SSL Handshake Exception in Google Dataflow Beam Job - java

While using Okhttp3 to request(get and post) HTTPS urls from Dataflow jobs, the program is throwing SSL handshake Exception and failing. Exact message is "javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure"
The same code was working in Dataflow about 3-4 weeks ago (before Nov-23). Now it's failing with the above exception. Could this issue arise because of some changes on the server (HTTPS URL provider)? Or is it something to do with my Dataflow/Beam setup?
SDK and lib versions -
Apache Beam SDK for Java 2.16.0
com.squareup.okhttp3:okhttp:4.2.2

Looks like a change in the SSL configuration of your server. Try this site to confirm your server and device are compatible.
https://www.ssllabs.com/ssltest/

Like I explain in my answer here, GCP disables GCM algos by default, and most probably your server only supports GCM and POLY.
To re-enable GCM in the pipeline, you need to register a JvmInitializer and change the security settings.
Please look at my other answer on how to do this.
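The following is an added example (not code from the question, the answer, or the Beam project) of the JvmInitializer approach the answer refers to. It assumes Beam's org.apache.beam.sdk.harness.JvmInitializer interface is available in your SDK version and that the auto-service annotation processor is on the compile classpath (otherwise register the class in META-INF/services/org.apache.beam.sdk.harness.JvmInitializer by hand). It removes only the bare "GCM" entry from jdk.tls.disabledAlgorithms and leaves every other restriction (SSLv3, RC4, weak DH sizes, ...) in place, which is the narrowest change that lets the worker negotiate AES-GCM suites:

```java
import java.security.Security;
import java.util.Arrays;
import java.util.Objects;
import java.util.stream.Collectors;

import com.google.auto.service.AutoService;
import org.apache.beam.sdk.harness.JvmInitializer;
import org.apache.beam.sdk.options.PipelineOptions;

/**
 * Re-enables AES-GCM cipher suites on the worker JVM by dropping "GCM" from
 * jdk.tls.disabledAlgorithms. Discovered via ServiceLoader (@AutoService), so no
 * pipeline option changes are needed. Hypothetical class name.
 */
@AutoService(JvmInitializer.class)
public class EnableGcmJvmInitializer implements JvmInitializer {

  private static final String PROPERTY = "jdk.tls.disabledAlgorithms";

  @Override
  public void onStartup() {
    // JSSE reads this property once, when the first SSLContext is created, so the
    // change has to happen here, before any HTTPS call is made by the pipeline code.
    String before = Security.getProperty(PROPERTY);
    String after = removeGcm(before);
    if (!Objects.equals(before, after)) {
      Security.setProperty(PROPERTY, after);
    }
    // Leave a trace in the worker log so the effective TLS policy is auditable later.
    System.out.println(PROPERTY + " before=[" + before + "] after=[" + after + "]");
  }

  @Override
  public void beforeProcessing(PipelineOptions options) {
    // Nothing to do per bundle; the security property is process-wide.
  }

  /** Removes only the "GCM" entry; all other restrictions are kept as configured. */
  static String removeGcm(String disabled) {
    if (disabled == null) {
      return null;
    }
    return Arrays.stream(disabled.split(","))
        .map(String::trim)
        .filter(entry -> !entry.isEmpty() && !entry.equalsIgnoreCase("GCM"))
        .collect(Collectors.joining(", "));
  }
}
```

The printed before/after line is worth keeping: if the handshake still fails after deploying, the worker log tells you immediately whether the initializer actually ran before the first TLS connection was opened.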

Related

WireMock is not running in HTTPS mode

Here's my code:
wireMockServer = new WireMockServer(wireMockConfig().httpsPort(8443).keystorePath("/Users/me/keystore.jks").keystorePassword("password"));
wireMockServer.start();
The problem is that when I'm trying to connect I'm getting:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
It seems that WireMock operates on HTTP mode rather than on HTTPS mode.
Why?
WireMock is running in HTTPS mode when you specify .httpsPort(8443). The problem is that the library you are using to make the HTTPS call does not trust the SSL certificate.
There are multiple ways to do it; however, you should make sure that you do this only in the testing environment and not in production.
Here are a few resources to disable the SSL check.
https://stackoverflow.com/a/21257694/3892213
https://stackoverflow.com/a/2703233/3892213
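As an added example (not from the question, the answer, or WireMock itself), the test client can trust the exact keystore WireMock serves from instead of switching certificate checks off globally, which keeps the test honest about what "trusted" means. It assumes the keystore path and password from the question, that WireMock listens on localhost:8443, and a hypothetical /ping stub; the JDK's default trust manager treats the certificate of a private-key entry as trusted, so the same JKS file works as the truststore (if your trust manager does not, export the certificate into a separate truststore first):

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Test-only HTTPS client that trusts nothing but the WireMock test certificate. */
public class WireMockHttpsClient {

  /** Builds an SSLContext whose only trust anchor(s) come from the given JKS file. */
  static SSLContext trustOnlyKeystore(String path, char[] password) throws Exception {
    KeyStore trustStore = KeyStore.getInstance("JKS");
    try (InputStream in = new FileInputStream(path)) {
      trustStore.load(in, password);
    }
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);
    SSLContext ctx = SSLContext.getInstance("TLS");
    // null key managers: the client presents no certificate; trust comes only from the JKS.
    ctx.init(null, tmf.getTrustManagers(), null);
    return ctx;
  }

  public static void main(String[] args) throws Exception {
    SSLContext ctx = trustOnlyKeystore("/Users/me/keystore.jks", "password".toCharArray());
    HttpsURLConnection conn =
        (HttpsURLConnection) new URL("https://localhost:8443/ping").openConnection();
    conn.setSSLSocketFactory(ctx.getSocketFactory());
    // Self-signed test certs often carry no SAN for "localhost". Accept that one host
    // name only, rather than a verifier that returns true for everything.
    conn.setHostnameVerifier((host, session) -> "localhost".equals(host));
    System.out.println("HTTP " + conn.getResponseCode());
  }
}
```

Because the SSLContext is scoped to this connection rather than installed as the JVM default, the relaxation cannot leak into production code paths that happen to share the test classpath.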

Not authorized to connect (5) - MQTT google cloud IOT

I tried connecting to the Google Cloud IoT MQTT broker. I am getting Not authorized to connect (5) as an exception in the Java client.
The device_id and other details are correct. The public key is set for the device in Cloud IoT.
I am using the example code from the repo below.
https://github.com/GoogleCloudPlatform/java-docs-samples/tree/master/iot/api-client/mqtt_example
Another point to look at is the configured GCP IoT Core cloud region.
I had a similar problem with this. I configured the GCP IoT Core cloud region as "asia-east1", while on the client application side the default cloud region is "us-central1".
If the cloud region is not configured correctly, the Python/NodeJS IoT Core examples (mqtt, http, end2end) return errors such as:
Creating JWT using RS256 from private key file rsa_private.pem
Publishing message 1/100: 'test/test_1-payload-1'
('on_connect', 'Connection Refused: not authorised.')
('on_disconnect', '5: The connection was refused.')
To solve this, just pass the correct cloud region parameter to the command --cloud_region=asia-east1
Example:
python cloudiot_mqtt_example.py --project_id=project_id --registry_id=registry_id --device_id=device_id --private_key_file=rsa_private.pem --algorithm=RS256 --cloud_region=asia-east1
A couple of things to check:
1) Are you sure the format of the SSL key matches what you registered? RS256 vs. RS256 with X509, etc.?
2) Did you set up TLS on the MQTT client and grab the Google root certificate?
2a) >= TLS 1.2?
3) Verify that the JWT has the correct 'aud' value (project-id, not project-name), and that it has proper issue and expiry times.
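The two answers above come down to two strings the broker checks before anything else: the MQTT client ID, which embeds the cloud region, and the JWT used as the password, whose aud/iat/exp claims are listed in point 3. The following added example (not the Google sample code, and not from either answer) builds both with only the JDK. It assumes the PKCS#8 PEM layout of the samples' rsa_private.pem, placeholder project/registry/device IDs, a constructed 20-minute lifetime, and the documented 24-hour cap on JWT validity:

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

/** Builds the MQTT client ID and RS256 JWT that Cloud IoT Core expects. Hypothetical class. */
public class IotCoreCredentials {

  private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

  /** The region sits inside the client ID; a mismatch with the registry yields "not authorised". */
  static String clientId(String projectId, String cloudRegion, String registryId, String deviceId) {
    return "projects/" + projectId + "/locations/" + cloudRegion
        + "/registries/" + registryId + "/devices/" + deviceId;
  }

  /** Loads a PKCS#8 PEM private key (the rsa_private.pem format used by the samples). */
  static PrivateKey loadPkcs8Pem(String path) throws Exception {
    String pem = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.US_ASCII)
        .replace("-----BEGIN PRIVATE KEY-----", "")
        .replace("-----END PRIVATE KEY-----", "")
        .replaceAll("\\s", "");
    byte[] der = Base64.getDecoder().decode(pem);
    return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
  }

  /** Claims from the checklist: aud is the project ID (never the display name), iat/exp in seconds. */
  static String claims(String projectId, long iatSeconds, long lifetimeSeconds) {
    if (lifetimeSeconds <= 0 || lifetimeSeconds > 24 * 3600) {
      throw new IllegalArgumentException("IoT Core rejects tokens valid for more than 24h");
    }
    // Project IDs are limited to [a-z0-9-], so no JSON escaping is needed here.
    return "{\"iat\":" + iatSeconds + ",\"exp\":" + (iatSeconds + lifetimeSeconds)
        + ",\"aud\":\"" + projectId + "\"}";
  }

  static String createJwt(String projectId, PrivateKey key, long lifetimeSeconds) throws Exception {
    String header = B64URL.encodeToString(
        "{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
    long now = System.currentTimeMillis() / 1000;
    String payload = B64URL.encodeToString(
        claims(projectId, now, lifetimeSeconds).getBytes(StandardCharsets.UTF_8));
    String signingInput = header + "." + payload;
    Signature sig = Signature.getInstance("SHA256withRSA"); // RS256
    sig.initSign(key);
    sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
    return signingInput + "." + B64URL.encodeToString(sig.sign());
  }

  public static void main(String[] args) throws Exception {
    // Placeholder identifiers; replace with the values from your registry.
    String projectId = "my-project-id";
    System.out.println(clientId(projectId, "asia-east1", "my-registry", "my-device"));
    PrivateKey key = loadPkcs8Pem("rsa_private.pem");
    String jwt = createJwt(projectId, key, 20 * 60);
    // Decode the middle segment to eyeball aud/iat/exp before handing the token to the MQTT client.
    String[] parts = jwt.split("\\.");
    System.out.println(new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8));
  }
}
```

Printing the decoded claims is the quickest way to catch the mistake in point 3: if aud shows a human-readable project name, or exp is in the past because the device clock drifts, the broker's generic "not authorised" reply has nothing more to tell you.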

AWS DynamoDbMapper Error... Caused by: javax.net.ssl.SSLProtocolException:

I am trying to implement DynamoDBMapper from AWS but the application crashes when I try to connect to the AWS servers.
To start, I am running Android 4.4.2 on an Android Studio emulator and everything seems to be working fine. No problems there. Nonetheless, when I try to run on an actual device (running 4.4.2 on a Tablet... don't know the manufacturer), I get the following error:
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x6bffcdf0: Failure in SSL library, usually a protocol error error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available (external/openssl/ssl/s23_clnt.c:486 0x68474ce0:0x00000000)
Here is the full stack trace:
Caused by: com.amazonaws.AmazonClientException: Unable to execute HTTP request: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x6bffcdf0: Failure in SSL library, usually a protocol error error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available (external/openssl/ssl/s23_clnt.c:486 0x68474ce0:0x00000000)
com.amazonaws.http.AmazonHttpClient.executeHelper AmazonHttpClient.java:421
com.amazonaws.http.AmazonHttpClient.execute AmazonHttpClient.java:196
com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient.invoke AmazonDynamoDBClient.java:3257
com.amazonaws.services.dynamodbv2.AmazonDynamoDBClient.getItem AmazonDynamoDBClient.java:904
com.amazonaws.mobileconnectors.dynamodbv2.dynamodbmapper.DynamoDBMapper.load DynamoDBMapper.java:393
com.amazonaws.mobileconnectors.dynamodbv2.dynamodbmapper.DynamoDBMapper.load DynamoDBMapper.java:466
com.amazonaws.mobileconnectors.dynamodbv2.dynamodbmapper.DynamoDBMapper.load DynamoDBMapper.java:340
####.#####.####$####.doInBackground MainActivity.java:1259
####.#####.####$####.doInBackground MainActivity.java:1237
android.os.AsyncTask$2.call AsyncTask.java:288
java.util.concurrent.FutureTask.run FutureTask.java:237
... 4 more
Followed by:
Caused by: javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x6bffcdf0: Failure in SSL library, usually a protocol error error:140740B5:SSL routines:SSL23_CLIENT_HELLO:no ciphers available (external/openssl/ssl/s23_clnt.c:486 0x68474ce0:0x00000000)
com.android.org.conscrypt.NativeCrypto.SSL_do_handshake Native Method
com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake OpenSSLSocketImpl.java:406
com.android.okhttp.Connection.upgradeToTls Connection.java:146
com.android.okhttp.Connection.connect Connection.java:107
com.android.okhttp.internal.http.HttpEngine.connect HttpEngine.java:294
com.android.okhttp.internal.http.HttpEngine.sendSocketRequest HttpEngine.java:255
com.android.okhttp.internal.http.HttpEngine.sendRequest HttpEngine.java:206
com.android.okhttp.internal.http.HttpURLConnectionImpl.execute HttpURLConnectionImpl.java:345
com.android.okhttp.internal.http.HttpURLConnectionImpl.connect HttpURLConnectionImpl.java:89
com.android.okhttp.internal.http.HttpURLConnectionImpl.getOutputStream HttpURLConnectionImpl.java:197
com.android.okhttp.internal.http.HttpsURLConnectionImpl.getOutputStream HttpsURLConnectionImpl.java:254
com.amazonaws.http.UrlHttpClient.writeContentToConnection UrlHttpClient.java:128
com.amazonaws.http.UrlHttpClient.execute UrlHttpClient.java:65
com.amazonaws.http.AmazonHttpClient.executeHelper AmazonHttpClient.java:353
... 14 more
And here is my sourcecode:
BasicAWSCredentials awsCredentials = new BasicAWSCredentials("abcdef12345","blahblahblah");
AmazonDynamoDBClient dynamoDBClient = new AmazonDynamoDBClient(awsCredentials);
DynamoDBMapper dbMapper = new DynamoDBMapper(dynamoDBClient);
//.... then eventually .....
AWSDriverNameTable awsDriverNameTable = dbMapper.load(AWSDriverNameTable.class, merchantID);
It is that last line of code where the error begins.
Now, I have looked around on SO and a few search engines and have learned that some Android devices fall back to SSL v3, while the server I am trying to connect to uses TLS v1.0 (went to www.ssllabs.com and found out that it does use TLS 1.0). Here is another SO question where someone seems to have solved an issue very similar to this:
How to disable SSLv3 in android for HttpsUrlConnection?
Thus, if this is what is causing the issue (SSLv3 needing to be removed), how can I go about configuring the AmazonDynamoDBClient to use only TLS 1.0? I noticed you can create a ClientConfiguration and use:
clientConfiguration.getApacheHttpClientConfig().setSslSocketFactory(NoSSLv3SocketFactory);
and supply it with the awsCredentials in the AmazonDynamoDbClient constructor. But, it accepts:
org.apache.http.conn.ssl.SSLSocketFactory
not
javax.net.ssl.SSLSocketFactory
which is what is used in the answer from the link I provided (not to mention Android Studio is informing me that org.apache.http.conn.ssl.SSLSocketFactory is deprecated).
At any rate, any help with this matter would be much appreciated. Thanks!
You can use org.apache.http.conn.ssl.SSLConnectionSocketFactory instead of org.apache.http.conn.ssl.SSLSocketFactory.
From the JavaDoc of SSLSocketFactory (https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/ssl/SSLSocketFactory.html) -
Deprecated.
(4.3) use SSLConnectionSocketFactory
Some services like Cognito support TLSv1.0+, while some say DynamoDB supports only TLSv1.0 (not above). If your device supports TLSv1.0, it should work then. Since you said the code works on emulator but not on the tablet, it's hard to say where the problem is. I suggest you try these:
Visit https://dynamodb.us-west-2.amazonaws.com in your browser. If your device can handle TLSv1.0, you should see healthy: dynamodb.us-west-2.amazonaws.com.
Run the same code on a different device.
Some notes from comments:
SSLv3 has been deprecated on all AWS services.
Remove aws-java-sdk and use aws-android-sdk. The latter has lots of optimizations for Android.
aws-android-sdk uses HttpURLConnection as the default HTTP library.
To test what protocols a service supports, use this command:
openssl s_client -connect dynamodb.us-west-2.amazonaws.com:443

Poodle and Websphere ESB / Process Server trying to call an external TLS service

I had the following error when calling a service that requests at least TLS (no SSL3 for you Poodle!).
com.ibm.websphere.sca.ServiceUnavailableException: Could not obtain a connection to the destination or Exception was happened on the connection. Failed to process the request. Unsupported record version Unknown-0.0
at com.ibm.ws.http.imprt.handler.HTTPImportService.sendHTTPRequest(HTTPImportService.java:254)
at com.ibm.ws.http.imprt.handler.HTTPImportHandler.processMessage(HTTPImportHandler.java:261)
at com.ibm.ws.sca.internal.message.impl.MessageDispatcherImpl.processMessageWithPCI(MessageDispatcherImpl.java:785)
at com.ibm.ws.sca.internal.message.impl.MessageDispatcherImpl.processMessage(MessageDispatcherImpl.java:1626)
at com.ibm.ws.sca.internal.message.impl.ManagedMessageImpl.process(ManagedMessageImpl.java:999)
at com.ibm.ws.sca.uow.handler.UOWNativeWASStrategyImpl.transactionImportExport(UOWNativeWASStrategyImpl.java:455)
at com.ibm.ws.sca.uow.handler.JoinUOWNativeHandler.processMessage(JoinUOWNativeHandler.java:168)
at com.ibm.ws.sca.internal.message.impl.MessageDispatcherImpl.processMessageWithPCI(MessageDispatcherImpl.java:785)
at com.ibm.ws.sca.internal.message.impl.MessageDispatcherImpl.processMessage(MessageDispatcherImpl.java:1626)
at com.ibm.ws.sca.internal.message.impl.ManagedMessageImpl.process(ManagedMessageImpl.java:990)
at com.ibm.ws.sibx.mediation.flowaction.impl.sca.SCAInvocationAction.invokeSync(SCAInvocationAction.java:554)
at com.ibm.ws.sibx.mediation.flowaction.impl.sca.RetryControl.invokeByStyle(RetryControl.java:379)
at com.ibm.ws.sibx.mediation.flowaction.impl.sca.RetryControl.invokeWithRetry(RetryControl.java:253)
at com.ibm.ws.sibx.mediation.flowaction.impl.sca.ServiceInvocation.complete(ServiceInvocation.java:127)
at com.ibm.ws.sibx.mediation.flowaction.impl.sca.FlowActionFactoryImpl.create(FlowActionFactoryImpl.java:750)
at com.ibm.ws.sibx.mediation.primitives.serviceinvoke.ServiceInvokeMediation.invokeFlowAction(ServiceInvokeMediation.java:651)
at com.ibm.ws.sibx.mediation.primitives.serviceinvoke.ServiceInvokeMediation.mediate(ServiceInvokeMediation.java:564)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.performInvocation(JavaMediationPrimitive.java:741)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.performInvocationWithCatch(JavaMediationPrimitive.java:577)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.invoke(JavaMediationPrimitive.java:397)
at com.ibm.ws.sibx.scax.mediation.engine.SIBXJavaMediationPrimitive.invoke(SIBXJavaMediationPrimitive.java:108)
at com.ibm.ws.sibx.scax.mediation.engine.MediationPrimitive.invokeConnections(MediationPrimitive.java:344)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.fireOutputTerminals(JavaMediationPrimitive.java:843)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.performInvocation(JavaMediationPrimitive.java:763)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.performInvocationWithCatch(JavaMediationPrimitive.java:577)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.invoke(JavaMediationPrimitive.java:397)
at com.ibm.ws.sibx.scax.mediation.engine.MediationPrimitive.invokeConnections(MediationPrimitive.java:344)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.fireOutputTerminals(JavaMediationPrimitive.java:843)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.performInvocation(JavaMediationPrimitive.java:763)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.performInvocationWithCatch(JavaMediationPrimitive.java:577)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.invoke(JavaMediationPrimitive.java:397)
at com.ibm.ws.sibx.scax.mediation.engine.MediationPrimitive.invokeConnections(MediationPrimitive.java:344)
at com.ibm.ws.sibx.scax.mediation.engine.Input.invoke(Input.java:245)
The config was Websphere 8.0.0.7 with Websphere Process Server 8.0.1.2 and I was calling to an HTTP service using an HTTP import through https, the WAS was already using a SSL configuration with TLS (tried several options, all same error) and the ssl.client.props file is already following the IBM recommendations (tried several combinations).
Then we moved to FIPS with transitional support but another issue appeared
com.ibm.websphere.sca.ServiceUnavailableException: Could not obtain a connection to the destination or Exception was happened on the connection. Failed to process the request. SSL protocol cannot be enabled in FIPS/SP800_131/suiteb mode
at com.ibm.ws.http.imprt.handler.HTTPImportService.sendHTTPRequest(HTTPImportService.java:254)
at com.ibm.ws.http.imprt.handler.HTTPImportHandler.processMessage(HTTPImportHandler.java:261)
at com.ibm.ws.sca.internal.message.impl.MessageDispatcherImpl.processMessageWithPCI(MessageDispatcherImpl.java:785)
at com.ibm.ws.sca.internal.message.impl.MessageDispatcherImpl.processMessage(MessageDispatcherImpl.java:1626)
at com.ibm.ws.sca.internal.message.impl.ManagedMessageImpl.process(ManagedMessageImpl.java:999)
at com.ibm.ws.sca.uow.handler.UOWNativeWASStrategyImpl.transactionImportExport(UOWNativeWASStrategyImpl.java:455)
at com.ibm.ws.sca.uow.handler.JoinUOWNativeHandler.processMessage(JoinUOWNativeHandler.java:168)
The problem was within the HTTP import internal component (was using SSL as a hardcoded configuration) so I wrote my own HTTP client in a custom Java and called it a day. No fix pack at that moment.

netbeans 8.0 incorrect credentials to repository using ssh

When I try to connect to my EC2 server, using Netbeans(Git-Remote-Push), I get "incorrect credentials coonecting to repository at SSH://xx.xx.xxx.xx/git-repo"
In my ide.log, I get the following message:
"WARNING [org.netbeans.modules.progress.spi.InternalHandle]: Cannot call progress on a task that was never started at org.netbeans.modules.git.client.GitProgressSupport.setProgressMessage(GitProgressSupport.java:247)
INFO [org.netbeans.modules.git.ui.repository.remote.SelectUriStep]: Auth failed when accessing ssh://54.77.226.97/git-repo
com.jcraft.jsch.JSchException: Algorithm negotiation fail"
Steps I have taken to overcome the problem.
I can connect using git-bash OK
I have used ssh-keygen to generate the keys
I have downloaded JCE 8 unlimited strength policy files.
Any help much appreciated, thanks
"Algorithm negotiation fail" means that the SSH client implementation NetBeans uses and the server implementation cannot find a mutual algorithm for encryption/compression.
The reason could be that an administrator doesn't want the server to support insecure or doubtful algorithms from now on. So you have to find an update for NetBeans.
