From: Ronald v. K. <rtv...@xs...> - 2005-06-22 22:35:11
This is most likely not a Hermes issue, but an issue of the SSL libs used.
Try implementing a real simple https client and see what happens. Probably
the same error.

Ronald

Robert A. Stockfleth tried to make the following clear to me:

> After several more hours of testing and packet sniffing - it looks like
> Hermes bombs out anytime a server tries to switch to SSL v3... How do I get
> Hermes to connect to a SSL3 server? It seems like it tries to use TLS
> protocol because it doesn't support SSL3?????
>
> PLEASE help - I really want Hermes to work????!
>
> From packet sniffer: (192.168.20.165 = Hermes, 192.168.10.101 = Cyclone)
> --------------------------------------------------------------
>
> No.  Time      Source          Destination     Protocol  Info
> 34   9.128011  192.168.20.165  192.168.10.101  TCP       1453 > https [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
> 36   9.197628  192.168.10.101  192.168.20.165  TCP       https > 1453 [SYN, ACK] Seq=0 Ack=1 Win=16560 Len=0 MSS=1380
> 37   9.197767  192.168.20.165  192.168.10.101  TCP       1453 > https [ACK] Seq=1 Ack=1 Win=65535 [TCP CHECKSUM INCORRECT] Len=0
> 38   9.199660  192.168.20.165  192.168.10.101  SSLv2     Client Hello
> 39   9.293068  192.168.10.101  192.168.20.165  TLS       Server Hello, Certificate, Certificate Request, Server Hello Done
> 40   9.484113  192.168.20.165  192.168.10.101  TCP       1453 > https [ACK] Seq=101 Ack=1323 Win=64213 [TCP CHECKSUM INCORRECT] Len=0
> 41   9.498985  192.168.20.165  192.168.10.101  TLS       Certificate, Client Key Exchange
> 42   9.512283  192.168.20.165  192.168.10.101  TLS       Change Cipher Spec
> 43   9.540430  192.168.20.165  192.168.10.101  TLS       Encrypted Handshake Message
> 44   9.601759  192.168.10.101  192.168.20.165  TLS       Alert (Level: Fatal, Description: Handshake Failure)
> 45   9.602017  192.168.10.101  192.168.20.165  TCP       https > 1453 [FIN, ACK] Seq=1330 Ack=247 Win=16560 Len=0
> 46   9.602096  192.168.20.165  192.168.10.101  TCP       1453 > https [ACK] Seq=290 Ack=1331 Win=64206 [TCP CHECKSUM INCORRECT] Len=0
> 47   9.602259  192.168.20.165  192.168.10.101  TCP       1453 > https [FIN, ACK] Seq=290 Ack=1331 Win=64206 [TCP CHECKSUM INCORRECT] Len=0
> 48   9.602378  192.168.10.101  192.168.20.165  TCP       https > 1453 [RST] Seq=1331 Ack=3694123473 Win=0 Len=0
>
> --------------------------------------------------------------
>
> ________________________________________
> From: Robert A. Stockfleth [mailto:ro...@no...]
> Sent: Monday, June 20, 2005 3:27 PM
> To: 'ebx...@li...'
> Subject: SSLHandshakeException (SSL PROBLEM)
>
> Hello, I hope someone out there would be kind enough to help me out – I have
> been struggling with this problem for a couple weeks now.
>
> I am running Hermes 1.0 on a Windows 2003 Server using Java 1.5.0_03
> runtime. Every time I attempt to send a message to "othercompany"'s MSH
> server (not Hermes, Cyclone I think) I receive the SSLHandshakeException. I
> have all the necessary trusted certs installed in my cacerts file that
> Hermes is using as its TrustedAnchor. I am able to sign messages with the
> test09 private key with no problem from the Monitor app.
>
> "othercompany"'s MSH server requires that I send my certificate for
> authentication. I have tested the authentication process in a browser with
> no problems.
>
> I have also tried the 9.31 version of Hermes with the same result. My
> private key originally came in a .pfx file – I was able to sign messages
> from the Monitor application using the .pfx file, but when I put that as my
> keystore in the config file for SSL, it would always say "Cannot load the
> keystore on SSL client authentication : Cannot load keystore : Invalid
> keystore format". So I programmatically put the private key into the JKS
> format.
>
> Is there a good way to debug the whole SSL handshaking process? I've seen
> posts about "-Djavax.net.debug=all" – but can somebody elaborate and be more
> specific about what I need to do?
>
> Please help – I've included as much pertinent information below as I can
> think of!!!!!!
>
> -Rob
>
> -- from log ----------
> Add SSL Client Authentication entry : https://othercompany/msh/ \hermes\test.keystore
> Sending message to https://othercompany/msh/
> Connection class : class com.sun.net.ssl.internal.www.protocol.https.HttpsURLConnectionOldImpl
> Instance of HttpsURLConnection : true
> Configuration to a HTTPS connection
> use key manager for url : https://othercompany/msh/
> [10505] Cannot send SOAP message Exception: javax.net.ssl.SSLHandshakeException Message: Received fatal alert: handshake_failure
> ------------------------------------
>
> -- from config file -------
> <SSL>
>     <!-- Optional property specifying the implementation class name of
>          com.sun.net.ssl.HostnameVerifier from JSSE 1.0 which handle the case
>          when the URL's hostname and the server's identification hostname
>          mismatch-->
>     <!-- <HostnameVerifier>Verifier</HostnameVerifier> -->
>     <TrustedAnchor>
>         <!-- Trust keystore for SSL Server Authentication -->
>         <KeyStore>
>             <Path>/hermes</Path>
>             <File>cacerts</File>
>             <Password>changeit</Password>
>         </KeyStore>
>     </TrustedAnchor>
>
>     <ClientAuth>
>         <URL>https://othercompany/msh/</URL>
>         <KeyStore>
>             <Path>/hermes</Path>
>             <File>test.keystore</File>
>             <Alias>test09</Alias>
>             <Password>password</Password>
>         </KeyStore>
>     </ClientAuth>
> </SSL>
> ------------------------------------
>
> -- from keytool ------
> D:\jdk1.5.0_03\bin>keytool -list -keystore test.keystore
> Enter keystore password: password
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 1 entries
>
> test09, Jun 13, 2005, keyEntry,
> Certificate fingerprint (MD5): 5D:69:75:75:7C:6D:4A:E9:C6:82:4B:9F:A8:E6:52:05
> ------------------------------------

--
Don't look back, but look at me
Against all odds
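
Added example, not part of the original messages and not Hermes code: a minimal stand-alone HTTPS client of the kind the reply suggests, using a JKS keystore for client authentication and a separate truststore, as in the quoted `<SSL>` config. The class name, the `KEYSTORE_PASS` / `TRUSTSTORE_PASS` environment variables, and the assumption that the key password equals the store password are choices made for this example; it uses current Java syntax rather than the 1.5 runtime mentioned in the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;

// Run: java -Djavax.net.debug=all SimpleHttpsClient <url> <keystore.jks> <truststore>
// Passwords are read from the KEYSTORE_PASS and TRUSTSTORE_PASS environment
// variables (hypothetical names chosen for this example).
public class SimpleHttpsClient {
    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pw);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] keyPw = System.getenv("KEYSTORE_PASS").toCharArray();
        char[] trustPw = System.getenv("TRUSTSTORE_PASS").toCharArray();
        KeyStore keys = load(args[1], keyPw);
        KeyStore trust = load(args[2], trustPw);

        // Show what the client can offer: each entry, whether it holds a
        // private key, and the issuers in its certificate chain.
        for (String alias : Collections.list(keys.aliases())) {
            Certificate[] chain = keys.getCertificateChain(alias);
            if (chain == null) chain = new Certificate[0];
            System.out.println(alias + " keyEntry=" + keys.isKeyEntry(alias)
                    + " chainLength=" + chain.length);
            for (Certificate c : chain)
                System.out.println("  issuer: " + ((X509Certificate) c).getIssuerX500Principal());
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPw); // assumption: key password equals store password
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // getResponseCode() performs the handshake; a failure surfaces here.
        System.out.println("HTTP " + conn.getResponseCode() + " over " + conn.getCipherSuite());
    }
}
```

If this client fails with the same `handshake_failure` against the same keystore and truststore, the problem lies in the JSSE or keystore setup rather than in Hermes; in the `javax.net.debug` output, compare the CAs named in the server's Certificate Request with the issuers printed above.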