If I'm reading this right (and I'm no expert in TLS/SSL), but others who follow this mailing list are...
Record 111 == Certificate Unobtainable Record 115 == Unknown PSK identity Gut reaction: you have a certificate that cannot be verified. This is a best guess, considering both the "Unsupported record version" and specific record numbers on what looks like a TLS alert message. I can't tell if this is a server side certificate or a client side certificate issue. -- Joakim Erdfelt <[email protected]> webtide.com <http://www.webtide.com/> Developer advice, services and support from the Jetty & CometD experts eclipse.org/jetty - cometd.org On Thu, Apr 11, 2013 at 12:25 PM, Christian Grobmeier <[email protected]>wrote: > On Thu, Apr 11, 2013 at 8:33 PM, Joakim Erdfelt <[email protected]> > wrote: > > Gut reaction: you are running an older JRE/JDK with known SSL/TLS bugs. > > > > Be sure you have Java 1.6 update 30 (or newer), or Java 1.7 update 15 (or > > newer) > > You were right on that, I upgraded to 1.6u43. > > I still get SSLExceptions, but they look different: > > $ tail -f 2013_04_11.stderrout.log > 2013-04-11 19:12:11.085:INFO:oejs.Server:jetty-7.6.10.v20130312 > 2013-04-11 19:12:11.115:INFO:oejdp.ScanningAppProvider:Deployment > monitor /home/www/apps/jetty/webapps at interval 1 > 2013-04-11 19:12:11.197:INFO:oejdp.ScanningAppProvider:Deployment > monitor /home/www/apps/jetty/contexts at interval 1 > 2013-04-11 19:12:11.200:INFO:oejd.DeploymentManager:Deployable added: > /home/www/apps/jetty/contexts/timeandbill.xml > 2013-04-11 19:12:11.545:INFO:oejw.WebInfConfiguration:Extract > jar:file:/home/www/releases/webapp.war!/ to > /tmp/jetty-0.0.0.0-8080-webapp-.war-_-www.domain.de-/webapp > 2013-04-11 19:12:20.121:INFO:oejpw.PlusConfiguration:No Transaction > manager found - if your webapp requires one, please configure one. > 2013-04-11 19:12:21.943:INFO:/:Initializing Spring root > WebApplicationContext > 2013-04-11 19:12:27.461:INFO:oejsh.ContextHandler:started > > o.e.j.w.WebAppContext{/,file:/tmp/jetty-0.0.0.0-8080-webapp.war-_-www.domain.de-/webapp/, > www.domain.de},/home/www/apps/jetty/webapps/webapp.war > 2013-04-11 19:12:32.054:INFO:oejs.AbstractConnector:Started > [email protected]:8080 > 2013-04-11 19:12:32.761:INFO:oejus.SslContextFactory:Enabled Protocols > [SSLv2Hello, SSLv3, TLSv1] of [SSLv2Hello, SSLv3, TLSv1] > 2013-04-11 19:12:32.764:INFO:oejs.AbstractConnector:Started > [email protected]:8443 > 2013-04-11 19:13:54.713:WARN:oeji.nio:javax.net.ssl.SSLException: > Unsupported record version Unknown-111.116 > 2013-04-11 19:16:46.341:WARN:oeji.nio:javax.net.ssl.SSLException: > Unsupported record version Unknown-115.108 > 2013-04-11 19:16:48.213:WARN:oeji.nio:javax.net.ssl.SSLException: > Unsupported record version Unknown-115.108 > 2013-04-11 19:17:46.385:WARN:oeji.nio:javax.net.ssl.SSLException: > Unsupported record version Unknown-111.116 > > No more stacktrace. Whatever the java upgrade fixed, it did something. > Still there is something wrong > > Any more gutfeelings? > > Cheers > Christian > > > > > -- > > Joakim Erdfelt <[email protected]> > > webtide.com > > Developer advice, services and support > > from the Jetty & CometD experts > > eclipse.org/jetty - cometd.org > > > > > > On Thu, Apr 11, 2013 at 11:30 AM, Christian Grobmeier < > [email protected]> > > wrote: > >> > >> Hi list, > >> > >> I have two jettys running on one box with different ports. Both were > >> 7.4.4 so far but do not share anything in common. One is for testing, > >> one is for production. > >> Today I thought I would update jetty. I used the testing jetty and > >> upgrade to 7.6.10 at the afternoon. > >> > >> It went fine and I wanted to wait a couple of days before I go with prod > >> jetty. > >> > >> A couple of hours later I got a message from my monitoring tool that > >> my non-ssl connector went down. I restartet and it went up ok. SSL > >> worked btw. > >> > >> Checking my logfiles I saw a lot of these exceptions: > >> > >> 2013-04-11 18:19:49.267:WARN:oeji.nio:handle failed > >> java.lang.RuntimeException: > >> sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID > >> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1029) > >> at > sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:503) > >> at > sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1128) > >> at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1100) > >> at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) > >> at org.eclipse.jetty.io.nio.SslConnection.wrap(SslConnection.java:460) > >> at > org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:386) > >> at > >> org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48) > >> at > >> > org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678) > >> at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1040) > >> at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280) > >> at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235) > >> at > >> > org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82) > >> at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196) > >> at > >> > org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:628) > >> at > >> > org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52) > >> at > >> > org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608) > >> at > >> > org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543) > >> at java.lang.Thread.run(Thread.java:636) > >> > >> > >> I never had them before. I then disabled the testing jetty, but the > >> exceptions kept going. > >> As both jettys used the same keystore, I considered it might be > >> problematic. So I went updating the prod jetty. Basically it was no > >> problem and everything looks well, but the exceptions > >> won't go away. > >> > >> I found a known issuen on openjdk and followed this instructions: > >> > http://shickys.blogspot.de/2012/11/addressing-openjdk-bug-with-ssl-on.html > >> (basically editing the pck12 providers). > >> But no luck. > >> > >> I checked this: > >> keytool -list -keystore keystore -v > >> just in any case. It appears CN= matches my domain and so I think it > >> should be all well too. > >> > >> Now I am puzzled and don't know where to search for the error. > >> > >> Any ideas are highly appreciated. > >> > >> Thanks, > >> Christian > >> _______________________________________________ > >> jetty-users mailing list > >> [email protected] > >> https://dev.eclipse.org/mailman/listinfo/jetty-users > > > > > > > > _______________________________________________ > > jetty-users mailing list > > [email protected] > > https://dev.eclipse.org/mailman/listinfo/jetty-users > > > > > > -- > http://www.grobmeier.de > https://www.timeandbill.de > _______________________________________________ > jetty-users mailing list > [email protected] > https://dev.eclipse.org/mailman/listinfo/jetty-users >
_______________________________________________ jetty-users mailing list [email protected] https://dev.eclipse.org/mailman/listinfo/jetty-users
