[
https://issues.apache.org/jira/browse/BROOKLYN-456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15944861#comment-15944861
]
Mark McKenna commented on BROOKLYN-456:
---------------------------------------
[~geomacy]
h3. Minimal Http Client (above)
{code}
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1473915669 bytes = { 91, 69, 188, 125, 68, 253, 115, 233,
175, 249, 200, 165, 84, 175, 61, 59, 186, 117, 172, 178, 172, 9, 212, 115, 49,
11, 18, 153 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2,
secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1,
sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1,
secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1,
secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA,
SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,
SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA,
MD5withRSA
Extension server_name, server_name: [type=host_name (0), value=httpbin.org]
***
{code}
h3. Brooklyn Http Tool
{code}
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1473915564 bytes = { 1, 122, 245, 210, 199, 169, 242, 121,
247, 6, 223, 8, 107, 60, 178, 173, 249, 79, 153, 10, 194, 116, 19, 194, 17,
198, 206, 204 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2,
secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1,
sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1,
secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1,
secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA,
SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,
SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA,
MD5withRSA
***
{code}
I note that the brooklyn client is missing the server_name extension (cc
[~aledsage])
> "SSLException: internal_error" upon trying to connect to site requiring SNI
> ---------------------------------------------------------------------------
>
> Key: BROOKLYN-456
> URL: https://issues.apache.org/jira/browse/BROOKLYN-456
> Project: Brooklyn
> Issue Type: Bug
> Reporter: Geoff Macartney
> Priority: Minor
>
> On 17th March brooklyn-server builds began failing, such as
> https://builds.apache.org/view/Brooklyn/job/brooklyn-server-master/492/.
> The errors were failures in tests
> {quote}
> org.apache.brooklyn.camp.brooklyn.HttpCommandEffectorYamlRebindTest.testRebindWhenHealthy
> org.apache.brooklyn.camp.brooklyn.HttpCommandEffectorYamlTest.testHttpCommandEffectorWithParameters
> org.apache.brooklyn.camp.brooklyn.CompositeEffectorYamlRebindTest.testRebindWhenHealthy
> org.apache.brooklyn.camp.brooklyn.CompositeEffectorYamlTest.testCompositeEffector
> {quote}
> all of which issued requests to "https://httpbin.org" for test purposes.
> There seems to have been a change in configuration on httpbin.org on the 16th
> of March, see
> [here|https://lists.apache.org/thread.html/2d7bfb556b5459590d266d079043861bc34c0b921a2b5346ae9fd8ae@%3Cdev.brooklyn.apache.org%3E].
> However the certificate changes appear not to be the problem, as far as I can
> tell, as the certificate chain from the site has root "Let's Encrypt
> Authority X3" (SHA1
> Fingerprint=E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB),
> which is signed by CA "DST Root CA X3" (Certificate fingerprint
> DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13), which is in the
> cacerts file of Java 8 by default.
> I believe the problem lies on the Java SSL client side, specifically that the
> client is not including the SNI (Server Naming Indicator) extension in the
> SSL handshake. httpbin requires this, compare
> {code}
> openssl s_client -showcerts -connect httpbin.org:443 </dev/null
> CONNECTED(00000003)
> 7944:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s23_lib.c:185:
> {code}
> with the output from
> {code}
> openssl s_client -servername httpbin.org -showcerts -connect httpbin.org:443
> </dev/null
> {code}
> The result is that the connection attempt fails with
> {code}
> SSLException: Received fatal alert: internal_error
> {code}
> Searching around the web there seem to be a number of other people who have
> encountered this problem, e.g.
> https://forums.aws.amazon.com/message.jspa?messageID=669911. The issue seems
> to be fixed only in Java 9, but there may be workarounds on 7 and 8. I
> haven't tried these out yet.
> I will look at adding a test in Brooklyn to record this.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
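As an added example (not code from the Brooklyn issue or project): a small Python builder and parser for a TLSv1.2 ClientHello record, so the server_name check that separates the two javax.net.debug dumps in the comment above can be run against a captured record rather than read off a debug log. The cipher suite ids, the zeroed random and the ec_point_formats-only extension list are constructed placeholders, not a real client's values.

```python
import struct

SNI_EXT_TYPE = 0   # server_name extension type (RFC 6066)


def build_client_hello(sni_host=None):
    """Build a TLS record carrying a TLSv1.2 ClientHello, with SNI if given."""
    body = b"\x03\x03" + b"\x00" * 32              # client_version + random
    body += b"\x00"                                # empty session id
    suites = b"\xc0\x2b\xc0\x2f\x00\xff"            # constructed suite list + SCSV
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                            # compression: null only
    exts = b"\x00\x0b\x00\x02\x01\x00"             # ec_point_formats: uncompressed
    if sni_host is not None:
        name = sni_host.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name (0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT_TYPE, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body      # type 1 + u24 len
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record header


def client_hello_extensions(record):
    """Walk a ClientHello record and return {extension_type: extension_data}."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    p = 5 + 4 + 2 + 32                       # record hdr, hs hdr, version, random
    p += 1 + record[p]                       # skip session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # skip cipher suites
    p += 1 + record[p]                       # skip compression methods
    if p >= len(record):
        return {}                            # legacy hello: no extensions block
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p, exts = p + 2, {}
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        exts[etype] = record[p + 4:p + 4 + elen]
        p += 4 + elen
    return exts


def sni_hostname(record):
    """Return the host_name from server_name, or None when SNI is absent."""
    data = client_hello_extensions(record).get(SNI_EXT_TYPE)
    if data is None:
        return None
    # server_name_list: u16 list length, then (name_type u8, u16 length, name)
    name_len = struct.unpack("!H", data[3:5])[0]
    return data[5:5 + name_len].decode("ascii")
```

A hello that parses to `None` here is the Brooklyn-side case from the comment: a server that requires SNI, such as httpbin.org at the time, answers it with the fatal internal_error alert the issue reports.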