You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@hc.apache.org by Gary Gregory <ga...@gmail.com> on 2017/08/30 20:57:53 UTC
HttpCore NIO, NHttpReverseProxy and diagnosing an SSL handshake_failure
Hi All:
To diagnose a problem I am seeing in my custom HC-NIO proxy, I run our
example NHttpReverseProxy with the command line arguments:
https://jsonplaceholder.typicode.com:443/ 33000 TrustSelfSignedStrategy
(with or without TrustSelfSignedStrategy)
Then I get a handshake_failure trying to access it:
$ curl http://localhost:33000/posts
% Total % Received % Xferd Average Speed Time Time Time
Current
Dload Upload Total Spent Left
Speed
100 39 100 39 0 0 39 0 0:00:01 --:--:-- 0:00:01
207Received fatal alert: handshake_failure
NHttpReverseProxy prints:
Using TrustSelfSignedStrategy (not for production)
Reverse proxy to https://jsonplaceholder.typicode.com:443
[client->proxy] connection open
0:0:0:0:0:0:0:1:33000<->0:0:0:0:0:0:0:1:55252
[client->proxy] 00000001 GET /posts HTTP/1.1
[client->proxy] 00000001 request completed
[proxy->origin] connection open 192.168.0.92:55254<->104.31.87.157:443
[proxy->origin] 00000001 GET /posts HTTP/1.1
[proxy->origin] 00000001 request completed
[client<-proxy] 00000001 javax.net.ssl.SSLException: Received fatal alert:
handshake_failure
[proxy->origin] connection released 0.0.0.0:55254<->104.31.87.157:443
[proxy->origin] [total kept alive: 0; total allocated: 0 of 100]
[proxy->origin] connection closed 0.0.0.0:55254<->104.31.87.157:443
[client->proxy] connection closed 0.0.0.0:33000<->0:0:0:0:0:0:0:1:55252
HttpClient works fine with:
public class HttpsClientSanityTest {
private void executeHttpsGetPosts(final CloseableHttpClient client)
throws IOException, ClientProtocolException {
try (final CloseableHttpResponse reponse = client.execute(new
HttpGet("https://jsonplaceholder.typicode.com/posts"))) {
final String string = EntityUtils.toString(reponse.getEntity());
Assert.assertNotNull(string);
// System.out.println(string);
}
}
@Test
public void test_typicode_com() throws KeyManagementException,
NoSuchAlgorithmException, ClientProtocolException, IOException {
try (final CloseableHttpClient client =
HttpClients.createDefault()) {
executeHttpsGetPosts(client);
}
}
}
curl works fine with 'curl https://jsonplaceholder.typicode.com/posts' and
returns a JSON document.
Any hints as to what is missing from NHttpReverseProxy?
Thank you,
Gary
Re: HttpCore NIO, NHttpReverseProxy and diagnosing an SSL handshake_failure
Posted by Gary Gregory <ga...@gmail.com>.
If I set -Djavax.net.debug=all in the proxy I see:
RandomCookie: GMT: 1487308723 bytes = { 46, 102, 239, 247, 53, 87, 164,
146, 197, 44, 72, 95, 153, 58, 9, 22, 138, 176, 137, 76, 196, 163, 34, 95,
220, 87, 105, 237 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1,
sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA,
SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,
SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
[write] MD5 and SHA1 hashes: len = 161
0000: 01 00 00 9D 03 03 59 A7 88 B3 2E 66 EF F7 35 57 ......Y....f..5W
0010: A4 92 C5 2C 48 5F 99 3A 09 16 8A B0 89 4C C4 A3 ...,H_.:.....L..
0020: 22 5F DC 57 69 ED 00 00 3A C0 23 C0 27 00 3C C0 "_.Wi...:.#.'.<.
0030: 25 C0 29 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 %.).g.@...../...
0040: 0E 00 33 00 32 C0 2B C0 2F 00 9C C0 2D C0 31 00 ..3.2.+./...-.1.
0050: 9E 00 A2 C0 08 C0 12 00 0A C0 03 C0 0D 00 16 00 ................
0060: 13 00 FF 01 00 00 3A 00 0A 00 16 00 14 00 17 00 ......:.........
0070: 18 00 19 00 09 00 0A 00 0B 00 0C 00 0D 00 0E 00 ................
0080: 16 00 0B 00 02 01 00 00 0D 00 16 00 14 06 03 06 ................
0090: 01 05 03 05 01 04 03 04 01 04 02 02 03 02 01 02 ................
00A0: 02 .
I/O dispatcher 1, WRITE: TLSv1.2 Handshake, length = 161
[Raw write]: length = 166
0000: 16 03 03 00 A1 01 00 00 9D 03 03 59 A7 88 B3 2E ...........Y....
0010: 66 EF F7 35 57 A4 92 C5 2C 48 5F 99 3A 09 16 8A f..5W...,H_.:...
0020: B0 89 4C C4 A3 22 5F DC 57 69 ED 00 00 3A C0 23 ..L.."_.Wi...:.#
0030: C0 27 00 3C C0 25 C0 29 00 67 00 40 C0 09 C0 13 .'.<.%.).g.@....
0040: 00 2F C0 04 C0 0E 00 33 00 32 C0 2B C0 2F 00 9C ./.....3.2.+./..
0050: C0 2D C0 31 00 9E 00 A2 C0 08 C0 12 00 0A C0 03 .-.1............
0060: C0 0D 00 16 00 13 00 FF 01 00 00 3A 00 0A 00 16 ...........:....
0070: 00 14 00 17 00 18 00 19 00 09 00 0A 00 0B 00 0C ................
0080: 00 0D 00 0E 00 16 00 0B 00 02 01 00 00 0D 00 16 ................
0090: 00 14 06 03 06 01 05 03 05 01 04 03 04 01 04 02 ................
00A0: 02 03 02 01 02 02 ......
[Raw read]: length = 5
0000: 15 03 01 00 02 .....
[Raw read]: length = 2
0000: 02 28 .(
I/O dispatcher 1, READ: TLSv1 Alert, length = 2
I/O dispatcher 1, RECV TLSv1.2 ALERT: fatal, handshake_failure
I/O dispatcher 1, fatal: engine already closed. Rethrowing
javax.net.ssl.SSLException: Received fatal alert: handshake_failure
I/O dispatcher 1, fatal: engine already closed. Rethrowing
javax.net.ssl.SSLException: Received fatal alert: handshake_failure
[client<-proxy] 00000001 javax.net.ssl.SSLException: Received fatal alert:
handshake_failure
But, with the HttpClient, there is more data in the hex dumps which include
the origin server name and other bits:
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1487308648 bytes = { 223, 57, 250, 125, 154, 123, 122,
30, 110, 58, 163, 142, 215, 41, 230, 164, 96, 33, 206, 68, 84, 216, 191,
149, 12, 79, 94, 143 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1,
sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA,
SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,
SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension server_name, server_name: [type=host_name (0), value=
jsonplaceholder.typicode.com]
***
[write] MD5 and SHA1 hashes: len = 198
0000: 01 00 00 C2 03 03 59 A7 87 68 DF 39 FA 7D 9A 7B ......Y..h.9....
0010: 7A 1E 6E 3A A3 8E D7 29 E6 A4 60 21 CE 44 54 D8 z.n:...)..`!.DT.
0020: BF 95 0C 4F 5E 8F 00 00 3A C0 23 C0 27 00 3C C0 ...O^...:.#.'.<.
0030: 25 C0 29 00 67 00 40 C0 09 C0 13 00 2F C0 04 C0 %.).g.@...../...
0040: 0E 00 33 00 32 C0 2B C0 2F 00 9C C0 2D C0 31 00 ..3.2.+./...-.1.
0050: 9E 00 A2 C0 08 C0 12 00 0A C0 03 C0 0D 00 16 00 ................
0060: 13 00 FF 01 00 00 5F 00 0A 00 16 00 14 00 17 00 ......_.........
0070: 18 00 19 00 09 00 0A 00 0B 00 0C 00 0D 00 0E 00 ................
0080: 16 00 0B 00 02 01 00 00 0D 00 16 00 14 06 03 06 ................
0090: 01 05 03 05 01 04 03 04 01 04 02 02 03 02 01 02 ................
*00A0: 02 00 00 00 21 00 1F 00 00 1C 6A 73 6F 6E 70 6C ....!.....jsonpl*
*00B0: 61 63 65 68 6F 6C 64 65 72 2E 74 79 70 69 63 6F aceholder.typico*
*00C0: 64 65 2E 63 6F 6D de.com
<http://de.com>*
main, WRITE: TLSv1.2 Handshake, length = 198
[Raw write]: length = 203
0000: 16 03 03 00 C6 01 00 00 C2 03 03 59 A7 87 68 DF ...........Y..h.
0010: 39 FA 7D 9A 7B 7A 1E 6E 3A A3 8E D7 29 E6 A4 60 9....z.n:...)..`
0020: 21 CE 44 54 D8 BF 95 0C 4F 5E 8F 00 00 3A C0 23 !.DT....O^...:.#
0030: C0 27 00 3C C0 25 C0 29 00 67 00 40 C0 09 C0 13 .'.<.%.).g.@....
0040: 00 2F C0 04 C0 0E 00 33 00 32 C0 2B C0 2F 00 9C ./.....3.2.+./..
0050: C0 2D C0 31 00 9E 00 A2 C0 08 C0 12 00 0A C0 03 .-.1............
0060: C0 0D 00 16 00 13 00 FF 01 00 00 5F 00 0A 00 16 ..........._....
0070: 00 14 00 17 00 18 00 19 00 09 00 0A 00 0B 00 0C ................
0080: 00 0D 00 0E 00 16 00 0B 00 02 01 00 00 0D 00 16 ................
0090: 00 14 06 03 06 01 05 03 05 01 04 03 04 01 04 02 ................
00A0: 02 03 02 01 02 02 00 00 00 21 00 1F 00 00 1C 6A .........!.....j
*00B0: 73 6F 6E 70 6C 61 63 65 68 6F 6C 64 65 72 2E 74 sonplaceholder.t*
*00C0: 79 70 69 63 6F 64 65 2E 63 6F 6D ypicode.com
<http://ypicode.com>*
[Raw read]: length = 5
0000: 16 03 03 00 5B ....[
[Raw read]: length = 91
0000: 02 00 00 57 03 03 59 A7 87 68 0C 1A D3 15 C5 F5 ...W..Y..h......
0010: 11 F2 26 9B 0B 61 99 90 4F 45 F3 CA B0 54 90 B0 ..&..a..OE...T..
0020: 34 87 B6 1D 93 FA 20 24 C7 1D BA C2 8B C8 3C 33 4..... $......<3
0030: 4F 76 CB C5 DE C3 A4 FF F5 6A 6A D8 65 CD 46 81 Ov.......jj.e.F.
0040: 39 EC D7 3F 7F 84 D9 C0 2B 00 00 0F FF 01 00 01 9..?....+.......
0050: 00 00 00 00 00 00 0B 00 02 01 00 ...........
main, READ: TLSv1.2 Handshake, length = 91
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1487308648 bytes = { 12, 26, 211, 21, 197, 245, 17,
242, 38, 155, 11, 97, 153, 144, 79, 69, 243, 202, 176, 84, 144, 176, 52,
135, 182, 29, 147, 250 }
Session ID: {36, 199, 29, 186, 194, 139, 200, 60, 51, 79, 118, 203, 197,
222, 195, 164, 255, 245, 106, 106, 216, 101, 205, 70, 129, 57, 236, 215,
63, 127, 132, 217}
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name:
Extension ec_point_formats, formats: [uncompressed]
***
%% Initialized: [Session-1, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Why doesn't HttpCore include these extra bits?
Gary
On Wed, Aug 30, 2017 at 3:19 PM, Gary Gregory <ga...@gmail.com>
wrote:
> I should add that I am running the latest Oracle Java 8 on Windows 10.
>
> Gary
>
> On Aug 30, 2017 14:57, "Gary Gregory" <ga...@gmail.com> wrote:
>
>> Hi All:
>>
>> To diagnose a problem I am seeing in my custom HC-NIO proxy, I run our
>> example NHttpReverseProxy with the command line arguments:
>>
>> https://jsonplaceholder.typicode.com:443/ 33000 TrustSelfSignedStrategy
>>
>> (with or without TrustSelfSignedStrategy)
>>
>> Then I get a handshake_failure trying to access it:
>>
>> $ curl http://localhost:33000/posts
>> % Total % Received % Xferd Average Speed Time Time Time
>> Current
>> Dload Upload Total Spent Left
>> Speed
>> 100 39 100 39 0 0 39 0 0:00:01 --:--:-- 0:00:01
>> 207Received fatal alert: handshake_failure
>>
>> NHttpReverseProxy prints:
>>
>> Using TrustSelfSignedStrategy (not for production)
>> Reverse proxy to https://jsonplaceholder.typicode.com:443
>> [client->proxy] connection open 0:0:0:0:0:0:0:1:33000<->0:0:0:
>> 0:0:0:0:1:55252
>> [client->proxy] 00000001 GET /posts HTTP/1.1
>> [client->proxy] 00000001 request completed
>> [proxy->origin] connection open 192.168.0.92:55254<->104.31.87.157:443
>> [proxy->origin] 00000001 GET /posts HTTP/1.1
>> [proxy->origin] 00000001 request completed
>> [client<-proxy] 00000001 javax.net.ssl.SSLException: Received fatal
>> alert: handshake_failure
>> [proxy->origin] connection released 0.0.0.0:55254<->104.31.87.157:443
>> [proxy->origin] [total kept alive: 0; total allocated: 0 of 100]
>> [proxy->origin] connection closed 0.0.0.0:55254<->104.31.87.157:443
>> [client->proxy] connection closed 0.0.0.0:33000<->0:0:0:0:0:0:0:1:55252
>>
>> HttpClient works fine with:
>>
>> public class HttpsClientSanityTest {
>>
>> private void executeHttpsGetPosts(final CloseableHttpClient client)
>> throws IOException, ClientProtocolException {
>> try (final CloseableHttpResponse reponse = client.execute(new
>> HttpGet("https://jsonplaceholder.typicode.com/posts"))) {
>> final String string = EntityUtils.toString(reponse.g
>> etEntity());
>> Assert.assertNotNull(string);
>> // System.out.println(string);
>> }
>> }
>>
>> @Test
>> public void test_typicode_com() throws KeyManagementException,
>> NoSuchAlgorithmException, ClientProtocolException, IOException {
>> try (final CloseableHttpClient client =
>> HttpClients.createDefault()) {
>> executeHttpsGetPosts(client);
>> }
>> }
>> }
>>
>> curl works fine with 'curl https://jsonplaceholder.typicode.com/posts'
>> and returns a JSON document.
>>
>> Any hints as to what is missing from NHttpReverseProxy?
>>
>> Thank you,
>> Gary
>>
>
Re: HttpCore NIO, NHttpReverseProxy and diagnosing an SSL handshake_failure
Posted by Gary Gregory <ga...@gmail.com>.
I should add that I am running the latest Oracle Java 8 on Windows 10.
Gary
On Aug 30, 2017 14:57, "Gary Gregory" <ga...@gmail.com> wrote:
> Hi All:
>
> To diagnose a problem I am seeing in my custom HC-NIO proxy, I run our
> example NHttpReverseProxy with the command line arguments:
>
> https://jsonplaceholder.typicode.com:443/ 33000 TrustSelfSignedStrategy
>
> (with or without TrustSelfSignedStrategy)
>
> Then I get a handshake_failure trying to access it:
>
> $ curl http://localhost:33000/posts
> % Total % Received % Xferd Average Speed Time Time Time
> Current
> Dload Upload Total Spent Left
> Speed
> 100 39 100 39 0 0 39 0 0:00:01 --:--:-- 0:00:01
> 207Received fatal alert: handshake_failure
>
> NHttpReverseProxy prints:
>
> Using TrustSelfSignedStrategy (not for production)
> Reverse proxy to https://jsonplaceholder.typicode.com:443
> [client->proxy] connection open 0:0:0:0:0:0:0:1:33000<->0:0:0:
> 0:0:0:0:1:55252
> [client->proxy] 00000001 GET /posts HTTP/1.1
> [client->proxy] 00000001 request completed
> [proxy->origin] connection open 192.168.0.92:55254<->104.31.87.157:443
> [proxy->origin] 00000001 GET /posts HTTP/1.1
> [proxy->origin] 00000001 request completed
> [client<-proxy] 00000001 javax.net.ssl.SSLException: Received fatal alert:
> handshake_failure
> [proxy->origin] connection released 0.0.0.0:55254<->104.31.87.157:443
> [proxy->origin] [total kept alive: 0; total allocated: 0 of 100]
> [proxy->origin] connection closed 0.0.0.0:55254<->104.31.87.157:443
> [client->proxy] connection closed 0.0.0.0:33000<->0:0:0:0:0:0:0:1:55252
>
> HttpClient works fine with:
>
> public class HttpsClientSanityTest {
>
> private void executeHttpsGetPosts(final CloseableHttpClient client)
> throws IOException, ClientProtocolException {
> try (final CloseableHttpResponse reponse = client.execute(new
> HttpGet("https://jsonplaceholder.typicode.com/posts"))) {
> final String string = EntityUtils.toString(reponse.
> getEntity());
> Assert.assertNotNull(string);
> // System.out.println(string);
> }
> }
>
> @Test
> public void test_typicode_com() throws KeyManagementException,
> NoSuchAlgorithmException, ClientProtocolException, IOException {
> try (final CloseableHttpClient client =
> HttpClients.createDefault()) {
> executeHttpsGetPosts(client);
> }
> }
> }
>
> curl works fine with 'curl https://jsonplaceholder.typicode.com/posts'
> and returns a JSON document.
>
> Any hints as to what is missing from NHttpReverseProxy?
>
> Thank you,
> Gary
>