SSL connection failing for Java 7
I am attempting to create an SSL connection to a remote server using Java 7 and I'm receiving the following exception:
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:946)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
        at sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:221)
        at sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:291)
        at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:295)
        at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:141)
        at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:229)
        at java.io.BufferedWriter.flush(BufferedWriter.java:254)
        at ssl7.Client.main(Client.java:22)
    Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at sun.security.ssl.InputRecord.read(InputRecord.java:482)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)

When I rerun the code using Java 6, there is no exception. I have found references to this problem elsewhere on StackOverflow, but my situation comes with a twist. The client code, which fails with Java 7, is:
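    import java.io.BufferedWriter;
    import java.io.FileNotFoundException;
    import java.io.IOException;
    import java.io.OutputStream;
    import java.io.OutputStreamWriter;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;

    public class Client {
        public static void main(String[] args) throws FileNotFoundException, IOException, ClassNotFoundException {
            try {
                // Default factory: the socket gets the JRE's default enabled cipher suites.
                SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
                SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket("login.solon.com", 443);
                OutputStream outputStream = sslSocket.getOutputStream();
                OutputStreamWriter outputStreamWriter = new OutputStreamWriter(outputStream);
                BufferedWriter bufferedWriter = new BufferedWriter(outputStreamWriter);
                bufferedWriter.write("hello\n");
                // The first flush triggers the TLS handshake; this is where the exception is thrown.
                bufferedWriter.flush();
            } catch (Exception exception) {
                exception.printStackTrace();
            }
        }
    }

When I add the line

    sslSocket.setEnabledCipherSuites(new String[] {"SSL_RSA_WITH_RC4_128_MD5"});

after creating the socket, it works.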
Now, SSL_RSA_WITH_RC4_128_MD5 exists in the original set of cipher suites, so all I've done is add restrictions. Restricting cipher suites is not a viable solution in the long run. Can anyone explain what is going on here?
The full debug log is:
    keyStore is :
    keyStore type is : jks
    keyStore provider is :
    init keystore
    init keymanager of type SunX509
    trustStore is: c:\temp\keystore\clientkeystore
    trustStore type is : jks
    trustStore provider is :
    init truststore
    adding as trusted cert:
      Subject: cn=w, ou=d, o=s, l=h, st=i, c=il
      Issuer:  cn=w, ou=d, o=s, l=h, st=i, c=il
      Algorithm: DSA; Serial number: 0x4a6e05b7
      Valid from Mon Oct 07 10:22:54 EEST 2013 until Sun Jan 05 09:22:54 EET 2014
    adding as trusted cert:
      Subject: cn=login.solon.com, ou=domain validated, ou=thawte ssl123 certificate, ou=go https://www.thawte.com/repository/index.html
      Issuer:  cn=thawte dv ssl ca, ou=domain validated ssl, o="thawte, inc.", c=us
      Algorithm: RSA; Serial number: 0x3012ec22473f20aa2cdc4bf7fe2d22f4
      Valid from Wed Feb 13 02:00:00 EET 2013 until Thu Apr 14 02:59:59 EEST 2016
    adding as trusted cert:
      Subject: cn=w, ou=d, o=s, l=h, st=i, c=il
      Issuer:  cn=w, ou=d, o=s, l=h, st=i, c=il
      Algorithm: RSA; Serial number: 0x5864235a
      Valid from Mon Oct 07 10:28:06 EEST 2013 until Sun Jan 05 09:28:06 EET 2014
    trigger seeding of SecureRandom
    done seeding SecureRandom
    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
    Allow unsafe renegotiation: true
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    %% No cached client session
    *** ClientHello, TLSv1
    RandomCookie:  GMT: 1381093608 bytes = { 221, 239, 107, 239, 150, 213, 224, 210, 101, 229, 42, 58, 92, 9, 151, 0, 128, 105, 0, 55, 53, 224, 90, 111, 130, 175, 61, 121 }
    Session ID:  {}
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods:  { 0 }
    Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
    Extension ec_point_formats, formats: [uncompressed]
    ***
    [write] MD5 and SHA1 hashes:  len = 149
    main, WRITE: TLSv1 Handshake, length = 149
    [Raw write]: length = 154
    main, received EOFException: error
    main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    main, SEND TLSv1 ALERT:  fatal, description = handshake_failure
    main, WRITE: TLSv1 Alert, length = 2
    [Raw write]: length = 7
    0000: 15 03 01 00 02 02 28                               ......(
    main, called closeSocket()
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:946)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
        at sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:221)
        at sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:291)
        at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:295)
        at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:141)
        at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:229)
        at java.io.BufferedWriter.flush(BufferedWriter.java:254)
        at ssl7.Client.main(Client.java:22)
    Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at sun.security.ssl.InputRecord.read(InputRecord.java:482)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
        ... 10 more

Thanks.
I have seen this sort of problem before when using an Ubuntu 12.04 server running a Java-based server using the OpenJDK package. (This may have been patched since; I'm unable to reproduce the problem with the latest updates, but the configuration might be different, I can't remember.)
This problem is described in this Ubuntu issue.
There was an issue with the EC calculation on the server side, which prevented the connection from being established correctly.
There is a difference in the preference order of the cipher suites between Java 6 and Java 7 (see both tables).
Because TLS_RSA_WITH_AES_128_CBC_SHA is higher than any EC cipher suite in the preference order in Java 6 (and supported by both the client and the server), it is chosen when you connect with a Java 6 client.
When you connect with a Java 7 client, the EC cipher suites (e.g. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA or TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA) are chosen, and the server starts to proceed (you'd need to see the handshake debug log on the server side to confirm this). Once the server is done with the cipher suite selection process, it will fail to go any further because of the subsequent bug when trying to use that cipher suite.
If you have control over the server (and if it's indeed running a Java-based server), try to upgrade to the latest JRE packages. You can also try the fixes suggested in the Ubuntu issue (especially if it's not using PKCS#11) or disable the ECDHE cipher suites in the server configuration.
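One way to check the cipher-suite explanation from the client side, as an added example that is not part of the original question or answer: it offers the server one default-enabled suite per connection and separates handshakes where the peer drops the connection (the symptom in the stack trace above) from other failures. The class name `CipherSuiteProbe`, the 5-second read timeout and the host/port command-line arguments are assumptions of this example.

```java
import java.io.EOFException;
import java.io.IOException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added diagnostic example; CipherSuiteProbe is a hypothetical name, not from the post.
public class CipherSuiteProbe {

    // Attempts one handshake that offers only the given suite and describes the outcome.
    static String probe(SSLSocketFactory factory, String host, int port, String suite) {
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(5000); // assumed timeout so a stalled peer cannot hang the run
            socket.setEnabledCipherSuites(new String[] { suite });
            socket.startHandshake();
            return "OK      " + socket.getSession().getProtocol();
        } catch (IOException e) {
            // The failure shown on this page: the peer closes the connection
            // mid-handshake, reported as SSLHandshakeException caused by EOFException.
            if (e.getCause() instanceof EOFException) {
                return "DROPPED " + e.getMessage();
            }
            // Everything else: a handshake_failure alert for a suite the server does
            // not support, a certificate validation error, a timeout, and so on.
            return "FAILED  " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        if (args.length < 1) {
            System.err.println("usage: java CipherSuiteProbe <host> [port]");
            return;
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // Same order as the "Cipher Suites" list in the ClientHello of the debug log.
        for (String suite : factory.getDefaultCipherSuites()) {
            // Renegotiation signalling value, not a cipher suite that can be negotiated.
            if (suite.equals("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
                continue;
            }
            System.out.printf("%-45s %s%n", suite, probe(factory, host, port, suite));
        }
    }
}
```

If the EC suites come back DROPPED while TLS_RSA_WITH_AES_128_CBC_SHA and SSL_RSA_WITH_RC4_128_MD5 come back OK, the result is consistent with the server-side EC problem described in the answer.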