JMXConnector failed to connect with ssl keystore - java

I am trying to connect to an MBean Server on another machine with an SSL keystore, but I'm seeing this error. I have a keystore and truststore on the other server as well. I also noticed that both machines have different Java versions. I'm not sure if that's the problem or if I'm missing something.
java.rmi.ConnectIOException: Exception creating connection to: 10.1.7.259; nested exception is:
java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:631)
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:216)
at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:130)
at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2432)
at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:308)
at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:270)
at com.stop.monitor.giab.JMXListenerClient.connect(JMXListenerClient.java:153)
at com.stop.monitor.giab.JMXListenerClient.main(JMXListenerClient.java:72)
Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:248)
at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:262)
at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(SslRMIClientSocketFactory.java:121)
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:613)
... 9 more
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
at java.security.Provider$Service.newInstance(Provider.java:1617)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:122)
at javax.rmi.ssl.SslRMIClientSocketFactory.getDefaultClientSocketFactory(SslRMIClientSocketFactory.java:207)
at javax.rmi.ssl.SslRMIClientSocketFactory.createSocket(SslRMIClientSocketFactory.java:117)
at sun.rmi.transport.tcp.TCPEndpoint.newSocket(TCPEndpoint.java:613)
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:216)
at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:342)
at sun.rmi.transport.DGCImpl_Stub.dirty(Unknown Source)
at sun.rmi.transport.DGCClient$EndpointEntry.makeDirtyCall(DGCClient.java:361)
at sun.rmi.transport.DGCClient$EndpointEntry.registerRefs(DGCClient.java:303)
at sun.rmi.transport.DGCClient.registerRefs(DGCClient.java:139)
at sun.rmi.transport.ConnectionInputStream.registerRefs(ConnectionInputStream.java:94)
at sun.rmi.transport.StreamRemoteCall.releaseInputStream(StreamRemoteCall.java:157)
at sun.rmi.transport.StreamRemoteCall.done(StreamRemoteCall.java:313)
at sun.rmi.server.UnicastRef.done(UnicastRef.java:451)
at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
at com.sun.jndi.rmi.registry.RegistryContext.lookup(RegistryContext.java:118)
at com.sun.jndi.toolkit.url.GenericURLContext.lookup(GenericURLContext.java:205)
at javax.naming.InitialContext.lookup(InitialContext.java:417)
at javax.management.remote.rmi.RMIConnector.findRMIServerJNDI(RMIConnector.java:1957)
at javax.management.remote.rmi.RMIConnector.findRMIServer(RMIConnector.java:1924)
at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:287)
... 3 more
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1445)
at sun.security.ssl.TrustManagerFactoryImpl.getCacertsKeyStore(TrustManagerFactoryImpl.java:226)
at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultTrustManager(SSLContextImpl.java:767)
at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:733)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
at java.security.Provider$Service.newInstance(Provider.java:1595)
... 29 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
... 39 more

Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
from TrustManagerFactoryImpl
from SSLContextImpl$DefaultSSLContext.getDefaultTrustManager
Make sure your truststore is valid by doing keytool -list with the password (don't hit return to bypass it). I don't think it's possible to create trustedcert entries in a JKS that are incompatible between Java versions (it is in some cases for privatekey entries), but to be on the safe side use the keytool of the JRE the problematic client uses -- and of course the same file.
Make sure the system property javax.net.ssl.trustStore has the filename (if not the default, JRE/lib/security/[jsse]cacerts) and javax.net.ssl.trustStorePassword has the correct password (always).
Also, if the truststore format is not JKS (or PKCS12 in a sufficiently recent Java 8 JRE with keystore.type.compat left at its default), specify javax.net.ssl.trustStoreType. But people who know how to create unusual stores like that don't ask questions like yours.

The problem was an issue with the firewall. It was because the URL used to connect did not specify the second port, so it just used a random port.
// did not specify the second port, which resulted in a random second port being used
String url = "service:jmx:rmi://somehost:9010/jndi/rmi://somehost/jmxrmi";
final JMXConnector jmxConnector = JMXConnectorFactory.connect(new JMXServiceURL(url));
// this worked because now only one port is used
String url = "service:jmx:rmi://somehost:9010/jndi/rmi://somehost:9010/jmxrmi";
final JMXConnector jmxConnector = JMXConnectorFactory.connect(new JMXServiceURL(url));
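An added example, not the poster's code: a JMX client that pins the RMI registry and the RMI server to the same port, together with the agent-side flags that make such a URL work. The host, port, role name and password are hypothetical placeholders; the agent's certificate is assumed to be trusted by the client's truststore.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.HashMap;
import java.util.Map;

import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.rmi.ssl.SslRMIClientSocketFactory;

/**
 * Connects to a remote JMX agent whose RMI registry and RMI server listen on ONE
 * port, so a firewall only needs that single port open. The target JVM is assumed
 * to have been started with (placeholder values, substitute your own):
 *
 *   -Dcom.sun.management.jmxremote.port=9010
 *   -Dcom.sun.management.jmxremote.rmi.port=9010
 *   -Dcom.sun.management.jmxremote.ssl=true
 *   -Dcom.sun.management.jmxremote.registry.ssl=true
 *   -Dcom.sun.management.jmxremote.authenticate=true
 *   -Djavax.net.ssl.keyStore=/path/to/agent.jks -Djavax.net.ssl.keyStorePassword=...
 *
 * Without jmxremote.rmi.port the RMI server is exported on an ephemeral port, which
 * is exactly the "random second port" the single-port URL cannot reach through a firewall.
 */
public final class PinnedJmxClient {

    /** Builds a service URL that names the same port for the registry and the RMI server. */
    static JMXServiceURL pinnedUrl(String host, int port) throws MalformedURLException {
        return new JMXServiceURL(
            "service:jmx:rmi://" + host + ":" + port + "/jndi/rmi://" + host + ":" + port + "/jmxrmi");
    }

    /** Client environment: credentials plus an SSL socket factory for the registry lookup. */
    static Map<String, Object> clientEnv(String user, String password) {
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] { user, password });
        // Required when the agent runs with jmxremote.registry.ssl=true; otherwise the
        // JNDI lookup of "jmxrmi" speaks plaintext to an SSL registry and the handshake fails.
        env.put("com.sun.jndi.rmi.factory.socket", new SslRMIClientSocketFactory());
        return env;
    }

    public static void main(String[] args) throws IOException {
        String host = args.length > 0 ? args[0] : "somehost";            // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 9010;   // placeholder port
        // The client trusts the agent's certificate through its own truststore, e.g.
        //   -Djavax.net.ssl.trustStore=/path/to/client-truststore.jks
        //   -Djavax.net.ssl.trustStorePassword=...
        JMXServiceURL url = pinnedUrl(host, port);
        try (JMXConnector connector =
                 JMXConnectorFactory.connect(url, clientEnv("monitorRole", "placeholder-password"))) {
            MBeanServerConnection mbsc = connector.getMBeanServerConnection();
            System.out.println("Connected to " + url + "; MBeans visible: " + mbsc.getMBeanCount());
        }
    }
}
```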

Related

BouncyCastle FIPS mode - check SSL certificate revocation using CRLDP

I am using the BouncyCastle library with FIPS mode enabled for SSL communication, so I have only 3 providers in the java.security file, as follows:
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
security.provider.3=SUN
I have written a simple program to test the connection to one of our sites:
// enable revocation check
System.setProperty("com.sun.net.ssl.checkRevocation", "true");
// enable CDP
System.setProperty("com.sun.security.enableCRLDP", "true");
System.setProperty("org.bouncycastle.x509.enableCRLDP", "true");
// disable OCSP
Security.setProperty("ocsp.enable", "false");
URL url = new URL("<my-web-site>");
HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
connection.connect();
However, the connection fails with the following error:
org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.checkServerTrusted(ProvSSLSocketDirect.java:134)
at org.bouncycastle.jsse.provider.ProvTlsClient$1.notifyServerCertificate(ProvTlsClient.java:335)
at org.bouncycastle.tls.TlsUtils.processServerCertificate(TlsUtils.java:4544)
at org.bouncycastle.tls.TlsClientProtocol.handleServerCertificate(TlsClientProtocol.java:842)
at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(TlsClientProtocol.java:728)
at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(TlsProtocol.java:652)
at org.bouncycastle.tls.TlsProtocol.processRecord(TlsProtocol.java:548)
at org.bouncycastle.tls.RecordStream.readRecord(RecordStream.java:232)
at org.bouncycastle.tls.TlsProtocol.safeReadRecord(TlsProtocol.java:800)
at org.bouncycastle.tls.TlsProtocol.blockForHandshake(TlsProtocol.java:396)
at org.bouncycastle.tls.TlsClientProtocol.connect(TlsClientProtocol.java:91)
at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(ProvSSLSocketDirect.java:430)
at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(ProvSSLSocketDirect.java:411)
at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:567)
at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:171)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:142)
at com.test.TestConnection.main(TestConnection.java:153)
Caused by: java.security.cert.CertificateException: Unable to construct a valid chain
at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(ProvX509TrustManager.java:308)
at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkTrusted(ProvX509TrustManager.java:267)
at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkServerTrusted(ProvX509TrustManager.java:174)
at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.checkServerTrusted(ProvSSLSocketDirect.java:130)
... 16 more
Caused by: java.security.cert.CertPathBuilderException: Certification path could not be validated.
at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.engineBuild(Unknown Source)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at org.bouncycastle.jsse.provider.ProvX509TrustManager.buildCertPath(ProvX509TrustManager.java:240)
at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(ProvX509TrustManager.java:295)
... 19 more
Caused by: java.security.cert.CertPathValidatorException: No CRLs found for issuer "CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US"
at org.bouncycastle.jcajce.provider.RFC3280CertPathUtilities.processCertA(Unknown Source)
at org.bouncycastle.jcajce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.build(Unknown Source)
at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.build(Unknown Source)
at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.build(Unknown Source)
... 23 more
Caused by: org.bouncycastle.jcajce.provider.AnnotatedException: No CRLs found for issuer "CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US"
at org.bouncycastle.jcajce.provider.CertPathValidatorUtilities.getCompleteCRLs(Unknown Source)
at org.bouncycastle.jcajce.provider.RFC3280CertPathUtilities.checkCRL(Unknown Source)
at org.bouncycastle.jcajce.provider.RFC3280CertPathUtilities.checkCRLs(Unknown Source)
... 28 more
I have checked that a valid CRLDP is configured in each certificate in the certificate chain. Here is how the certificate chain looks (the blue-highlighted CA certificate is present in my JDK truststore):
The same code works fine (connection successful) WITHOUT BouncyCastle (using the default JDK providers). However, to make it work with BouncyCastle, I need to put the entire certificate chain into my truststore (including the end-entity certificate), which is quite impractical.
Can anyone help me figure out the problem here?

Error occurs during nCipherKM installation test

An error occurs when I run java com.ncipher.provider.InstallationTest to check that the nCipherKM provider is installed correctly.
> java com.ncipher.provider.InstallationTest
Installed providers:
nCipherKM
SUN
SunRsaSign
SunEC
SunJSSE
SunJCE
SunJGSS
SunSASL
XMLDSig
SunPCSC
SunMSCAPI
Exception in thread "main" java.lang.ExceptionInInitializerError
at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:378)
at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:323)
at javax.crypto.JceSecurity.access$000(JceSecurity.java:50)
at javax.crypto.JceSecurity$1.run(JceSecurity.java:85)
at java.security.AccessController.doPrivileged(Native Method)
at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:82)
at javax.crypto.JceSecurityManager.<clinit>(JceSecurityManager.java:65)
at javax.crypto.Cipher.getConfiguredPermission(Cipher.java:2586)
at javax.crypto.Cipher.getMaxAllowedKeyLength(Cipher.java:2610)
at com.ncipher.provider.InstallationTest.unlimitedStrengthJurisdictionPolicyFilesInstalled(InstallationTest.java:130)
at com.ncipher.provider.InstallationTest.main(InstallationTest.java:70)
Caused by: java.lang.SecurityException: Framework jar verification can not be initialized
at javax.crypto.JarVerifier.<clinit>(JarVerifier.java:228)
... 11 more
Caused by: com.ncipher.provider.nCCommunicationException: Error NoUsableModules while opening channel for MessageDigest mech 44 (SHA1Hash)
at com.ncipher.provider.nCHash.openChannel(nCHash.java:208)
at com.ncipher.provider.nCHash.updateChannel(nCHash.java:215)
at com.ncipher.provider.nCHash.flush(nCHash.java:175)
at com.ncipher.provider.nCHash.engineDigest(nCHash.java:91)
at java.security.MessageDigest$Delegate.engineDigest(Unknown Source)
at java.security.MessageDigest.digest(Unknown Source)
at javax.crypto.JarVerifier.getSystemEntropy(JarVerifier.java:857)
at javax.crypto.JarVerifier.testSignatures(JarVerifier.java:744)
at javax.crypto.JarVerifier.access$400(JarVerifier.java:37)
at javax.crypto.JarVerifier$1.run(JarVerifier.java:222)
at javax.crypto.JarVerifier$1.run(JarVerifier.java:187)
at java.security.AccessController.doPrivileged(Native Method)
at javax.crypto.JarVerifier.<clinit>(JarVerifier.java:186)
... 11 more
What I did:
Copied the nCipherKM.jar file from /java/classes to /jre/lib/ext.
Downloaded the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle and copied local_policy.jar and US_export_policy.jar to jre/lib/security.
Added the nCipherKM provider to jre/lib/security/java.security as the first provider:
security.provider.1=com.ncipher.provider.km.nCipherKM
security.provider.2=sun.security.provider.Sun
security.provider.3=sun.security.rsa.SunRsaSign
...
Ran:
java com.ncipher.provider.InstallationTest
And got the error.
The issue is that your HSM(s) are not Usable, which means they're not reachable, are in the wrong mode, or are in an otherwise unusable state:
Caused by: com.ncipher.provider.nCCommunicationException: Error NoUsableModules while opening channel for MessageDigest mech 44 (SHA1Hash)
Run /opt/nfast/bin/enquiry to find out what the state of your module(s) is and fix accordingly.
You have nCipherKM first in the list (as the manual says you should), which means your JVM will go to it for all crypto operations, including hashing.

Java: Gelf-Logstash -> Exceptions when "ssl:hostname"

I want to send my error logs to my Graylog2 server over SSL. Unfortunately, I always get exceptions. I have installed my SSL/TLS certificates in Java's cacerts. The certificate also exists on my Graylog server.
Exceptions:
log4j:ERROR General SSLEngine problem
java.io.IOException: Cannot send data to 192.168.10.74:12202
at biz.paluch.logging.gelf.intern.sender.GelfTCPSender.sendMessage(GelfTCPSender.java:126)
at biz.paluch.logging.gelf.log4j.GelfLogAppender.append(GelfLogAppender.java:92)
at org.apache.log4j.AppenderSkeleton.doAppend(AppenderSkeleton.java:251)
at org.apache.log4j.helpers.AppenderAttachableImpl.appendLoopOnAppenders(AppenderAttachableImpl.java:66)
at org.apache.log4j.Category.callAppenders(Category.java:206)
at org.apache.log4j.Category.forcedLog(Category.java:391)
at org.apache.log4j.Category.error(Category.java:322)
at logging.J2Graylog.main(J2Graylog.java:19)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1336)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1169)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at biz.paluch.logging.gelf.intern.sender.GelfTCPSSLSender.doHandshake(GelfTCPSSLSender.java:200)
at biz.paluch.logging.gelf.intern.sender.GelfTCPSSLSender.connect(GelfTCPSSLSender.java:61)
at biz.paluch.logging.gelf.intern.sender.GelfTCPSender.sendMessage(GelfTCPSender.java:103)
... 7 more
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1703)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:281)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:841)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:839)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1273)
at biz.paluch.logging.gelf.intern.sender.GelfTCPSSLSender.doHandshake(GelfTCPSSLSender.java:240)
... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1433)
... 16 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 22 more
log4j.properties:
log4j.appender.graylog2=biz.paluch.logging.gelf.log4j.GelfLogAppender
log4j.appender.graylog2.Host=ssl:myGraylogHost
log4j.appender.graylog2.Port=myPort
log4j.appender.graylog2.originHost=localhost
log4j.appender.graylog2.layout=org.apache.log4j.PatternLayout
log4j.appender.graylog2.layout.ConversionPattern=%d |%t|%c{1}| %-5p - %m%n
log4j.appender.graylog2.additionalFields={'environment': 'DEV', 'application': 'MyAPP'}
log4j.appender.graylog2.extractStackTrace=true
log4j.appender.graylog2.addExtendedInformation=true
log4j.appender.graylog2.Facility=gelf-java
Can someone tell me why it throws so many exceptions?
Check the following points:
Which JRE installation is the code that throws this exception using? Go there and put the certificate for your URL into it.
Make sure you are using the root certificate.
In addition to #jaydeep's post:
Verify the basic interoperability of your SSL setup. You can use a rather simple tool, see https://gist.github.com/4ndrej/4547029.
logstash-gelf provides some configuration options regarding SSL, see TCP Sender SSL documentation.
I noticed you're using IP addresses for the host name. Make sure your certificate contains the IP address as subject or Subject Alternative Name (IP SANs).
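An added example, not code from either answer or from logstash-gelf: it opens a TLS connection to the Graylog input using the JRE's default truststore (so a "PKIX path building failed" shows up as a handshake failure) and then reports whether the leaf certificate carries the dialled IP address as an IP Subject Alternative Name. The host and port are constructed placeholders.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Checks trust and IP-SAN coverage of a TLS endpoint, e.g. a Graylog GELF TCP input. */
public final class GelfTlsCheck {

    /** GeneralName tags from RFC 5280 as returned by getSubjectAlternativeNames(). */
    private static final int SAN_DNS = 2;
    private static final int SAN_IP = 7;

    /** True if the certificate lists {@code ip} (e.g. "192.168.10.74") as an iPAddress SAN. */
    static boolean hasIpSan(X509Certificate cert, String ip) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (List<?> san : sans) {
            int tag = ((Integer) san.get(0)).intValue();
            // the JDK renders iPAddress entries in dotted-quad / RFC 4291 text form
            if (tag == SAN_IP && ip.equals(san.get(1))) return true;
        }
        return false;
    }

    /** True if the certificate lists {@code name} as a dNSName SAN (no wildcard handling). */
    static boolean hasDnsSan(X509Certificate cert, String name) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        for (List<?> san : sans) {
            int tag = ((Integer) san.get(0)).intValue();
            if (tag == SAN_DNS && name.equalsIgnoreCase((String) san.get(1))) return true;
        }
        return false;
    }

    /**
     * Performs the handshake with the default trust manager (cacerts or
     * javax.net.ssl.trustStore) and returns the server's chain. An untrusted chain
     * surfaces here as an SSLHandshakeException carrying the PKIX path error.
     */
    static Certificate[] fetchChain(String host, int port) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.startHandshake();
            return socket.getSession().getPeerCertificates();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "192.168.10.74"; // constructed placeholder
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 12202;

        Certificate[] chain = fetchChain(host, port);
        X509Certificate leaf = (X509Certificate) chain[0];
        System.out.println("Handshake OK; chain length " + chain.length);
        System.out.println("Leaf subject: " + leaf.getSubjectX500Principal());
        System.out.println("Issuer      : " + leaf.getIssuerX500Principal());

        // Hostname verification for an IP literal only succeeds via an IP SAN,
        // so a certificate with DNS names alone will not match "ssl:192.168.10.74".
        boolean ipOk = hasIpSan(leaf, host);
        boolean dnsOk = hasDnsSan(leaf, host);
        System.out.println("Dialled name " + host + " present as IP SAN: " + ipOk + ", as DNS SAN: " + dnsOk);
        if (!ipOk && !dnsOk) {
            System.out.println("Certificate does not name " + host + "; reissue it with a matching SAN");
        }
    }
}
```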

java.net.SocketException: java.security.NoSuchAlgorithmException Java refuses to connect

I am writing a program for work and I have been stumped on this issue for almost a week now. The program keeps throwing the same exception no matter what I do.
I have looked up every known resource and every question related to this problem, and every attempt and suggestion has failed. According to 90% of the posts I've come across, I should use keytool to add the certificate to my keystore. This is what I have attempted:
keytool -import -alias abc -file ~/Downloads/\*.gcsip.nl #=> gcsip.nl is the certificate I downloaded from the browser.
It asked me for a password, I entered it, and my app still doesn't work when I run it. I looked into "How to import certificates into Eclipse project" and they recommended the same command. I have never dealt with Java certificates before, but it's been an absolute nightmare.
The weird part is that the app was working perfectly fine one day, and when I came into work, this exception started happening. I literally changed nothing.
I've also looked into the other Caused by: exceptions, including Invalid keystore format, and have had no luck solving that either. Honestly, even after reading the Oracle docs thoroughly, I still have no idea what a keystore is, does, or is supposed to look like.
I am just looking for someone who's had experience with this issue who can elaborate (like I'm 5) on how keystore works and how I can fix it. Any help is extremely appreciated.
I should note that I am not very Java savvy.
Here's my StackTrace:
java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
at javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:248)
at javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:255)
at sun.net.www.protocol.https.HttpsClient.createSocket(HttpsClient.java:409)
at sun.net.NetworkClient.doConnect(NetworkClient.java:162)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:432)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:527)
at sun.net.www.protocol.https.HttpsClient.<init>(HttpsClient.java:275)
at sun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:371)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1104)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:998)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at GCollect.authorize(GCollect.java:102)
at TestCase.main(TestCase.java:20)
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)
at java.security.Provider$Service.newInstance(Provider.java:1617)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:156)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:96)
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:122)
at javax.net.ssl.HttpsURLConnection.getDefaultSSLSocketFactory(HttpsURLConnection.java:332)
at javax.net.ssl.HttpsURLConnection.<init>(HttpsURLConnection.java:289)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.<init>(HttpsURLConnectionImpl.java:85)
at sun.net.www.protocol.https.Handler.openConnection(Handler.java:62)
at sun.net.www.protocol.https.Handler.openConnection(Handler.java:57)
at java.net.URL.openConnection(URL.java:972)
at GCollect.authorize(GCollect.java:100)
... 1 more
Caused by: java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1445)
at sun.security.ssl.TrustManagerFactoryImpl.getCacertsKeyStore(TrustManagerFactoryImpl.java:226)
at sun.security.ssl.SSLContextImpl$DefaultSSLContext.getDefaultTrustManager(SSLContextImpl.java:767)
at sun.security.ssl.SSLContextImpl$DefaultSSLContext.<init>(SSLContextImpl.java:733)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
at java.security.Provider$Service.newInstance(Provider.java:1595)
... 13 more
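An added example, not code from either question: it serves both the truststore checks suggested in the first question's answer (javax.net.ssl.trustStore, trustStorePassword and trustStoreType) and this question's "Invalid keystore format" trace. It resolves and loads the default truststore the way the JSSE default SSLContext does (TrustManagerFactoryImpl.getCacertsKeyStore in both traces) and maps the two IOExceptions seen on this page to their plain-language cause. Only the running JRE's own files and system properties are assumed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Enumeration;

/** Diagnoses why the JSSE default SSLContext cannot load its truststore. */
public final class DefaultTrustStoreCheck {

    /**
     * Resolution order used by JSSE: javax.net.ssl.trustStore if set, otherwise
     * ${java.home}/lib/security/jssecacerts if present, otherwise .../cacerts.
     */
    static Path resolveTrustStore() {
        String configured = System.getProperty("javax.net.ssl.trustStore");
        if (configured != null) return Paths.get(configured);
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = security.resolve("jssecacerts");
        return Files.isRegularFile(jsse) ? jsse : security.resolve("cacerts");
    }

    /** Loads the store with the same type/password rules as JSSE and returns a one-line verdict. */
    static String diagnose(Path store) {
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "");
        // JSSE passes null when no password property is set: the file is parsed but
        // its integrity hash is not verified, so a wrong-password error can only
        // appear when a password WAS supplied (as in the JMX trace above).
        char[] password = pw.isEmpty() ? null : pw.toCharArray();

        if (!Files.isRegularFile(store)) {
            return "MISSING: " + store + " does not exist (check javax.net.ssl.trustStore)";
        }
        try (InputStream in = Files.newInputStream(store)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            int anchors = 0;
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                if (ks.isCertificateEntry(e.nextElement())) anchors++;
            }
            return "OK: " + store + " (" + type + ") loads with " + anchors + " trusted certificate entries";
        } catch (IOException e) {
            if (e.getCause() instanceof UnrecoverableKeyException) {
                // JavaKeyStore: "Keystore was tampered with, or password was incorrect"
                return "BAD PASSWORD (or modified file): javax.net.ssl.trustStorePassword does not match "
                    + store;
            }
            // JavaKeyStore: "Invalid keystore format" -- the bytes are not a store of this type,
            // e.g. the file was overwritten or trustStoreType does not match the file
            return "NOT A " + type + " FILE: " + store + " (" + e.getMessage()
                + "); was it overwritten, or is javax.net.ssl.trustStoreType wrong?";
        } catch (GeneralSecurityException e) {
            return "ERROR loading " + store + ": " + e;
        }
    }

    public static void main(String[] args) {
        Path store = args.length > 0 ? Paths.get(args[0]) : resolveTrustStore();
        System.out.println("Truststore: " + store);
        System.out.println(diagnose(store));
    }
}
```

Run it with the same -D options as the failing application so the same file, type and password are tested.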

no such algorithm: SunTls12RsaPremasterSecret for provider SunPKCS11-NSSFIPS

I have run into an issue after updating my JRE to 7u51. Prior to this, things were working fine.
I have a web application that runs on Tomcat and uses the Mozilla NSS libraries to achieve FIPS 140-2 compliance when using SSL/TLS. To do this, I had to change the default SunJSSE provider to my custom SunPKCS11-NSSFIPS provider.
Everything starts up fine. The server shows it is ready, but when I try to hit it from a web browser, I get a "The connection was interrupted" error.
Looking at the logs on the server, I see this:
Feb 09, 2014 3:00:16 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor run
SEVERE:
java.lang.RuntimeException: Could not generate dummy secret
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:335)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1642)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.RuntimeException: Could not generate dummy secret
at sun.security.ssl.RSAClientKeyExchange.generatePreMasterSecret(RSAClientKeyExchange.java:281)
at sun.security.ssl.RSAClientKeyExchange.polishPreMasterSecretKey(RSAClientKeyExchange.java:245)
at sun.security.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:167)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:190)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:343)
... 5 more
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: SunTls12RsaPremasterSecret for provider SunPKCS11-NSSFIPS
at sun.security.jca.GetInstance.getService(GetInstance.java:100)
at javax.crypto.JceSecurity.getInstance(JceSecurity.java:109)
at javax.crypto.KeyGenerator.getInstance(KeyGenerator.java:287)
at sun.security.ssl.JsseJce.getKeyGenerator(JsseJce.java:269)
at sun.security.ssl.RSAClientKeyExchange.generatePreMasterSecret(RSAClientKeyExchange.java:270)
... 15 more
I believe this is happening because the browser is trying to perform the handshake with TLSv1.2 but my security provider can't handle it. Is there a way to resolve this while still using my custom provider?
Immediately after that stack trace, there is another in the log file:
Feb 09, 2014 3:00:16 AM org.apache.tomcat.util.net.NioEndpoint$SocketProcessor run
SEVERE:
java.lang.RuntimeException: java.security.InvalidAlgorithmParameterException: init() failed
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1287)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:335)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:193)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1642)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:744)
Caused by: java.security.ProviderException: java.security.InvalidAlgorithmParameterException: init() failed
at sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1064)
at sun.security.ssl.Handshaker.calculateKeys(Handshaker.java:999)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:234)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:808)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:806)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227)
at org.apache.tomcat.util.net.SecureNioChannel.tasks(SecureNioChannel.java:285)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:343)
... 5 more
Caused by: java.security.InvalidAlgorithmParameterException: init() failed
at sun.security.pkcs11.P11TlsMasterSecretGenerator.engineInit(P11TlsMasterSecretGenerator.java:89)
at javax.crypto.KeyGenerator.init(KeyGenerator.java:431)
at javax.crypto.KeyGenerator.init(KeyGenerator.java:414)
at sun.security.ssl.Handshaker.calculateMasterSecret(Handshaker.java:1052)
... 14 more
Caused by: java.security.InvalidKeyException: Could not create key
at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:270)
at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:175)
at sun.security.pkcs11.P11SecretKeyFactory.convertKey(P11SecretKeyFactory.java:111)
at sun.security.pkcs11.P11TlsMasterSecretGenerator.engineInit(P11TlsMasterSecretGenerator.java:87)
... 17 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
at sun.security.pkcs11.wrapper.PKCS11.C_CreateObject(Native Method)
at sun.security.pkcs11.P11SecretKeyFactory.createKey(P11SecretKeyFactory.java:265)
... 20 more
Any help will be appreciated.
If I am not wrong, NSS does not support TLS 1.2 yet, so you should not initialize the handshake for TLS 1.2. Some browsers have changed the default TLS version to 1.2. You have to change that to TLS 1.1 and try again.
