From: "Mark McKenna (JIRA)"
To: dev@brooklyn.apache.org
Date: Mon, 27 Mar 2017 17:20:41 +0000 (UTC)
Subject: [jira] [Commented] (BROOKLYN-456) "SSLException: internal_error" upon trying to connect to site requiring SNI

[ https://issues.apache.org/jira/browse/BROOKLYN-456?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15943671#comment-15943671 ]

Mark McKenna commented on BROOKLYN-456:
---------------------------------------

[~geomacy] I just tried the below test code pointing at https://httpbin.org/get and it worked ...
Although I believe there is something up with the SSL cert as I had to trust all certs

{code}
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;

import org.apache.http.HttpEntity;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.ResponseHandler;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.util.EntityUtils;

public void testApacheHttpClent() throws IOException, KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
    // Trust-all strategy plus no-op hostname verifier: certificate chain and hostname are not checked
    final CloseableHttpClient httpclient = HttpClients.custom()
            .setSSLContext(new SSLContextBuilder().loadTrustMaterial((chain, authType) -> true).build())
            .setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE)
            .build();
    try {
        final HttpGet httpget = new HttpGet("https://httpbin.org/get");
        System.out.println("Executing request " + httpget.getRequestLine());

        // Create a custom response handler that returns the body for 2xx and fails otherwise
        final ResponseHandler<String> responseHandler = response -> {
            int status = response.getStatusLine().getStatusCode();
            if (status >= 200 && status < 300) {
                final HttpEntity entity = response.getEntity();
                return entity != null ? EntityUtils.toString(entity) : null;
            } else {
                throw new ClientProtocolException("Unexpected response status: " + status);
            }
        };
        String responseBody = httpclient.execute(httpget, responseHandler);
        System.out.println("----------------------------------------");
        System.out.println(responseBody);
    } finally {
        httpclient.close();
    }
}
{code}

cc [~aled.sage@gmail.com]

> "SSLException: internal_error" upon trying to connect to site requiring SNI
> ---------------------------------------------------------------------------
>
>                 Key: BROOKLYN-456
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-456
>             Project: Brooklyn
>          Issue Type: Bug
>            Reporter: Geoff Macartney
>            Priority: Minor
>
> On 17th March brooklyn-server builds began failing, such as https://builds.apache.org/view/Brooklyn/job/brooklyn-server-master/492/.
> The errors were failures in tests
> {quote}
> org.apache.brooklyn.camp.brooklyn.HttpCommandEffectorYamlRebindTest.testRebindWhenHealthy
> org.apache.brooklyn.camp.brooklyn.HttpCommandEffectorYamlTest.testHttpCommandEffectorWithParameters
> org.apache.brooklyn.camp.brooklyn.CompositeEffectorYamlRebindTest.testRebindWhenHealthy
> org.apache.brooklyn.camp.brooklyn.CompositeEffectorYamlTest.testCompositeEffector
> {quote}
> all of which issued requests to "https://httpbin.org" for test purposes.
> There seems to have been a change in configuration on httpbin.org on the 16th of March, see [here|https://lists.apache.org/thread.html/2d7bfb556b5459590d266d079043861bc34c0b921a2b5346ae9fd8ae@%3Cdev.brooklyn.apache.org%3E].
> However the certificate changes appear not to be the problem, as far as I can tell, as the certificate chain from the site has root "Let's Encrypt Authority X3" (SHA1 Fingerprint=E6:A3:B4:5B:06:2D:50:9B:33:82:28:2D:19:6E:FE:97:D5:95:6C:CB), which is signed by CA "DST Root CA X3" (Certificate fingerprint DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13), which is in the cacerts file of Java 8 by default.
> I believe the problem lies on the Java SSL client side, specifically that the client is not including the SNI (Server Naming Indicator) extension in the SSL handshake. httpbin requires this, compare
> {code}
> openssl s_client -showcerts -connect httpbin.org:443
> CONNECTED(00000003)
> 7944:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s23_lib.c:185:
> {code}
> with the output from
> {code}
> openssl s_client -servername httpbin.org -showcerts -connect httpbin.org:443
> {code}
> The result is that the connection attempt fails with
> {code}
> SSLException: Received fatal alert: internal_error
> {code}
> Searching around the web there seem to be a number of other people who have encountered this problem, e.g. https://forums.aws.amazon.com/message.jspa?messageID=669911. The issue seems to be fixed only in Java 9, but there may be workarounds on 7 and 8. I haven't tried these out yet.
> I will look at adding a test in Brooklyn to record this.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
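Added example, not code from the issue, the comment above or the Brooklyn code base: a plain JSSE probe that reproduces the SNI versus no-SNI comparison the reporter made with openssl, while keeping the JDK default trust store and hostname verification rather than trusting all certificates as the commented snippet does. The class name SniProbe is assumed; the default host is the httpbin.org endpoint from the issue.

```java
import java.io.IOException;
import java.util.Collections;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Assumed class name; probes whether a TLS server accepts a handshake with and without SNI. */
public class SniProbe {

    /** Handshakes with host:port and returns the subject of the server certificate. */
    static String handshake(String host, int port, boolean sendSni) throws IOException {
        // Default factory: JDK cacerts trust store, so the chain up to DST Root CA X3 is checked
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            // Hostname verification stays on (HTTPS rules), unlike NoopHostnameVerifier
            params.setEndpointIdentificationAlgorithm("HTTPS");
            if (sendSni) {
                // Explicit server_name extension, equivalent to openssl s_client -servername
                params.setServerNames(Collections.singletonList(new SNIHostName(host)));
            } else {
                // An empty list tells JSSE to send no server_name extension at all
                params.setServerNames(Collections.emptyList());
            }
            socket.setSSLParameters(params);
            socket.startHandshake();
            return socket.getSession().getPeerPrincipal().getName();
        }
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "httpbin.org";
        for (boolean sni : new boolean[] {true, false}) {
            try {
                System.out.println("SNI=" + sni + " -> " + handshake(host, 443, sni));
            } catch (IOException e) {
                // On a server that requires SNI the second run fails with
                // "Received fatal alert: internal_error", as the issue describes
                System.out.println("SNI=" + sni + " -> " + e);
            }
        }
    }
}
```

Running it against a host that requires SNI gives a certificate subject for the first run and the alert for the second; if the first run also fails, the problem is trust or hostname verification, not SNI.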