the questions are:
(1) How many exception reasons that SSL Exception has?
(2) Are there any specifications or documents for SSL Exception?
We all know that SSL Exception has many types, such as SSLException, SSLHandshakeException, SSLKeyException,SSLPeerUnverifiedException,SSLProtocolException, etc.
for one of them, there are many exception reasons, below are some of them that I searched from internet:
(1) SSLException
1) javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
2) javax.net.ssl.SSLException: Not trusted server certificate Caused by:
java.security.cert.CertificateException:
java.security.cert.CertPathValidatorException: TrustAnchor for CertPath not found.
3) javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
4) javax.net.ssl.SSLException:
java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException:
the trustAnchors parameter must be non-empty
5) javax.net.ssl.SSLException: Invalid padding
(2) SSLHandshakeException
1) javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
2) javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted Server Certificate Chain
3) javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
4) java.net.SocketException: Default SSL context init failed: Keystore was tampered with, or password was incorrect
5) javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Related
How to resolve HandshakeException (HandshakeException: Handshake error in client (OS Error: UNSUPPORTED_PROTOCOL(handshake_client.cc:697))). In the Register post flutter.
I am getting an error when i try to stop services
Failed to connect to the controller: The controller is not available at localhost:9990: java.net.ConnectException: WFLYPRT0053: Could not connect to http-remoting://localhost:9990. The connection failed: WFLYPRT0053: Could not connect to http-remoting://localhost:9990. The connection failed: Connection refused
when i try to start services, i get below error and need to restart the server multiple times to resolve it. need a solution to avoid errors during start and stop services. we use keycloack sercurity as well
2020-02-11 19:21:01,191 WARNING [com.lgc.dsl.admin.security.controllers.DSSecurity] (default task-12) Connect to localhost:8880 [localhost/IP] failed: Connection refused (Connection refused)
2020-02-11 19:21:09,462 WARN [org.kie.server.services.impl.controller.DefaultRestControllerImpl] (KieServer-ControllerConnect) Exception encountered while syncing with controller at http:localhost:port/dsbpm-console/rest/controller/server/dsbpm-kieserver error Error while sending PUT request to localhost:port/dsbpm-console/rest/controller/server/dsbpm-kieserver response code 405
Default kie server is not showing up in the server section
2020-02-11 19:21:01,191 WARNING [com.lgc.dsl.admin.security.controllers.DSSecurity] (default task-12) Connect to localhost:8880 [localhost/IP] failed: Connection refused (Connection refused)
2020-02-11 19:21:09,462 WARN [org.kie.server.services.impl.controller.DefaultRestControllerImpl] (KieServer-ControllerConnect) Exception encountered while syncing with controller at http:localhost:port/dsbpm-console/rest/controller/server/dsbpm-kieserver error Error while sending PUT request to localhost:port/dsbpm-console/rest/controller/server/dsbpm-kieserver response code 405
Check if you have 'dsbpm-console' for 'org.kie.server.controller' property, like as:
when I tried to SSO using Shibboleth IDP, a login Error occured, when username and password was submitted as, Login Failure: Pool is empty and connection creation failed.
My error logs are as follows
==> /opt/shibboleth-idp/logs/idp-warn.log <==
at org.ldaptive.provider.jndi.JndiConnectionFactory.createInternal(JndiConnectionFactory.java:102)
Caused by: javax.naming.CommunicationException: localhost:10389
at com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
Caused by: java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
2018-08-13 09:32:53,752 - WARN [org.ldaptive.pool.BlockingConnectionPool:600] - unable to create active connection
2018-08-13 09:32:53,753 - ERROR [org.ldaptive.pool.BlockingConnectionPool:197] - Could not service check out request
2018-08-13 09:32:53,754 - WARN [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:192] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by admin produced exception
org.ldaptive.pool.PoolExhaustedException: Pool is empty and connection creation failed
at org.ldaptive.pool.BlockingConnectionPool.getConnection(BlockingConnectionPool.java:198)
Can anyone suggest me a way to solve this?
Old question, answer for google.
Check /opt/shibboleth-idp/conf/ldap.properties if your domain/IP and port are correct.
In my case i missed out that the image bitnami/openldap uses port 1389 by default.
I want to use server certificate when connecting with IO::Socket::SSL client.
What I did is to extract certificate first,
openssl s_client -showcerts -connect 127.0.0.1:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >/tmp/localhost.crt
-----BEGIN CERTIFICATE-----
MIID1jCCAr6gAwIBAgICBH8wDQYJKoZIhvcNAQELBQAwgZ8xCzAJBgNVBAYTAi0t
MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
bml0MRAwDgYDVQQDDAdiaWdnZXIyMRswGQYJKoZIhvcNAQkBFgxyb290QGJpZ2dl
cjIwHhcNMTYwODA0MDUyMTA5WhcNMTcwODA0MDUyMTA5WjCBnzELMAkGA1UEBhMC
LS0xEjAQBgNVBAgMCVNvbWVTdGF0ZTERMA8GA1UEBwwIU29tZUNpdHkxGTAXBgNV
BAoMEFNvbWVPcmdhbml6YXRpb24xHzAdBgNVBAsMFlNvbWVPcmdhbml6YXRpb25h
bFVuaXQxEDAOBgNVBAMMB2JpZ2dlcjIxGzAZBgkqhkiG9w0BCQEWDHJvb3RAYmln
Z2VyMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSJplghG5oD5FhU
1v9IkE8z0k/7g1W29GhUXwf7IKzzjplIgpsZ+Ya/OtDbIctSYZ3gNEMyj+LdlvEW
6rCDCSTULPWwdjuSdHmUiFyeJm+QBtnMIp9I3P7zPCd+W9Cyhue911tXCHiQMg+E
ZNi2WlqnBGf/5l6VFRVMxQTEbTRiTPaH9VFnuyCKcJTk9ephZmZRgfeNmXT7BRjG
nmsYa0jG2rh2UmJGQrJhZOZYmghbq1BL66m7yCxfknsjTHGfy7PS/c+K83fPVI0p
bcBgl0VCA7d8TX6xj4BwMec7nwdi95ISVAG3jjL11+lrlcg6UGs+bd+NVpd1PbVY
XwVcWu8CAwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcN
AQELBQADggEBAFkWi/C8UlEqXPO0aDrn78teYzh3D0BIuhB4vawDSUuz68Clq41u
bMLIbdWZS244NFLeWAYJf4k0WDk7/nz5pxWLqlDg4LumZxNOUeSWUSbantRn6NnQ
rJrWZi6gJFgeC/34t3k+XvtmbDl5a2L213TxOtnSZJty/ZxUr3v3Z3Dp5+kfTAyR
xlD/gOlAEHgrOjwv1XofVb5pALPjzGj9gAfe/bpMEG4GORgtJzFz/teugL4yZ4Mk
sk6BhIBd1hTWJXUfvH6GPaoieug46CAkolmvc0q2nfMiU+hZOkDE1rtyqS5XMF5t
O2nma+wuMF6z/naEXFPq65sFOHI8vz+oEaQ=
-----END CERTIFICATE-----
and then connect using ssl_client.pl from examples folder,
ssl_client.pl -d10 --ca /tmp/localhost.crt localhost:443
DEBUG: .../IO/Socket/SSL.pm:2757: new ctx 17132992
DEBUG: .../IO/Socket/SSL.pm:643: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:645: socket connected
DEBUG: .../IO/Socket/SSL.pm:667: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:700: using SNI with hostname localhost
DEBUG: .../IO/Socket/SSL.pm:735: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:769: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2658: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:2611: ok=0 [0] /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=bigger2/emailAddress=root#bigger2/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=bigger2/emailAddress=root#bigger2
DEBUG: .../IO/Socket/SSL.pm:772: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:775: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:775: local error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:778: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: ...inux/IO/Socket.pm:49: ignoring less severe local error 'IO::Socket::INET configuration failed', keep 'SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
DEBUG: .../IO/Socket/SSL.pm:2779: free ctx 17132992 open=17132992
DEBUG: .../IO/Socket/SSL.pm:2784: free ctx 17132992 callback
DEBUG: .../IO/Socket/SSL.pm:2791: OK free ctx 17132992
failed to connect to localhost:443: ,SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at ./ssl_client.pl line 52.
This doesn't work as expected, so please suggest how to properly verify server using locally stored certificate.
While your certificate is self-signed (i.e. signed by itself) it is not a CA:
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Because it is not a CA it is not allowed to be used as an issuer of a certificate and thus can in theory not even be used to sign itself.
This is at least the logic implemented in OpenSSL (and thus Net::SSLeay, IO::Socket::SSL). Other implementations like NSS seem to work with such certificates probably because they check if the server certificate itself is explicitly trusted. Such a check is different from only checking if it is signed by a trusted CA which is done by using the SSL_ca* options in IO::Socket::SSL (or -CAfile, -CApath arguments in openssl s_client).
Explicitly trusting a specific certificate no matter if it is self-signed, expired, revoked or whatever can be done in IO::Socket::SSL by using the SSL_fingerprint option.
Note that debugging IO::Socket::SSL in this case does not help a lot since the logic in this case is implemented in OpenSSL. There is some small indicator where it is going wrong:
DEBUG: ... ok=0 [0] .../CN=bigger2/emailAddress=root#bigger2 .../CN=bigger2/emailAddress=root#bigger2
This debug statement is called from the verification callback. ok=0 [0] indicates that this callback was called with ok=0 at level certificate level 0, i.e. that the built-in validation of OpenSSL did not consider this certificate as valid.
The following error keeps showing up:
ERROR 12:39:10,529 PriviledgedActionException as:cassandra/datastax3.mytest.org#MYTEST.ORG cause:org.apache.hadoop.ipc.RemoteException: GSS initiate failed
INFO 12:39:10,529 Initiating logout for cassandra/datastax3.mytest.org#MYTEST.ORG
INFO 12:39:10,529 Initiating re-login for cassandra/datastax3.mytest.org#MYTEST.ORG
WARN 12:39:13,009 Auth failed for 170.173.220.222:56765:null
INFO 12:39:13,009 IPC Server listener on 8012: readAndProcess threw exception javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]. Count of bytes read: 0
javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)]
at com.sun.security.sasl.gsskerb.GssKrb5Server.evaluateResponse(GssKrb5Server.java:177)
at org.apache.hadoop.ipc.Server$Connection.saslReadAndProcess(Server.java:1007)
at org.apache.hadoop.ipc.Server$Connection.readAndProcess(Server.java:1180)
at org.apache.hadoop.ipc.Server$Listener.doRead(Server.java:537)
at org.apache.hadoop.ipc.Server$Listener$Reader.run(Server.java:344)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Krb5Context.java:788)
Original post: http://www.datastax.com/support-forums/topic/error-message-in-systemlog-with-kerberos-enabled
AES 256 is not supported by JVM by default. You need to install unlimited strength cryptography extension first to enable AES 256.
http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html
Thanks to Piotr for the original answer.