continuum-issues mailing list archives

From "Brent N Atkinson (JIRA)" <j...@codehaus.org>
Subject [jira] (CONTINUUM-2501) Exception while downloading pom from https url
Date Sun, 01 Feb 2015 02:25:18 GMT

    [ https://jira.codehaus.org/browse/CONTINUUM-2501?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=362270#comment-362270 ]

Brent N Atkinson commented on CONTINUUM-2501:
---------------------------------------------

After reading http://blog.yuriytkach.com/2011/10/javaxnetsslsslexception-badrecordmac.html,
I was able to reproduce this error locally using an Apache Httpd server configured only for
SSLv3. The problem, as the article states, is not with certificates, but with attempting to
negotiate an unsupported protocol to a server that only supports SSLv3. Though this behavior
is no longer present in later versions of the JDK (I tried on 6 & 7), I could repeat the
problem through manual configuration of the security subsystem (using {{-Dhttps.protocols}}).

The version of httpd for reference:
{code}
$ apache2 -version
Server version: Apache/2.4.7 (Ubuntu)
Server built:   Jul 22 2014 14:36:38
{code}

I enabled only the SSLv3 protocol by changing the apache configuration to read:
{code}
# Enable only the SSLv3 protocol
SSLProtocol SSLv3
{code}

Using the attached tryssl program, I was able to confirm that the problem was no longer the
same under Java 6. This is apparently because SSLv3 is now disabled due to security vulnerabilities:

{code}
$ /usr/lib/jvm/java-6-oracle/bin/java -jar tryssl-1.0-SNAPSHOT.jar "https://192.168.11.15/pom.xml"
Exception in thread "main" javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:882)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1195)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
	at TrySSL.main(TrySSL.java:40)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
	at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:462)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:863)
	... 8 more
{code}

The error given by Java 7 is more descriptive:

{code}
$ /usr/lib/jvm/java-7-oracle/bin/java -jar tryssl-1.0-SNAPSHOT.jar "https://192.168.11.15/pom.xml"
Exception in thread "main" javax.net.ssl.SSLHandshakeException: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.
	at sun.security.ssl.ClientHandshaker.serverHello(ClientHandshaker.java:445)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:199)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:837)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1301)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
	at TrySSL.main(TrySSL.java:40)
{code}

Using the {{https.protocols}} system property, I was able to successfully fetch content by
enabling the SSLv3 protocol (it does the same thing as the attached patch, without requiring
code changes):

{code}
/usr/lib/jvm/java-6-oracle/bin/java -Dhttps.protocols=SSLv3 -jar tryssl-1.0-SNAPSHOT.jar "https://192.168.11.15/pom.xml"
<?xml version="1.0" encoding="windows-1252"?>
<!--
   Licensed to the Apache Software Foundation (ASF) under one or more
   contributor license agreements.  See the NOTICE file distributed with
....
{code}

Finally, I was able to reproduce the exact error message by specifying both TLSv1 and SSLv3,
which causes the java security subsystem to attempt negotiation to the SSLv3 server using
TLS:

{code}
$ /usr/lib/jvm/java-6-oracle/bin/java -Dhttps.protocols=TLSv1,SSLv3 -jar tryssl-1.0-SNAPSHOT.jar "https://192.168.11.15/pom.xml"
Exception in thread "main" javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
	at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1004)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1195)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
	at TrySSL.main(TrySSL.java:40)
{code}

Given that this can be configured using system properties, the patch essentially forces using
SSLv3 and nothing else, and no one should be using SSLv3 for security reasons, I'm going to
reject this.

> Exception while downloading pom from https url
> ----------------------------------------------
>
>                 Key: CONTINUUM-2501
>                 URL: https://jira.codehaus.org/browse/CONTINUUM-2501
>             Project: Continuum
>          Issue Type: Bug
>          Components: Core system
>    Affects Versions: 1.2.3, 1.3.6, 1.4.0 (Beta), 1.4.1
>            Reporter: Vlado Pesov
>            Assignee: Brent N Atkinson
>            Priority: Minor
>             Fix For: 1.5.0
>
>         Attachments: EasySSLSocketFactory.patch, tryssl.tgz
>
>
> The exception is because the http client cannot handle certificates for SSLv3 protocol,
> so this support must be explicitly enabled. Here is the exception:
> Could not download the URL: https://xxxxxx:*****@hostname.com/project/pom.xml
> javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException:
> Received fatal alert: bad_record_mac
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1267)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1279)
>         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:43)
>         at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:87)
>         at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:94)
>         at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:171)
>         at org.apache.http.impl.SocketHttpClientConnection.close(SocketHttpClientConnection.java:192)
>         at org.apache.http.impl.conn.DefaultClientConnection.close(DefaultClientConnection.java:161)
>         at org.apache.http.impl.conn.AbstractPooledConnAdapter.close(AbstractPooledConnAdapter.java:158)
>         at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125)
>         at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:410)
>         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
>         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
>         at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
>         at org.apache.maven.continuum.project.builder.AbstractContinuumProjectBuilder.createMetadataFile(AbstractContinuumProjectBuilder.java:122)
>         at org.apache.maven.continuum.project.builder.AbstractContinuumProjectBuilder.createMetadataFile(AbstractContinuumProjectBuilder.java:244)
>         at org.apache.maven.continuum.project.builder.maven.MavenTwoContinuumProjectBuilder.readModules(MavenTwoContinuumProjectBuilder.java:149)
>         at org.apache.maven.continuum.project.builder.maven.MavenTwoContinuumProjectBuilder.buildProjectsFromMetadata(MavenTwoContinuumProjectBuilder.java:124)
>         at org.apache.maven.continuum.core.action.CreateProjectsFromMetadataAction.execute(CreateProjectsFromMetadataAction.java:152)
>         at org.apache.maven.continuum.DefaultContinuum.executeAction(DefaultContinuum.java:2759)
>         at org.apache.maven.continuum.DefaultContinuum.executeAddProjectsFromMetadataActivity(DefaultContinuum.java:1569)
>         at org.apache.maven.continuum.DefaultContinuum.executeAddProjectsFromMetadataActivity(DefaultContinuum.java:1815)
>         at org.apache.maven.continuum.DefaultContinuum.addMavenTwoProject(DefaultContinuum.java:1365)
>         at org.apache.maven.continuum.web.action.AddMavenTwoProjectAction.doExecute(AddMavenTwoProjectAction.java:109)
>         at org.apache.maven.continuum.web.action.AddMavenProjectAction.execute(AddMavenProjectAction.java:189)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at com.opensymphony.xwork2.DefaultActionInvocation.invokeAction(DefaultActionInvocation.java:404)
>         at com.opensymphony.xwork2.DefaultActionInvocation.invokeActionOnly(DefaultActionInvocation.java:267)
>         at org.apache.struts2.interceptor.BackgroundProcess$1.run(BackgroundProcess.java:56)
>         at java.lang.Thread.run(Thread.java:619)
>  Caused by: javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
>         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
>         at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1694)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:939)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
>         at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
>         at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:87)
>         at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:94)
>         at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:171)
>         at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:176)
>         at org.apache.http.impl.conn.AbstractClientConnAdapter.flush(AbstractClientConnAdapter.java:221)
>         at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:240)
>         at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:119)
>         ... 23 more



--
This message was sent by Atlassian JIRA
(v6.1.6#6162)
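The defender's counterpart to the attached tryssl program, as an added example that is not part of the ticket or the Continuum code base: it warns when the JVM-wide {{https.protocols}} property would re-enable SSLv3 (the misconfiguration reproduced above), then handshakes with a host while offering only TLS, so an SSLv3-only server such as the {{SSLProtocol SSLv3}} httpd in this ticket fails loudly instead of being accommodated. It assumes Java 7 or later and a host/port supplied on the command line (the default host is the one from the ticket's transcripts).

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class TlsProbe {
    // Client policy (assumed for this example): offer only TLS; SSLv3 is never enabled.
    private static final String[] POLICY = {"TLSv1.3", "TLSv1.2"};

    /** True if the JVM-wide https.protocols property (used by HttpsURLConnection) lists SSLv3. */
    static boolean sslv3EnabledByProperty() {
        String prop = System.getProperty("https.protocols", "");
        return Arrays.asList(prop.split(",")).contains("SSLv3");
    }

    /** Handshakes with host:port offering only POLICY protocols; returns the negotiated version. */
    static String negotiatedProtocol(String host, int port) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket sock = (SSLSocket) factory.createSocket(host, port)) {
            // Intersect the policy with what this JVM implements (an old JDK may lack TLSv1.2/1.3);
            // setEnabledProtocols() throws IllegalArgumentException for unknown names.
            List<String> supported = Arrays.asList(sock.getSupportedProtocols());
            List<String> offer = new ArrayList<>();
            for (String p : POLICY) if (supported.contains(p)) offer.add(p);
            if (offer.isEmpty()) {
                throw new IllegalStateException("JVM supports none of " + Arrays.toString(POLICY));
            }
            sock.setEnabledProtocols(offer.toArray(new String[0]));
            sock.startHandshake();
            return sock.getSession().getProtocol();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "192.168.11.15"; // host from the ticket
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        if (sslv3EnabledByProperty()) {
            System.err.println("warning: https.protocols enables SSLv3 for HttpsURLConnection in this JVM");
        }
        try {
            System.out.println("Negotiated " + negotiatedProtocol(host, port) + " with " + host + ":" + port);
        } catch (SSLHandshakeException e) {
            // An SSLv3-only server lands here; the fix belongs on the server, not in the client's protocol list.
            System.err.println("Handshake failed, server offers no TLS version we accept: " + e.getMessage());
            System.exit(1);
        }
    }
}
```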
