From Anthony Baker <aba...@pivotal.io>
Subject Re: trying to implement SSL configuration
Date Mon, 11 Jun 2018 23:21:01 GMT
You may want to enable SSL debugging: -Djavax.net.debug=all

https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html


Anthony


> On Jun 11, 2018, at 3:49 PM, Udo Kohlmeyer <ukohlmeyer@pivotal.io> wrote:
> 
> Hi there,
> 
> Have you tried the following?
> 
> https://docs.oracle.com/cd/E19798-01/821-1841/gjrgy/index.html
> 
> I have not tried to use a PKCS12 keystore type. Was there a particular reason why you are using it? Could you try with a JKS?
> 
> --Udo
> 
> On 6/11/18 03:31, Liron Ben Ari wrote:
>> Hello team.
>> I am trying to move my Client server to work with SSL as part of a Security POC we are running.
>> I was going through the GEODE documents (there are a lot! :)) and there were a lot of different options...
>> 
>> This is the configuration I used:
>> 
>> I've generated the keystore & certificate using a private tool (that uses openssl + keytool)
>> 
>> For the client:
>>  a file containing a PEM encoded X.509 certificate and a PEM encoded PKCS#8 encrypted private key
>> For the server:
>> PKCS#12 - this part works, as we could see openssl s_client return the chain
>> 
>> In the gemfire.properties file I used:
>> 
>> ssl-enabled-components=all
>> ssl-protocols=any
>> ssl-ciphers=SSL_RSA_WITH_NULL_SHA       // I've tried both options (empty as well)
>> ssl-keystore-type=PKCS12
>> ssl-keystore=/users/xpiwrk1/Amdocs-Test-CA/pki/private/server4.p12
>> ssl-keystore-password=changeme
>> ssl-truststore-type=JKS
>> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.jks
>> ssl-truststore-password=changeit
>> 
>> on the Client Side I used the PEM format:
>> gfcpp1.properties:
>> ssl-enabled=true
>> ssl-keystore=/tmp/server4.pem
>> ssl-keystore-password=changeme
>> ssl-truststore=/users/xpiwrk1/Amdocs-Test-CA/AmdocsTestCA-Trust.pem
>> 
>> This is the error I am getting from the server (locator) when the client is trying to connect:
>> [info 2018/06/11 11:46:40.907 IDT eaasrt-locator <locator request thread[16]> tid=0x55] Exception in processing request from 192.168.2.100
>> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>         at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
>>         at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
>>         at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
>>         at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
>>         at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
>>         at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
>>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
>>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
>>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
>>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
>>         at org.apache.geode.internal.net.SocketCreator.configureServerSSLSocket(SocketCreator.java:1013)
>>         at org.apache.geode.distributed.internal.tcpserver.TcpServer.lambda$processRequest$0(TcpServer.java:366)
>>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>         at java.lang.Thread.run(Thread.java:748)
>> Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>         at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
>>         at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
>>         at sun.security.validator.Validator.validate(Validator.java:260)
>>         at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
>>         at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:227)
>>         at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:118)
>>         at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1888)
>>         ... 12 more
>> Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>>         at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
>> :
>> 
>> These are the errors I am getting from the client:
>> 
>> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>> ACE_SSL (45715|140151217246912) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>> ACE_SSL (45715|140147953735424) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>> ACE_SSL (45715|140148921374464) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>> ACE_SSL (45715|140148896196352) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>> ACE_SSL (45715|140148004091648) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>> ACE_SSL (45715|140147978913536) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>> ACE_SSL (45715|140148398352128) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>> ACE_SSL (45715|140148373174016) error code: 336151574 - error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown
>> 
>> Any help will be appreciated!!
>> 
>> Thanks.
>> 
> 
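A note on the trace above, from an editor rather than anyone in the thread: the exception is raised in ServerHandshaker.clientCertificate and X509TrustManagerImpl.checkClientTrusted, so it is the locator rejecting the client's certificate, not the other way round. The CA that issued the certificate in /tmp/server4.pem has to be present in the locator's truststore (AmdocsTestCA-Trust.jks), and the client's "sslv3 alert certificate unknown" is simply the alert the locator sends back after that check fails. The script below is an added example, not code from the thread or from Geode: it rebuilds that situation with openssl alone, using constructed CA names (TrustedTestCA, OtherTestCA), a scratch OpenSSL config and a temporary directory, and shows the same client certificate being accepted once its issuing CA is in the trust bundle.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the locator's verdict
# ("PKIX path building failed ... unable to find valid certification path")
# with openssl alone, then show the same client certificate passing once its
# issuing CA is present in the trust bundle. Every CA name, file name and
# certificate below is constructed in a scratch directory; nothing here
# touches the keystores mentioned in the mailing-list message.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the result does not depend on /etc/ssl/openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_ca NAME: self-signed CA certificate and key in $WORK/NAME.pem and NAME.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -config "$WORK/openssl.cnf" -extensions ca_ext \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# make_client_cert CA NAME: key and CSR for NAME, signed by CA as a TLS client cert
make_client_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -config "$WORK/openssl.cnf" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/openssl.cnf" -extensions client_ext \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# check_client_cert TRUST_BUNDLE CLIENT_CERT: the question the locator's
# X509TrustManager.checkClientTrusted asks of its truststore, i.e. does the
# presented certificate chain to a trusted anchor and is it usable for client
# authentication. Prints "trusted" (exit 0) or "untrusted" (exit 1).
check_client_cert() {
    if openssl verify -no-CApath -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
        return 1
    fi
}

# Constructed scenario: the locator trusts only TrustedTestCA, but the
# client's certificate was issued by OtherTestCA.
make_ca TrustedTestCA
make_ca OtherTestCA
make_client_cert OtherTestCA client
cp "$WORK/TrustedTestCA.pem" "$WORK/truststore-before.pem"
# The fix: the issuing CA is added to the trust bundle. For a JKS truststore
# keytool -importcert does the same job as this cat.
cat "$WORK/TrustedTestCA.pem" "$WORK/OtherTestCA.pem" > "$WORK/truststore-after.pem"

# Both verdicts in one call; exit 0 only if the scenario behaves as described
# (untrusted before the issuing CA is added, trusted afterwards).
scenario_verdicts() {
    before="$(check_client_cert "$WORK/truststore-before.pem" "$WORK/client.pem" || true)"
    after="$(check_client_cert "$WORK/truststore-after.pem" "$WORK/client.pem" || true)"
    echo "before adding issuing CA: $before"
    echo "after adding issuing CA:  $after"
    [ "$before" = untrusted ] && [ "$after" = trusted ]
}

scenario_verdicts
```

The script needs only openssl on PATH. The "before" verdict is the openssl equivalent of the locator's PKIX failure; the "after" verdict is what the locator should report once the client's issuing CA is imported into its truststore, for a JKS with `keytool -importcert -trustcacerts -alias <issuer-alias> -file <issuer-ca>.pem -keystore AmdocsTestCA-Trust.jks` (alias and file name are placeholders). Separately from the trust problem, SSL_RSA_WITH_NULL_SHA is a NULL cipher suite: it authenticates and integrity-protects the connection but sends application data unencrypted, so it is only suitable for a lab experiment, not for a deployment.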

