[
https://issues.apache.org/jira/browse/BROOKLYN-456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15933563#comment-15933563
]
ASF GitHub Bot commented on BROOKLYN-456:
-----------------------------------------
GitHub user geomacy opened a pull request:
https://github.com/apache/brooklyn-server/pull/602
Add test illustrating SNI connection problem.
See https://issues.apache.org/jira/browse/BROOKLYN-456.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/geomacy/brooklyn-server sni-test
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/brooklyn-server/pull/602.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #602
----
commit c541ebe7a748d8a6e244c4ee07eabb08abfae9d7
Author: Geoff Macartney <[email protected]>
Date: 2017-03-20T21:05:55Z
Add test illustrating SNI connection problem.
See https://issues.apache.org/jira/browse/BROOKLYN-456.
----
> "SSLException: internal_error" upon trying to connect to site requiring SNI
> ---------------------------------------------------------------------------
>
> Key: BROOKLYN-456
> URL: https://issues.apache.org/jira/browse/BROOKLYN-456
> Project: Brooklyn
> Issue Type: Bug
> Reporter: Geoff Macartney
> Priority: Minor
>
> On 17th March brooklyn-server builds began failing, such as
> https://builds.apache.org/view/Brooklyn/job/brooklyn-server-master/492/.
> The errors were failures in tests
> {quote}
> org.apache.brooklyn.camp.brooklyn.HttpCommandEffectorYamlRebindTest.testRebindWhenHealthy
> org.apache.brooklyn.camp.brooklyn.HttpCommandEffectorYamlTest.testHttpCommandEffectorWithParameters
> org.apache.brooklyn.camp.brooklyn.CompositeEffectorYamlRebindTest.testRebindWhenHealthy
> org.apache.brooklyn.camp.brooklyn.CompositeEffectorYamlTest.testCompositeEffector
> {quote}
> all of which issued requests to "https://httpbin.org" for test purposes.
> There seems to have been a change in configuration on httpbin.org on the 16th
> of March, see
> [here|https://lists.apache.org/thread.html/2d7bfb556b5459590d266d079043861bc34c0b921a2b5346ae9fd8ae@%3Cdev.brooklyn.apache.org%3E].
> However the certificate changes appear not to be the problem, as far as I can
> tell, as the certificate chain from the site has root "Let's Encrypt
> Authority X3" (SHA1
> Fingerprint=E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB),
> which is signed by CA "DST Root CA X3" (Certificate fingerprint
> DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13), which is in the
> cacerts file of Java 8 by default.
> I believe the problem lies on the Java SSL client side, specifically that the
> client is not including the SNI (Server Naming Indicator) extension in the
> SSL handshake. httpbin requires this, compare
> {code}
> openssl s_client -showcerts -connect httpbin.org:443 </dev/null
> CONNECTED(00000003)
> 7944:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s23_lib.c:185:
> {code}
> with the output from
> {code}
> openssl s_client -servername httpbin.org -showcerts -connect httpbin.org:443 </dev/null
> {code}
> The result is that the connection attempt fails with
> {code}
> SSLException: Received fatal alert: internal_error
> {code}
> Searching around the web there seem to be a number of other people who have
> encountered this problem, e.g.
> https://forums.aws.amazon.com/message.jspa?messageID=669911. The issue seems
> to be fixed only in Java 9, but there may be workarounds on 7 and 8. I
> haven't tried these out yet.
> I will look at adding a test in Brooklyn to record this.