Return-Path: Delivered-To: apmail-hc-dev-archive@www.apache.org Received: (qmail 14712 invoked from network); 10 Mar 2011 22:57:22 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 10 Mar 2011 22:57:22 -0000 Received: (qmail 63802 invoked by uid 500); 10 Mar 2011 22:57:22 -0000 Delivered-To: apmail-hc-dev-archive@hc.apache.org Received: (qmail 63751 invoked by uid 500); 10 Mar 2011 22:57:22 -0000 Mailing-List: contact dev-help@hc.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "HttpComponents Project" Delivered-To: mailing list dev@hc.apache.org Received: (qmail 63743 invoked by uid 99); 10 Mar 2011 22:57:22 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 10 Mar 2011 22:57:22 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED,T_RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.116] (HELO hel.zones.apache.org) (140.211.11.116) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 10 Mar 2011 22:57:21 +0000 Received: from hel.zones.apache.org (hel.zones.apache.org [140.211.11.116]) by hel.zones.apache.org (Postfix) with ESMTP id CC9FE3A310A for ; Thu, 10 Mar 2011 22:57:00 +0000 (UTC) Date: Thu, 10 Mar 2011 22:57:00 +0000 (UTC) From: "Oleg Kalnichevski (JIRA)" To: dev@hc.apache.org Message-ID: <2128195996.12086.1299797820834.JavaMail.tomcat@hel.zones.apache.org> In-Reply-To: <671655417.12013.1299796805816.JavaMail.tomcat@hel.zones.apache.org> Subject: [jira] Closed: (HTTPCLIENT-1070) misleading javax.net.ssl.SSLPeerUnverifiedException thrown when cause is due to non SSL related IOException (e.g. java.net.SocketException: Connection reset) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HTTPCLIENT-1070?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Oleg Kalnichevski closed HTTPCLIENT-1070. ----------------------------------------- > misleading javax.net.ssl.SSLPeerUnverifiedException thrown when cause is due to non SSL related IOException (e.g. java.net.SocketException: Connection reset) > ------------------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: HTTPCLIENT-1070 > URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1070 > Project: HttpComponents HttpClient > Issue Type: Bug > Components: HttpClient > Affects Versions: 4.1 Final > Environment: mac os x > Reporter: Thuy Tran > Labels: security > > I have code that continually executes an http get request to a web server that requires server side authentication. I have the appropriate certificate in the truststore and generally, it executes without a problem. > System.setProperty("javax.net.ssl.trustStore", sslTrustStore); > HttpGet httpGet = new HttpGet(uri); > DefaultHttpClient client = new DefaultHttpClient(); > HttpResponse response = null; > try { > response = httpClient.execute(httpGet); > //do something with response > } catch (IOException e) { > // have caught SSLPeerUnverifiedException > } catch (ClientProtocolException e) { > //log it > } > However, even after many successful requests, it can still get a javax.net.ssl.SSLPeerUnverifiedException. I turned ssl debug on (-Djavax.net.debug=ssl) and noticed that this can occur if during the ssl handshake, it gets a "java.net.SocketException: Connection reset": > Thread-1, WRITE: TLSv1 Handshake, length = 113 > Thread-1, handling exception: java.net.SocketException: Connection reset > Thread-1, SEND TLSv1 ALERT: fatal, description = unexpected_message > Thread-1, WRITE: TLSv1 Alert, length = 2 > Thread-1, Exception sending alert: java.net.SocketException: Broken pipe > Thread-1, called closeSocket() > Thread-1, IOException in getSession(): java.net.SocketException: Connection reset > Thread-1, called close() > Thread-1, called closeInternal(true) > The stack trace shows that it's due to the use of com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(): > 03/01/11 15:48:56 PM EST [Thread-1] WARN - IOException sending request to server > javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated > at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352) > at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128) > at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390) > at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148) > at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149) > at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121) > at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:562) > at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415) > at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820) > at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:754) > at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:732) > at mil.disa.common.http.HttpUtil.executeHttpRequest(HttpUtil.java:253) > So I swapped out the code to use java.net.URLConnection class to send the request rather than HttpClient and noticed that if a SocketException occurs during the handshake, I get the appropriate SocketException error rather than SSLPeerUnverifiedException: > Thread-12, WRITE: TLSv1 Handshake, length = 113 > Thread-12, handling exception: java.net.SocketException: Connection reset > Thread-12, SEND TLSv1 ALERT: fatal, description = unexpected_message > Thread-12, WRITE: TLSv1 Alert, length = 2 > Thread-12, Exception sending alert: java.net.SocketException: Broken pipe > Thread-12, called closeSocket() > Thread-12, called close() > Thread-12, called closeInternal(true) > 03/10/11 13:29:59 PM EST [Thread-12] FATAL - IOException sending request to server > java.net.SocketException: Connection reset > at java.net.SocketInputStream.read(SocketInputStream.java:168) > at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293) > at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331) > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798) > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138) > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165) > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149) > at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434) > at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166) > at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1019) > at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230) > at mil.disa.common.http.HttpUtil.executeHttpRequest2(HttpUtil.java:589) > The SSLPeerUnverifiedException is misleading since if an IOException occurs, I want to retry sending the request if it's not SSL related. This makes it difficult in debugging the error and I would only know that it's not SSLPeerUnverifiedException if I set -Djavax.net.debug=ssl. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org For additional commands, e-mail: dev-help@hc.apache.org