Probably the easiest way to see that there is a problem (for most combinations of client/server JREs) is to simply start an H2 server with SSL and then try to shut it down using the same server tool:
java -cp ./h2-1.4.190.jar org.h2.tools.Server -tcp -tcpSSL &
# TCP server running at ssl://...
java -cp ./h2-1.4.190.jar org.h2.tools.Server -tcpShutdown "ssl://localhost"
# Exception in thread ... Connection is broken: "javax.net.ssl.SSLHandshakeException: ... PKIX path building failed

Changes in Java regarding certificates are not related to this issue, but most of the observations in this thread are correct. The server side running on many modern JREs ignores anonymous ciphers (Java 6, 7, or 8). I have put a more detailed description of the causes in https://github.com/h2database/h2database/issues/235

A pull request which restores the ability to use anonymous TLS for H2 connections has been posted too. In general, one would have to update the h2 library on both server and client side to have it working reliably, however.

Regards,
Tomas

On Monday, December 7, 2015 at 12:44:43 AM UTC-5, C Punk wrote:
>
> I can confirm this happens. Any help would be appreciated.
>
> My systems:
> - OpenJDK Runtime Environment (build 1.8.0_72-internal-b05) -- Debian GNU/Linux stretch/sid
> - OpenJDK Runtime Environment (IcedTea 2.5.6) (7u79-2.5.6-1~deb8u1) -- Debian GNU/Linux 8
>
> I am testing as follows:
>
> 1) Server:
> java -server -classpath ./h2-1.4.190.jar -Djavax.net.debug=SSL org.h2.tools.Server -web -webAllowOthers -tcp -tcpSSL -tcpAllowOthers
>
> 2) Client:
> java -Djavax.net.debug=SSL -cp h2-1.4.190.jar:. Test
>
> ...where the class Test is the result of:
> javac Test.java
>
> ...where Test.java is:
> --------------------------code-----------------------------
> import java.sql.*;
> import java.util.*;
>
> public class Test {
>     public static String SERVER_IP = "localhost";
>     public static String SERVER_PORT = "9092";
>
>     public static void main(String[] a) throws Exception {
>
>         Class.forName("org.h2.Driver");
>         String url = "jdbc:h2:ssl://" + SERVER_IP + ":" + SERVER_PORT + "/~/test";
>         Properties prop = new Properties();
>         prop.setProperty("user", "sa");
>         prop.put("password", "");
>
>         Connection conn = null;
>         try {
>             conn = DriverManager.getConnection(url, prop);
>         } finally {
>             // nothing here
>         }
>
>         System.out.println("Connected.");
>         conn.close();
>     }
> }
> ------------------------ end code -----------------------
>
> My SSL debug output suggests that CipherFactory.java tries to enable anonymous TLS cipher suites, but SSL negotiation is ignoring that. To confirm, I edited CipherFactory.java in the following manner:
>
> ----------------------------- code --------------------------
> private static String[] enableAnonymous(String[] enabled, String[] supported) {
>     HashSet<String> set = new HashSet<String>();
>     Collections.addAll(set, enabled);
>     for (String x : supported) {
>         if (!x.startsWith("SSL") &&
>                 x.indexOf("_anon_") >= 0 &&
>                 x.indexOf("_AES_") >= 0 &&
>                 x.indexOf("_SHA") >= 0) {
>             System.out.println("Enabling [" + x + "].");
>             set.add(x);
>         }
>     }
>     return set.toArray(new String[0]);
> }
>
> private static String[] disableSSL(String[] enabled) {
>     HashSet<String> set = new HashSet<String>();
>     for (String x : enabled) {
>         if (!x.startsWith("SSL")) {
>             System.out.println("Disabling [" + x + "].");
>             set.add(x);
>         }
>     }
>     return set.toArray(new String[0]);
> }
> ----------------------------- end code --------------------------
>
> Then rebuilt using:
>
> javac -sourcepath src/tools -d bin src/tools/org/h2/build/*.java
> java -Xmx256m -cp "bin:/usr/lib/jvm/java-7-openjdk-amd64/lib/tools.jar:temp" org.h2.build.Build jar
>
> ...then ran the test code and got the output (among other things):
>
> done seeding SecureRandom
> Disabling [TLSv1].
> Disabling [TLSv1.1].
> Disabling [TLSv1.2].
> Enabling [TLS_DH_anon_WITH_AES_256_GCM_SHA384].
> Enabling [TLS_DH_anon_WITH_AES_128_GCM_SHA256].
> Enabling [TLS_DH_anon_WITH_AES_256_CBC_SHA256].
> Enabling [TLS_ECDH_anon_WITH_AES_256_CBC_SHA].
> Enabling [TLS_DH_anon_WITH_AES_256_CBC_SHA].
> Enabling [TLS_DH_anon_WITH_AES_128_CBC_SHA256].
> Enabling [TLS_ECDH_anon_WITH_AES_128_CBC_SHA].
> Enabling [TLS_DH_anon_WITH_AES_128_CBC_SHA].
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
>
> ....and it all ended as others have already described. For more detail, I would also paste:
>
> The full server log: http://pastebin.com/LmVqa9aS
> The full client log: http://pastebin.com/8msarqGA

Visit this group at https://groups.google.com/group/h2-database.
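The probe below is an added example, not H2 project code and not from either poster: it applies the same `_anon_` selection rule as the quoted enableAnonymous() and then attempts a loopback handshake restricted to those suites, so you can tell on a given JRE whether anonymous TLS is still honoured before relying on -tcpSSL without a keystore. The class name AnonTlsProbe, the 5-second accept timeout and the use of a Java 8 lambda are my assumptions.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

// Added diagnostic (not H2 code): does this JRE really negotiate the anonymous
// suites that H2's CipherFactory enables? Run it once on each JRE involved.
public class AnonTlsProbe {
    // Same selection rule as the enableAnonymous() snippet quoted above.
    static String[] anonSuites(String[] supported) {
        List<String> out = new ArrayList<>();
        for (String s : supported) {
            if (!s.startsWith("SSL") && s.contains("_anon_")
                    && s.contains("_AES_") && s.contains("_SHA")) out.add(s);
        }
        return out.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Suites matched by this property are refused at handshake even when "enabled".
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // no keystore: only anonymous suites can succeed
        String[] anon = anonSuites(ctx.getSupportedSSLParameters().getCipherSuites());
        System.out.println("anonymous suites reported as supported: " + anon.length);
        if (anon.length == 0) { System.out.println("none: -tcpSSL without a keystore cannot work here"); return; }
        // Loopback handshake with both ends restricted to the anonymous suites.
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0);
        server.setSoTimeout(5000); // assumed timeout so the probe never hangs in accept()
        server.setEnabledCipherSuites(anon);
        Thread t = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) server.accept()) {
                s.startHandshake();
            } catch (Exception e) { System.out.println("server side: " + e); }
        });
        t.start();
        try (SSLSocket c = (SSLSocket) ctx.getSocketFactory().createSocket("localhost", server.getLocalPort())) {
            c.setEnabledCipherSuites(anon);
            c.startHandshake();
            System.out.println("negotiated " + c.getSession().getCipherSuite());
        } catch (Exception e) {
            System.out.println("client side: " + e + " (anonymous TLS refused by this JRE)");
        }
        t.join();
        server.close();
    }
}
```

A JRE that prints a negotiated suite here will accept H2's certificate-less SSL mode; one that reports an exception on both sides is the case described in this thread, and the fix is the library update Tomas mentions (or a proper keystore) rather than further cipher-list edits.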
