[ https://jira.codehaus.org/browse/CONTINUUM-2501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=362270#comment-362270 ]

Brent N Atkinson commented on CONTINUUM-2501:
---------------------------------------------

After reading 
http://blog.yuriytkach.com/2011/10/javaxnetsslsslexception-badrecordmac.html, I 
was able to reproduce this error locally using an Apache Httpd server 
configured only for SSLv3. The problem, as the article states, is not with 
certificates, but with attempting to negotiate an unsupported protocol to a 
server that only supports SSLv3. Though this behavior is no longer present in 
later versions of the JDK (I tried on 6 & 7), I could repeat the problem through 
manual configuration of the security subsystem (using {{-Dhttps.protocols}}).

The version of httpd for reference:
{code}
$ apache2 -version
Server version: Apache/2.4.7 (Ubuntu)
Server built:   Jul 22 2014 14:36:38
{code}

I enabled only the SSLv3 protocol by changing the apache configuration to read:
{code}
# Enable only the SSLv3 protocol
SSLProtocol SSLv3
{code}

Using the attached tryssl program, I was able to confirm that the problem was 
no longer the same under Java 6. This is apparently because SSLv3 is now 
disabled due to security vulnerabilities:

{code}
$ /usr/lib/jvm/java-6-oracle/bin/java -jar tryssl-1.0-SNAPSHOT.jar "https://192.168.11.15/pom.xml"
Exception in thread "main" javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:882)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1195)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
        at TrySSL.main(TrySSL.java:40)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:462)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863)
        ... 8 more
{code}

The error given by Java 7 is more descriptive:

{code}
$ /usr/lib/jvm/java-7-oracle/bin/java -jar tryssl-1.0-SNAPSHOT.jar "https://192.168.11.15/pom.xml"
Exception in thread "main" javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.
        at sun.security.ssl.ClientHandshaker.serverHello(ClientHandshaker.java:445)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:199)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:837)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1301)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
        at TrySSL.main(TrySSL.java:40)
{code}

Using the {{https.protocols}} system property, I was able to successfully fetch 
content by enabling the SSLv3 protocol (it does the same thing as the attached 
patch, without requiring code changes):

{code}
/usr/lib/jvm/java-6-oracle/bin/java -Dhttps.protocols=SSLv3 -jar tryssl-1.0-SNAPSHOT.jar "https://192.168.11.15/pom.xml"
<?xml version="1.0" encoding="windows-1252"?>
<!--
   Licensed to the Apache Software Foundation (ASF) under one or more
   contributor license agreements.  See the NOTICE file distributed with
....
{code}

Finally, I was able to reproduce the exact error message by specifying both 
TLSv1 and SSLv3, which causes the java security subsystem to attempt 
negotiation to the SSLv3 server using TLS:

{code}
$ /usr/lib/jvm/java-6-oracle/bin/java -Dhttps.protocols=TLSv1,SSLv3 -jar tryssl-1.0-SNAPSHOT.jar "https://192.168.11.15/pom.xml"
Exception in thread "main" javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
        at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1004)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1195)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
        at TrySSL.main(TrySSL.java:40)
{code}

Given that this can be configured using system properties, the patch 
essentially forces using SSLv3 and nothing else, and no one should be using 
SSLv3 for security reasons, I'm going to reject this.
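An added example, my own code rather than the attached tryssl program or the EasySSLSocketFactory patch, showing the per-connection equivalent of {{-Dhttps.protocols}}: a delegating socket factory that pins the enabled protocol versions (TLS only by default, never SSLv3) and prints either the version the server negotiated or the handshake error when the two sides' sets do not overlap. Class and method names are my own; it assumes a JDK 8 or later client and a URL passed on the command line.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.URL;
/* Added example (not the tryssl tool or the patch): pin the protocol versions one connection
 * may offer, which is what -Dhttps.protocols does JVM-wide, and report what the server chose. */
public class ProtocolProbe {
    /* Same shape as a delegating SSLSocketFactory patch, but the default is TLS only. */
    static final class PinnedProtocolFactory extends SSLSocketFactory {
        private final SSLSocketFactory delegate = (SSLSocketFactory) SSLSocketFactory.getDefault();
        private final String[] protocols;
        PinnedProtocolFactory(String... protocols) { this.protocols = protocols; }
        private Socket pin(Socket s) {
            SSLSocket ssl = (SSLSocket) s;
            ssl.setEnabledProtocols(protocols);   // names must be among ssl.getSupportedProtocols()
            ssl.addHandshakeCompletedListener(e ->  // fires only when the handshake succeeds
                System.out.println("negotiated " + e.getSession().getProtocol() + " " + e.getCipherSuite()));
            return ssl;
        }
        public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
        public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
        public Socket createSocket(Socket s, String host, int port, boolean autoClose)
                throws IOException { return pin(delegate.createSocket(s, host, port, autoClose)); }
        public Socket createSocket(String host, int port) throws IOException {
            return pin(delegate.createSocket(host, port)); }
        public Socket createSocket(String host, int port, InetAddress local, int localPort)
                throws IOException { return pin(delegate.createSocket(host, port, local, localPort)); }
        public Socket createSocket(InetAddress host, int port) throws IOException {
            return pin(delegate.createSocket(host, port)); }
        public Socket createSocket(InetAddress host, int port, InetAddress local, int localPort)
                throws IOException { return pin(delegate.createSocket(host, port, local, localPort)); }
    }
    /* usage: java ProtocolProbe https://host/pom.xml [TLSv1.2,TLSv1.3] */
    public static void main(String[] args) throws IOException {
        String[] protocols = args.length > 1 ? args[1].split(",") : new String[] {"TLSv1.2"};
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(new PinnedProtocolFactory(protocols));
        System.out.println("client offers " + String.join(",", protocols));
        try {
            System.out.println("HTTP " + conn.getResponseCode());  // drives the TLS handshake
        } catch (SSLException e) {
            // a version mismatch surfaces here, e.g. "Server chose SSLv3, but that protocol
            // version is not enabled or not supported by the client." on Java 7
            System.out.println("handshake failed: " + e.getMessage());
        }
    }
}
```

Running it against a server restricted to SSLv3, as in the httpd configuration above, fails in the catch block; against a TLS server it prints the negotiated version and cipher suite before the HTTP status.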

> Exception while downloading pom from https url
> ----------------------------------------------
>
>                 Key: CONTINUUM-2501
>                 URL: https://jira.codehaus.org/browse/CONTINUUM-2501
>             Project: Continuum
>          Issue Type: Bug
>          Components: Core system
>    Affects Versions: 1.2.3, 1.3.6, 1.4.0 (Beta), 1.4.1
>            Reporter: Vlado Pesov
>            Assignee: Brent N Atkinson
>            Priority: Minor
>             Fix For: 1.5.0
>
>         Attachments: EasySSLSocketFactory.patch, tryssl.tgz
>
>
> The exception is because the http client cannot handle certificates for SSLv3 
> protocol, so this support must be explicitly enabled. Here is the exception:
> Could not download the URL: https://xxxxxx:*****@hostname.com/project/pom.xml
> javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1267)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1279)
>         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:43)
>         at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:87)
>         at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:94)
>         at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:171)
>         at org.apache.http.impl.SocketHttpClientConnection.close(SocketHttpClientConnection.java:192)
>         at org.apache.http.impl.conn.DefaultClientConnection.close(DefaultClientConnection.java:161)
>         at org.apache.http.impl.conn.AbstractPooledConnAdapter.close(AbstractPooledConnAdapter.java:158)
>         at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125)
>         at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:410)
>         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
>         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
>         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
>         at org.apache.maven.continuum.project.builder.AbstractContinuumProjectBuilder.createMetadataFile(AbstractContinuumProjectBuilder.java:122)
>         at org.apache.maven.continuum.project.builder.AbstractContinuumProjectBuilder.createMetadataFile(AbstractContinuumProjectBuilder.java:244)
>         at org.apache.maven.continuum.project.builder.maven.MavenTwoContinuumProjectBuilder.readModules(MavenTwoContinuumProjectBuilder.java:149)
>         at org.apache.maven.continuum.project.builder.maven.MavenTwoContinuumProjectBuilder.buildProjectsFromMetadata(MavenTwoContinuumProjectBuilder.java:124)
>         at org.apache.maven.continuum.core.action.CreateProjectsFromMetadataAction.execute(CreateProjectsFromMetadataAction.java:152)
>         at org.apache.maven.continuum.DefaultContinuum.executeAction(DefaultContinuum.java:2759)
>         at org.apache.maven.continuum.DefaultContinuum.executeAddProjectsFromMetadataActivity(DefaultContinuum.java:1569)
>         at org.apache.maven.continuum.DefaultContinuum.executeAddProjectsFromMetadataActivity(DefaultContinuum.java:1815)
>         at org.apache.maven.continuum.DefaultContinuum.addMavenTwoProject(DefaultContinuum.java:1365)
>         at org.apache.maven.continuum.web.action.AddMavenTwoProjectAction.doExecute(AddMavenTwoProjectAction.java:109)
>         at org.apache.maven.continuum.web.action.AddMavenProjectAction.execute(AddMavenProjectAction.java:189)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:404)
>         at com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:267)
>         at org.apache.struts2.interceptor.BackgroundProcess$1.run(BackgroundProcess.java:56)
>         at java.lang.Thread.run(Thread.java:619)
> Caused by: javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
>         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
>         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1694)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:939)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
>         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
>         at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:87)
>         at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:94)
>         at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:171)
>         at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:176)
>         at org.apache.http.impl.conn.AbstractClientConnAdapter.flush(AbstractClientConnAdapter.java:221)
>         at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:240)
>         at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:119)
>         ... 23 more



--
This message was sent by Atlassian JIRA
(v6.1.6#6162)