Re: [Simpleweb-Support] Getting started with SSL
From: Niall G. <gal...@ya...> - 2010-08-04 11:49:32
Hi,

I really must add better support for logging. This is my next goal. Glad you found the issue.

Niall

--- On Mon, 8/2/10, Brad McEvoy <br...@br...> wrote:

From: Brad McEvoy <br...@br...>
Subject: Re: [Simpleweb-Support] Getting started with SSL
To: "Simple support and user issues" <sim...@li...>
Date: Monday, August 2, 2010, 4:32 AM

Got it. Added some logging and found this exception which was being caught but not logged in Task.run()

Now to figure out why there's no cipher suites...

javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:938)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:465)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:701)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:669)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
    at org.simpleframework.transport.Handshake.read(Handshake.java:272)
    at org.simpleframework.transport.Handshake.read(Handshake.java:256)
    at org.simpleframework.transport.Handshake.exchange(Handshake.java:240)
    at org.simpleframework.transport.Handshake.process(Handshake.java:203)
    at org.simpleframework.transport.Handshake.resume(Handshake.java:182)
    at org.simpleframework.transport.Task.execute(Task.java:130)
    at org.simpleframework.transport.Task.run(Task.java:90)
    at org.simpleframework.transport.Handshake.resume(Handshake.java:186)
    at org.simpleframework.transport.Handshake.begin(Handshake.java:166)
    at org.simpleframework.transport.Handshake.run(Handshake.java:137)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1366)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:189)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:425)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:139)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:458)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:875)
    at org.simpleframework.transport.Handshake.execute(Handshake.java:346)
    at org.simpleframework.transport.Handshake.read(Handshake.java:284)
    ... 12 more

Brad McEvoy wrote:

I've checked and have the same issue with .21

I've done the same check with xlightweb and it also works on my Windows box and fails silently on the Linux server, so it is definitely something I'm doing wrong.

Just a couple of specific things:
- should the SSL protocol be SSL or TLS?
- if I've built the certificate incorrectly, should I expect to see a program error on startup (or at any time)?
- should the keystore type be JKS?
- should the keystore algorithm be SunX509?
- do any of these vary between Windows and Linux?
- should I expect the same certificate file to work on Windows and Linux?

Thanks in advance.

Brad

Niall Gallagher wrote:

Hi,

Are you using 4.1.21 to test HTTPS? There have been a number of bugs fixed recently for HTTPS/SSL. I would advise you use 4.1.21.

Niall

--- On Sun, 8/1/10, Brad McEvoy <br...@br...> wrote:

From: Brad McEvoy <br...@br...>
Subject: [Simpleweb-Support] Getting started with SSL
To: "Simple support and user issues" <sim...@li...>
Date: Sunday, August 1, 2010, 7:26 PM

Hi All,

I'm having a problem with using SSL in SimpleHTTP. I'm sure I'm doing something dumb but am at a loss as to where to start.

All works fine on my Windows development machine, but when I deploy to an Ubuntu server (Sun VM 1.6) I get a "Connection interrupted" error in Firefox. I've confirmed connectivity on port 443 to the server.

When using the SimpleSSLHelloWorld (adapted for my own certificate and password) there is no output from logging and the handle method doesn't get called.

When I modify the code to directly set up the ContainerServer in my code I can see that the process method does indeed get called on the ContainerServer for an https request, which then calls process on the wrapped processor, but then there is no more console output, there are no exceptions thrown, nothing is returned to the browser and the handle method doesn't get called.

I'm a bit unsure about the SSL config. If there was a configuration error, should I expect to see an error on startup? Is there some particular class in simple web that I can add logging to, to see what's going wrong?

I've attached my slightly modified form of the SimpleSSLHelloWorld and also my own implementation SslSimpletonServer, both of which show the same results.

Any help would be greatly appreciated. I'm happy to do the digging myself but need to know where to stick my shovel!

Cheers,
Brad

BTW: this is all part of a project to integrate simpleweb with milton (see http://milton.ettrema.com) for a very lightweight webdav server

Andrew Barlow wrote:

Thanks Niall - works like a charm on Safari 5 now...

AndyB

On 26 Jul 2010, at 20:48, Niall Gallagher wrote:

Hi,

I have released 4.1.21 which fixes this issue by not requesting client authentication. If client authentication is needed it can be done just before the handshake begins by setting it on the SSLEngine associated with the org.simpleframework.transport.Socket.

Regards,
Niall

--- On Thu, 7/8/10, Andrew Barlow <and...@sd...> wrote:

From: Andrew Barlow <and...@sd...>
Subject: [Simpleweb-Support] SSL client certificate request: Safari 5 problem?
To: sim...@li...
Date: Thursday, July 8, 2010, 1:14 AM

Niall and Fabio kindly sent me links to example code for delivering web content over SSL, see http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTilp2LqrCGMJ5Io6hxFOJMLZqIYGNutDmYslm-gP%40mail.gmail.com&forum_name=simpleweb-support.

As I need to use an existing signed certificate inside a Java keystore I've adopted/adapted Fabio's example which reads from the keystore file. I have set the SSLContext to "TLS".

I've tested against a keystore containing a bona-fide signed certificate issued by Thawte and all is well across a range of browsers: Internet Explorer on Windows and Firefox, Opera, Chrome on Windows and Mac.

However on Safari 5 (but NOT 4) on the Mac I encounter a message asking for a client certificate, see screenshot:

<clientcertificate.png>

Upon selecting a certificate (doesn't matter which), Safari then gives a message: "Safari can’t open the page “xxxx” because Safari can’t establish a secure connection to the server “xxxx”."

On Windows behaviour is slightly different, Safari 5 simply displays the message without prompting for client certificate.

As this works fine with other browsers, including earlier versions of Safari, could this be a Safari 5 issue that needs to be addressed by Apple?

Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
e: and...@sd...
t: +44 (0)7830 302 268

The information in this email or facsimile is confidential and is intended solely for the addressee(s) and access to this email or facsimile by anyone else is unauthorised.
If you are not the intended recipient then any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Information expressed in this email or facsimile is not given or endorsed by my firm or employer unless otherwise indicated by an authorised representative independent of this message.

_______________________________________________
Simpleweb-Support mailing list
Sim...@li...
https://lists.sourceforge.net/lists/listinfo/simpleweb-support
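An added example, not part of the thread and not Simple's own code: the thread asks whether a badly built keystore produces an error at startup, and with plain JSSE it often does not. The sketch below builds the SSLContext and a server-mode SSLEngine the way a server would, then checks for a usable private key entry, whose absence is one common cause of "no cipher suites in common" on Sun JSSE (the thread does not say this was the cause here). The class name, method name and command-line arguments are assumptions for illustration; Java 7 or later is assumed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class KeystoreStartupCheck {
    // Counts entries a server can present in a handshake: a private key
    // recoverable with the given password, together with a certificate chain.
    static int usableKeyEntries(KeyStore store, char[] password) throws Exception {
        int usable = 0;
        for (String alias : Collections.list(store.aliases())) {
            if (!store.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate only, no private key");
                continue;
            }
            Key key = store.getKey(alias, password); // throws if the key password is wrong
            if (key instanceof PrivateKey && store.getCertificateChain(alias) != null) {
                System.out.println(alias + ": " + key.getAlgorithm() + " key with chain");
                usable++;
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java KeystoreStartupCheck <keystore.jks> <password>
        // With no arguments an empty in-memory keystore (constructed) is used.
        char[] password = args.length > 1 ? args[1].toCharArray() : new char[0];
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = args.length > 0 ? new FileInputStream(args[0]) : null) {
            store.load(in, password); // a null stream yields an empty keystore
        }
        // The default algorithm is SunX509 on Sun/Oracle JVMs.
        KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        factory.init(store, password);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(factory.getKeyManagers(), null, null);
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setWantClientAuth(false); // request client certificates only when needed
        System.out.println("context and engine created without error");
        if (usableKeyEntries(store, password) == 0) {
            throw new IllegalStateException("no usable private key entry in keystore");
        }
    }
}
```

Run without arguments, it prints that the context and engine were created and only then fails on the explicit check, which is the silent-misconfiguration case the thread describes. The printed key algorithm (RSA, DSA, EC) is worth comparing against the cipher suites the clients are expected to offer.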