[jira] Closed: (HTTPCLIENT-1070) misleading javax.net.ssl.SSLPeerUnverifiedException thrown when cause is due to non SSL related IOException (e.g. java.net.SocketException: Connection reset)

["Oleg Kalnichevski (JIRA)" <ji...@apache.org>]

     [ https://issues.apache.org/jira/browse/HTTPCLIENT-1070?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleg Kalnichevski closed HTTPCLIENT-1070.
-----------------------------------------


> misleading javax.net.ssl.SSLPeerUnverifiedException thrown when cause is due to non SSL related IOException (e.g. java.net.SocketException: Connection reset)
> -------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-1070
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1070
>             Project: HttpComponents HttpClient
>          Issue Type: Bug
>          Components: HttpClient
>    Affects Versions: 4.1 Final
>         Environment: mac os x
>            Reporter: Thuy Tran
>              Labels: security
>
> I have code that continually executes an http get request to a web server that requires server side authentication.  I have the appropriate certificate in the truststore and generally, it executes without a problem.
> System.setProperty("javax.net.ssl.trustStore", sslTrustStore);
> HttpGet httpGet = new HttpGet(uri);
> DefaultHttpClient client = new DefaultHttpClient();
> HttpResponse response = null;
> try {
>   response = httpClient.execute(httpGet);
>   //do something with response
> } catch (IOException e) {
> // have caught SSLPeerUnverifiedException
> } catch (ClientProtocolException e) {
> //log it
> }
> However, even after many successful requests, it can still get a javax.net.ssl.SSLPeerUnverifiedException. I turned ssl debug on (-Djavax.net.debug=ssl) and noticed that this can occur if during the ssl handshake, it gets a "java.net.SocketException: Connection reset":
> Thread-1, WRITE: TLSv1 Handshake, length = 113
> Thread-1, handling exception: java.net.SocketException: Connection reset
> Thread-1, SEND TLSv1 ALERT:  fatal, description = unexpected_message
> Thread-1, WRITE: TLSv1 Alert, length = 2
> Thread-1, Exception sending alert: java.net.SocketException: Broken pipe
> Thread-1, called closeSocket()
> Thread-1, IOException in getSession():  java.net.SocketException: Connection reset
> Thread-1, called close()
> Thread-1, called closeInternal(true)
> The stack trace shows that it's due to the use of com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates():
> 03/01/11 15:48:56 PM EST [Thread-1] WARN -  IOException sending request to server
> javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>     at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
>     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
>     at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
>     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
>     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
>     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
>     at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:562)
>     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754)
>     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732)
>     at mil.disa.common.http.HttpUtil.executeHttpRequest(HttpUtil.java:253)
> So I swapped out the code to use java.net.URLConnection class to send the request rather than HttpClient and noticed that if a SocketException occurs during the handshake, I get the appropriate SocketException error rather than SSLPeerUnverifiedException:
> Thread-12, WRITE: TLSv1 Handshake, length = 113
> Thread-12, handling exception: java.net.SocketException: Connection reset
> Thread-12, SEND TLSv1 ALERT:  fatal, description = unexpected_message
> Thread-12, WRITE: TLSv1 Alert, length = 2
> Thread-12, Exception sending alert: java.net.SocketException: Broken pipe
> Thread-12, called closeSocket()
> Thread-12, called close()
> Thread-12, called closeInternal(true)
> 03/10/11 13:29:59 PM EST [Thread-12] FATAL - IOException sending request to server
> java.net.SocketException: Connection reset
>     at java.net.SocketInputStream.read(SocketInputStream.java:168)
>     at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
>     at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
>     at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
>     at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
>     at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
>     at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1019)
>     at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
>     at mil.disa.common.http.HttpUtil.executeHttpRequest2(HttpUtil.java:589)
> The SSLPeerUnverifiedException is misleading since if an IOException occurs, I want to retry sending the request if it's not SSL related.  This makes it difficult in debugging the error and I would only know that it's not SSLPeerUnverifiedException if I set -Djavax.net.debug=ssl.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org
For additional commands, e-mail: dev-help@hc.apache.org