);
>
> Then:
>
> 206 ConnectFuture cf = connector.connect(new VmPipeAddress(1));
> 207 cf.await();
> 208 assertTrue(cf.isConnected());
> 209 IoSession session = cf.getSession();
> 210 session.getConfig().setUseReadOperation(true);
> 211 IoBuffer buffer = IoBuffer.allocate(4);
> 212 buffer.putString("PING", CHARSET.newEncoder());
> 213 buffer.flip();
> 214 WriteFuture wf = session.write(buffer);
> 215 wf.await();
> 216 assertTrue(wf.isWritten());
> 217
> 218
> 219 ReadFuture rf = session.read();
> 220 rf.await();
> 221 assertTrue(rf.isRead());
> 222 assertTrue(rf.getMessage() instanceof IoBuffer);
> 223 IoBuffer buffer2 = (IoBuffer) rf.getMessage();
> 224 assertEquals("PONG", buffer2.getString(CHARSET.newDecoder()));
> 225 }
>
>
> Here is the log output from the failing test case:
>
> 2008-03-07 09:21:47,597 INFO main SSLTestClient - SENT:
> HeapBuffer[pos=0 lim=100 cap=130: 80 62 01 03 01 00 39 00 00 00 20 00
> 00 04 01 00...]
> 2008-03-07 09:21:47,602 FATAL main SSLTest - SERVER IoHandler:
> exceptionCaught
> javax.net.ssl.SSLHandshakeException: SSL handshake failed.
> at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:426)
> at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
> at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
> at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
> at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.messageReceived(DefaultIoFilterChain.java:607)
> at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
> at org.apache.mina.common.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:399)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireEvent(VmPipeFilterChain.java:91)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushEvents(VmPipeFilterChain.java:75)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain.pushEvent(VmPipeFilterChain.java:68)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireMessageReceived(VmPipeFilterChain.java:166)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.updateTrafficMask(VmPipeFilterChain.java:239)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.updateTrafficMask(VmPipeFilterChain.java:169)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushPendingDataQueues(VmPipeFilterChain.java:120)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain.start(VmPipeFilterChain.java:62)
> at org.apache.mina.transport.vmpipe.VmPipeConnector.connect0(VmPipeConnector.java:124)
> at org.apache.mina.common.AbstractIoConnector.connect(AbstractIoConnector.java:167)
> at org.apache.mina.common.AbstractIoConnector.connect(AbstractIoConnector.java:93)
> at com.XXXXX.XXXXX.net.ssl.SSLTest.testSSLHandshake(SSLTest.java:206)
> (junit code)
> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
> at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:997)
> at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
> at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1058)
> at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1030)
> at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
> at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:477)
> at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:286)
> at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:407)
> ... 40 more
> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
> at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1356)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
> at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
> at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:639)
> at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
> at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
> at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
> at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
> at java.security.AccessController.doPrivileged(Native Method)
> at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:935)
> at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:667)
> at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:458)
> ... 42 more
> 2008-03-07 09:21:47,607 INFO main SSLTestClient - RECEIVED:
> HeapBuffer[pos=0 lim=7 cap=7: 15 03 01 00 02 02 28]
> 2008-03-07 09:21:47,607 FATAL main SSLTest - CLIENT IoHandler:
> exceptionCaught
> javax.net.ssl.SSLHandshakeException: SSL handshake failed.
> at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:426)
> at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
> at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
> at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
> at org.apache.mina.filter.logging.LoggingFilter.messageReceived(LoggingFilter.java:95)
> at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
> at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
> at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
> at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.messageReceived(DefaultIoFilterChain.java:607)
> at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
> at org.apache.mina.common.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:399)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireEvent(VmPipeFilterChain.java:91)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushEvents(VmPipeFilterChain.java:75)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain.pushEvent(VmPipeFilterChain.java:68)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireMessageReceived(VmPipeFilterChain.java:166)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.flush(VmPipeFilterChain.java:192)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.flush(VmPipeFilterChain.java:169)
> at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.filterWrite(DefaultIoFilterChain.java:644)
> at org.apache.mina.common.DefaultIoFilterChain.callPreviousFilterWrite(DefaultIoFilterChain.java:467)
> at org.apache.mina.common.DefaultIoFilterChain.access$1400(DefaultIoFilterChain.java:40)
> at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.filterWrite(DefaultIoFilterChain.java:835)
> at org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(SslHandler.java:260)
> at org.apache.mina.filter.ssl.SslFilter.filterClose(SslFilter.java:581)
> at org.apache.mina.common.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:482)
> at org.apache.mina.common.DefaultIoFilterChain.access$1500(DefaultIoFilterChain.java:40)
> at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:840)
> at org.apache.mina.common.DefaultIoFilterChain$TailFilter.filterClose(DefaultIoFilterChain.java:767)
> at org.apache.mina.common.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:482)
> at org.apache.mina.common.DefaultIoFilterChain.fireFilterClose(DefaultIoFilterChain.java:477)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireEvent(VmPipeFilterChain.java:115)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushEvents(VmPipeFilterChain.java:75)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain.pushEvent(VmPipeFilterChain.java:68)
> at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireFilterClose(VmPipeFilterChain.java:126)
> at org.apache.mina.common.AbstractIoSession.close(AbstractIoSession.java:173)
> at org.apache.mina.common.AbstractIoSession.close(AbstractIoSession.java:158)
> at com.XXXXX.XXXXX.net.ssl.SSLTest$2.exceptionCaught(SSLTest.java:95)
> (stacktrace continues back into client here)
>
> Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
> at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
> at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1356)
> at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1324)
> at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1486)
> at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:961)
> at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:787)
> at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:663)
> at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:566)
> at org.apache.mina.filter.ssl.SslHandler.unwrap0(SslHandler.java:644)
> at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:591)
> at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:461)
> at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:286)
> at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:407)
> ... 90 more
>