users@glassfish.java.net

Re: IIOP and SSL

From: <glassfish_at_javadesktop.org>
Date: Tue, 11 Mar 2008 03:03:42 PST

Hi Dies,

I've created a new self-signed certificate in a new keystore for the client.
I added the certificate to the truststore of the server.
To do this I used the following commands:
1. keytool -genkey -v -alias mykey -keyalg RSA -keypass mypass -validity 999
2. keytool -exportcert -v -file mykey.cer -alias mykey -keystore .keystore -storepass mypass
3. keytool -importcert -v -alias mykey -file mykey.cer -keypass mypass -keystore cacerts.jks -storepass changeit

I also redid the export of the server certificate and importing it in the truststore of the client (after deleting the existing one).
I gave the following commands:

1. keytool -exportcert -v -file s1as.cer -alias s1as -keystore keystore.jks -storepass changeit
2. keytool -delete -v -alias s1as -keystore cacerts -storepass changeit
3. keytool -importcert -v -alias s1as -file s1as.cer -keypass changeit -keystore cacerts -storepass changeit

If I use the -list option of the keytool utility all stores seem to be OK.
But:
--are my commands ok?
--do I need to specify more options (like the -storetype option)?

I also changed the code of the client, which now sets the keystore to be this new one. The client-side truststore is still the same.

After keytooling, restarting the server (with debug set to ALL) and clearing the client-side cache, I started the AppClient as the first action.
Unfortunately the result is still the same.

But when I investigated the server.log, the following drew my attention:

Immediately when starting the AppClient the following lines are logged:

[#|2008-03-11T10:44:00.953+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=15;_ThreadName=SelectorThread-8181;|
Using SSLEngineImpl.|#]

[#|2008-03-11T10:44:00.953+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8181-0;|
httpSSLWorkerThread-8181-0, fatal error: 80: problem unwrapping net record
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?|#]

[#|2008-03-11T10:44:00.953+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8181-0;|
httpSSLWorkerThread-8181-0|#]

[#|2008-03-11T10:44:00.953+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8181-0;|, SEND TLSv1 ALERT: |#]

[#|2008-03-11T10:44:00.953+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8181-0;|fatal, |#]

[#|2008-03-11T10:44:00.953+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8181-0;|description = internal_error|#]

[#|2008-03-11T10:44:00.968+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8181-0;|
httpSSLWorkerThread-8181-0, WRITE: TLSv1 Alert, length = 2|#]

[#|2008-03-11T10:44:05.906+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=15;_ThreadName=SelectorThread-8181;|
Using SSLEngineImpl.|#]

[#|2008-03-11T10:44:05.906+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
[Raw read]: length = 5|#]

[#|2008-03-11T10:44:05.906+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
0000: |#]

This looks like things go badly wrong on SSLWorkerThread-8181-0 (fatal error).
Therefore the server decides to switch to SSLWorkerThread-8181-1.

But then all of a sudden the following lines are logged:

[#|2008-03-11T10:44:07.171+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
httpSSLWorkerThread-8181-1, called closeInbound()|#]

[#|2008-03-11T10:44:07.171+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
httpSSLWorkerThread-8181-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?|#]

[#|2008-03-11T10:44:07.171+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
httpSSLWorkerThread-8181-1|#]

[#|2008-03-11T10:44:07.171+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|, SEND TLSv1 ALERT: |#]

[#|2008-03-11T10:44:07.171+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|fatal, |#]

[#|2008-03-11T10:44:07.171+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|description = internal_error|#]

[#|2008-03-11T10:44:07.171+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
httpSSLWorkerThread-8181-1, WRITE: TLSv1 Alert, length = 2|#]

[#|2008-03-11T10:44:07.171+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
httpSSLWorkerThread-8181-1, called closeInbound()|#]

[#|2008-03-11T10:44:07.171+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
httpSSLWorkerThread-8181-1, closeInboundInternal()|#]

[#|2008-03-11T10:44:07.171+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=15;_ThreadName=SelectorThread-8181;|
Using SSLEngineImpl.|#]

[#|2008-03-11T10:44:07.187+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8181-0;|
[Raw read]: length = 5|#]

Again things go wrong, but this time there's more info.
But because things go wrong, the server switches back to SSLWorkerThread-8181-0.

This 'hiphopping' between the SSLWorkerThreads continues until I kill the javaws process via the Task Manager.

Searching the i-net for some info on the specified errors (and how to solve them) did not lead to any results.

Meanwhile I've been reading some other - more or less related - threads.
Some of them (e.g. http://forums.java.net/jive/thread.jspa?threadID=34030&start=0 ) make me believe that it is not possible to use the Application Client with SSL.

A file that's frequently mentioned is the sun-acc.xml (located in the domain/config directory). It seems to be related to the behavior of AppClients.
Up until now I've done nothing with that file.
I also haven't changed any of the ORB settings of the server itself (via the admin webconsole).

Is that OK, or should I actually have done something with the file / ORB settings?

If you (or anyone else) have any ideas/clues/options/suggestions....

Bart.
[Message sent by forum member 'bertusdotcom' (bertusdotcom)]

http://forums.java.net/jive/thread.jspa?messageID=263313
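The two JSSE errors in the server.log excerpt above point at different things than a bad certificate: "Unrecognized SSL message, plaintext connection?" means the first bytes the TLS listener received were not a TLS record at all, and "Inbound closed before receiving peer's close_notify" means the peer dropped the TCP connection without a TLS close alert. The following script, an added example that is not part of the original post and not GlassFish code, parses the `[#|...|#]` record format of a GlassFish v2 server.log, groups records by worker thread and classifies the JSSE messages seen in the post. The sample log is constructed after the records quoted above; the classification labels and explanations are this example's own.

```python
"""Parse GlassFish v2 server.log records and classify JSSE handshake failures.

Added example; the record format matches the server.log lines quoted in the
post, the sample below is constructed (not a real log), and the labels and
explanations are this script's own, not GlassFish or JSSE output.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the records quoted in the post.
SAMPLE_LOG = """\
[#|2008-03-11T10:44:00.953+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=15;_ThreadName=SelectorThread-8181;|
Using SSLEngineImpl.|#]

[#|2008-03-11T10:44:00.953+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=16;_ThreadName=httpSSLWorkerThread-8181-0;|
httpSSLWorkerThread-8181-0, fatal error: 80: problem unwrapping net record
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?|#]

[#|2008-03-11T10:44:07.171+0100|INFO|sun-appserver9.1|javax.enterprise.system.stream.out|_ThreadID=17;_ThreadName=httpSSLWorkerThread-8181-1;|
httpSSLWorkerThread-8181-1, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?|#]
"""

# One record: [#|timestamp|level|product|logger|key=value;...;|message|#]
# The message may span several lines, hence DOTALL and a non-greedy match.
RECORD_RE = re.compile(
    r"\[#\|(?P<ts>[^|]*)\|(?P<level>[^|]*)\|(?P<product>[^|]*)\|(?P<logger>[^|]*)\|"
    r"(?P<kv>[^|]*)\|(?P<msg>.*?)\|#\]",
    re.DOTALL,
)

# JSSE message fragment -> label used by this script.
SIGNATURES = (
    ("Unrecognized SSL message, plaintext connection?", "plaintext_to_tls_port"),
    ("Inbound closed before receiving peer's close_notify", "abrupt_close"),
)

EXPLANATIONS = {
    "plaintext_to_tls_port": (
        "The first bytes on the TLS listener were not a TLS record: the client "
        "spoke plain text to the SSL port (port or protocol mismatch), not a "
        "certificate or trust problem."
    ),
    "abrupt_close": (
        "The peer closed the TCP connection without a TLS close_notify alert. "
        "JSSE flags this as a possible truncation attack; in practice it usually "
        "follows a client that aborted after its own handshake failure."
    ),
}


@dataclass
class LogRecord:
    timestamp: str
    level: str
    logger: str
    thread: str
    message: str


def parse_records(text):
    """Return every [#|...|#] record in text as a LogRecord."""
    records = []
    for m in RECORD_RE.finditer(text):
        # The key=value block looks like "_ThreadID=16;_ThreadName=...;".
        kv = dict(pair.split("=", 1) for pair in m.group("kv").split(";") if "=" in pair)
        records.append(LogRecord(
            timestamp=m.group("ts"),
            level=m.group("level"),
            logger=m.group("logger"),
            thread=kv.get("_ThreadName", ""),
            message=m.group("msg").strip(),
        ))
    return records


def classify(record):
    """Map a record's message to one of the known JSSE failure labels, or None."""
    for needle, label in SIGNATURES:
        if needle in record.message:
            return label
    return None


def summarize(text):
    """Group classified failures by worker thread, in log order."""
    by_thread = {}
    for rec in parse_records(text):
        label = classify(rec)
        if label is not None:
            by_thread.setdefault(rec.thread, []).append(label)
    return by_thread


if __name__ == "__main__":
    for thread, labels in summarize(SAMPLE_LOG).items():
        for label in labels:
            print(f"{thread}: {label}\n    {EXPLANATIONS[label]}")
```

Run it against a real server.log by replacing `SAMPLE_LOG` with the file contents; a thread that keeps alternating between the two labels is the same worker-thread hopping the post describes, and the first label tells you whether to look at the client's port and protocol selection or at the client's own handshake errors.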