stackoom
  简体   繁体   中英

Jboss AS 6.1.0 Handshake timeout with Java7

 原文  2014-11-10 09:37:03       java/ ssl/ jboss/ socketexception/ sslhandshakeexception

Question

I have a problem with SSL in Jboss 6.1.0. I use CLIEN-CERT to restrict certain security constraint with client certificate. I configured all needed places( web.xml, jboss-web.xml, jboss-loggin, server.xml, jboss-service ). When I start server with JDK6 everything works fine, but when i start server with JDK7 and try to access the security constraint i get the error Exception getting SSL attributes: java.net.SocketException: SSL Cert handshake timeout . Here is stacktrace: 

2014-10-16 17:39:10,184 WARN  [org.apache.coyote.http11.Http11Processor] (http-0.0.0.0-8443-2) Exception getting SSL attributes: java.net.SocketException: SSL Cert handshake timeout  
  at org.apache.tomcat.util.net.jsse.JSSESupport.handShake(JSSESupport.java:178) [:6.1.0.Final]  
  at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:138) [:6.1.0.Final]  
  at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1144) [:6.1.0.Final]  
  at org.apache.coyote.Request.action(Request.java:352) [:6.1.0.Final]  
  at org.apache.catalina.connector.Request.getCertificateChain(Request.java:1112) [:6.1.0.Final]  
  at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:132) [:6.1.0.Final]  
  at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:559) [:6.1.0.Final]  
  at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:88) [:6.1.0.Final]  
  at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:100) [:6.1.0.Final]  
  at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:159) [:6.1.0.Final]  
  at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) [:6.1.0.Final]  
  at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567) [:6.1.0.Final]  
  at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [:6.1.0.Final]  
  at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:631) [:6.1.0.Final]  
  at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:273) [:6.1.0.Final]  
  at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]  
  at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [:6.1.0.Final]  
  at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [:6.1.0.Final]  
  at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654) [:6.1.0.Final]  
  at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951) [:6.1.0.Final]  
  at java.lang.Thread.run(Thread.java:745) [:1.7.0_71]

When i switch clientAuth="true" or "want" it's work, but with "false" and accessing security constraint with CLIENT-CERT doesn't work with JDK7. I tried to debug JSSESupport.java and saw that there is for cycle in handshake method and with JDK6 when enter for first time in that cycle and read bytes from InputStream browser window is opened and request my client certificate, but with JDK7 this doesn't happend, the error is thrown at the end of the method because client didn't send his certificate. Actually this browser window is opened later and when i submit my certificate nothing happens, because handshake is completed with false result. I tried with Firefox, IE, Chrome and result is the same. If someone can help me or give me a advice, it would be greatfull.

2 answers

solution1
 0  2014-11-10 09:45:38

In our project we have the simmilar error comes from jboss but I can't remember right now the exact error. In our case we skiped it and applications works fine.

solution2
 0  2014-11-11 14:36:06

So, I debug more and find that with Java 7 in JSSESupport.java:178 when It tries to read AppInputStream from the SSLSocket nothing is happened. It tries to read 60 times and finally if client not confirm his choice for certificate this " Handhake timeout " error is thrown, and after that tomcat check for certificate and if it's not presented i have log " No certificates included with this request " and response send me error with code 401 SC_UNAUTHORIZED and process stop and my filters aren't invoked. In difference with Java 6 , at the first time when it tries to read from AppInputStream , i'm asked for choice my client certificate. I think that the problem may have connection with changes in Java 7 in security area and implementation of SSL(TLS) , or some synchronization problem with reading from this AppInputStream , because this request for certificate comes later, after the error is thrown, but error code is already set in response.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question SNI Java 1.8 and Jboss SSL Handshake how to handle exception “javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure” in java7 error deploy struts on jboss 6.1.0 Exception “The connection manager is shutdown” Java7 / JBoss 6.2 EAP (Server not shutting down) JEditorPane linewrap in Java7 CodeCahe is full java7 Conditional Statement on Java7 Deploying SOAP web-service on JBOSS 6.1.0 Persisting thread after redeploy JBoss 6.1.0 How to install jboss-eap-6.1.0.GA
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM