Thread: [Simpleweb-Support] SSL client certificate request: Safari 5 problem?
|
From: Andrew B. <and...@sd...> - 2010-07-08 08:14:48
|
Niall and Fabio kindly sent me links to example code for delivering web content over SSL, see http://sourceforge.net/mailarchive/forum.php?thread_name=AANLkTilp2LqrCGMJ5Io6hxFOJMLZqIYGNutDmYslm-gP%40mail.gmail.com&forum_name=simpleweb-support.
As I need to use an existing signed certificate inside a Java keystore I've adopted/adapted Fabio's example which reads from the keystore file.
I have set the SSLContext to "TLS".
I've tested against a keystore containing a bona-fide signed certificate issued by Thawte and all is well across a range of browsers: Internet Explorer on Windows and Firefox, Opera, Chrome on Windows and Mac.
However on Safari 5 (but NOT 4) on the Mac I encounter a message asking for a client certificate, see screenshot:
Upon selecting a certificate (doesn't matter which), Safari then gives a message:
"Safari can’t open the page “xxxx” because Safari can’t establish a secure connection to the server “xxxx”."
On Windows behaviour is slightly different, Safari 5 simply displays the message without prompting for client certificate.
As this works fine with other browsers, including earlier versions of Safari, could this be a Safari 5 issue that needs to be addressed by Apple?
Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
e: and...@sd...
t: +44 (0)7830 302 268
The information in this email or facsimile is confidential and is intended solely for the addressee(s) and access to this email or facsimile by anyone else is unauthorised. If you are not the intended recipient then any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Information expressed in this email or facsimile is not given or endorsed by my firm or employer unless otherwise indicated by an authorised representative independent of this message.
|
From: Bruno H. <Bru...@ma...> - 2010-07-08 22:58:00
|
Hi,
SimpleWeb always requests (but doesn't require) a client certificate during the SSL handshake.
Safari's client-certificate mechanism was broken (it wouldn't prompt when it should have) so that's probably why the message didn't appear in version 4. I guess this has been fixed in Safari 5 (but I haven't tried).
For the certificate to be accepted, it would need to be verifiable by the server, so its emitter (or something higher up in the chain) should be in the server's trust store.
If you're not really using client-certificate authentication and seeing this only as a side-effect of SimpleWeb requesting a client certificate by default (I think it's hard-coded in fact), I'd suggest clicking on Cancel rather than choosing a certificate. This shouldn't send a client-cert and thus the server wouldn't have to verify it.
Best wishes,
Bruno.
|
From: <nia...@rb...> - 2010-07-09 09:06:55
|
Hi,
Currently this is hardcoded in the handshake as setWantClientAuth; it should really be configurable. I will add better configuration options in the next release. You can override this in a hacky kind of way. To do this you would need to wrap the SSLEngine for the org.simpleframework.transport.Socket in your own SSLEngine like so.
    import javax.net.ssl.SSLEngine;
    public class MySSLEngineWrapper extends SSLEngine {
        private final SSLEngine realEngine;
        public MySSLEngineWrapper(SSLEngine realEngine) {
            this.realEngine = realEngine; // the engine the transport would otherwise use
        }
        // .. add proxy methods that delegate to the realEngine here
        @Override
        public void setWantClientAuth(boolean value) {
            realEngine.setWantClientAuth(false); // here we set false always because we do not want auth
        }
    }
This should work, but it's a bit ugly.
Niall
Niall Gallagher
RBS Global Banking & Markets
Office: +44 2070851454
________________________________
From: Andrew Barlow [mailto:and...@sd...]
Sent: 09 July 2010 08:53
To: Bruno Harbulot
Cc: GALLAGHER, Niall, GBM
Subject: Re: [Simpleweb-Support] SSL client certificate request: Safari 5 problem?
Thanks Bruno
I don't need to authenticate the client certificate.
Do you know of any way to switch this off in Simple?
AndyB
***********************************************************************************
The Royal Bank of Scotland plc. Registered in Scotland No 90312.
Registered Office: 36 St Andrew Square, Edinburgh EH2 2YB.
Authorised and regulated by the Financial Services Authority. The
Royal Bank of Scotland N.V. is authorised and regulated by the
De Nederlandsche Bank and has its seat at Amsterdam, the
Netherlands, and is registered in the Commercial Register under
number 33002587. Registered Office: Gustav Mahlerlaan 10,
Amsterdam, The Netherlands. The Royal Bank of Scotland N.V. and
The Royal Bank of Scotland plc are authorised to act as agent for each
other in certain jurisdictions.
This e-mail message is confidential and for use by the addressee only.
If the message is received by anyone other than the addressee, please
return the message to the sender by replying to it and then delete the
message from your computer. Internet e-mails are not necessarily
secure. The Royal Bank of Scotland plc and The Royal Bank of Scotland
N.V. including its affiliates ("RBS group") does not accept responsibility
for changes made to this message after it was sent.
Whilst all reasonable care has been taken to avoid the transmission of
viruses, it is the responsibility of the recipient to ensure that the onward
transmission, opening or use of this message and any attachments will
not adversely affect its systems or data. No responsibility is accepted
by the RBS group in this regard and the recipient should carry out such
virus and other checks as it considers appropriate.
Visit our website at www.rbs.com
***********************************************************************************
|
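The wrapper sketched in Niall's message above, filled out as an added example (not code from the thread or from Simple): every abstract SSLEngine method delegates to the wrapped engine, and both client-auth setters are pinned to false so the server never sends a certificate request. Pinning setNeedClientAuth as well goes beyond the sketch; the class name NoClientAuthSSLEngine and the demo in main are assumptions, and only javax.net.ssl from the JDK is used.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;

// Added example: hypothetical class name, not part of Simple.
public class NoClientAuthSSLEngine extends SSLEngine {
    private final SSLEngine real;

    public NoClientAuthSSLEngine(SSLEngine real) {
        this.real = real;
        // Clear any want/need setting made before the engine was wrapped.
        real.setWantClientAuth(false);
    }

    // The setters a caller might use to request a client certificate:
    // the argument is ignored. The inherited setSSLParameters() calls these
    // two methods on this object, so it is covered as well.
    @Override public void setWantClientAuth(boolean want) { real.setWantClientAuth(false); }
    @Override public void setNeedClientAuth(boolean need) { real.setNeedClientAuth(false); }
    @Override public boolean getWantClientAuth() { return real.getWantClientAuth(); }
    @Override public boolean getNeedClientAuth() { return real.getNeedClientAuth(); }

    // Everything below is a plain proxy to the wrapped engine.
    @Override
    public SSLEngineResult wrap(ByteBuffer[] srcs, int offset, int length, ByteBuffer dst)
            throws SSLException {
        return real.wrap(srcs, offset, length, dst);
    }

    @Override
    public SSLEngineResult unwrap(ByteBuffer src, ByteBuffer[] dsts, int offset, int length)
            throws SSLException {
        return real.unwrap(src, dsts, offset, length);
    }

    @Override public Runnable getDelegatedTask() { return real.getDelegatedTask(); }
    @Override public void closeInbound() throws SSLException { real.closeInbound(); }
    @Override public boolean isInboundDone() { return real.isInboundDone(); }
    @Override public void closeOutbound() { real.closeOutbound(); }
    @Override public boolean isOutboundDone() { return real.isOutboundDone(); }
    @Override public String[] getSupportedCipherSuites() { return real.getSupportedCipherSuites(); }
    @Override public String[] getEnabledCipherSuites() { return real.getEnabledCipherSuites(); }
    @Override public void setEnabledCipherSuites(String[] suites) { real.setEnabledCipherSuites(suites); }
    @Override public String[] getSupportedProtocols() { return real.getSupportedProtocols(); }
    @Override public String[] getEnabledProtocols() { return real.getEnabledProtocols(); }
    @Override public void setEnabledProtocols(String[] protocols) { real.setEnabledProtocols(protocols); }
    @Override public SSLSession getSession() { return real.getSession(); }
    @Override public void beginHandshake() throws SSLException { real.beginHandshake(); }
    @Override public SSLEngineResult.HandshakeStatus getHandshakeStatus() { return real.getHandshakeStatus(); }
    @Override public void setUseClientMode(boolean mode) { real.setUseClientMode(mode); }
    @Override public boolean getUseClientMode() { return real.getUseClientMode(); }
    @Override public void setEnableSessionCreation(boolean flag) { real.setEnableSessionCreation(flag); }
    @Override public boolean getEnableSessionCreation() { return real.getEnableSessionCreation(); }

    public static void main(String[] args) throws Exception {
        // Server-mode engine from the JVM default context; no network I/O happens here.
        SSLEngine real = SSLContext.getDefault().createSSLEngine();
        real.setUseClientMode(false);
        SSLEngine engine = new NoClientAuthSSLEngine(real);

        // The call the thread says was hard-coded in the handshake.
        engine.setWantClientAuth(true);
        System.out.println("wrapped, want after setWantClientAuth(true): " + engine.getWantClientAuth());
        engine.setNeedClientAuth(true);
        System.out.println("wrapped, need after setNeedClientAuth(true): " + engine.getNeedClientAuth());

        // For contrast, an unwrapped engine: want and need are a single
        // setting, and the most recent call replaces the earlier one.
        SSLEngine plain = SSLContext.getDefault().createSSLEngine();
        plain.setUseClientMode(false);
        plain.setNeedClientAuth(true);
        plain.setWantClientAuth(true);
        System.out.println("plain, want=" + plain.getWantClientAuth()
                + " need=" + plain.getNeedClientAuth());
    }
}
```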
|
From: <nia...@rb...> - 2010-07-13 10:37:03
|
Hi,
I am removing this from the Handshake as it is not required; in future, implementations wanting client authentication will have to intercept the SSLEngine in the transport layer to set the value. This allows for customization without forcing the client to ask for the certificate. This should be released this week some time.
Niall
-----Original Message-----
From: Bruno Harbulot [mailto:Bru...@ma...]
Sent: 09 July 2010 10:05
To: Andrew Barlow
Cc: GALLAGHER, Niall, GBM
Subject: Re: [Simpleweb-Support] SSL client certificate request: Safari 5 problem?
Hi,
setWantClientAuth(true) is hard-coded in org.simpleframework.transport.Handshake (run() method):
http://www.simpleframework.org/doc/source/org.simpleframework.transport.Handshake.html
There would need to be a way to pass a parameter there, I'm not sure how.
Best wishes,
Bruno.
|
From: Niall G. <gal...@ya...> - 2010-07-26 19:48:15
|
Hi,
I have released 4.1.21 which fixes this issue by not requesting client authentication. If client authentication is needed it can be done just before the handshake begins by setting it on the SSLEngine associated with the org.simpleframework.transport.Socket.
Regards,
Niall
_______________________________________________
Simpleweb-Support mailing list
Sim...@li...
https://lists.sourceforge.net/lists/listinfo/simpleweb-support
|
From: Andrew B. <and...@sd...> - 2010-07-27 08:01:19
|
Thanks Niall - works like a charm on Safari 5 now...
AndyB
Andy Barlow - Chief Technology Officer - MBCS CENG EURING CITP
e: and...@sd...
t: +44 (0)7830 302 268
|
From: Brad M. <br...@br...> - 2010-08-02 02:46:50
Attachments:
SslSimpletonServer.java
|
package com.ettrema.berry.simple;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import org.simpleframework.http.Request;
import org.simpleframework.http.Response;
import org.simpleframework.http.core.Container;
import org.simpleframework.transport.connect.Connection;
import org.simpleframework.transport.connect.SocketConnection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 *
 * @author brad
 */
public class SimpleSSLHelloWorld implements Container {

    private static final Logger log = LoggerFactory.getLogger(SimpleSSLHelloWorld.class);
    public static int count = 0;
    public static String EMTPY_STRING = "";
    public static String KEYSTORE_PROPERTY = "javax.net.ssl.keyStore";
    public static String KEYSTORE_PASSWORD_PROPERTY = "javax.net.ssl.keyStorePassword";
    public static String KEYSTORE_TYPE_PROPERTY = "javax.net.ssl.keyStoreType";
    public static String KEYSTORE_ALIAS_PROPERTY = "javax.net.ssl.keyStoreAlias";
    public int serverPort = 443;
    private String keystore;
    private String password;

    public SimpleSSLHelloWorld(int serverPort, String keystore, String password) throws Exception {
        // System.setProperty("javax.net.debug", "all");
        setServerPort( serverPort );
        // These two setters publish the keystore path and password as system
        // properties, which createSSLContext() reads back below.
        setKeystore( keystore );
        setPassword( password );
        SocketAddress address = new InetSocketAddress(serverPort);
        SSLContext sslContext = SimpleSSLHelloWorld.createSSLContext();
        SocketConnection connectionHttps = new SocketConnection(this);
        connectionHttps.connect(address, sslContext);
        System.out.println("Simple Server started on port: " + serverPort);
    }

    public int getServerPort() {
        return serverPort;
    }

    public void setServerPort( int serverPort ) {
        this.serverPort = serverPort;
    }

    public String getKeystore() {
        return keystore;
    }

    public void setKeystore( String keystore ) {
        this.keystore = keystore;
        System.setProperty(SimpleSSLHelloWorld.KEYSTORE_PROPERTY, keystore); //"C:\\keystores\\proxy.keystore");
    }

    public String getPassword() {
        return password;
    }

    public void setPassword( String password ) {
        this.password = password;
        System.setProperty(SimpleSSLHelloWorld.KEYSTORE_PASSWORD_PROPERTY, password); // "proxypasswd");
    }

    public void handle(final Request request, final Response response) {
        log.debug( "handle");
        try {
            SimpleSSLHelloWorld.logRequest(request);
            SimpleSSLHelloWorld.dummyResponse(response);
            SimpleSSLHelloWorld.logResponse(response);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public static SSLContext createSSLContext() throws Exception {
        log.debug( "createSSLContext");
        String keyStoreFile = System.getProperty(SimpleSSLHelloWorld.KEYSTORE_PROPERTY);
        String keyStorePassword = System.getProperty(SimpleSSLHelloWorld.KEYSTORE_PASSWORD_PROPERTY,
                SimpleSSLHelloWorld.EMTPY_STRING);
        String keyStoreType = System.getProperty(SimpleSSLHelloWorld.KEYSTORE_TYPE_PROPERTY, KeyStore.getDefaultType());
        KeyStore keyStore = SimpleSSLHelloWorld.loadKeyStore(keyStoreFile, keyStorePassword, null);
        // Load again with the configured keystore type; this result replaces
        // the one above, and a missing file fails here with an exception.
        FileInputStream keyStoreFileInpuStream = null;
        try {
            if (keyStoreFile != null) {
                keyStoreFileInpuStream = new FileInputStream(keyStoreFile);
                keyStore = KeyStore.getInstance(keyStoreType);
                keyStore.load(keyStoreFileInpuStream, keyStorePassword.toCharArray());
            }
        } finally {
            if (keyStoreFileInpuStream != null) {
                keyStoreFileInpuStream.close();
            }
        }
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, keyStorePassword.toCharArray());
        SSLContext sslContext = SSLContext.getInstance("SSL");
        // sslContext.init(keyManagerFactory.getKeyManagers(), new TrustManager[]{new NaiveX509TrustManager()}, null);
        // null trust managers and null SecureRandom select the JVM defaults.
        sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
        return sslContext;
    }

    public static KeyStore loadKeyStore(final String keyStoreFilePath, final String keyStorePassword,
            final String keyStoreType) throws Exception {
        KeyStore keyStore = null;
        if (keyStoreFilePath == null) {
            return null; // no keystore configured; new File(null) would throw
        }
        File keyStoreFile = new File(keyStoreFilePath);
        if (keyStoreFile.isFile()) {
            keyStore = KeyStore.getInstance(keyStoreType != null ? keyStoreType : KeyStore.getDefaultType());
            FileInputStream in = new FileInputStream(keyStoreFile);
            try {
                keyStore.load(in, keyStorePassword != null ? keyStorePassword
                        .toCharArray() : SimpleSSLHelloWorld.EMTPY_STRING.toCharArray());
            } finally {
                in.close(); // the stream was previously left open
            }
        }
        return keyStore;
    }

    public static void logRequest(final Request request) throws IOException {
        StringBuilder builder = new StringBuilder();
        builder.append(">>> REQUEST\n");
        builder.append(request);
        builder.append(request.getContent());
        System.out.println(builder);
    }

    public static void logResponse(final Response response) throws IOException {
        StringBuilder builder = new StringBuilder();
        builder.append("<<< RESPONSE\n");
        builder.append(response);
        if (response.getContentLength() > 0) {
            builder.append("... ").append(response.getContentLength()).append(" bytes ...\n");
        }
        System.out.println(builder);
    }

    public static void dummyResponse(final Response response) throws IOException {
        PrintStream body = response.getPrintStream();
        long time = System.currentTimeMillis();
        response.set("Content-Type", "text/plain");
        response.set("Server", "SSL HelloWorld/1.0 (Simple 4.0)");
        response.setDate("Date", time);
        response.setDate("Last-Modified", time);
        body.println("Hello World: " + ++SimpleSSLHelloWorld.count);
        body.close();
    }
}
|
|
From: Niall G. <gal...@ya...> - 2010-08-02 10:13:45
|
Hi,
Are you using 4.1.21 to test HTTPS? There have been a number of bugs fixed recently for HTTPS/SSL. I would advise you use 4.1.21.
Niall
--- On Sun, 8/1/10, Brad McEvoy <br...@br...> wrote:
From: Brad McEvoy <br...@br...>
Subject: [Simpleweb-Support] Getting started with SSL
To: "Simple support and user issues" <sim...@li...>
Date: Sunday, August 1, 2010, 7:26 PM
Hi All,
I'm having a problem with using SSL in SimpleHTTP. I'm sure I'm doing something dumb but am at a loss as to where to start.
All works fine on my Windows development machine, but when I deploy to an Ubuntu server (Sun VM 1.6) I get a "Connection interrupted" error in Firefox. I've confirmed connectivity on port 443 to the server.
When using the SimpleSSLHelloWorld (adapted for my own certificate and password) there is no output from logging and the handle method doesn't get called. When I modify the code to directly set up the ContainerServer in my code I can see that the process method does indeed get called on the ContainerServer for a https request, which then calls process on the wrapped processor, but then there is no more console output, there are no exceptions thrown, nothing is returned to the browser and the handle method doesn't get called.
I'm a bit unsure about the ssl config. If there was a configuration error, should I expect to see an error on startup? Is there some particular class in simple web that I can add logging to to see what's going wrong?
I've attached my slightly modified form of the SimpleSSLHelloWorld and also my own implementation SslSimpletonServer, both of which show the same results.
Any help would be greatly appreciated. I'm happy to do the digging myself but need to know where to stick my shovel!
Cheers,
Brad
BTW: this is all part of a project to integrate simpleweb with milton (see http://milton.ettrema.com) for a very light weight webdav server
|
From: Brad M. <br...@br...> - 2010-08-02 10:22:02
|
I'm on .20 at the moment, will have a go with .21

Niall Gallagher wrote:
> Hi,
>
> Are you using 4.1.21 to test HTTPS? There have been a number of bugs
> fixed recently for HTTPS/SSL. I would advise you use 4.1.21.
>
> Niall
|
|
From: Brad M. <br...@br...> - 2010-08-02 10:53:31
|
I've checked and have the same issue with .21

I've done the same check with xlightweb and it also works on my windows box and fails silently on the linux server, so it is definitely something I'm doing wrong.

Just a couple of specific things:
- should the ssl protocol be SSL or TLS?
- if I've built the certificate incorrectly, should I expect to see a program error on startup (or at any time)?
- should the keystore type be JKS?
- should the keystore algorithm be SunX509?
- do any of these vary between windows and linux?
- should I expect the same certificate file to work on windows and linux?

Thanks in advance.

Brad

Niall Gallagher wrote:
> Hi,
>
> Are you using 4.1.21 to test HTTPS? There have been a number of bugs
> fixed recently for HTTPS/SSL. I would advise you use 4.1.21.
>
> Niall
|
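For the questions in the message above (protocol name, keystore type, key manager algorithm, and whether a bad keystore shows up at startup), here is an added example that is not code from this thread or from the Simple framework: a stand-alone startup check using only the standard JSSE classes, which also prints the client-authentication flags of the SSLEngine mentioned earlier in the thread. The class name KeystoreStartupCheck and its three command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example, not code from the thread or from the Simple framework.
// Usage (arguments are assumptions): java KeystoreStartupCheck server.jks storePass keyPass
// Passwords on a command line are visible in process listings; read them from a
// protected file or the console in real use.
public class KeystoreStartupCheck {

    // Returns the number of keystore entries that can serve as a server identity.
    static int countServerKeys(KeyStore store, char[] keyPass) throws Exception {
        int usable = 0;
        for (String alias : Collections.list(store.aliases())) {
            if (!store.isKeyEntry(alias)) {
                System.out.println(alias + ": trusted certificate only, no private key");
                continue;
            }
            // Throws UnrecoverableKeyException when the key password is wrong.
            Key key = store.getKey(alias, keyPass);
            Certificate[] chain = store.getCertificateChain(alias);
            if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                System.out.println(alias + ": key entry without an X.509 certificate chain");
                continue;
            }
            X509Certificate leaf = (X509Certificate) chain[0];
            leaf.checkValidity(); // throws if the certificate is expired or not yet valid
            System.out.println(alias + ": " + key.getAlgorithm() + " key, chain of "
                    + chain.length + ", subject " + leaf.getSubjectX500Principal().getName());
            usable++;
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeystoreStartupCheck <keystore> <storePassword> <keyPassword>");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        char[] keyPass = args[2].toCharArray();

        KeyStore store = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(args[0]);
        try {
            store.load(in, storePass); // IOException on a wrong store password or damaged file
        } finally {
            in.close();
        }

        // SSLContext.init() accepts a keystore with no private key without complaint,
        // so the absence of a server key has to be checked explicitly at startup.
        if (countServerKeys(store, keyPass) == 0) {
            throw new IllegalStateException("no usable private key entry in " + args[0]);
        }

        // The default algorithm is typically SunX509 on Sun/Oracle JVMs.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(store, keyPass);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), null, null);

        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(false);

        // Both flags are false on a new server engine. setWantClientAuth(true) requests a
        // client certificate, setNeedClientAuth(true) requires one; set before the handshake.
        System.out.println("needClientAuth=" + engine.getNeedClientAuth()
                + " wantClientAuth=" + engine.getWantClientAuth());

        // For TLS 1.2 and earlier the server can only pick a suite whose authentication
        // algorithm matches a key it holds (an RSA key for *_RSA_* suites, and so on).
        System.out.println("protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        for (String suite : engine.getEnabledCipherSuites()) {
            System.out.println("  " + suite);
        }
    }
}
```

Running it with the same keystore file on both the Windows and the Linux machine shows whether the same entries, passwords and JVM defaults are in effect on each.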
|
From: Brad M. <br...@br...> - 2010-08-02 11:32:36
|
Got it. Added some logging and found this exception which was being
caught but not logged in Task.run()
Now to figure out why there's no cipher suites...
javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:938)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:465)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:701)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:669)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
    at org.simpleframework.transport.Handshake.read(Handshake.java:272)
    at org.simpleframework.transport.Handshake.read(Handshake.java:256)
    at org.simpleframework.transport.Handshake.exchange(Handshake.java:240)
    at org.simpleframework.transport.Handshake.process(Handshake.java:203)
    at org.simpleframework.transport.Handshake.resume(Handshake.java:182)
    at org.simpleframework.transport.Task.execute(Task.java:130)
    at org.simpleframework.transport.Task.run(Task.java:90)
    at org.simpleframework.transport.Handshake.resume(Handshake.java:186)
    at org.simpleframework.transport.Handshake.begin(Handshake.java:166)
    at org.simpleframework.transport.Handshake.run(Handshake.java:137)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1366)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:189)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:425)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:139)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:458)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:875)
    at org.simpleframework.transport.Handshake.execute(Handshake.java:346)
    at org.simpleframework.transport.Handshake.read(Handshake.java:284)
    ... 12 more
Brad McEvoy wrote:
> I've checked and have the same issue with .21
>
> I've done the same check with xlightweb and it also works on my
> windows box and fails silently on the linux server, so it is
> definitely something I'm doing wrong.
>
> Just a couple of specific things:
> - should the ssl protocol be SSL or TLS?
> - if I've built the certificate incorrectly, should I expect to see a
> program error on startup (or at any time)?
> - should the keystore type be JKS?
> - should the keystore algorithm be SunX509?
> - do any of these vary between windows and linux?
> - should I expect the same certificate file to work on windows and linux?
>
> Thanks in advance.
>
> Brad
> Sim...@li...
> https://lists.sourceforge.net/lists/listinfo/simpleweb-support
>
|
|
From: Niall G. <gal...@ya...> - 2010-08-04 11:49:32
|
Hi,

I really must add better support for logging. This is my next goal. Glad you found the issue.

Niall

--- On Mon, 8/2/10, Brad McEvoy <br...@br...> wrote:

From: Brad McEvoy <br...@br...>
Subject: Re: [Simpleweb-Support] Getting started with SSL
To: "Simple support and user issues" <sim...@li...>
Date: Monday, August 2, 2010, 4:32 AM

Got it. Added some logging and found this exception which was being caught but not logged in Task.run()

Now to figure out why there's no cipher suites...

javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:938)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:465)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:701)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:669)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
    at org.simpleframework.transport.Handshake.read(Handshake.java:272)
    at org.simpleframework.transport.Handshake.read(Handshake.java:256)
    at org.simpleframework.transport.Handshake.exchange(Handshake.java:240)
    at org.simpleframework.transport.Handshake.process(Handshake.java:203)
    at org.simpleframework.transport.Handshake.resume(Handshake.java:182)
    at org.simpleframework.transport.Task.execute(Task.java:130)
    at org.simpleframework.transport.Task.run(Task.java:90)
    at org.simpleframework.transport.Handshake.resume(Handshake.java:186)
    at org.simpleframework.transport.Handshake.begin(Handshake.java:166)
    at org.simpleframework.transport.Handshake.run(Handshake.java:137)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1366)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:189)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:177)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:638)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:425)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:139)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:458)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:875)
    at org.simpleframework.transport.Handshake.execute(Handshake.java:346)
    at org.simpleframework.transport.Handshake.read(Handshake.java:284)
    ... 12 more

Brad McEvoy wrote:
> I've checked and have the same issue with .21
>
> I've done the same check with xlightweb and it also works on my
> windows box and fails silently on the linux server, so it is
> definitely something I'm doing wrong.
>
> Just a couple of specific things:
> - should the ssl protocol be SSL or TLS?
> - if I've built the certificate incorrectly, should I expect to
>   see a program error on startup (or at any time)?
> - should the keystore type be JKS?
> - should the keystore algorithm be SunX509?
> - do any of these vary between windows and linux?
> - should I expect the same certificate file to work on windows
>   and linux?
>
> Thanks in advance.
>
> Brad
>
> Niall Gallagher wrote:
>> Hi,
>>
>> Are you using 4.1.21 to test HTTPS? There have been a number of
>> bugs fixed recently for HTTPS/SSL. I would advise you use 4.1.21.
>>
>> Niall
>>
>> --- On Sun, 8/1/10, Brad McEvoy <br...@br...> wrote:
>>
>> From: Brad McEvoy <br...@br...>
>> Subject: [Simpleweb-Support] Getting started with SSL
>> To: "Simple support and user issues" <sim...@li...>
>> Date: Sunday, August 1, 2010, 7:26 PM
>>
>> Hi All,
>>
>> I'm having a problem with using SSL in SimpleHTTP. I'm sure
>> I'm doing something dumb but am at a loss as to where to start.
>>
>> All works fine on my Windows development machine, but when I
>> deploy to an Ubuntu server (Sun VM 1.6) I get a "Connection
>> interrupted" error in firefox. I've confirmed connectivity
>> on port 443 to the server.
>>
>> When using the SimpleSSLHelloWorld (adapted for my own
>> certificate and password) there is no output from logging
>> and the handle method doesn't get called.
>>
>> When I modify the code to directly setup the ContainerServer
>> in my code I can see that the process method does indeed get
>> called on the ContainerServer for a https request, which
>> then calls process on the wrapped processor, but then there
>> is no more console output, there are no exceptions thrown,
>> nothing is returned to the browser and the handle method
>> doesn't get called.
>>
>> I'm a bit unsure about the ssl config. If there was a
>> configuration error, should I expect to see an error on
>> startup? Is there some particular class in simple web that I
>> can add logging to to see what's going wrong?
>>
>> I've attached my slightly modified form of the
>> SimpleSSLHelloWorld and also my own implementation
>> SslSimpletonServer, both of which show the same results.
>>
>> Any help would be greatly appreciated. I'm happy to do the
>> digging myself but need to know where to stick my shovel!
>>
>> Cheers,
>> Brad
>>
>> BTW: this is all part of a project to integrate simpleweb
>> with milton (see http://milton.ettrema.com) for a very light
>> weight webdav server
>>
>> Andrew Barlow wrote:
>>> Thanks Niall - works like a charm on Safari 5 now...
>>>
>>> AndyB
>>> On 26 Jul 2010, at 20:48, Niall Gallagher wrote:
>>>
>>>> Hi,
>>>>
>>>> I have released 4.1.21 which fixes this issue by not
>>>> requesting client authentication. If client authentication
>>>> is needed it can be done just before the handshake begins
>>>> by setting it on the SSLEngine associated with the
>>>> org.simpleframework.transport.Socket.
>>>>
>>>> Regards,
>>>> Niall
|
|
From: Brad M. <br...@br...> - 2010-08-04 19:53:37
|
Yeah, from googling it looks like that's a common problem for people setting up ssl. Once you know the error it's straightforward.

Very nice code, by the way :)

Cheers,
Brad

Niall Gallagher wrote:
> Hi,
> I really must add better support for logging. This is my next goal.
> Glad you found the issue.
> Niall
|
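Added example (not code from the Simple project or from anyone in this thread): Brad asks whether a configuration error should show up at startup, and the exception he found only surfaced at handshake time. The check below validates the keystore before any socket is opened and sets client authentication on the SSLEngine before the handshake, as Niall describes. Assumptions: `TlsStartupCheck` and its method names are hypothetical, the store and key share one password, and a keystore without a private key entry is taken as one common JSSE cause of "no cipher suites in common" (the thread does not say what caused it in Brad's case).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Added example: reject a broken TLS configuration at startup, not at handshake time. */
public class TlsStartupCheck {

    /** Aliases that hold a private key; certificate-only entries cannot authenticate a server. */
    static List<String> keyAliases(KeyStore store) throws Exception {
        List<String> aliases = new ArrayList<>();
        for (String alias : Collections.list(store.aliases())) {
            if (store.isKeyEntry(alias)) {
                aliases.add(alias);
            }
        }
        return aliases;
    }

    /** Builds a server-side SSLEngine, or throws with a readable reason. */
    static SSLEngine serverEngine(KeyStore store, char[] keyPassword, boolean needClientAuth)
            throws Exception {
        if (keyAliases(store).isEmpty()) {
            throw new IllegalStateException("keystore has no private key entry; "
                + "handshakes would fail with 'no cipher suites in common'");
        }
        // Default algorithm is SunX509 on Sun/Oracle JVMs.
        KeyManagerFactory factory =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Throws UnrecoverableKeyException if the key password is wrong.
        factory.init(store, keyPassword);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(factory.getKeyManagers(), null, null);

        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(false);
        // Client authentication is a per-engine choice made before the handshake starts.
        // false = do not send a certificate request to the browser.
        engine.setNeedClientAuth(needClientAuth);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        char[] password = new char[0];
        if (args.length == 2) {
            // Usage: java TlsStartupCheck <keystore.jks> <password>
            password = args[1].toCharArray();
            try (InputStream in = new FileInputStream(args[0])) {
                store.load(in, password);
            }
        } else {
            // Constructed sample input: an empty in-memory keystore.
            store.load(null, null);
        }
        try {
            SSLEngine engine = serverEngine(store, password, false);
            System.out.println("key aliases:    " + keyAliases(store));
            System.out.println("protocols:      " + Arrays.toString(engine.getEnabledProtocols()));
            System.out.println("cipher suites:  " + Arrays.toString(engine.getEnabledCipherSuites()));
            System.out.println("needClientAuth: " + engine.getNeedClientAuth());
        } catch (Exception e) {
            System.out.println("TLS configuration rejected at startup: " + e.getMessage());
        }
    }
}
```

Run without arguments it reports the empty keystore as rejected; run against a real keystore it lists the key aliases and the protocols and suites the engine will offer.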