I am running RabbitMQ 3.6.1/Erlang 18.3, and find that I am unable to establish a TLSv1 or TLSv1.1 session with the broker using the Spring AMQP 1.5.4.RELEASE Java client. I am, however, able to establish a TLSv1.2 session with the broker. My RabbitMQ broker is configured to support all three of tlsv1, tlsv1.1, and tlsv1.2. I am using Java 1.8.0_77-b03 on OS X.
Here is my RabbitMQ configuration:
https://gist.github.com/ae6rt/de06d1efecf62fbe8cef31774d9be3d7
Erlang on the broker reports ssl versions
# erl
Eshell V7.3 (abort with ^G)
1> ssl:versions().
[{ssl_app,"7.3"},
{supported,['tlsv1.2','tlsv1.1',tlsv1]},
{available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]
This is the error RabbitMQ logs upon failure:
=ERROR REPORT==== 22-Apr-2016::03:19:02 ===
SSL: hello: tls_handshake.erl:167:Fatal error: insufficient security
I used tcpdump to sniff the traffic on the secure port 5671 during TLS setup. Here is tshark's formatting of that data:
Frame 4: 210 bytes on wire (1680 bits), 210 bytes captured (1680 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Apr 21, 2016 20:09:38.053439000 PDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1461294578.053439000 seconds
[Time delta from previous captured frame: 0.013675000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.013840000 seconds]
Frame Number: 4
Frame Length: 210 bytes (1680 bits)
Capture Length: 210 bytes (1680 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:ssl]
Ethernet II, Src: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c), Dst: 02:42:ac:11:00:02 (02:42:ac:11:00:02)
Destination: 02:42:ac:11:00:02 (02:42:ac:11:00:02)
Address: 02:42:ac:11:00:02 (02:42:ac:11:00:02)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)
Address: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.2.2, Dst: 172.17.0.2
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 196
Identification: 0x0a1e (2590)
Flags: 0x00
0... .... = Reserved bit: Not set
.0.. .... = Don't fragment: Not set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 63
Protocol: TCP (6)
Header checksum: 0xb901 [validation disabled]
[Good: False]
[Bad: False]
Source: 10.0.2.2
Destination: 172.17.0.2
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 39141 (39141), Dst Port: 5671 (5671), Seq: 1, Ack: 1, Len: 156
Source Port: 39141
Destination Port: 5671
[Stream index: 0]
[TCP Segment Len: 156]
Sequence number: 1 (relative sequence number)
[Next sequence number: 157 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Header Length: 20 bytes
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: *******AP***]
Window size value: 65535
[Calculated window size: 65535]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x6ef9 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
[SEQ/ACK analysis]
[iRTT: 0.000165000 seconds]
[Bytes in flight: 156]
Secure Sockets Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 151
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 147
Version: TLS 1.0 (0x0301)
Random
GMT Unix Time: Apr 21, 2016 20:09:38.000000000 PDT
Random Bytes: 742380f15c78a0409bd2817911699637f5c7879f27bf6dc1...
Session ID Length: 0
Cipher Suites Length: 44
Cipher Suites (22 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 62
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 52
Elliptic Curves Length: 50
Elliptic curves (25 curves)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: sect163k1 (0x0001)
Elliptic curve: sect163r2 (0x0003)
Elliptic curve: secp192r1 (0x0013)
Elliptic curve: secp224r1 (0x0015)
Elliptic curve: sect233k1 (0x0006)
Elliptic curve: sect233r1 (0x0007)
Elliptic curve: sect283k1 (0x0009)
Elliptic curve: sect283r1 (0x000a)
Elliptic curve: secp384r1 (0x0018)
Elliptic curve: sect409k1 (0x000b)
Elliptic curve: sect409r1 (0x000c)
Elliptic curve: secp521r1 (0x0019)
Elliptic curve: sect571k1 (0x000d)
Elliptic curve: sect571r1 (0x000e)
Elliptic curve: secp160k1 (0x000f)
Elliptic curve: secp160r1 (0x0010)
Elliptic curve: secp160r2 (0x0011)
Elliptic curve: sect163r1 (0x0002)
Elliptic curve: secp192k1 (0x0012)
Elliptic curve: sect193r1 (0x0004)
Elliptic curve: sect193r2 (0x0005)
Elliptic curve: secp224k1 (0x0014)
Elliptic curve: sect239k1 (0x0008)
Elliptic curve: secp256k1 (0x0016)
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Frame 6: 61 bytes on wire (488 bits), 61 bytes captured (488 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Apr 21, 2016 20:09:38.053842000 PDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1461294578.053842000 seconds
[Time delta from previous captured frame: 0.000377000 seconds]
[Time delta from previous displayed frame: 0.000403000 seconds]
[Time since reference or first frame: 0.014243000 seconds]
Frame Number: 6
Frame Length: 61 bytes (488 bits)
Capture Length: 61 bytes (488 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:ssl]
Ethernet II, Src: 02:42:ac:11:00:02 (02:42:ac:11:00:02), Dst: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)
Destination: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)
Address: 02:42:f5:68:bc:7c (02:42:f5:68:bc:7c)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: 02:42:ac:11:00:02 (02:42:ac:11:00:02)
Address: 02:42:ac:11:00:02 (02:42:ac:11:00:02)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 172.17.0.2, Dst: 10.0.2.2
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 47
Identification: 0x3fb8 (16312)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0x42fc [validation disabled]
[Good: False]
[Bad: False]
Source: 172.17.0.2
Destination: 10.0.2.2
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 5671 (5671), Dst Port: 39141 (39141), Seq: 1, Ack: 157, Len: 7
Source Port: 5671
Destination Port: 39141
[Stream index: 0]
[TCP Segment Len: 7]
Sequence number: 1 (relative sequence number)
[Next sequence number: 8 (relative sequence number)]
Acknowledgment number: 157 (relative ack number)
Header Length: 20 bytes
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: *******AP***]
Window size value: 30016
[Calculated window size: 30016]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0xb836 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
[SEQ/ACK analysis]
[iRTT: 0.000165000 seconds]
[Bytes in flight: 7]
Secure Sockets Layer
TLSv1 Record Layer: Alert (Level: Fatal, Description: Insufficient Security)
Content Type: Alert (21)
Version: TLS 1.0 (0x0301)
Length: 2
Alert Message
Level: Fatal (2)
Description: Insufficient Security (71)
Here is the Spring connection failure:
org.springframework.amqp.AmqpIOException: javax.net.ssl.SSLHandshakeException: Received fatal alert: insufficient_security
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at java.io.DataOutputStream.flush(DataOutputStream.java:123)
at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:129)
at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:134)
at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:277)
at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:647)
at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.createBareConnection(AbstractConnectionFactory.java:273)
at org.springframework.amqp.rabbit.connection.CachingConnectionFactory.createConnection(CachingConnectionFactory.java:510)
at com.xoom.inf.amqp.TlsTest.contactBrokerOverTLS(TlsTest.java:42)
My RabbitMQ broker is configured to negotiate tlsv1, tlsv1.1, and tlsv1.2. Why does the TLS setup fail for tlsv1 and tlsv1.1 when the broker should support that? The same Java client could negotiate TLSv1 with a RabbitMQ 3.3.1/Erlang R16B02 broker.
Thank you.
There were some regressions in the Erlang ssl application in the 18.3.x series. One of them caused what you are seeing: clients rejected during handshake, with insufficient security logged on the server-side. If I remember correctly, this appeared in patch 18.3.3 and was fixed in 18.3.4. This is not a problem from the client.
There is a regression in 18.3.2, fixed in 18.3.3, which prevented RabbitMQ from starting at all (due to a change in the representation of cipher suites).
Thus it is recommended to stay on 18.3 (the initial release) or update to 19.x.
We have a redis-sentinel cluster consisting of three VMs running redis and sentinel, and I am using the redisson library to connect to it.
However we are facing an issue when connecting to it.
It seems that when it gets the list of sentinels, it gets the master as non ssl.
Versions:
redis 6
java 1.8
redisson 3.16.4
Here is the sentinel configuration on the VMs:
port 0
tls-port 26379
tls-cert-file "/etc/ssl/redis/redis.crt"
tls-key-file "/etc/ssl/redis/redis.key"
tls-ca-cert-file "/etc/ssl/redis/ca_uat.crt"
tls-replication yes
tls-auth-clients yes
daemonize no
pidfile "/var/run/redis-sentinel.pid"
sentinel myid e93ca95c2bd17723461f3d2a84296934f560c46e
sentinel deny-scripts-reconfig yes
sentinel monitor redis-cluster 182.26.3.54 6379 2
sentinel down-after-milliseconds redis-cluster 5000
logfile "/var/log/redis/sentinel.log"
dir "/tmp"
requirepass password
# Generated by CONFIG REWRITE
protected-mode no
supervised systemd
user default on #1d38e11ad3cff25192a679ae05dd0cebaa746da9185a66f719ff19311472a02f ~* +#all
sentinel failover-timeout redis-cluster 60000
sentinel auth-pass redis-cluster password
sentinel config-epoch redis-cluster 70
sentinel leader-epoch redis-cluster 70
sentinel known-replica redis-cluster 182.26.3.21 6379
sentinel known-replica redis-cluster 182.26.3.51 6379
sentinel known-sentinel redis-cluster 182.26.3.54 26379 2294c0239d9137af32e5d4b0fc2836e12727f13a
sentinel known-sentinel redis-cluster 182.26.3.51 26379 e69c7f50bb633a04981a20f54c7f5edcd46fc0c8
sentinel current-epoch 70
And here is the non-default redis config:
port 0
tls-port 6379
tls-cert-file /etc/ssl/redis/redis.crt
tls-key-file /etc/ssl/redis/redis.key
tls-ca-cert-file /etc/ssl/redis/ca_uat.crt
tls-replication yes
tls-auth-clients yes
masterauth password
requirepass password
Here is the redisson YAML config:
---
sentinelServersConfig:
  idleConnectionTimeout: 100000
  connectTimeout: 100000
  timeout: 30000
  retryAttempts: 3
  retryInterval: 1500
  password: "password"
  subscriptionsPerConnection: 5
  sslEnableEndpointIdentification: false
  sslProvider: "JDK"
  sslTruststore: "file:/resources/redis-cluster.jks"
  sslTruststorePassword: "Jpass"
  sslKeystore: "file:/resources/redis-cluster.jks"
  sslKeystorePassword: "Jpass"
  sslProtocols:
  - "TLSv1.2"
  pingConnectionInterval: 30000
  keepAlive: false
  tcpNoDelay: true
  nameMapper: !<org.redisson.api.DefaultNameMapper> {}
  loadBalancer: !<org.redisson.connection.balancer.RoundRobinLoadBalancer> {}
  slaveConnectionMinimumIdleSize: 24
  slaveConnectionPoolSize: 64
  failedSlaveReconnectionInterval: 3000
  failedSlaveCheckInterval: 180000
  masterConnectionMinimumIdleSize: 24
  masterConnectionPoolSize: 64
  readMode: "SLAVE"
  subscriptionMode: "SLAVE"
  subscriptionConnectionMinimumIdleSize: 1
  subscriptionConnectionPoolSize: 50
  dnsMonitoringInterval: 5000
  sentinelAddresses:
  - "rediss://redis03.corp.com:26379"
  - "rediss://redis02.corp.com:26379"
  - "rediss://redis01.corp.com:26379"
  natMapper: !<org.redisson.api.DefaultNatMapper> {}
  masterName: "redis-cluster"
  sentinelPassword: "password"
  database: 0
  scanInterval: 1000
  checkSentinelsList: true
  checkSlaveStatusWithSyncing: true
threads: 16
nettyThreads: 32
codec: !<org.redisson.codec.MarshallingCodec> {}
referenceEnabled: true
transportMode: "NIO"
lockWatchdogTimeout: 300000
reliableTopicWatchdogTimeout: 6000000
keepPubSubOrder: true
useScriptCache: false
minCleanUpDelay: 5
maxCleanUpDelay: 1800
cleanUpKeysAmount: 100
nettyHook: !<org.redisson.client.DefaultNettyHook> {}
useThreadClassLoader: true
addressResolverGroupFactory: !<org.redisson.connection.DnsAddressResolverGroupFactory> {}
And here is the code to create the connection:
try {
    reddisonConfig = Config.fromYAML(configFile);
    logger.warn(reddisonConfig.toYAML());
} catch (IOException e) {
    logger.warn("Unable to load configuration file");
    logger.warn("file location is" + configFile.getAbsolutePath());
    setConnected(false);
    utilityClass.logMe(logger, e);
}
try {
    Rclient = Redisson.create(reddisonConfig);
    setConnected(true);
} catch (Exception e) {
    logger.warn(
            "Problem connecting to redis ");
    setConnected(false);
    utilityClass.logMe(logger, e);
}
And here is the error I get when I start the service:
2021-11-15 12:36:20.652 [restartedMain] INFO org.redisson.Version : Redisson 3.16.4
2021-11-15 12:36:21.008 [restartedMain] INFO o.r.c.SentinelConnectionManager : master: redis://182.26.3.21:6379 added
2021-11-15 12:36:21.016 [restartedMain] INFO o.r.c.SentinelConnectionManager : slave: rediss://182.26.3.54:6379 added
2021-11-15 12:36:21.016 [restartedMain] INFO o.r.c.SentinelConnectionManager : slave: rediss://182.26.3.51:6379 added
2021-11-15 12:36:21.094 [redisson-netty-11-10] INFO o.r.c.SentinelConnectionManager : sentinel: rediss://182.26.3.51:26379 added
2021-11-15 12:36:21.094 [redisson-netty-11-11] INFO o.r.c.SentinelConnectionManager : sentinel: rediss://182.26.3.54:26379 added
2021-11-15 12:36:21.102 [redisson-netty-11-9] INFO o.r.c.SentinelConnectionManager : sentinel: rediss://182.26.3.21:26379 added
2021-11-15 12:36:51.244 [restartedMain] WARN c.b.p.utilities.CacheUtil : Problem connecting to redis server
2021-11-15 12:36:51.245 [restartedMain] ERROR c.b.p.utilities.CacheUtil : Exception occurred at restartedMain Exception Message
org.redisson.client.RedisConnectionException: Unable to connect to Redis server: 182.26.3.21/182.26.3.21:6379
at org.redisson.connection.pool.ConnectionPool$1.lambda$run$0(ConnectionPool.java:158)
at org.redisson.misc.RedissonPromise.lambda$onComplete$0(RedissonPromise.java:183)
at io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:578)
at io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:552)
at io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:491)
at io.netty.util.concurrent.DefaultPromise.setValue0(DefaultPromise.java:616)
at io.netty.util.concurrent.DefaultPromise.setFailure0(DefaultPromise.java:609)
at io.netty.util.concurrent.DefaultPromise.tryFailure(DefaultPromise.java:117)
at org.redisson.misc.RedissonPromise.tryFailure(RedissonPromise.java:96)
at org.redisson.connection.pool.ConnectionPool.promiseFailure(ConnectionPool.java:313)
at org.redisson.connection.pool.ConnectionPool.lambda$createConnection$3(ConnectionPool.java:279)
at org.redisson.misc.RedissonPromise.lambda$onComplete$0(RedissonPromise.java:183)
at io.netty.util.concurrent.DefaultPromise.notifyListener0(DefaultPromise.java:578)
at io.netty.util.concurrent.DefaultPromise.notifyListeners0(DefaultPromise.java:571)
at io.netty.util.concurrent.DefaultPromise.notifyListenersNow(DefaultPromise.java:550)
at io.netty.util.concurrent.DefaultPromise.notifyListeners(DefaultPromise.java:491)
at io.netty.util.concurrent.DefaultPromise.setValue0(DefaultPromise.java:616)
at io.netty.util.concurrent.DefaultPromise.setFailure0(DefaultPromise.java:609)
at io.netty.util.concurrent.DefaultPromise.tryFailure(DefaultPromise.java:117)
at org.redisson.misc.RedissonPromise.tryFailure(RedissonPromise.java:96)
at org.redisson.client.RedisClient$2$1.run(RedisClient.java:242)
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:164)
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:500)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.redisson.client.RedisTimeoutException: Command execution timeout for command: (AUTH), params: (password masked), Redis client: [addr=redis://182.26.3.21:6379]
at org.redisson.client.RedisConnection.lambda$async$1(RedisConnection.java:251)
at io.netty.util.HashedWheelTimer$HashedWheelTimeout.expire(HashedWheelTimer.java:672)
at io.netty.util.HashedWheelTimer$HashedWheelBucket.expireTimeouts(HashedWheelTimer.java:747)
at io.netty.util.HashedWheelTimer$Worker.run(HashedWheelTimer.java:472)
... 2 common frames omitted
I can see that it tries to connect to the master redis using redis://182.26.3.21:6379 instead of rediss://182.26.3.21:6379, which I gather is needed for a TLS connection.
I used the ssl scan tool to verify that ssl 1.2 is enabled, and here is the output:
D:\Users\03856u\Documents\sslScan>sslscan 182.26.3.21:6379
Version: 2.0.10 Windows 64-bit (Mingw)
OpenSSL 1.1.1e-dev xx XXX xxxx
Connected to 182.26.3.21
Testing SSL server 182.26.3.21 on port 6379 using SNI name 182.26.3.21
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 enabled
TLS Fallback SCSV:
Server supports TLS Fallback SCSV
TLS renegotiation:
Session renegotiation not supported
TLS Compression:
Compression disabled
Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253
Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253
Accepted TLSv1.3 128 bits TLS_AES_128_CCM_SHA256 Curve 25519 DHE 253
Server Key Exchange Group(s):
TLSv1.3 128 bits secp256r1 (NIST P-256)
TLSv1.3 192 bits secp384r1 (NIST P-384)
TLSv1.3 260 bits secp521r1 (NIST P-521)
TLSv1.3 128 bits x25519
TLSv1.3 224 bits x448
TLSv1.2 128 bits secp256r1 (NIST P-256)
TLSv1.2 192 bits secp384r1 (NIST P-384)
TLSv1.2 260 bits secp521r1 (NIST P-521)
TLSv1.2 128 bits x25519
TLSv1.2 224 bits x448
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048
Subject: redis.corp.com
Altnames: DNS:redis.corp.com, DNS:redis03.corp.com, DNS:redis01.corp.com, DNS:redis02.corp.com, IP Address:182.26.3.21, IP Address:182.26.3.54, IP Address:182.26.3.51
Issuer: UAT-CA
Not valid before: Oct 4 05:19:14 2021 GMT
Not valid after: Oct 3 05:19:14 2026 GMT
I have opened an issue on GitHub and I was told that there was no issue with the library in connecting to sentinel on SSL, so I am guessing it's an issue in my configuration.
I looked at the documentation on GitHub and couldn't figure it out.
Any help is welcome.
EDIT: So it seems that it was a bug with redisson. An issue was opened and a solution was proposed, the creator created a fix, and I tried it and it is working.
link to the github issue: https://github.com/redisson/redisson/issues/3950
Here is the situation: the SSLServerSocket timeout is set to 10 seconds. Everything works as expected, BUT if a client is trying to establish a TLS connection and "hangs" during negotiation, the socket waits forever and ignores the 10-second timeout, and the connection is terminated only by the client. This is some hacker activity or some kind of other activity. Is this a Java secure socket vulnerability?
Activity log:
SMTP PID=184 Date=2019-08-26,07:32:45 DEBUG: new connection from host [66.45.239.113] to port 465 (United States)
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:32:45.547 EEST|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLS13
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:32:45.548 EEST|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLS13
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:32:45.548 EEST|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 for TLS13
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:32:45.548 EEST|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLS13
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:32:45.548 EEST|HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384 for TLS13
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:35:03.253 EEST|SSLSocketInputRecord.java:458|Raw read (
0000: 80 4C 01 03 01 .L...
)
javax.net.ssl|ERROR|CE|Thread-191|2019-08-26 07:35:03.254 EEST|TransportContext.java:312|Fatal (HANDSHAKE_FAILURE): SSLv2Hello is not enabled (
"throwable" : {
javax.net.ssl.SSLHandshakeException: SSLv2Hello is not enabled
at java.base/sun.security.ssl.SSLSocketInputRecord.handleUnknownRecord(SSLSocketInputRecord.java:366)
at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:184)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:721)
at java.base/sun.security.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:331)
at com.xsistema.xmailserver.mail.smtp.session.SMTPConnection.getTLSVersion(SMTPConnection.java:141)
at com.xsistema.xmailserver.mail.smtp.session.SMTPConnection.run(SMTPConnection.java:240)}
)
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:35:03.254 EEST|SSLSocketOutputRecord.java:71|WRITE: TLS13 alert(handshake_failure), length = 2
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:35:03.254 EEST|SSLSocketOutputRecord.java:85|Raw write (
0000: 15 03 03 00 02 02 28 ......(
)
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:35:03.254 EEST|SSLSocketImpl.java:1389|close the underlying socket
javax.net.ssl|DEBUG|CE|Thread-191|2019-08-26 07:35:03.254 EEST|SSLSocketImpl.java:1408|close the SSL connection (initiative)
javax.net.ssl|ERROR|CE|Thread-191|2019-08-26 07:35:03.254 EEST|SSLSocketImpl.java:334|handshake failed (
"throwable" : {
javax.net.ssl.SSLHandshakeException: SSLv2Hello is not enabled
at java.base/sun.security.ssl.SSLSocketInputRecord.handleUnknownRecord(SSLSocketInputRecord.java:366)
at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:184)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:108)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1180)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1091)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:721)
at java.base/sun.security.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:331)
at com.xsistema.xmailserver.mail.smtp.session.SMTPConnection.getTLSVersion(SMTPConnection.java:141)
at com.xsistema.xmailserver.mail.smtp.session.SMTPConnection.run(SMTPConnection.java:240)}
)
SMTP PID=184 Date=2019-08-26,07:35:03 DEBUG: SSL socket cipher suite: NONE:SSL-NULL-WITH-NULL-NULL
SMTP PID=184 Date=2019-08-26,07:35:03 DEBUG: connection from remote host [66.45.239.113] was closed and removed. Current active or waiting connections: 3
The client connected at 07:32:45, and sent some bytes only after more than 2 minutes, at 07:35:03. So in this scenario it can send the first bytes after an hour or more, and the connection will be open. And if it sends 1000 requests and waits, 1000 connections will be open forever? Perhaps the solution is to measure the time before reading the InputStream?
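An added example, not code from the original post: in Java, `setSoTimeout` on a `ServerSocket` limits only `accept()`, so each accepted socket needs its own read timeout before the first call that triggers the handshake (`getSession()` in the trace above), plus an overall deadline for peers that trickle bytes. The class name, the timeout values and the stalled loopback client are constructed for illustration; it assumes JDK 11 or later and the default `SSLContext` with no keystore, which is enough to exercise the stalled-handshake path.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import javax.net.ServerSocketFactory;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

public class HandshakeDeadlineDemo {

    // One daemon thread that enforces the overall handshake budget.
    static final ScheduledExecutorService WATCHDOG =
            Executors.newSingleThreadScheduledExecutor(r -> {
                Thread t = new Thread(r, "tls-handshake-watchdog");
                t.setDaemon(true);
                return t;
            });

    /**
     * Runs the TLS handshake under two limits and returns the negotiated
     * protocol, or null (with the socket closed) if the peer stalled or the
     * handshake failed.
     */
    static String handshakeWithDeadline(SSLSocket socket, int readTimeoutMs, int totalDeadlineMs) {
        // A peer that trickles bytes restarts SO_TIMEOUT on every read, so the
        // watchdog also closes the socket once the total budget is spent.
        ScheduledFuture<?> kill = WATCHDOG.schedule(
                () -> closeQuietly(socket), totalDeadlineMs, TimeUnit.MILLISECONDS);
        try {
            // SO_TIMEOUT on the accepted socket bounds each blocking read,
            // including the wait for the ClientHello.
            socket.setSoTimeout(readTimeoutMs);
            // Handshake explicitly instead of implicitly through getSession().
            socket.startHandshake();
            return socket.getSession().getProtocol();
        } catch (IOException e) {
            // Timeout, watchdog close or handshake failure; the concrete
            // exception type differs between JDK versions.
            closeQuietly(socket);
            return null;
        } finally {
            kill.cancel(false);
        }
    }

    static void closeQuietly(Socket socket) {
        try {
            socket.close();
        } catch (IOException ignored) {
            // Nothing useful to do if close itself fails.
        }
    }

    public static void main(String[] args) throws Exception {
        ServerSocketFactory factory = SSLServerSocketFactory.getDefault();
        InetAddress loopback = InetAddress.getLoopbackAddress();
        try (ServerSocket server = factory.createServerSocket(0, 50, loopback);
             // Constructed stalled client: completes the TCP connect, then sends nothing.
             Socket stalled = new Socket(loopback, server.getLocalPort())) {

            server.setSoTimeout(10_000); // limits accept() only, not the handshake
            SSLSocket accepted = (SSLSocket) server.accept();

            long start = System.nanoTime();
            String protocol = handshakeWithDeadline(accepted, 2_000, 5_000);
            long elapsedMs = (System.nanoTime() - start) / 1_000_000;

            System.out.println("protocol=" + protocol
                    + " closed=" + accepted.isClosed()
                    + " elapsedMs=" + elapsedMs);
            closeQuietly(accepted);
        }
    }
}
```

Once the handshake succeeds, set a separate, longer read timeout for the application protocol if idle sessions should be allowed to live longer than the handshake.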
I am having a problem connecting to SQL Server 2012 using TLS1.2. Below is the code, network trace and output from NMap. From the trace and Nmap output I think it looks like there is a cipher problem but I am not sure. The trace tells me the handshake starts with TLS 1.2 but then the connection gets closed and I don't know why. If it is a cipher problem, how does the handshake determine which cipher to use and where are the possible ciphers stored?
Using: IBM Java 6, SQL Server 2012, sqljdbc4.jar
Thanks
public static void doConnect2()
{
    try
    {
        System.setProperty("javax.net.debug", "all");
        System.setProperty("javax.net.debug","ssl:handshake:verbose");
        System.setProperty("com.ibm.jsse2.overrideDefaultTLS","true");
        Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver").newInstance();
        Connection conn = DriverManager.getConnection(
            "jdbc:sqlserver://MIMV-DBTE02;databaseName=CMS",
            "userid",
            "password");
    }
    catch(Exception e)
    {
        System.out.println(e.getMessage());
    }
}
Network Trace:
IBMJSSE2 will not allow protocol SSLv3 per com.ibm.jsse2.disableSSLv3 set to TRUE or default
IBMJSSEProvider2 Build-Level: -20171020
IBMJSSE2 will set SSLContext per com.ibm.jsse2.overrideDefaultTLS set to true
Installed Providers =
IBMPKCS11Impl
IBMJCE
IBMJSSE2
IBMJGSSProvider
IBMCertPath
IBMCMSProvider
IBMSPNEGO
IBMSASL
IBMXMLCRYPTO
IBMXMLEnc
Policy
keyStore is: C:\IBM\WebSphere85\AppServer\java\jre\lib\security\cacerts
keyStore type is: jks
keyStore provider is:
init keystore
SSLContextImpl: Using X509ExtendedKeyManager com.ibm.jsse2.id
SSLContextImpl: Using X509TrustManager com.microsoft.sqlserver.jdbc.TDSChannel$PermissiveX509TrustManager
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
trigger seeding of SecureRandom
done seeding SecureRandom
IBMJSSE2 will enable CBC protection
IBMJSSE2 to send SCSV Cipher Suite on initial ClientHello
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
jdk.tls.client.protocols is defined as null
SSLv3 protocol was requested but was not enabled
SSLv3 protocol was requested but was not enabled
SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
CLIENT_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
IBMJSSE2 will not allow unsafe server certificate change during renegotiation per jdk.tls.allowUnsafeServerCertChange set to FALSE or default
Is initial handshake: true
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1505038140 bytes = { 3, 147, 184, 179, 43, 30, 167, 241, 216, 122, 188, 126, 82, 179, 249, 106, 59, 94, 84, 130, 211, 236, 170, 210, 180, 91, 234, 57 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA256withDSA, SHA1withDSA, MD5withRSA
***
main, WRITE: TLSv1.2 Handshake, length = 101
main, called close()
main, called closeInternal(true)
main, SEND TLSv1 ALERT: warning, description = close_notify
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket(selfInitiated)
main, waiting for close_notify or alert: state 5
main, received EOFException: ignored
main, called closeInternal(false)
main, close invoked again; state = 5
main, handling exception: java.io.IOException: SQL Server did not return a response. The connection has been closed. ClientConnectionId:8d6d75fb-67d7-4114-9f62-cd6886be0557
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
Mar 23, 2018 10:29:17 AM com.microsoft.sqlserver.jdbc.TDSChannel enableSSL
INFO: java.security path: C:\IBM\WebSphere85\AppServer\java\jre\lib\security
Security providers: [IBMPKCS11Impl version 1.6, IBMJCE version 1.2, IBMJSSE2 version 1.6, IBMJGSSProvider version 1.6, IBMCertPath version 1.1, IBMCMSProvider version 59.0, IBMSPNEGO version 1.0, IBMSASL version 1.5, IBMXMLCRYPTO version 1.0, IBMXMLEnc version 1.0, Policy version 1.0]
SSLContext provider info: IBM JSSE provider2 (implements IbmX509 key/trust factories, SSLv3, TLSv1)
SSLContext provider services:
[Provider IBMJSSE2 Service SSLContext.SSL com.ibm.jsse2.uc
Aliases []
Attributes {}, Provider IBMJSSE2 Service SSLContext.SSL_TLSv2 com.ibm.jsse2.wc
Aliases []
Attributes {}, Provider IBMJSSE2 Service SSLContext.TLSv1 com.ibm.jsse2.zc
Aliases []
Attributes {}, Provider IBMJSSE2 Service KeyManagerFactory.NewIbmX509 com.ibm.jsse2.rc$b_
Aliases []
Attributes {}, Provider IBMJSSE2 Service SSLContext.SSL_TLS com.ibm.jsse2.vc
Aliases []
Attributes {}, Provider IBMJSSE2 Service TrustManagerFactory.IbmX509 com.ibm.jsse2.fd$b_
Aliases []
Attributes {}, Provider IBMJSSE2 Service SSLContext.TLSv1.1 com.ibm.jsse2.ad
Aliases []
Attributes {}, Provider IBMJSSE2 Service SSLContext.TLS com.ibm.jsse2.yc
Aliases []
Attributes {}, Provider IBMJSSE2 Service KeyManagerFactory.IbmX509 com.ibm.jsse2.rc$a_
Aliases []
Attributes {}, Provider IBMJSSE2 Service SSLContext.TLSv1.2 com.ibm.jsse2.bd
Aliases []
Attributes {}, Provider IBMJSSE2 Service TrustManagerFactory.PKIX com.ibm.jsse2.fd$a_
Aliases [IbmPKIX, X509, X.509]
Attributes {}, Provider IBMJSSE2 Service SSLContext.Default com.ibm.jsse2.tc
Aliases []
Attributes {}]
java.ext.dirs: C:\IBM\WebSphere85\AppServer\java\jre\lib\ext
NMap:
1433/tcp open ms-sql-s
| ssl-enum-ciphers:
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Weak certificate signature: SHA1
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Weak certificate signature: SHA1
|_ least strength: A
Need some help fixing an error for an application that connects to an SMTP server (Lotus Notes server). I have already tried several suggestions on SO, but none of them worked. The application is able to connect to the SMTP server and do a handshake.
However, it gives an error after STARTTLS is initiated. I also commented out a line in the java.security file as suggested on the Oracle website, since we are using Java 8, but it's still not working.
I also have a small utility to check which SSL protocols are enabled, and SSLv3, TLS, TLSv1, TLSv1.2 are all enabled. I can't understand why the server would want to use SSLv3 and then say "could not convert socket to TLS". It doesn't make any sense.
Code Truncated
@Service
public class ManifestEmailService {
    private static final Logger logger = Logger.getLogger(ManifestEmailService.class);

    @Autowired
    private JavaMailSender mailSender;

    public void sendManifestMail(MailProperties prop, String recipient, String msgBody) {
        logger.info("Creating Email Body");
        logger.info("Sender mail: " + prop.getSender() + " Sender Subject: " + prop.getMailSubject());
        SimpleMailMessage msg = new SimpleMailMessage();
        msg.setFrom(prop.getSender());
        msg.setTo(recipient);
        msg.setSubject("FHL");
        msg.setText(msgBody);
        try {
            logger.info("Sending mail message");
            mailSender.send(msg);
        } catch (MailException mEx) {
            logger.error("Problem sending email..." + mEx);
        }
    }
}

@Configuration
public class ManifestoConfig {
    @Bean
    public JavaMailSender getJavaMailSender() {
        JavaMailSenderImpl mailSender = new JavaMailSenderImpl();
        FileProcessor io = new FileProcessor();
        Properties props = io.loadManifestoProperties(manifestoPropPath);
        logger.info("Configure Mail Properties ... ");
        mailSender.setHost(props.getProperty("sender.mail.host"));
        mailSender.setPort(Integer.valueOf(props.getProperty("sender.mail.port")));
        mailSender.setUsername(props.getProperty("sender.mail.username"));
        mailSender.setPassword(props.getProperty("sender.mail.password"));
        // The same properties file also carries the mail.smtp.* keys for the JavaMail session
        mailSender.setJavaMailProperties(io.loadManifestoProperties(manifestoPropPath));
        return mailSender;
    }
}
Properties File
sender.mail.username=rubbishemail1@lt.com
sender.mail.password=rubbishpassword1
sender.mail.subject=FHL
sender.mail.host=smtp.lotus.server.com
sender.mail.port=25
mail.transport.protocol=smtp
mail.smtp.auth=true
mail.smtp.starttls.enable=true
mail.smtp.timeout=5000
mail.smtp.ssl.enable=false
mail.debug=true
ERROR LOG
2017-05-18 11:53:27.206 INFO 4804 --- [nio-8080-exec-6] org.fhl.service.ManifestEmailService : Sending mail message
DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Oracle]
DEBUG SMTP: useEhlo true, useAuth true
DEBUG SMTP: trying to connect to host "smtp.lotus.server.com", port 25, isSSL false
220 lotus.mail.server ESMTP Service (Lotus Domino Release 8.5.3FP6) ready at Thu, 18 May 2017 08:53:27 +0100
DEBUG SMTP: connected to host "smtp.lotus.server.com", port: 25
EHLO client_user
250-lotus.mail.server Hello client_user ([10.210.136.6]), pleased to meet you
250-TLS
250-HELP
250-STARTTLS
250-DSN
250-SIZE 52428800
250 PIPELINING
DEBUG SMTP: Found extension "TLS", arg ""
DEBUG SMTP: Found extension "HELP", arg ""
DEBUG SMTP: Found extension "STARTTLS", arg ""
DEBUG SMTP: Found extension "DSN", arg ""
DEBUG SMTP: Found extension "SIZE", arg "52428800"
DEBUG SMTP: Found extension "PIPELINING", arg ""
STARTTLS
220 Ready to start TLS
2017-05-18 11:53:28.236 ERROR 4804 --- [nio-8080-exec-6] org.fhl.service.ManifestEmailService : Problem sending email...org.springframework.mail.MailSendException: Mail server connection failed; nested exception is javax.mail.MessagingException: Could not convert socket to TLS;
nested exception is:
javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.. Failed messages: javax.mail.MessagingException: Could not convert socket to TLS;
nested exception is:
javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.; message exceptions (1) are:
Failed message 1: javax.mail.MessagingException: Could not convert socket to TLS;
nested exception is:
javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.
SSL Logs
[DEBUG] 2017-06-07 11:27:34.171 [JavaFX Application Thread] ManifestEmailService - Load Mail Properties in into Javamail Session
DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Sun Microsystems, Inc]
DEBUG SMTP: useEhlo true, useAuth true
DEBUG SMTP: useEhlo true, useAuth true
DEBUG SMTP: trying to connect to host "164.39.7.92", port 25, isSSL false
220 lotus.mail.server ESMTP Service (Lotus Domino Release 8.5.3FP6) ready at Wed, 7 Jun 2017 08:27:34 +0100
DEBUG SMTP: connected to host "smtp.lotus.server.com", port: 25
EHLO CHOL162
250-lotus.mail.server Hello CHOL162 ([10.210.136.21]), pleased to meet you
250-TLS
250-HELP
250-STARTTLS
250-DSN
250-SIZE 52428800
250 PIPELINING
DEBUG SMTP: Found extension "TLS", arg ""
DEBUG SMTP: Found extension "HELP", arg ""
DEBUG SMTP: Found extension "STARTTLS", arg ""
DEBUG SMTP: Found extension "DSN", arg ""
DEBUG SMTP: Found extension "SIZE", arg "52428800"
DEBUG SMTP: Found extension "PIPELINING", arg ""
STARTTLS
220 Ready to start TLS
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
EHLO CHOL162
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1496754662 bytes = { 245, 148, 158, 245, 226, 89, 218, 187, 38, 214, 67, 188, 66, 204, 91, 194, 210, 37, 14, 168, 255, 103, 89, 232, 246, 99, 61, 8 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [type=host_name (0), value=gbahelbv3.gb.tntpost.com]
***
JavaFX Application Thread, WRITE: TLSv1 Handshake, length = 140
JavaFX Application Thread, READ: SSLv3 Handshake, length = 58
*** ServerHello, SSLv3
RandomCookie: GMT: 1499415798 bytes = { 174, 160, 140, 96, 215, 83, 21, 198, 214, 57, 208, 183, 191, 65, 44, 179, 197, 159, 101, 44, 176, 53, 215, 81, 122, 49, 174, 189 }
Session ID: {193, 186, 187, 85, 52, 17, 137, 84, 154, 122, 240, 123, 100, 244, 27, 22}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
***
JavaFX Application Thread, handling exception: javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.
JavaFX Application Thread, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
JavaFX Application Thread, WRITE: TLSv1.2 Alert, length = 2
JavaFX Application Thread, called closeSocket()
[ERROR] 2017-06-07 11:27:34.911 [JavaFX Application Thread] ManifestEmailService - Mail Message crap!!!javax.mail.MessagingException: Can't send command to SMTP host;
nested exception is:
javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.
javax.net.ssl.SSLHandshakeException: Server chose SSLv3
This means that you connected to a server which is using an obsolete and insecure protocol version of SSL/TLS, namely SSL 3.0. This protocol is disabled in Java 8 by default for security reasons.
The best way is to fix the broken server so that it supports newer versions of SSL/TLS. Apart from that, a server supporting only SSL 3.0 is probably not only insecure regarding SSL/TLS but also has several other security problems.
If upgrading the server is not an option, see "How to enable SSL 3 in Java" for how to work around this broken server by allowing the insecure SSL 3.0 protocol.
I'm having a hard time connecting to a service with client authentication. The service ("SecureService") is on AWS. The clients are on a Linux VM on my Mac. Nginx on SecureService enforces Client Authentication on the resource I'm accessing on port 443. I can get a successful response connecting from the same VM to the same SecureService, using a proof of concept Java standalone application (openjdk 1.8.0_60) or other clients (wget, openssl), but not from the same Java code hosted on Websphere AS (admittedly relying on older libraries and IBM J9 VM, build 2.6, JRE 1.6.0). When remapping the SecureService hostname to 127.0.0.1 in /etc/hosts, though, that same java code on Websphere AS connects successfully to a local openSSL server requiring client authentication from the same Certification Authority. The response from SecureServer in the failing connection reports "400 No required SSL certificate was sent"... "400 Bad Request", but tcpdump packet captures show it's NOT sending a Certificate Request, whereas it is in all the other cases. This is puzzling and leads me to think there is something in the ClientHello message that the server doesn't like, though ClientHello messages in successful and failing connections are very similar.
A quite odd detail is also that tcpdump never captures the first TCP SYN packet from my client to the server in the failing communication, while it captures the rest (SYN + ACK from the server, then ACK from the client) and all the packets (SYN, SYN + ACK, ACK) on all other communications.
All communications use TLSv1.2 in all their parts.
Failing connection:
(client <--> server)
<-- SYN, ACK
--> ACK
--> Client Hello
<-- ACK
<-- Server Hello, Certificate, Server Hello Done
--> ACK
--> Client Key Exchange
<-- ACK
--> Change Cipher Spec
<-- ACK
--> Encrypted Handshake Message
<-- ACK
<-- Change Cipher Spec, Encrypted Handshake Message
--> Application Data
...
Successful connection from proof of concept Java app:
(client <--> server)
--> SYN
<-- SYN, ACK
--> ACK
--> Client Hello
<-- ACK
<-- Server Hello
<-- Certificate
<-- Certificate Request, Server Hello Done
--> ACK
--> ACK
--> [TCP segment of a reassembled PDU]
--> Certificate, Client Key Exchange
<-- ACK
--> Certificate Verify
--> Change Cipher Spec
--> Hello Request, Hello Request
<-- ACK
<-- Change Cipher Spec, Encrypted Handshake Message
--> Application Data
...
Successful connection from Websphere AS to local openSSL:
(client <--> server)
--> SYN
<-- SYN, ACK
--> ACK
--> Client Hello
<-- ACK
<-- Server Hello, Certificate, Certificate Request, Server Hello Done
--> ACK
--> Certificate, Client Key Exchange
<-- ACK
--> Certificate Verify
--> Change Cipher Spec
--> Encrypted Handshake Message
<-- ACK
<-- Change Cipher Spec, Encrypted Handshake Message
--> Application Data
...
Failing Client Hello:
Frame 3: 332 bytes on wire (2656 bits), 332 bytes captured (2656 bits)
Encapsulation type: Linux cooked-mode capture (25)
Arrival Time: Feb 25, 2016 13:29:15.353437000 GMT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1456406955.353437000 seconds
[Time delta from previous captured frame: 0.004839000 seconds]
[Time delta from previous displayed frame: 0.004839000 seconds]
[Time since reference or first frame: 0.004868000 seconds]
Frame Number: 3
Frame Length: 332 bytes (2656 bits)
Capture Length: 332 bytes (2656 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: sll:ethertype:ip:tcp:ssl]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Linux cooked capture
Packet type: Sent by us (4)
Link-layer address type: 1
Link-layer address length: 6
Source: CadmusCo_67:0a:c1 (08:00:27:67:0a:c1)
Protocol: IPv4 (0x0800)
Internet Protocol Version 4, Src: (OMITTED FOR SECURITY REASONS), Dst: (OMITTED FOR SECURITY REASONS)
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 316
Identification: 0xf29d (62109)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0xc7f8 [validation disabled]
[Good: False]
[Bad: False]
Source: (OMITTED FOR SECURITY REASONS)
Destination: (OMITTED FOR SECURITY REASONS)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 51512 (51512), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 276
Source Port: 51512
Destination Port: 443
[Stream index: 0]
[TCP Segment Len: 276]
Sequence number: 1 (relative sequence number)
[Next sequence number: 277 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Header Length: 20 bytes
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: *******AP***]
Window size value: 14600
[Calculated window size: 14600]
[Window size scaling factor: -2 (no window scaling used)]
Checksum: 0x8054 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
[SEQ/ACK analysis]
[Bytes in flight: 276]
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 271
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 267
Version: TLS 1.2 (0x0303)
Random
GMT Unix Time: Feb 25, 2016 13:29:15.000000000 GMT
Random Bytes: 2ca99e72b66289fcd3f11bf2dc3ef464709b197e6dd6cdd5...
Session ID Length: 32
Session ID: 28eef056a41440e760eaa9e3358a9cd56d8823fa130e9100...
Cipher Suites Length: 128
Cipher Suites (64 suites)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066)
Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
Cipher Suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
Cipher Suite: TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Cipher Suite: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA (0xfeff)
Cipher Suite: SSL_RSA_FIPS_WITH_DES_CBC_SHA (0xfefe)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_RSA_WITH_NULL_MD5 (0x0001)
Cipher Suite: TLS_RSA_WITH_NULL_SHA (0x0002)
Cipher Suite: TLS_RSA_WITH_NULL_SHA256 (0x003b)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 66
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 24
Elliptic Curves Length: 22
Elliptic curves (11 curves)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: secp192r1 (0x0013)
Elliptic curve: secp224r1 (0x0015)
Elliptic curve: secp384r1 (0x0018)
Elliptic curve: secp521r1 (0x0019)
Elliptic curve: secp160k1 (0x000f)
Elliptic curve: secp160r1 (0x0010)
Elliptic curve: secp160r2 (0x0011)
Elliptic curve: secp192k1 (0x0012)
Elliptic curve: secp224k1 (0x0014)
Elliptic curve: secp256k1 (0x0016)
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: signature_algorithms
Type: signature_algorithms (0x000d)
Length: 28
Signature Hash Algorithms Length: 26
Signature Hash Algorithms (13 algorithms)
Signature Hash Algorithm: 0x0603
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0601
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0503
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0501
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0403
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0401
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0303
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0301
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0203
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0201
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0402
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: DSA (2)
Signature Hash Algorithm: 0x0202
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: DSA (2)
Signature Hash Algorithm: 0x0101
Signature Hash Algorithm Hash: MD5 (1)
Signature Hash Algorithm Signature: RSA (1)
Successful Client Hello from proof of concept to SecureServer:
Frame 62: 306 bytes on wire (2448 bits), 306 bytes captured (2448 bits) on interface 0
Interface id: 0 (en0)
Encapsulation type: Ethernet (1)
Arrival Time: Feb 24, 2016 17:20:21.803009000 GMT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1456334421.803009000 seconds
[Time delta from previous captured frame: 0.119948000 seconds]
[Time delta from previous displayed frame: 0.119948000 seconds]
[Time since reference or first frame: 17.897514000 seconds]
Frame Number: 62
Frame Length: 306 bytes (2448 bits)
Capture Length: 306 bytes (2448 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp:ssl]
[Coloring Rule Name: TCP]
[Coloring Rule String: tcp]
Ethernet II, Src: Apple_bc:c7:11 (a4:5e:60:bc:c7:11), Dst: CiscoInc_76:28:80 (a4:4c:11:76:28:80)
Destination: CiscoInc_76:28:80 (a4:4c:11:76:28:80)
Address: CiscoInc_76:28:80 (a4:4c:11:76:28:80)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Apple_bc:c7:11 (a4:5e:60:bc:c7:11)
Address: Apple_bc:c7:11 (a4:5e:60:bc:c7:11)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: (OMITTED FOR SECURITY REASONS), Dst: (OMITTED FOR SECURITY REASONS)
0100 .... = Version: 4
.... 0101 = Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
0000 00.. = Differentiated Services Codepoint: Default (0)
.... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
Total Length: 292
Identification: 0xa8b7 (43191)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0x279c [validation disabled]
[Good: False]
[Bad: False]
Source: (OMITTED FOR SECURITY REASONS)
Destination: (OMITTED FOR SECURITY REASONS)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 62197 (62197), Dst Port: 443 (443), Seq: 1, Ack: 1, Len: 240
Source Port: 62197
Destination Port: 443
[Stream index: 9]
[TCP Segment Len: 240]
Sequence number: 1 (relative sequence number)
[Next sequence number: 241 (relative sequence number)]
Acknowledgment number: 1 (relative ack number)
Header Length: 32 bytes
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
[TCP Flags: *******AP***]
Window size value: 4122
[Calculated window size: 131904]
[Window size scaling factor: 32]
Checksum: 0xc3c5 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
Timestamps: TSval 928661973, TSecr 546145009
Kind: Time Stamp Option (8)
Length: 10
Timestamp value: 928661973
Timestamp echo reply: 546145009
[SEQ/ACK analysis]
[iRTT: 0.016102000 seconds]
[Bytes in flight: 240]
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Length: 235
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 231
Version: TLS 1.2 (0x0303)
Random
GMT Unix Time: Feb 24, 2016 17:20:21.000000000 GMT
Random Bytes: fbb67137e8cde6609cb570685f6c9b5a62eefbc12973b545...
Session ID Length: 0
Cipher Suites Length: 58
Cipher Suites (29 suites)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)
Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)
Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)
Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
Extensions Length: 132
Extension: elliptic_curves
Type: elliptic_curves (0x000a)
Length: 52
Elliptic Curves Length: 50
Elliptic curves (25 curves)
Elliptic curve: secp256r1 (0x0017)
Elliptic curve: sect163k1 (0x0001)
Elliptic curve: sect163r2 (0x0003)
Elliptic curve: secp192r1 (0x0013)
Elliptic curve: secp224r1 (0x0015)
Elliptic curve: sect233k1 (0x0006)
Elliptic curve: sect233r1 (0x0007)
Elliptic curve: sect283k1 (0x0009)
Elliptic curve: sect283r1 (0x000a)
Elliptic curve: secp384r1 (0x0018)
Elliptic curve: sect409k1 (0x000b)
Elliptic curve: sect409r1 (0x000c)
Elliptic curve: secp521r1 (0x0019)
Elliptic curve: sect571k1 (0x000d)
Elliptic curve: sect571r1 (0x000e)
Elliptic curve: secp160k1 (0x000f)
Elliptic curve: secp160r1 (0x0010)
Elliptic curve: secp160r2 (0x0011)
Elliptic curve: sect163r1 (0x0002)
Elliptic curve: secp192k1 (0x0012)
Elliptic curve: sect193r1 (0x0004)
Elliptic curve: sect193r2 (0x0005)
Elliptic curve: secp224k1 (0x0014)
Elliptic curve: sect239k1 (0x0008)
Elliptic curve: secp256k1 (0x0016)
Extension: ec_point_formats
Type: ec_point_formats (0x000b)
Length: 2
EC point formats Length: 1
Elliptic curves point formats (1)
EC point format: uncompressed (0)
Extension: signature_algorithms
Type: signature_algorithms (0x000d)
Length: 26
Signature Hash Algorithms Length: 24
Signature Hash Algorithms (12 algorithms)
Signature Hash Algorithm: 0x0603
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0601
Signature Hash Algorithm Hash: SHA512 (6)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0503
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0501
Signature Hash Algorithm Hash: SHA384 (5)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0403
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0401
Signature Hash Algorithm Hash: SHA256 (4)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0303
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0301
Signature Hash Algorithm Hash: SHA224 (3)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0203
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: ECDSA (3)
Signature Hash Algorithm: 0x0201
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: RSA (1)
Signature Hash Algorithm: 0x0202
Signature Hash Algorithm Hash: SHA1 (2)
Signature Hash Algorithm Signature: DSA (2)
Signature Hash Algorithm: 0x0101
Signature Hash Algorithm Hash: MD5 (1)
Signature Hash Algorithm Signature: RSA (1)
Extension: server_name
Type: server_name (0x0000)
Length: 36
Server Name Indication extension
Server Name list length: 34
Server Name Type: host_name (0)
Server Name length: 31
Server Name: (OMITTED FOR SECURITY REASONS - IT CORRESPONDS TO THE DESTINATION HOSTNAME)
Tcpdump command line:
sudo tcpdump -s 0 -n "port 443" -w /Repo/security/capture.cap -i any
Has anyone got any idea what could be going wrong? I don't have administration rights or even an account to log in on the server, at the moment.
SOLVED - I have found that the Nginx server requires a "server_name" extension to be specified in the Client Hello. In fact the following openssl command prompts the server to issue a Certificate Request...
/usr/local/Cellar/openssl/1.0.2e/bin/openssl s_client -cert client_identity.crt -key client_identity.key -connect SecureServerHostName:443 -debug <post_request.txt -tls1_2 -servername SecureServerHostName
...while omitting the "-servername" option doesn't.
How I will force WebsphereAS to add that extension is another pair of shoes. Perhaps upgrading the version of Java will help, by updating the implementation of the TLS protocol.
Update: Yes, upgrading the IBM JDK from 1.6 to 1.7.1 worked, generating Client Hello messages with Server Name Indication, as mentioned here ("By default Java SE 7 enables Server Name Indication (SNI).").