
javax.net.ssl.SSLHandshakeException when connecting via Cajo over SSL issue

I am working on a Cajo implementation and need to make it run over SSL. For whatever reason a javax.net.ssl.SSLHandshakeException is thrown. Can anyone please provide some help on how to get Cajo to work via SSL? I am using Cajo v1.175.

I am certain this is a simple issue with a simple fix, but I am a noob when it comes to RMI...

Full code, certs and error messages are at http://www.mikebryant.com/misc/cajo/cajossl.zip

Any help is greatly appreciated!

As requested, here are some code examples and the error messages.... The server socket code I got from http://www.cs.columbia.edu/~akonstan/rmi-ssl/

Server.java

private static int port = 61354;

@SuppressWarnings("javadoc")
public static void main(String args[]) throws Exception {
    String ip = InetAddress.getLocalHost().getHostAddress();
    Remote.config(ip, Constants.PORT, null, 0);

    java.rmi.server.RMISocketFactory.setSocketFactory(new cajotest.rmi.SecureRMISocketFactory());
    Cajo cajo = new Cajo();
    cajo.export(new ServiceImpl());

    System.out.println("Server running on " + InetAddress.getLocalHost() + ":" + Constants.PORT);
}

Client.java

private static String host = "192.168.56.1";


public static void main(String args[]) throws Exception {
    System.out.println("Client using " + host + ":" + Constants.PORT);

    java.rmi.server.RMISocketFactory.setSocketFactory(new cajotest.rmi.SecureRMISocketFactory());

    Cajo cajo = new Cajo();
    cajo.register(host, Constants.PORT);

    Object refs[] = cajo.lookup(Service.class);
    if (refs.length > 0) {
        Service svc = (Service) cajo.proxy(refs[0], Service.class);
        String helloResponse = svc.sayHello("Mike");
        System.out.println(helloResponse);
    } else {
        System.out.println("No server objects found");
    }

    System.exit(0);
}

Server Output

keyStore is : E:/tmp/keys/server.keystore
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509

found key for : mykey
chain [0] = [
[
Version: V3
Subject: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 2048 bits
modulus:
public exponent: 65537
Validity: [From: Wed Apr 16 08:53:44 EDT 2014, To: Tue Jul 15 08:53:44 EDT 2014]
Issuer: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
SerialNumber: [ 4f991afd]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: FA 7D 37 D8 66 14 CC 5B A6 BF EA 53 74 63 91 8F ..7.f..[...Stc..
0010: EA 55 82 8F .U..
]
]

] Algorithm: [SHA256withRSA] Signature:

]


trustStore is: E:\tmp\keys\server.keystore
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
Issuer: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
Algorithm: RSA; Serial number: 0x4f991afd
Valid from Wed Apr 16 08:53:44 EDT 2014 until Tue Jul 15 08:53:44 EDT 2014

adding as trusted cert:
Subject: CN=Client, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
Issuer: CN=Client, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
Algorithm: RSA; Serial number: 0x34f4b1a1
Valid from Wed Apr 16 08:54:40 EDT 2014 until Tue Jul 15 08:54:40 EDT 2014

trigger seeding of SecureRandom
done seeding SecureRandom
Server running on Coruscant/192.168.56.1:61354

Client Output

Client using 192.168.56.1:61354
keyStore is : E:/tmp/keys/client.keystore
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509

found key for : mykey
chain [0] = [
[
Version: V3
Subject: CN=Client, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 2048 bits
modulus:
public exponent: 65537
Validity: [From: Wed Apr 16 08:54:40 EDT 2014, To: Tue Jul 15 08:54:40 EDT 2014]
Issuer: CN=Client, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
SerialNumber: [ 34f4b1a1]

Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 76 5E 19 97 98 E4 33 E9 9B B9 31 E9 B6 D0 F0 F2 v^....3...1.....
0010: 56 37 CE 18 V7..
]
]

] Algorithm: [SHA256withRSA] Signature:

]


trustStore is: E:\tmp\keys\client.keystore
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
Subject: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
Issuer: CN=Server, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
Algorithm: RSA; Serial number: 0x4f991afd
Valid from Wed Apr 16 08:53:44 EDT 2014 until Tue Jul 15 08:53:44 EDT 2014

adding as trusted cert:
Subject: CN=Client, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
Issuer: CN=Client, OU=Bar, O=Foo, L=Some, ST=Where, C=UN
Algorithm: RSA; Serial number: 0x34f4b1a1
Valid from Wed Apr 16 08:54:40 EDT 2014 until Tue Jul 15 08:54:40 EDT 2014

trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
* ClientHello, TLSv1
RandomCookie: GMT: 1397762666 bytes = { 92, 155, 95, 199, 227, 200, 183, 73, 110, 151, 210, 240, 190, 70, 181, 238, 2, 129, 136, 117, 166, 211, 25, 2, 235, 239, 76, 228 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]

main, WRITE: TLSv1 Handshake, length = 149
main, received EOFException: error
main, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
main, SEND TLSv1 ALERT: fatal, description = handshake_failure
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()
Exception in thread "main" java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:304)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
    at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:341)
    at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
    at java.rmi.Naming.lookup(Naming.java:101)
    at gnu.cajo.invoke.Remote.getItem(Unknown Source)
    at gnu.cajo.Cajo.register(Unknown Source)
    at cajotest.client.Client.main(Client.java:22)
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:946)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
    at java.io.DataOutputStream.flush(DataOutputStream.java:123)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:229)
    ... 7 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at sun.security.ssl.InputRecord.read(InputRecord.java:482)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
    ... 14 more

In the client, set the global socket factory after doing the lookup. Otherwise it applies to that too, and requires the Registry to be using SSL, which it clearly isn't.

You shouldn't use RMISocketFactory. It was deprecated in 1998, or at least obsoleted by RMIServerSocketFactory and RMIClientSocketFactory.
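An added example, not part of the original answer and not Cajo code: per-object socket factories in plain java.rmi, so the registry lookup stays on plain TCP and only the exported service speaks TLS. The names Hello, HelloImpl, SslExportDemo, the binding "hello" and port 1099 are hypothetical; the key and trust stores are assumed to be supplied through the standard javax.net.ssl system properties.

```java
import java.rmi.Remote;
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.rmi.server.UnicastRemoteObject;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

// Hypothetical names for illustration; not taken from the question's zip.
interface Hello extends Remote {
    String sayHello(String name) throws RemoteException;
}

class HelloImpl implements Hello {
    public String sayHello(String name) { return "Hello, " + name; }
}

public class SslExportDemo {
    public static void main(String[] args) throws Exception {
        // Assumed JVM options (same stores the question's debug output shows):
        //   -Djavax.net.ssl.keyStore=...   -Djavax.net.ssl.keyStorePassword=...
        //   -Djavax.net.ssl.trustStore=... -Djavax.net.ssl.trustStorePassword=...
        int registryPort = 1099;   // plain JRMP registry (hypothetical port)
        int servicePort = 61354;   // TLS-protected service endpoint

        HelloImpl impl = new HelloImpl();
        // Only this object's endpoint uses TLS. null, null keeps the default
        // cipher suites and protocols; true requires a client certificate.
        Hello stub = (Hello) UnicastRemoteObject.exportObject(
                impl, servicePort,
                new SslRMIClientSocketFactory(),
                new SslRMIServerSocketFactory(null, null, true));

        // The registry is created without socket factories, so a lookup never
        // sends a TLS ClientHello to a plain-text listener.
        Registry registry = LocateRegistry.createRegistry(registryPort);
        registry.rebind("hello", stub);

        // Client side (normally another JVM): no RMISocketFactory.setSocketFactory().
        // The stub carries SslRMIClientSocketFactory, so only the call uses TLS.
        Hello remote = (Hello) LocateRegistry
                .getRegistry("localhost", registryPort).lookup("hello");
        System.out.println(remote.sayHello("Mike"));

        UnicastRemoteObject.unexportObject(registry, true);
        UnicastRemoteObject.unexportObject(impl, true);
    }
}
```

With a plain registry the lookup itself is neither encrypted nor authenticated, so the stub a client receives is only as trustworthy as the network path to the registry. Passing the same two factories to `LocateRegistry.createRegistry(port, csf, ssf)` and `LocateRegistry.getRegistry(host, port, csf)` puts the lookup under TLS as well.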
