Colm, Thanks!

 

From: coheigea [via CXF] [mailto:[email protected]] 
Sent: Tuesday, May 19, 2015 12:43 PM
To: boca2608
Subject: Re: CXF 3.0.4 server cannot receive message from TLS1.0 client

 

I've added a new way of including protocols for the next release: 

https://issues.apache.org/jira/browse/CXF-6414

This allows you to have a TLS endpoint, but also to support SSLv2Hello if 
required. For example: 

<httpj:engine-factory id="tls-but-allow-ssl3">
    <httpj:engine port="${testutil.ports.SSLv3Server.4}">
        <httpj:tlsServerParameters>
            <sec:keyManagers keyPassword="password">
                <sec:keyStore type="jks" password="password" resource="keys/Bethal.jks"/>
            </sec:keyManagers>
            <sec:trustManagers>
                <sec:keyStore type="jks" password="password" resource="keys/Truststore.jks"/>
            </sec:trustManagers>
            <sec:clientAuthentication want="true" required="false"/>
            <sec:includeProtocols>
                <sec:includeProtocol>SSLv3</sec:includeProtocol>
                <sec:includeProtocol>SSLv2Hello</sec:includeProtocol>
            </sec:includeProtocols>
        </httpj:tlsServerParameters>
    </httpj:engine>
</httpj:engine-factory>

Colm. 

On Thu, May 14, 2015 at 6:58 PM, boca2608 <[hidden email]> wrote: 


> Colm, 
> 
> While I cannot do logging on the client side, I did some logging on the
> server side for this issue.  I attached the portion of the log below.
>
> The log shows that the client started by sending an SSLv2Hello handshake
> first (the client should have sent a TLSv1 Hello if it had read the server's
> capabilities properly).  But anyway, the SSLv2Hello was rejected by the
> server, interestingly with a TLSv1.2 ALERT.  In this case, the client only
> supports TLSv1.0 (not TLSv1.1 and TLSv1.2).  I suspect the client had a
> problem processing the TLSv1.2 ALERT and gave up.
>
> Does this make sense?  If yes, what should be the proper way to reject
> SSLv2Hello?  Apparently, that client could talk to an IIS using TLSv1.0
> successfully.
> 
> Thank you very much for your help! 
> 
> 
> 
> 
> Using SSLEngineImpl.
> 2015-05-14 13:12:28,121 [qtp426435961-26 Selector0     ] DEBUG nio - created SCEP@62320e8{l(/165.122.232.248:57180)<->r(/166.50.179.97:443),s=0,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=0}-{SslConnection@658c6f68 SSL NOT_HANDSHAKING i/o/u=-1/-1/-1 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
> 2015-05-14 13:12:28,121 [qtp426435961-27               ] DEBUG ssl - [Session-1, SSL_NULL_WITH_NULL_NULL] SslConnection@658c6f68 SSL NOT_HANDSHAKING i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0} NOT_HANDSHAKING filled=73/73 flushed=0/0
> Allow unsafe renegotiation: false 
> Allow legacy hello messages: true 
> Is initial handshake: true 
> Is secure renegotiation: false 
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
> qtp426435961-27, fatal error: 10: General SSLEngine problem 
> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled 
> qtp426435961-27, SEND TLSv1.2 ALERT:  fatal, description = 
> unexpected_message 
> qtp426435961-27, WRITE: TLSv1.2 Alert, length = 2 
> qtp426435961-27, fatal: engine already closed.  Rethrowing 
> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled 
> 2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG ssl - SCEP@62320e8{l(/165.122.232.248:57180)<->r(/166.50.179.97:443),s=1,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=0r}-{SslConnection@658c6f68 SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>         at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
>         at sun.security.ssl.InputRecord.read(Unknown Source)
>         at sun.security.ssl.EngineInputRecord.read(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>         at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>         at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
>         at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
>         at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
>         at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
>         at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
>         at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
>         at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>         at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>         at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>         at java.lang.Thread.run(Unknown Source)
> 2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG ChannelEndPoint                - close SCEP@62320e8{l(/165.122.232.248:57180)<->r(/166.50.179.97:443),s=1,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=0!}-{SslConnection@658c6f68 SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
> 2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG HttpParser -
> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>         at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
>         at sun.security.ssl.InputRecord.read(Unknown Source)
>         at sun.security.ssl.EngineInputRecord.read(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>         at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>         at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
>         at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
>         at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
>         at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
>         at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
>         at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
>         at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>         at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>         at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>         at java.lang.Thread.run(Unknown Source)
> 2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG HttpParser - HttpParser{s=-14,l=0,c=0}
> org.eclipse.jetty.io.EofException
>         at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1050)
>         at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
>         at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>         at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>         at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>         at java.lang.Thread.run(Unknown Source)
> Caused by: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>         at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
>         at sun.security.ssl.InputRecord.read(Unknown Source)
>         at sun.security.ssl.EngineInputRecord.read(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>         at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>         at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
>         at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
>         at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
>         at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
>         at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
>         ... 9 more
> 2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG AsyncHttpConnection            - Disabled read interest while writing response SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0}
> 2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG nio - EOF
> org.eclipse.jetty.io.EofException
>         at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1050)
>         at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
>         at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>         at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>         at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>         at java.lang.Thread.run(Unknown Source)
> Caused by: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>         at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
>         at sun.security.ssl.InputRecord.read(Unknown Source)
>         at sun.security.ssl.EngineInputRecord.read(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>         at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>         at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
>         at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
>         at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
>         at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
>         at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
>         ... 9 more
> 2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG ChannelEndPoint                - close SCEP@62320e8{l(/165.122.232.248:57180)<->r(0.0.0.0/0.0.0.0:443),s=1,open=false,ishut=true,oshut=true,rb=false,wb=false,w=true,i=0!}-{SslConnection@658c6f68 SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0}}
> 2015-05-14 13:12:28,152 [qtp426435961-26 Selector0     ] DEBUG nio - destroyEndPoint SCEP@62320e8{l(null)<->r(0.0.0.0/0.0.0.0:443),s=0,open=false,ishut=true,oshut=true,rb=false,wb=false,w=true,i=0!}-{SslConnection@658c6f68 SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0}}
> 2015-05-14 13:12:28,152 [qtp426435961-26 Selector0     ] DEBUG AbstractHttpConnection         - closed AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0
> 
> 
> 
> 
> -- 
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-3-0-4-server-cannot-receive-message-from-TLS1-0-client-tp5756863p5757267.html
> Sent from the cxf-user mailing list archive at Nabble.com.
> 




-- 
Colm O hEigeartaigh 

Talend Community Coder 
http://coders.talend.com








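An added example that is not part of the thread, and not code from CXF or the JDK: the log above shows JSSE refusing the client's first record with "SSLv2Hello is disabled" and answering with an unexpected_message alert. In JSSE, "SSLv2Hello" is not a protocol version but the SSLv2-style framing of the ClientHello; a client can use that framing and still advertise TLSv1 inside it, which is what a server with only TLSv1/1.1/1.2 enabled rejects. The script below parses a client's first bytes in either framing, recovers the version actually advertised, and models the server's decision for a given enabled-protocol list. The two sample hellos are constructed here, not captured traffic, and the protocol names follow the ones JSSE uses.

```python
"""Classify a client's first flight as an SSLv2-framed or TLS-record ClientHello
and model a JSSE-style server's response to it.  Added example; the sample
byte strings below are constructed, not captured from the thread's client."""
import struct
from dataclasses import dataclass
from typing import List

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


@dataclass
class ClientHello:
    framing: str              # "SSLv2Hello" or "TLS"
    client_version: str       # highest version the client says it supports
    cipher_suites: List[int]  # TLS suite ids as integers


def _version_name(major: int, minor: int) -> str:
    return VERSION_NAMES.get((major, minor), "%d.%d" % (major, minor))


def _parse_tls_record_hello(data: bytes) -> ClientHello:
    # Record header: type(1) version(2) length(2); body is one Handshake message.
    (rec_len,) = struct.unpack(">H", data[3:5])
    body = data[5:5 + rec_len]
    if len(body) != rec_len or body[0] != CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    major, minor = hello[0], hello[1]
    pos = 2 + 32                                   # client_version, random
    pos += 1 + hello[pos]                          # session_id (length-prefixed)
    (cs_len,) = struct.unpack(">H", hello[pos:pos + 2])
    pos += 2
    suites = [struct.unpack(">H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return ClientHello("TLS", _version_name(major, minor), suites)


def _parse_sslv2_hello(data: bytes) -> ClientHello:
    # SSLv2 record header (RFC 5246, Appendix E.2): high bit set, 15-bit body length.
    body_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + body_len]
    if len(body) != body_len or body[0] != CLIENT_HELLO:
        raise ValueError("truncated record or not a CLIENT-HELLO")
    major, minor = body[1], body[2]                # the version the client really wants
    cs_len, _sid_len, _challenge_len = struct.unpack(">HHH", body[3:9])
    if cs_len % 3:
        raise ValueError("V2 cipher specs are 3 bytes each")
    specs = body[9:9 + cs_len]
    # A V2 cipher spec with a 0x00 first byte carries a TLS suite id in the other two.
    suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    return ClientHello("SSLv2Hello", _version_name(major, minor), suites)


def parse_first_flight(data: bytes) -> ClientHello:
    """Dispatch on the framing of the first bytes a client sends."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    if data[0] == TLS_HANDSHAKE and data[1] == 3:
        return _parse_tls_record_hello(data)
    if data[0] & 0x80 and data[2] == CLIENT_HELLO:
        return _parse_sslv2_hello(data)
    raise ValueError("not a ClientHello in either framing")


def server_decision(hello: ClientHello, enabled_protocols: List[str]) -> str:
    """Outcome for a server whose enabled protocols are `enabled_protocols` (JSSE
    names).  As in the log above, the V2 framing is refused before the advertised
    version is even looked at; otherwise the highest common version is picked."""
    if hello.framing == "SSLv2Hello" and "SSLv2Hello" not in enabled_protocols:
        return "reject: SSLv2Hello is disabled"
    if hello.client_version not in VERSION_ORDER:
        return "reject: unknown client version"
    limit = VERSION_ORDER.index(hello.client_version)
    common = [v for v in VERSION_ORDER[:limit + 1] if v in enabled_protocols]
    if not common:
        return "reject: no protocol version in common"
    return "negotiate " + common[-1]


# Constructed samples: a V2-framed hello advertising TLSv1 with two suites, and a
# plain TLS-record hello advertising TLSv1 with one suite.
SAMPLE_SSLV2HELLO_TLS10 = bytes.fromhex(
    "801f"                # V2 header: 31-byte body
    "01" "0301"           # CLIENT-HELLO, version 3.1 (TLSv1)
    "0006" "0000" "0010"  # cipher-spec, session-id and challenge lengths
    "00002f" "00000a"     # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA
) + bytes(range(16))      # 16-byte challenge
SAMPLE_TLS_RECORD_HELLO = bytes.fromhex(
    "160301002d"          # handshake record, version 3.1, 45-byte body
    "01000029"            # ClientHello, 41-byte body
    "0301"                # client_version TLSv1
) + bytes(32) + bytes.fromhex("00" "0002" "002f" "0100")  # sid, suites, compression

if __name__ == "__main__":
    for raw in (SAMPLE_SSLV2HELLO_TLS10, SAMPLE_TLS_RECORD_HELLO):
        h = parse_first_flight(raw)
        print(h.framing, h.client_version, [hex(s) for s in h.cipher_suites])
        print("  TLS-only server:  ", server_decision(h, ["TLSv1", "TLSv1.1", "TLSv1.2"]))
        print("  with SSLv2Hello:  ", server_decision(h, ["SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"]))
```

Run against a capture of a failing client's first record, the parser tells you whether the fix is to add SSLv2Hello to the server's enabled protocols (the client advertises a version you already allow, just in V2 framing) or whether the client genuinely speaks no version you accept. The alert version in the log (TLSv1.2 on a server where TLSv1 is enabled) is not modelled here; it is only the record version the server uses before any version has been negotiated.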