Re: [jetty-users] Sudden SSL problems

On Thu, Apr 11, 2013 at 9:44 PM, Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
> If I'm reading this right (and I'm no expert in TLS/SSL), but others who
> follow this mailing list are...
>
> Record 111 == Certificate Unobtainable
> Record 115 == Unknown PSK identity
>
> Gut reaction: you have a certificate that cannot be verified.
> This is a best guess, considering both the "Unsupported record version" and
> specific record numbers on what looks like a TLS alert message.
> I can't tell if this is a server side certificate or a client side
> certificate issue.

hm, you have a good gut reaction. Not sure where the error resides, but
what you mentioned made me check my monitoring tool. It sends some kind of
pings via ssl. When I disabled the ssl checks, the error message disappeared.

I have caught up with the tool provider; maybe he has an idea.

Thanks for your help so far!


>
> --
> Joakim Erdfelt <joakim@xxxxxxxxxxx>
> webtide.com
> Developer advice, services and support
> from the Jetty & CometD experts
> eclipse.org/jetty - cometd.org
>
>
> On Thu, Apr 11, 2013 at 12:25 PM, Christian Grobmeier <grobmeier@xxxxxxxxx>
> wrote:
>>
>> On Thu, Apr 11, 2013 at 8:33 PM, Joakim Erdfelt <joakim@xxxxxxxxxxx>
>> wrote:
>> > Gut reaction:  you are running an older JRE/JDK with known SSL/TLS bugs.
>> >
>> > Be sure you have Java 1.6 update 30 (or newer), or Java 1.7 update 15
>> > (or
>> > newer)
>>
>> You were right on that, I upgraded to 1.6u43.
>>
>> I still get SSLExceptions, but they look different:
>>
>> $ tail -f 2013_04_11.stderrout.log
>> 2013-04-11 19:12:11.085:INFO:oejs.Server:jetty-7.6.10.v20130312
>> 2013-04-11 19:12:11.115:INFO:oejdp.ScanningAppProvider:Deployment
>> monitor /home/www/apps/jetty/webapps at interval 1
>> 2013-04-11 19:12:11.197:INFO:oejdp.ScanningAppProvider:Deployment
>> monitor /home/www/apps/jetty/contexts at interval 1
>> 2013-04-11 19:12:11.200:INFO:oejd.DeploymentManager:Deployable added:
>> /home/www/apps/jetty/contexts/timeandbill.xml
>> 2013-04-11 19:12:11.545:INFO:oejw.WebInfConfiguration:Extract
>> jar:file:/home/www/releases/webapp.war!/ to
>> /tmp/jetty-0.0.0.0-8080-webapp-.war-_-www.domain.de-/webapp
>> 2013-04-11 19:12:20.121:INFO:oejpw.PlusConfiguration:No Transaction
>> manager found - if your webapp requires one, please configure one.
>> 2013-04-11 19:12:21.943:INFO:/:Initializing Spring root
>> WebApplicationContext
>> 2013-04-11 19:12:27.461:INFO:oejsh.ContextHandler:started
>>
>> o.e.j.w.WebAppContext{/,file:/tmp/jetty-0.0.0.0-8080-webapp.war-_-www.domain.de-/webapp/,www.domain.de},/home/www/apps/jetty/webapps/webapp.war
>> 2013-04-11 19:12:32.054:INFO:oejs.AbstractConnector:Started
>> SelectChannelConnector@0.0.0.0:8080
>> 2013-04-11 19:12:32.761:INFO:oejus.SslContextFactory:Enabled Protocols
>> [SSLv2Hello, SSLv3, TLSv1] of [SSLv2Hello, SSLv3, TLSv1]
>> 2013-04-11 19:12:32.764:INFO:oejs.AbstractConnector:Started
>> SslSelectChannelConnector@0.0.0.0:8443
>> 2013-04-11 19:13:54.713:WARN:oeji.nio:javax.net.ssl.SSLException:
>> Unsupported record version Unknown-111.116
>> 2013-04-11 19:16:46.341:WARN:oeji.nio:javax.net.ssl.SSLException:
>> Unsupported record version Unknown-115.108
>> 2013-04-11 19:16:48.213:WARN:oeji.nio:javax.net.ssl.SSLException:
>> Unsupported record version Unknown-115.108
>> 2013-04-11 19:17:46.385:WARN:oeji.nio:javax.net.ssl.SSLException:
>> Unsupported record version Unknown-111.116
>>
>> No more stacktrace. Whatever the java upgrade fixed, it did something.
>> Still, there is something wrong.
>>
>> Any more gut feelings?
>>
>> Cheers
>> Christian
>>
>>
>>
>> > --
>> > Joakim Erdfelt <joakim@xxxxxxxxxxx>
>> > webtide.com
>> > Developer advice, services and support
>> > from the Jetty & CometD experts
>> > eclipse.org/jetty - cometd.org
>> >
>> >
>> > On Thu, Apr 11, 2013 at 11:30 AM, Christian Grobmeier
>> > <grobmeier@xxxxxxxxx>
>> > wrote:
>> >>
>> >> Hi list,
>> >>
>> >> I have two jettys running on one box with different ports. Both were
>> >> 7.4.4 so far but do not share anything in common. One is for testing,
>> >> one is for production.
>> >> Today I thought I would update jetty. I used the testing jetty and
>> >> upgraded to 7.6.10 in the afternoon.
>> >>
>> >> It went fine and I wanted to wait a couple of days before I go with
>> >> the prod jetty.
>> >>
>> >> A couple of hours later I got a message from my monitoring tool that
>> >> my non-ssl connector went down. I restarted and it went up ok. SSL
>> >> worked btw.
>> >>
>> >> Checking my logfiles I saw a lot of these exceptions:
>> >>
>> >> 2013-04-11 18:19:49.267:WARN:oeji.nio:handle failed
>> >> java.lang.RuntimeException:
>> >> sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DOMAIN_PARAMS_INVALID
>> >> at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1029)
>> >> at
>> >> sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:503)
>> >> at
>> >> sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1128)
>> >> at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1100)
>> >> at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
>> >> at org.eclipse.jetty.io.nio.SslConnection.wrap(SslConnection.java:460)
>> >> at
>> >> org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:386)
>> >> at
>> >>
>> >> org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
>> >> at
>> >>
>> >> org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
>> >> at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1040)
>> >> at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
>> >> at
>> >> org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>> >> at
>> >>
>> >> org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>> >> at
>> >> org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
>> >> at
>> >>
>> >> org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:628)
>> >> at
>> >>
>> >> org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
>> >> at
>> >>
>> >> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>> >> at
>> >>
>> >> org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>> >> at java.lang.Thread.run(Thread.java:636)
>> >>
>> >>
>> >> I never had them before. I then disabled the testing jetty, but the
>> >> exceptions kept going.
>> >> As both jettys used the same keystore, I considered it might be
>> >> problematic. So I went updating the prod jetty. Basically it was no
>> >> problem and everything looks well, but the exceptions
>> >> won't go away.
>> >>
>> >> I found a known issue on openjdk and followed these instructions:
>> >>
>> >> http://shickys.blogspot.de/2012/11/addressing-openjdk-bug-with-ssl-on.html
>> >> (basically editing the pck12 providers).
>> >> But no luck.
>> >>
>> >> I checked this:
>> >> keytool -list -keystore keystore -v
>> >> just in any case. It appears CN= matches my domain and so I think it
>> >> should be all well too.
>> >>
>> >> Now I am puzzled and don't know where to search for the error.
>> >>
>> >> Any ideas are highly appreciated.
>> >>
>> >> Thanks,
>> >> Christian
>> >> _______________________________________________
>> >> jetty-users mailing list
>> >> jetty-users@xxxxxxxxxxx
>> >> https://dev.eclipse.org/mailman/listinfo/jetty-users
>> >
>> >
>> >
>> >
>>
>>
>>
>> --
>> http://www.grobmeier.de
>> https://www.timeandbill.de
>
>
>
>



--
http://www.grobmeier.de
https://www.timeandbill.de
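The "Unsupported record version Unknown-111.116" lines quoted in this thread come from JSSE reading the first bytes of an incoming record as a TLS record header (one content-type byte, then a two-byte major.minor version) and not recognising the version pair. The triage script below is an added example for this thread, not code from Jetty, JSSE or anyone posting here. It parses a 5-byte record header the way the RFC lays it out, and scans Jetty-style log lines for the "Unknown-X.Y" pattern and decodes the two version bytes. The assumption it encodes, which the thread does not state, is that when both version bytes are printable ASCII (111.116 is "ot", 115.108 is "sl") the peer most likely sent plaintext to the TLS port rather than a TLS record, which is consistent with the poster's finding that the warnings stopped once the monitoring tool's SSL checks were disabled. The log lines and header bytes in the block are constructed samples.

```python
"""Triage "Unsupported record version Unknown-X.Y" warnings from a JSSE-based server.

Added example, not from Jetty or the thread. The version-name format
"Unknown-<major>.<minor>" is taken from the log lines quoted in the thread.
"""
import re
import struct

# TLS record-layer versions JSSE recognised at the time of the thread (SSLv3 .. TLSv1.2).
KNOWN_VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}

# Record-layer content types from RFC 5246.
CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}

UNKNOWN_RE = re.compile(r"Unsupported record version Unknown-(\d+)\.(\d+)")


def version_name(major, minor):
    """Name a record version the way the quoted log does: known pair -> protocol name,
    anything else -> "Unknown-<major>.<minor>"."""
    return KNOWN_VERSIONS.get((major, minor), f"Unknown-{major}.{minor}")


def parse_record_header(header):
    """Decode a TLS record header: type(1) | version major(1) minor(1) | length(2).

    Also reports whether the first three bytes are all printable ASCII, which is
    the heuristic (an assumption, see lead-in) for "this was never a TLS record".
    """
    if len(header) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", header[:5])
    return {
        "content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": version_name(major, minor),
        "length": length,
        "looks_like_text": all(32 <= b < 127 for b in header[:3]),
    }


def triage_log(text):
    """Return one finding per 'Unsupported record version Unknown-X.Y' warning."""
    findings = []
    for line in text.splitlines():
        m = UNKNOWN_RE.search(line)
        if not m:
            continue
        major, minor = int(m.group(1)), int(m.group(2))
        printable = all(32 <= b < 127 for b in (major, minor))
        findings.append({
            # Jetty 7 prefixes lines with "<timestamp>:<LEVEL>:<logger>:".
            "timestamp": line.split(":WARN:")[0],
            "version_bytes": (major, minor),
            "as_text": bytes([major, minor]).decode("ascii") if printable else None,
            "verdict": ("probable non-TLS bytes on the TLS port"
                        if printable else "malformed TLS record"),
        })
    return findings


# Constructed sample lines, shaped like the Jetty 7.6 log quoted in the thread.
SAMPLE_LOG = """\
2013-04-11 19:13:54.713:WARN:oeji.nio:javax.net.ssl.SSLException: Unsupported record version Unknown-111.116
2013-04-11 19:16:46.341:WARN:oeji.nio:javax.net.ssl.SSLException: Unsupported record version Unknown-115.108
2013-04-11 19:12:32.054:INFO:oejs.AbstractConnector:Started SelectChannelConnector@0.0.0.0:8080
"""

if __name__ == "__main__":
    # A genuine TLSv1 ClientHello record header versus an HTTP request line (constructed).
    print(parse_record_header(b"\x16\x03\x01\x00\x2f"))
    print(parse_record_header(b"GET / HTTP/1.1\r\n"))
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

Running this against a real Jetty stderrout log (`python3 triage.py < log` with the constant swapped for `sys.stdin.read()`) gives a quick split between peers that speak broken TLS and peers that are not speaking TLS at all; the latter is a client or probe misconfiguration to fix, not a certificate problem on the server.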

