I forgot to mention that I am using HttpClient 3.1.

On Tue, Jan 25, 2011 at 2:07 PM, Michael Lam <lammg0...@gmail.com> wrote:

> Hi all,
>
> We have been running into an issue lately where our client certificate
> authenticated SSL connections are randomly closing with a TLS alert
> "close_notify". The strange thing is that out of 10 tries, the connection
> may work maybe around 2-3 times. All other times, the connections will
> receive a "close_notify" and the connection will close. For comparison
> purposes, we tried using command-line CURL to submit the same request with
> client certificate authentication and we were able to connect and send data
> without issues every time.
>
> Below is the debug (with -Djavax.net.debug=all) output from a sample
> session. I have removed the actual data and replaced them with
> placeholders.
>
> ... <more data and messages>
> Client MAC write Secret:
> <data>
> Server MAC write Secret:
> <data>
> Client write key:
> <data>
> Server write key:
> <data>
> ... no IV used for this cipher
> Padded plaintext before ENCRYPTION: len = 17
> <data>
> main, WRITE: TLSv1 Change Cipher Spec, length = 17
> [Raw write]: length = 22
> <data>
> *** Finished
> verify_data: <data>
> ***
> [write] MD5 and SHA1 hashes: len = 16
> <data>
> Padded plaintext before ENCRYPTION: len = 32
> <data>
> main, WRITE: TLSv1 Handshake, length = 32
> <data>
> main, received EOFException: ignored
> main, called closeInternal(false)
> main, SEND TLSv1 ALERT: warning, description = close_notify
> Padded plaintext before ENCRYPTION: len = 18
> <data>
> main, WRITE: TLSv1 Alert, length = 18
> main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
> 2011-01-12 11:20:59,908 DEBUG org.apache.commons.httpclient.HttpMethodDirector - Closing the connection.
> 2011-01-12 11:20:59,908 DEBUG org.apache.commons.httpclient.HttpConnection - enter HttpConnection.close()
> 2011-01-12 11:20:59,908 DEBUG org.apache.commons.httpclient.HttpConnection - enter HttpConnection.closeSockedAndStreams()
> main, called close()
> main, called closeInternal(true)
> main, called close()
> main, called closeInternal(true)
> main, called close()
> main, called closeInternal(true)
> 2011-01-12 11:20:59,909 INFO org.apache.commons.httpclient.HttpMethodDirector - I/O exception (org.apache.commons.httpclient.NoHttpResponseException) caught when processing request: The server <host> failed to respond
> 2011-01-12 11:20:59,912 DEBUG org.apache.commons.httpclient.HttpMethodDirector - The server <host> failed to respond
> org.apache.commons.httpclient.NoHttpResponseException: The server www.callit.com failed to respond
>     at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1976)
>     at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1735)
>     at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1098)
>     at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
>     at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
>     at SSLConnectionTest.main(SSLConnectionTest.java:83)
>
> Here is the code I used to connect to the host:
>
> HttpClientParams params = new HttpClientParams(DefaultHttpParams.getDefaultParams());
> HttpClient httpclient = new HttpClient(params);
>
> AuthSSLProtocolSocketFactory socketFactory = new AuthSSLProtocolSocketFactory(keyStoreFileUrl.toURL(), keyStorePwd, null, null);
> Protocol httpsProtocol = new Protocol("https", socketFactory, 443);
> httpclient.getHostConfiguration().setHost("www.myhost.com", 443, httpsProtocol);
>
> PostMethod httppost = new PostMethod("/vl/feature.asp");
>
> NameValuePair[] data = {
>     new NameValuePair("Query", "function"),
> };
> try {
>     httppost.setRequestBody(data);
>     httpclient.executeMethod(httppost);
>     System.out.println(httppost.getResponseBodyAsString());
> } catch (HttpException e) {
>     e.printStackTrace();
> } catch (IOException e) {
>     e.printStackTrace();
> } finally {
>     httppost.releaseConnection();
> }
>
> Within the AuthSSLProtocolSocketFactory, we also use the
> AuthSSLX509TrustManager and a custom KeyManager that stores the client
> certificate and private key. Any pointers or tips to help debug this issue
> will be greatly appreciated.
>
> Regards,
> Mike
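An added diagnostic for the situation described above; this is example code written for this page, not code from the thread or from HttpClient. The trace shows the socket hitting EOF ("received EOFException: ignored") right after the client wrote its Finished message, and HttpClient then reporting NoHttpResponseException, so the first thing to isolate is the Java TLS layer on its own: repeat the client-certificate handshake with plain JSSE, log what the server's CertificateRequest asked for and which alias the key manager answered with, then send one request and see whether a status line comes back. The class name ClientCertHandshakeCheck, the command-line arguments (keystore file, password, host, port, path, attempt count) and the stock KeyManagerFactory standing in for the custom KeyManager are all assumptions of this example; wrap the custom KeyManager in LoggingKeyManager instead to test the real one.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;

import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Repeats a client-certificate TLS connection with plain JSSE (no HttpClient).
 * Usage: java ClientCertHandshakeCheck <keystore> <password> <host> [port] [path] [attempts]
 * Run with -Dnoresume=true to build a fresh SSLContext (empty session cache) per attempt.
 * All arguments are assumptions of this example, not values taken from the thread.
 */
public class ClientCertHandshakeCheck {

    /** Delegating X509KeyManager that prints every client-side decision it makes. */
    static final class LoggingKeyManager implements X509KeyManager {
        private final X509KeyManager delegate;

        LoggingKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

        @Override
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            String alias = delegate.chooseClientAlias(keyTypes, issuers, socket);
            // keyTypes and issuers come straight from the server's CertificateRequest;
            // a null alias means JSSE will send an empty Certificate message.
            System.out.println("  CertificateRequest key types: " + Arrays.toString(keyTypes));
            System.out.println("  CertificateRequest issuers:   "
                    + (issuers == null ? "<none listed>" : Arrays.toString(issuers)));
            System.out.println("  chosen client alias:          " + alias);
            if (alias != null) {
                X509Certificate[] chain = delegate.getCertificateChain(alias);
                System.out.println("  offered chain: " + chain.length + " cert(s), leaf subject="
                        + chain[0].getSubjectX500Principal() + ", leaf issuer=" + chain[0].getIssuerX500Principal());
            }
            return alias;
        }

        @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
        @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
        @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    }

    /** Builds an SSLContext whose key managers are wrapped for logging; trust comes from the default cacerts. */
    static SSLContext buildContext(String keyStorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(keyStorePath.endsWith(".p12") ? "PKCS12" : "JKS");
        try (InputStream in = new FileInputStream(keyStorePath)) { ks.load(in, password); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) kms[i] = new LoggingKeyManager((X509KeyManager) kms[i]);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Reads one CRLF-terminated line; returns null if the peer closed before sending anything. */
    static String readLine(InputStream in) throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = in.read()) != -1) {
            if (c == '\n') return sb.toString().trim();
            sb.append((char) c);
        }
        return sb.length() == 0 ? null : sb.toString().trim();
    }

    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String keyStorePath = args[0];
        char[] password = args[1].toCharArray();
        String host = args[2];
        int port = args.length > 3 ? Integer.parseInt(args[3]) : 443;
        String path = args.length > 4 ? args[4] : "/";
        int attempts = args.length > 5 ? Integer.parseInt(args[5]) : 10;
        boolean freshContextEachTime = Boolean.getBoolean("noresume");

        SSLContext ctx = buildContext(keyStorePath, password);
        String previousSessionId = null;
        int ok = 0;
        for (int i = 1; i <= attempts; i++) {
            if (freshContextEachTime) ctx = buildContext(keyStorePath, password); // empty session cache
            System.out.println("attempt " + i);
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
                s.startHandshake();
                String sessionId = toHex(s.getSession().getId());
                System.out.println("  handshake ok: " + s.getSession().getProtocol() + " " + s.getSession().getCipherSuite()
                        + (sessionId.equals(previousSessionId) ? " (same session id as previous attempt)" : " (new session id)"));
                previousSessionId = sessionId;
                // A server that drops the socket after the handshake shows up on this read, not in startHandshake().
                String request = "GET " + path + " HTTP/1.1\r\nHost: " + host + "\r\nConnection: close\r\n\r\n";
                s.getOutputStream().write(request.getBytes("US-ASCII"));
                s.getOutputStream().flush();
                String statusLine = readLine(s.getInputStream());
                if (statusLine == null) {
                    System.out.println("  server closed the connection without a response");
                } else {
                    System.out.println("  response: " + statusLine);
                    ok++;
                }
            } catch (Exception e) {
                System.out.println("  failed: " + e);
            }
        }
        System.out.println(ok + "/" + attempts + " attempts received an HTTP status line");
    }
}
```

Reading the output: if the chosen alias is null or changes between attempts, the key manager is the place to look; if JSSE alone reproduces the same success ratio with a stable alias, compare the protocol and cipher suite printed here with what `curl -v` negotiates, and rerun with `-Dnoresume=true` to see whether the failures track the "same session id as previous attempt" connections.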