cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: CXF using SSL: Remote host closed connection during handshake
Date Tue, 22 May 2012 14:12:03 GMT
There are three places you need to change 443 to 4443 - have you
changed all of them?

Colm.

On Tue, May 22, 2012 at 3:07 PM, Thomas Pischulski
<nephix0r@googlemail.com> wrote:
> Hey,
>
> when I change the port from 443 to 4443 I get
> 'java.lang.RuntimeException: Protocol mismatch for port 4443: engine's
> protocol is http, the url protocol is https' running under windows.
>
> I'm also using Eclipse 3.7.2. I just upgraded to JDK 1.7.04 and made
> sure 1.7.04 is used by both OSGi bundles in their build-path and in
> their MANIFEST.MF, and I get the same exception. I really don't know
> what to do right now.
>
> Here's the complete stacktrace after I invoked the webservice:
> http://nopaste.info/c0108621d5.html
>
> On 5/22/2012 3:40 PM, Colm O hEigeartaigh wrote:
>> Ok that works fine for me if I change the 3 instances of "443" to
>> "4443". It also works with a clean JDK 1.7.04 install with no
>> unlimited security policies installed. What version of eclipse are
>> you using? I'm using 3.7.2.
>>
>> Colm.
>>
>> On Tue, May 22, 2012 at 12:29 PM, Thomas Pischulski
>> <nephix0r@googlemail.com> wrote:
>>> Heyho,
>>>
>>> ok I put the current version I have out there:
>>> http://www1.inf.tu-dresden.de/~s9494545/ssl_minimal_example.zip
>>>
>>>> What 1.7 revision are you using? Have you checked to see that
>>>> the same JDK instance is being used by eclipse?
>>>
>>> Not sure, where can I see my current revision? In Eclipse the JRE
>>> 1.7 (C:\Program Files\Java\jre7) was running, that came by
>>> installing the JDK 1.7 (C:\Program Files\Java\jdk1.7.0). I
>>> configured both in Eclipse and ran the project within both
>>> environments, both failed.
>>>
>>>>
>>>> Colm.
>>>>
>>>> On Tue, May 22, 2012 at 11:54 AM, Thomas Pischulski
>>>> <nephix0r@googlemail.com> wrote:
>>>>> I didn't change much, I just added this filter that you've
>>>>> posted and I'm pretty sure it will still run properly on your
>>>>> workstation. I think my java environment is wrongly
>>>>> configured.
>>>>>
>>>>> I just cleaned up all JREs/JDKs and reinstalled JDK 1.7 with
>>>>> JRE 1.7.
>>>>>
>>>>> I copied
>>>>>
>>>>> local_policy.jar and US_export_policy.jar
>>>>>
>>>>> from the UnlimitedJCEPolicyJDK7
>>>>>
>>>>> to C:\Program Files\Java\jdk1.7.0\jre\lib\security and
>>>>> C:\Program Files\Java\jre7\lib\security
>>>>>
>>>>> then restarted Eclipse and ran my bundles again to get the
>>>>> same SSLException and all those 'Ignoring unsupported cipher
>>>>> suite' messages.
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Thomas
>>>>>
>>>>> On 5/22/2012 12:40 PM, Colm O hEigeartaigh wrote:
>>>>>> What JDK are you using? As a sanity check, could you create
>>>>>> a new zip that includes the AES cipher filter and changes
>>>>>> the port from 443 -> 4443 (I'm using linux)? I'll try again
>>>>>> to see if it works without any changes.
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Tue, May 22, 2012 at 11:33 AM, Thomas Pischulski
>>>>>> <nephix0r@googlemail.com> wrote:
>>>>>>> Heyho,
>>>>>>>
>>>>>>>
>>>>>>>>> by copying all jars into <jdk-home>/lib/security
>>>>>>>> You need to copy them into <jdk.home>/jre/lib/security
>>>>>>>
>>>>>>> Hm ok I did that too, still the same error :( I also
>>>>>>> tried including both jar-files from JCE into my build
>>>>>>> path, same results.
>>>>>>>
>>>>>>>>
>>>>>>>>> Did you mean that? Does my example work on your
>>>>>>>>> workstation?
>>>>>>>>
>>>>>>>> Yes (with the cipher-suite changes).
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Tue, May 22, 2012 at 11:19 AM, Thomas Pischulski
>>>>>>>> <nephix0r@googlemail.com> wrote:
>>>>>>>>> I installed that:
>>>>>>>>> http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
>>>>>>>>>
>>>>>>>>> by copying all jars into <jdk-home>/lib/security
>>>>>>>>>
>>>>>>>>> Did you mean that? Does my example work on your
>>>>>>>>> workstation?
>>>>>>>>>
>>>>>>>>> On 5/22/2012 12:11 PM, Colm O hEigeartaigh wrote:
>>>>>>>>>> Have you installed the unrestricted security
>>>>>>>>>> policies in your JDK?
>>>>>>>>>>
>>>>>>>>>> Colm.
>>>>>>>>>>
>>>>>>>>>> On Tue, May 22, 2012 at 11:02 AM, Thomas
>>>>>>>>>> Pischulski <nephix0r@googlemail.com> wrote:
>>>>>>>>>>> Hey Colm,
>>>>>>>>>>>
>>>>>>>>>>> thanks for your efforts. That's indeed simple but
>>>>>>>>>>> I still get the same SSLException. Does that
>>>>>>>>>>> require some third-party jar files in my
>>>>>>>>>>> java-environment? I also get a bunch of "ignoring
>>>>>>>>>>> unsupported cipher suite" messages like:
>>>>>>>>>>>
>>>>>>>>>>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
>>>>>>>>>>> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
>>>>>>>>>>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>>>>>>>>>>> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
>>>>>>>>>>> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
>>>>>>>>>>> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
>>>>>>>>>>> Ignoring unsupported cipher suite: TLS_RSA_WITH_NULL_SHA256
>>>>>>>>>>> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
>>>>>>>>>>> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
>>>>>>>>>>> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>>>>>>>>>>> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
>>>>>>>>>>> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
>>>>>>>>>>> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>>>>>>>>>>> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
>>>>>>>>>>> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
>>>>>>>>>>>
>>>>>>>>>>> that all include "AES". Seems like I'm still
>>>>>>>>>>> missing something?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>>
>>>>>>>>>>> Thomas
>>>>>>>>>>>
>>>>>>>>>>> On 5/22/2012 11:54 AM, Colm O hEigeartaigh
>>>>>>>>>>> wrote:
>>>>>>>>>>>> Hi Thomas,
>>>>>>>>>>>>
>>>>>>>>>>>> Great, I was able to reproduce the problem. The
>>>>>>>>>>>> fix is quite simple, you need to add the
>>>>>>>>>>>> following ciphersuite filter to both the
>>>>>>>>>>>> webservice and webservice-consumer:
>>>>>>>>>>>>
>>>>>>>>>>>> filter.getInclude().add(".*_WITH_AES_.*");
>>>>>>>>>>>>
>>>>>>>>>>>> JDK 1.7 does not include DES cipher suites and
>>>>>>>>>>>> so you need to add AES.
>>>>>>>>>>>>
>>>>>>>>>>>> Colm.
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, May 22, 2012 at 9:55 AM, Thomas
>>>>>>>>>>>> Pischulski <nephix0r@googlemail.com> wrote:
>>>>>>>>>>>>> Hey Colm,
>>>>>>>>>>>>>
>>>>>>>>>>>>> I'll try, it's quite a lot to set up. (This
>>>>>>>>>>>>> is made with eclipse btw)
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1) Download
>>>>>>>>>>>>> http://search.maven.org/remotecontent?filepath=org/apache/cxf/dosgi/cxf-dosgi-ri-singlebundle-distribution/1.3/cxf-dosgi-ri-singlebundle-distribution-1.3.jar
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2) Right-click package explorer -> Import -> Plug-ins and
>>>>>>>>>>>>> Fragments -> Import From Directory where the jar is
>>>>>>>>>>>>> located -> Next -> Select
>>>>>>>>>>>>> single-bundle-distribution -> Add -> Finish
>>>>>>>>>>>>>
>>>>>>>>>>>>> 3) Download & unzip
>>>>>>>>>>>>> http://www1.inf.tu-dresden.de/~s9494545/ssl_minimal_example.zip
>>>>>>>>>>>>>
>>>>>>>>>>>>> 4) Right-click package explorer -> Import -> Plug-ins and
>>>>>>>>>>>>> Fragments -> Import From Directory where the extracted
>>>>>>>>>>>>> directory is located -> Next -> Select
>>>>>>>>>>>>> "webservice" & "webservice-consumer" -> Add
>>>>>>>>>>>>> -> Finish
>>>>>>>>>>>>>
>>>>>>>>>>>>> 5) Right-click on webservice bundle -> Run As
>>>>>>>>>>>>> -> Run Configurations
>>>>>>>>>>>>>
>>>>>>>>>>>>> 6) Select OSGi-Framework and click "New
>>>>>>>>>>>>> Launch Configuration" on the upper left
>>>>>>>>>>>>>
>>>>>>>>>>>>> 7) In the bundles-tab click "Deselect All",
>>>>>>>>>>>>> select all three bundles "cxf-dosgi-*",
>>>>>>>>>>>>> "webservice" and "webservice-consumer" and
>>>>>>>>>>>>> make sure that Auto-start is set to "true" in
>>>>>>>>>>>>> all three.
>>>>>>>>>>>>>
>>>>>>>>>>>>> 6) Click "Add required bundles"
>>>>>>>>>>>>>
>>>>>>>>>>>>> 7) Go to "Arguments"-tab and add
>>>>>>>>>>>>> "-Djavax.net.debug=all" to VM arguments (this
>>>>>>>>>>>>> will give you a more detailed output about
>>>>>>>>>>>>> the SSL stuff happening)
>>>>>>>>>>>>>
>>>>>>>>>>>>> 8) Click apply and run
>>>>>>>>>>>>>
>>>>>>>>>>>>> It now takes some time to start everything,
>>>>>>>>>>>>> also some small GUI should pop up sooner or
>>>>>>>>>>>>> later for invoking the webservice.
>>>>>>>>>>>>>
>>>>>>>>>>>>> You should also get some debug-output like
>>>>>>>>>>>>> '[SSLWebService] Service published at
>>>>>>>>>>>>> https://localhost:443/hello'. If I try to
>>>>>>>>>>>>> access this site I get an 'SSL connection
>>>>>>>>>>>>> error'.
>>>>>>>>>>>>>
>>>>>>>>>>>>> If I try to invoke the webservice with the
>>>>>>>>>>>>> popped up GUI I get the 'Unrecognized SSL
>>>>>>>>>>>>> message, plaintext
>>>>>>>>>>>>> connection?'-SSLException.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Your OSGi-Run Configuration is now still
>>>>>>>>>>>>> available if you click this green "play"
>>>>>>>>>>>>> button in eclipse.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hope that helps
>>>>>>>>>>>>>
>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thomas
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 5/22/2012 10:34 AM, Colm O hEigeartaigh
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>> Hi Thomas,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Can you give me more detailed instructions
>>>>>>>>>>>>>> about how to reproduce the error given the
>>>>>>>>>>>>>> sample? I know little about dosgi.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Colm.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Tue, May 22, 2012 at 7:36 AM, Thomas
>>>>>>>>>>>>>> Pischulski <nephix0r@googlemail.com>
>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>> Bump.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
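
The ciphersuite include filter discussed in this thread, shown as an added example (not code from the posters or from CXF): it applies include and exclude regexes to the suites the running JVM supports, using only JDK classes, so you can see what a filter leaves before a handshake fails. The class name `CipherFilterCheck`, its helpers, the constructed DES-only pattern and the NULL/anon exclude patterns are assumptions; full-match regex semantics are assumed as well.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

// Added illustration; the class and helper names are hypothetical, not CXF API.
public class CipherFilterCheck {

    // Keep a suite if it fully matches an include regex and no exclude regex.
    static List<String> select(String[] suites, List<String> include, List<String> exclude) {
        List<String> kept = new ArrayList<String>();
        for (String suite : suites) {
            if (matchesAny(suite, include) && !matchesAny(suite, exclude)) {
                kept.add(suite);
            }
        }
        return kept;
    }

    static boolean matchesAny(String suite, List<String> patterns) {
        for (String p : patterns) {
            if (Pattern.matches(p, suite)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Suites this JVM can actually negotiate; differs per JDK version and vendor.
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();

        // Assumed excludes: never offer unencrypted or unauthenticated suites.
        List<String> exclude = Arrays.asList(".*_NULL_.*", ".*_anon_.*");

        // Constructed DES-only include vs. the AES include from the thread.
        List<String> desOnly = select(supported, Arrays.asList(".*_WITH_DES_.*"), exclude);
        List<String> withAes = select(supported, Arrays.asList(".*_WITH_AES_.*"), exclude);

        System.out.println("DES-only filter keeps " + desOnly.size() + " suite(s)");
        System.out.println("AES filter keeps " + withAes.size() + " suite(s):");
        for (String suite : withAes) {
            System.out.println("  " + suite);
        }
        if (withAes.isEmpty()) {
            System.out.println("No usable suite: the handshake cannot succeed with this filter.");
        }
    }
}
```

Run it with the same JRE that Eclipse launches the bundles with, since the supported list is per JVM. On current JDKs the TLS 1.3 suite names (for example `TLS_AES_128_GCM_SHA256`) contain no `_WITH_`, so this include pattern does not select them.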
