How do I configure my Java application to use port 993 with TLS to read mail from an IMAP postbox?
I stored the certificate for my mail server in the default Java keystore, cacerts.
After trying to connect to the postbox, I got this stack trace (it's the full trace):
javax.mail.MessagingException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty;
nested exception is:
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:670)
at javax.mail.Service.connect(Service.java:317)
at javax.mail.Service.connect(Service.java:176)
at javax.mail.Service.connect(Service.java:125)
at imap.IMAP.receive(IMAP.java:77)
at imap.IMAP.main(IMAP.java:46)
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1764)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1725)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1708)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1237)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1214)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:548)
at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:352)
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:207)
at com.sun.mail.iap.Protocol.<init>(Protocol.java:113)
at com.sun.mail.imap.protocol.IMAPProtocol.<init>(IMAPProtocol.java:111)
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:637)
... 5 more
Caused by: java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:57)
at sun.security.validator.Validator.getInstance(Validator.java:161)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:108)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:204)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1185)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:958)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1203)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1230)
... 12 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:183)
at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:103)
at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:87)
at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:55)
... 23 more
15.03.2013 13:54:50 imap.IMAP main
SCHWERWIEGEND: null
java.lang.NullPointerException
at imap.IMAP.receive(IMAP.java:123)
at imap.IMAP.main(IMAP.java:46)
And these are my properties:
System.setProperty("javax.net.ssl.trustStore", "/usr/java/jdk_1.6.0_35/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
Properties props = System.getProperties();
props.setProperty("mail.imaps.host", server);
props.setProperty("mail.imaps.user", user);
props.setProperty("mail.imaps.password", password);
props.setProperty("mail.imaps.auth", "true");
props.setProperty("mail.imaps.starttls.enable", "true");
props.setProperty("mail.imaps.socketFactory.port", "993");
props.setProperty("mail.imaps.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
props.setProperty("mail.imaps.socketFactory.fallback", "false");
MailAuthenticator auth = new MailAuthenticator(user, password);
Session session = Session.getDefaultInstance(props, auth);
store = session.getStore("imaps");
store.connect();
Is something missing? On the internet there are so many posts about this problem, but most of them are for SMTP. I haven't found anything that really explains which properties you really need to get this case working.
I hope someone can help me find my mistake.
Thanks a lot.
First a few comments, that aren't the cause of your problem, but will simplify your program...
Get rid of the socketFactory properties, you don't need them.
Use Session.getInstance instead of Session.getDefaultInstance.
Get rid of the MailAuthenticator and call store.connect(user, password).
See the JavaMail FAQ for details.
As for the exception you're getting, it seems to be some problem related to your certificate or your trust store. This JavaMail FAQ entry has pointers to tips for debugging these kinds of problems. You may need a Java SSL/networking/security expert to explain what's wrong.
You say you've already added your certificate to your trust store, but just in case you might want to check this JavaMail FAQ entry.
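The "trustAnchors parameter must be non-empty" error means certificate validation was handed no trusted certificates, so the first thing to check is whether the configured trust store can be read and actually holds certificate entries. The following is an added example, not code from the question or the answer; the class name `TrustStoreCheck` is hypothetical, and the default password is the one shown in the question.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;

// Added example (hypothetical class name): verifies that the trust store
// the JVM is pointed at can supply trust anchors for PKIX validation.
public class TrustStoreCheck {

    /** Counts trusted-certificate entries; private-key entries are not anchors. */
    static int countTrustedCerts(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        // Path: command-line argument, else the javax.net.ssl.trustStore
        // property, else the cacerts file bundled with this JRE.
        String bundled = System.getProperty("java.home") + File.separator + "lib"
                + File.separator + "security" + File.separator + "cacerts";
        String path = args.length > 0 ? args[0]
                : System.getProperty("javax.net.ssl.trustStore", bundled);
        String type = System.getProperty("javax.net.ssl.trustStoreType",
                KeyStore.getDefaultType());
        String password = System.getProperty("javax.net.ssl.trustStorePassword",
                "changeit");

        File file = new File(path);
        System.out.println("Trust store: " + file.getAbsolutePath());
        if (!file.isFile() || !file.canRead()) {
            // A wrong path or unreadable file leaves JSSE without any anchors.
            System.out.println("  FAIL: file is missing or not readable");
            return;
        }

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, password.toCharArray()); // IOException on a bad password
        }
        System.out.println("  entries: " + ks.size()
                + ", trusted certificates: " + countTrustedCerts(ks));

        try {
            // Same constructor that appears at the bottom of the stack trace.
            new PKIXParameters(ks);
            System.out.println("  OK: trust anchors are available");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("  FAIL: " + e.getMessage());
        }
    }
}
```

Run it as the same OS user and with the same JVM as the mail client, passing the path from the `javax.net.ssl.trustStore` setting as the argument.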
Kind Attn Moderators: Before marking this query as duplicate, please note I have checked these questions...
java.net.SocketException: Connection reset
What's causing my java.net.SocketException: Connection reset?
Getting error "java.net.SocketException: Connection reset"
...and was unable to fix the issue. Also I believe the context & error is different from those, thus seeking help here.
Context: Download a csv file from NSEIndia website to a local folder (Note: Am able to download CSV files from other random websites).
Issue: Returns an error - javax.net.ssl.SSLException: Connection reset (Full error pasted below)
Observation: I am perplexed, as I faced this same issue yesterday, but after a couple of retries, it worked. I made no changes to code or settings.
Question: Is there anything I can do from my end to ensure this error is not seen with this specific website?
Code:
// Using FileUtils from -> import org.apache.commons.io.FileUtils;
try {
FileUtils.copyURLToFile(new URL("https://www.nseindia.com/content/fo/fo_mktlots.csv"),new File("D:\\Download\\t1.csv"));
} catch (IOException e) {
e.printStackTrace();
}
Error:
javax.net.ssl.SSLException: Connection reset
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:127)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:324)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:262)
at java.base/sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1652)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1038)
at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:245)
at java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:285)
at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:344)
at java.base/sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:746)
at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:689)
at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:717)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1610)
at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1515)
at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:224)
at java.base/java.net.URL.openStream(URL.java:1162)
at org.apache.commons.io.FileUtils.copyURLToFile(FileUtils.java:1456)
at main.Test.dummy3(Test.java:327)
at main.Test.main(Test.java:59)
Suppressed: java.net.SocketException: Connection reset by peer
at java.base/sun.nio.ch.NioSocketImpl.implWrite(NioSocketImpl.java:421)
at java.base/sun.nio.ch.NioSocketImpl.write(NioSocketImpl.java:441)
at java.base/sun.nio.ch.NioSocketImpl$2.write(NioSocketImpl.java:825)
at java.base/java.net.Socket$SocketOutputStream.write(Socket.java:1007)
at java.base/sun.security.ssl.SSLSocketOutputRecord.encodeAlert(SSLSocketOutputRecord.java:82)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:355)
... 17 more
Caused by: java.net.SocketException: Connection reset
at java.base/sun.nio.ch.NioSocketImpl.implRead(NioSocketImpl.java:324)
at java.base/sun.nio.ch.NioSocketImpl.read(NioSocketImpl.java:351)
at java.base/sun.nio.ch.NioSocketImpl$1.read(NioSocketImpl.java:802)
at java.base/java.net.Socket$SocketInputStream.read(Socket.java:937)
at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:450)
at java.base/sun.security.ssl.SSLSocketInputRecord.bytesInCompletePacket(SSLSocketInputRecord.java:68)
at java.base/sun.security.ssl.SSLSocketImpl.readApplicationRecord(SSLSocketImpl.java:1409)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1022)
... 13 more
I'm trying to connect to an Oracle DB using Java and SSL. For now I have the Java program on the server with the database.
I'm getting this error when I try to run it (full error in comment):
java.sql.SQLRecoverableException: IO Error: Inbound closed before receiving peer's close_notify: possible truncation attack?, connect lapse 15 ms., Authentication lapse 0 ms.
This is my java code:
public static void main(String[] args) {
Security.addProvider(new oracle.security.pki.OraclePKIProvider());
String url = "jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=localhost)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=ORCL)))";
Properties props = new Properties();
props.setProperty("javax.net.ssl.trustStore",
"C:\\app\\Administrator\\virtual\\product\\12.2.0\\dbhome_1\\bin\\wallets\\Administrator\\cwallet.sso");
props.setProperty("javax.net.ssl.trustStoreType","SSO");
props.setProperty("javax.net.ssl.keyStore",
"C:\\app\\Administrator\\virtual\\product\\12.2.0\\dbhome_1\\bin\\wallets\\Administrator\\cwallet.sso");
props.setProperty("javax.net.ssl.keyStoreType","SSO");
try {
Connection conn = DriverManager.getConnection(url, props);
} catch (SQLException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
I added this to listener.ora and tnsnames.ora (I also tried with the sso file and just linking to the directory)
WALLET_LOCATION=(SOURCE=(METHOD=FILE) (METHOD_DATA=(DIRECTORY=C:\app\Administrator\virtual\product\12.2.0\dbhome_1\bin\wallets\Administrator\ewallet.p12 ))
SSL_CLIENT_AUTHENTICATION=TRUE
I also added this to java.security:
security.provider.11=oracle.security.pki.OraclePKIProvider
edit: I didn't realize the length limit on comments was so short. Here's the full error:
Caused by: java.io.IOException: Inbound closed before receiving peer's close_notify: possible truncation attack?, connect lapse 11 ms., Authentication lapse 0 ms.
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:790)
... 6 more
Caused by: java.io.IOException: Inbound closed before receiving peer's close_notify: possible truncation attack?, connect lapse 11 ms.
at oracle.net.ns.NSProtocolNIO.negotiateConnection(NSProtocolNIO.java:138)
at oracle.net.ns.NSProtocol.connect(NSProtocol.java:317)
at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1438)
at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:518)
... 6 more
Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
at sun.security.ssl.SSLEngineImpl.closeInbound(Unknown Source)
at oracle.net.nt.SSLSocketChannel.fill(SSLSocketChannel.java:534)
at oracle.net.nt.SSLSocketChannel.unwrap(SSLSocketChannel.java:434)
at oracle.net.nt.SSLSocketChannel.handshake(SSLSocketChannel.java:350)
at oracle.net.nt.SSLSocketChannel.write(SSLSocketChannel.java:238)
at oracle.net.ns.NIOPacket.writeToSocketChannel(NIOPacket.java:211)
at oracle.net.ns.NIOConnectPacket.writeToSocketChannel(NIOConnectPacket.java:232)
at oracle.net.ns.NSProtocolNIO.negotiateConnection(NSProtocolNIO.java:108)
... 9 more
Can you make sure to have oraclepki.jar, osdt_core.jar and osdt_cert.jar in the classpath? You don't need to use keystore and truststore properties. Use oracle.net.wallet_location and oracle.net.ssl_server_dn_match=true. Check out the blog for more details.
I have a Java program that sends mail to the users. For the past week the mails haven't been sent anymore. I didn't change anything, but now I get this error:
connexion failed: Exception reading response;
nested exception is:
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
Exception in thread "main" java.lang.RuntimeException: javax.mail.MessagingException: Exception reading response;
nested exception is:
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at Launcher$Connexion.<init>(Launcher.java:33)
at Launcher.main(Launcher.java:52)
Caused by: javax.mail.MessagingException: Exception reading response;
nested exception is:
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at com.sun.mail.smtp.SMTPTransport.readServerResponse(SMTPTransport.java:1407)
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1205)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:322)
at javax.mail.Service.connect(Service.java:236)
at javax.mail.Service.connect(Service.java:137)
at Launcher$Connexion.<init>(Launcher.java:28)
I contacted fastmail (mailing server) and they say that the insecure cert is self-signed, and does not expire until 2021.
So I don't know what the problem is.
Please add DH parameter limits to the certificate of target server. Custom DH parameters by using openssl dhparam command should be generated and applied with the SSLCertificateFile directive. Please note that the custom DH parameters with a 1024-bit prime will always have precedence over any of the built-in DH parameters.
You should update your Java version to at least version 8 as the 1024-bit restriction should have been lifted to accept 2048-bit parameters.
Please see: Java: Why does SSL handshake give 'Could not generate DH keypair' exception?
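To see whether the running JRE is subject to the Diffie-Hellman size limit mentioned above, the key-pair generation can be tried directly at both sizes. This is an added example, not code from the question or the answers; the class name `DhSizeProbe` is hypothetical.

```java
import java.security.KeyPairGenerator;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (hypothetical class name): reports which Diffie-Hellman
// key sizes this JRE can generate, the operation that fails inside the
// TLS handshake with "Could not generate DH keypair".
public class DhSizeProbe {

    /** Tries each size and records "supported" or the rejection message. */
    static Map<Integer, String> probe(int... bitSizes) throws Exception {
        Map<Integer, String> results = new LinkedHashMap<Integer, String>();
        for (int bits : bitSizes) {
            try {
                KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman");
                kpg.initialize(bits);   // JREs with the 1024-bit limit reject 2048 here
                kpg.generateKeyPair();  // may take a few seconds for larger sizes
                results.put(bits, "supported");
            } catch (RuntimeException e) {
                // InvalidParameterException is a RuntimeException
                results.put(bits, "rejected: " + e.getMessage());
            }
        }
        return results;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (Map.Entry<Integer, String> e : probe(1024, 2048).entrySet()) {
            System.out.println("DH " + e.getKey() + " bits: " + e.getValue());
        }
    }
}
```

If 2048 bits is rejected while 1024 is supported, the client JRE cannot complete a handshake with a server that offers 2048-bit DH parameters.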
I have an issue accepting all certs while using the VCloud SDK.
The problem is that there is a self-signed cert on the machine, and even with the FakeSSL object it is not working; it cannot accept all certs. How do I make a workaround to make it work?
VcloudClient.setLogLevel(Level.OFF);
vcloudClient = new VcloudClient(arg[0], Version.V5_5);
vcloudClient.registerScheme("<https>", 443, FakeSSLSocketFactory.getInstance());
vcloudClient.login(arg[1], arg[2]);
extension = vcloudClient.getVcloudAdminExtension();
Exception in thread "main" com.vmware.vcloud.sdk.VCloudRuntimeException: com.vmware.vcloud.sdk.VCloudRuntimeException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.vmware.vcloud.sdk.VcloudClient.getSupportedVersions(VcloudClient.java:231)
at com.vmware.vcloud.sdk.VcloudClient.login(VcloudClient.java:329)
at sdt.ericsson.capacity.main.Main.main(Main.java:155)
Caused by: com.vmware.vcloud.sdk.VCloudRuntimeException: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.vmware.vcloud.sdk.RestUtil.getSupportedVersions(RestUtil.java:431)
at com.vmware.vcloud.sdk.VcloudClient.getSupportedVersions(VcloudClient.java:227)
... 2 more
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:151)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:125)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:641)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:784)
at com.vmware.vcloud.sdk.RestUtil.getSupportedVersions(RestUtil.java:408)
... 3 more
Here is my FakeSSLSocketFactory object (from the VMware samples).
http://wklej.to/2nIV7/text
Any advice?
I switched to using the Perl SDK since it is working perfectly without http/s, and API handling even works with an IP address instead. It is perfectly documented as well, and it is pretty fast.
I'm running the following tutorial:
http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/tutorials/BasicClientServer.html
I'm getting the following prompts:
Connected to server localhost/127.0.0.1
Kerberos username [login]: {I enter my username here}
Kerberos password for login: {I enter my password here}
I get the following error:
Can you ascertain the root cause of this?
Exception in thread "main" GSSException: No valid credentials provided (Mechanism level: Attempt to obtain new INITIATE credentials failed! (null))
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:333)
at sun.security.jgss.krb5.Krb5InitCredential.getInstance(Krb5InitCredential.java:128)
at sun.security.jgss.krb5.Krb5MechFactory.getCredentialElement(Krb5MechFactory.java:106)
at sun.security.jgss.krb5.Krb5MechFactory.getMechanismContext(Krb5MechFactory.java:172)
at sun.security.jgss.GSSManagerImpl.getMechanismContext(GSSManagerImpl.java:209)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:195)
at sun.security.jgss.GSSContextImpl.initSecContext(GSSContextImpl.java:162)
at demo.SampleClient.main(SampleClient.java:145)
Caused by: javax.security.auth.login.LoginException: Message stream modified (41)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:696)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
at sun.security.jgss.GSSUtil.login(GSSUtil.java:246)
at sun.security.jgss.krb5.Krb5Util.getTicket(Krb5Util.java:136)
at sun.security.jgss.krb5.Krb5InitCredential$1.run(Krb5InitCredential.java:328)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.jgss.krb5.Krb5InitCredential.getTgt(Krb5InitCredential.java:325)
... 7 more
Caused by: KrbException: Message stream modified (41)
at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53)
at sun.security.krb5.KrbAsRep.<init>(KrbAsRep.java:96)
at sun.security.krb5.KrbAsReq.getReply(KrbAsReq.java:449)
at sun.security.krb5.Credentials.sendASRequest(Credentials.java:410)
at sun.security.krb5.Credentials.acquireTGT(Credentials.java:378)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:662)
... 23 more
I got exceptions “Message stream modified (41)”, when the Kerberos realm didn’t match. The realm (in system property java.security.krb5.realm) has to match exactly, including upper/lower case.
I'm wondering if this is a possibility (ie even if registry key is set, locked out for local administrators):
http://cr.openjdk.java.net/~weijun/special/krb5winguide-2/raw_files/new/kwin
Known Issues
If an AD account is also added into local administrator group on the
client PC, Microsoft restricts such client from getting the session key
for tickets (even if you set the allowtgtsessionkey registry key to 1).
The workaround is: Just forget you're a logged in user, call kinit.exe.
Do not depends on LSA credential cache.
I cannot confirm that issue. I do have admin rights on my machine and am still able to obtain the session key from the LSA. You should enable full debug output on JGSS and the Krb5LoginModule. Share your krb5.ini and login.conf too. I hope you are aware that the above example cannot work because your client cannot obtain a ticket for a local host. It has to be an FQDN with an appropriate SPN set in the Active Directory.