I can confirm this happens. Any help would be appreciated.
My systems:
- OpenJDK Runtime Environment (build 1.8.0_72-internal-b05) -- Debian
GNU/Linux stretch/sid
- OpenJDK Runtime Environment (IcedTea 2.5.6) (7u79-2.5.6-1~deb8u1) --
Debian GNU/Linux 8
I am testing as follows:
1) Server:
java -server -classpath ./h2-1.4.190.jar -Djavax.net.debug=SSL
org.h2.tools.Server -web -webAllowOthers -tcp -tcpSSL -tcpAllowOthers
2) Client:
java -Djavax.net.debug=SSL -cp h2-1.4.190.jar:. Test
...where the class Test is the result of:
javac Test.java
...where Test.java is:
--------------------------code-----------------------------
import java.sql.*;
import java.util.*;
public class Test {
public static String SERVER_IP = "localhost";
public static String SERVER_PORT = "9092";
public static void main(String[] a) throws Exception {
Class.forName("org.h2.Driver");
String url = "jdbc:h2:ssl://" + SERVER_IP + ":" + SERVER_PORT +
"/~/test";
Properties prop = new Properties();
prop.setProperty("user", "sa");
prop.put("password", "");
Connection conn = null;
try {
conn = DriverManager.getConnection(url, prop);
} finally {
// nothing here
}
System.out.println("Connected.");
conn.close();
}
}
------------------------ end code -----------------------
My SSL debug output suggests that CipherFactory.java tries to enable
anonymous TLS cipher suits,
but SSL negotiation is ignoring that. To confirm, I edited
CipherFactory.java in the following manner:
----------------------------- code --------------------------
private static String[] enableAnonymous(String[] enabled, String[]
supported) {
HashSet<String> set = new HashSet<String>();
Collections.addAll(set, enabled);
for (String x : supported) {
if (!x.startsWith("SSL") &&
x.indexOf("_anon_") >= 0 &&
x.indexOf("_AES_") >= 0 &&
x.indexOf("_SHA") >= 0) {
System.out.println("Enabling [" + x + "].");
set.add(x);
}
}
return set.toArray(new String[0]);
}
private static String[] disableSSL(String[] enabled) {
HashSet<String> set = new HashSet<String>();
for (String x : enabled) {
if (!x.startsWith("SSL")) {
System.out.println("Disabling [" + x + "].");
set.add(x);
}
}
return set.toArray(new String[0]);
}
----------------------------- end code --------------------------
Then rebuilt using:
javac -sourcepath src/tools -d bin src/tools/org/h2/build/*.java
java -Xmx256m -cp
"bin:/usr/lib/jvm/java-7-openjdk-amd64/lib/tools.jar:temp"
org.h2.build.Build jar
...then ran the test code and got the output (among other things):
done seeding SecureRandom
Disabling [TLSv1].
Disabling [TLSv1.1].
Disabling [TLSv1.2].
Enabling [TLS_DH_anon_WITH_AES_256_GCM_SHA384].
Enabling [TLS_DH_anon_WITH_AES_128_GCM_SHA256].
Enabling [TLS_DH_anon_WITH_AES_256_CBC_SHA256].
Enabling [TLS_ECDH_anon_WITH_AES_256_CBC_SHA].
Enabling [TLS_DH_anon_WITH_AES_256_CBC_SHA].
Enabling [TLS_DH_anon_WITH_AES_128_CBC_SHA256].
Enabling [TLS_ECDH_anon_WITH_AES_128_CBC_SHA].
Enabling [TLS_DH_anon_WITH_AES_128_CBC_SHA].
Allow unsafe renegotiation: false
Allow legacy hello messages: true
....and it all ended as others have already described. For more detail, I
would also paste:
The full server log: http://pastebin.com/LmVqa9aS
The full client log: http://pastebin.com/8msarqGA
--
You received this message because you are subscribed to the Google Groups "H2
Database" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/h2-database.
For more options, visit https://groups.google.com/d/optout.
