On Thu, Apr 11, 2013 at 9:44 PM, Joakim Erdfelt <[email protected]> wrote:
> If I'm reading this right (and I'm no expert in TLS/SSL), but others who
> follow this mailing list are...
>
> Record 111 == Certificate Unobtainable
> Record 115 == Unknown PSK identity
>
> Gut reaction: you have a certificate that cannot be verified.
> This is a best guess, considering both the "Unsupported record version" and
> specific record numbers on what looks like a TLS alert message.
> I can't tell if this is a server side certificate or a client side
> certificate issue.

hm, you have a good gut reaction. Not sure where the error resides,
but what you mentioned made me check my monitoring tool. It sends some
kind of pings via ssl. When I disabled the ssl checks, the error message
disappeared. I have caught up with the tool provider, maybe he has an idea.

Thanks for your help so far!

>
> --
> Joakim Erdfelt <[email protected]>
> webtide.com
> Developer advice, services and support
> from the Jetty & CometD experts
> eclipse.org/jetty - cometd.org
>
>
> On Thu, Apr 11, 2013 at 12:25 PM, Christian Grobmeier <[email protected]>
> wrote:
>>
>> On Thu, Apr 11, 2013 at 8:33 PM, Joakim Erdfelt <[email protected]>
>> wrote:
>> > Gut reaction: you are running an older JRE/JDK with known SSL/TLS bugs.
>> >
>> > Be sure you have Java 1.6 update 30 (or newer), or Java 1.7 update 15
>> > (or newer)
>>
>> You were right on that, I upgraded to 1.6u43.
>>
>> I still get SSLExceptions, but they look different:
>>
>> $ tail -f 2013_04_11.stderrout.log
>> 2013-04-11 19:12:11.085:INFO:oejs.Server:jetty-7.6.10.v20130312
>> 2013-04-11 19:12:11.115:INFO:oejdp.ScanningAppProvider:Deployment monitor /home/www/apps/jetty/webapps at interval 1
>> 2013-04-11 19:12:11.197:INFO:oejdp.ScanningAppProvider:Deployment monitor /home/www/apps/jetty/contexts at interval 1
>> 2013-04-11 19:12:11.200:INFO:oejd.DeploymentManager:Deployable added: /home/www/apps/jetty/contexts/timeandbill.xml
>> 2013-04-11 19:12:11.545:INFO:oejw.WebInfConfiguration:Extract jar:file:/home/www/releases/webapp.war!/ to /tmp/jetty-0.0.0.0-8080-webapp-.war-_-www.domain.de-/webapp
>> 2013-04-11 19:12:20.121:INFO:oejpw.PlusConfiguration:No Transaction manager found - if your webapp requires one, please configure one.
>> 2013-04-11 19:12:21.943:INFO:/:Initializing Spring root WebApplicationContext
>> 2013-04-11 19:12:27.461:INFO:oejsh.ContextHandler:started o.e.j.w.WebAppContext{/,file:/tmp/jetty-0.0.0.0-8080-webapp.war-_-www.domain.de-/webapp/,www.domain.de},/home/www/apps/jetty/webapps/webapp.war
>> 2013-04-11 19:12:32.054:INFO:oejs.AbstractConnector:Started [email protected]:8080
>> 2013-04-11 19:12:32.761:INFO:oejus.SslContextFactory:Enabled Protocols [SSLv2Hello, SSLv3, TLSv1] of [SSLv2Hello, SSLv3, TLSv1]
>> 2013-04-11 19:12:32.764:INFO:oejs.AbstractConnector:Started [email protected]:8443
>> 2013-04-11 19:13:54.713:WARN:oeji.nio:javax.net.ssl.SSLException: Unsupported record version Unknown-111.116
>> 2013-04-11 19:16:46.341:WARN:oeji.nio:javax.net.ssl.SSLException: Unsupported record version Unknown-115.108
>> 2013-04-11 19:16:48.213:WARN:oeji.nio:javax.net.ssl.SSLException: Unsupported record version Unknown-115.108
>> 2013-04-11 19:17:46.385:WARN:oeji.nio:javax.net.ssl.SSLException: Unsupported record version Unknown-111.116
>>
>> No more stacktrace. Whatever the java upgrade fixed, it did something.
>> Still there is something wrong
>>
>> Any more gut feelings?
>>
>> Cheers
>> Christian
>>
>> > On Thu, Apr 11, 2013 at 11:30 AM, Christian Grobmeier
>> > <[email protected]> wrote:
>> >>
>> >> Hi list,
>> >>
>> >> I have two jettys running on one box with different ports. Both were
>> >> 7.4.4 so far but do not share anything in common. One is for testing,
>> >> one is for production.
>> >> Today I thought I would update jetty. I used the testing jetty and
>> >> upgraded to 7.6.10 in the afternoon.
>> >>
>> >> It went fine and I wanted to wait a couple of days before I go with
>> >> prod jetty.
>> >>
>> >> A couple of hours later I got a message from my monitoring tool that
>> >> my non-ssl connector went down. I restarted and it went up ok. SSL
>> >> worked btw.
>> >>
>> >> Checking my logfiles I saw a lot of these exceptions:
>> >>
>> >> 2013-04-11 18:19:49.267:WARN:oeji.nio:handle failed
>> >> java.lang.RuntimeException: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
>> >>     at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1029)
>> >>     at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:503)
>> >>     at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1128)
>> >>     at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1100)
>> >>     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>> >>     at org.eclipse.jetty.io.nio.SslConnection.wrap(SslConnection.java:460)
>> >>     at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:386)
>> >>     at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
>> >>     at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
>> >>     at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1040)
>> >>     at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
>> >>     at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>> >>     at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>> >>     at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
>> >>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:628)
>> >>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
>> >>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>> >>     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>> >>     at java.lang.Thread.run(Thread.java:636)
>> >>
>> >>
>> >> I never had them before. I then disabled the testing jetty, but the
>> >> exceptions kept going.
>> >> As both jettys used the same keystore, I considered it might be
>> >> problematic. So I went updating the prod jetty. Basically it was no
>> >> problem and everything looks well, but the exceptions
>> >> won't go away.
>> >>
>> >> I found a known issue on openjdk and followed these instructions:
>> >>
>> >> http://shickys.blogspot.de/2012/11/addressing-openjdk-bug-with-ssl-on.html
>> >> (basically editing the pck12 providers).
>> >> But no luck.
>> >>
>> >> I checked this:
>> >> keytool -list -keystore keystore -v
>> >> just in any case. It appears CN= matches my domain and so I think it
>> >> should be all well too.
>> >>
>> >> Now I am puzzled and don't know where to search for the error.
>> >>
>> >> Any ideas are highly appreciated.
>> >>
>> >> Thanks,
>> >> Christian
>> >> _______________________________________________
>> >> jetty-users mailing list
>> >> [email protected]
>> >> https://dev.eclipse.org/mailman/listinfo/jetty-users
>>
>> --
>> http://www.grobmeier.de
>> https://www.timeandbill.de

--
http://www.grobmeier.de
https://www.timeandbill.de
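
The `Unknown-111.116` and `Unknown-115.108` values in the log above can be decoded mechanically. The following is an added example, not part of the thread and not Jetty or JDK code: it treats the two numbers as the major and minor version bytes of the 5-byte TLS record header and flags pairs that are printable ASCII, which points at a peer sending plaintext to the TLS port. The reading of the message format and all function names are assumptions made for this example.

```python
import re
import struct
from collections import Counter

# Record-layer versions as (major, minor) byte pairs.
KNOWN_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Assumed message format: "Unknown-<major>.<minor>" holds header bytes 1 and 2.
UNSUPPORTED = re.compile(r"Unsupported record version Unknown-(\d{1,3})\.(\d{1,3})")

# The four WARN lines from the log quoted in the thread, mail wrapping undone.
SAMPLE_LOG = """\
2013-04-11 19:13:54.713:WARN:oeji.nio:javax.net.ssl.SSLException: Unsupported record version Unknown-111.116
2013-04-11 19:16:46.341:WARN:oeji.nio:javax.net.ssl.SSLException: Unsupported record version Unknown-115.108
2013-04-11 19:16:48.213:WARN:oeji.nio:javax.net.ssl.SSLException: Unsupported record version Unknown-115.108
2013-04-11 19:17:46.385:WARN:oeji.nio:javax.net.ssl.SSLException: Unsupported record version Unknown-111.116
"""


def classify_version(major, minor):
    """Name a known record version, or say what the two bytes look like."""
    if (major, minor) in KNOWN_VERSIONS:
        return KNOWN_VERSIONS[(major, minor)]
    if 0x20 <= major <= 0x7E and 0x20 <= minor <= 0x7E:
        # Printable ASCII in both positions: likely plaintext, not a TLS record.
        return "printable ASCII %r, probably not TLS" % (chr(major) + chr(minor))
    return "unrecognised version bytes %d.%d" % (major, minor)


def parse_record_header(data):
    """Split the 5-byte record header into content type, version, length."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, classify_version(major, minor), length


def triage(log_text):
    """Map each reported (major, minor) pair to (occurrences, classification)."""
    pairs = Counter((int(a), int(b)) for a, b in UNSUPPORTED.findall(log_text))
    return {pair: (n, classify_version(*pair)) for pair, n in pairs.items()}


if __name__ == "__main__":
    for pair, (n, verdict) in sorted(triage(SAMPLE_LOG).items()):
        print(pair, n, verdict)
    # Constructed inputs: a TLSv1 handshake record header, then an HTTP request.
    print(parse_record_header(b"\x16\x03\x01\x00\x2f"))
    print(parse_record_header(b"GET / HTTP/1.1\r\n"))
```

On the sample lines both pairs decode to printable ASCII (`ot` and `sl`), which fits the report that the warnings stopped once the monitoring tool's SSL checks were disabled.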
