Return-Path: X-Original-To: apmail-hc-dev-archive@www.apache.org Delivered-To: apmail-hc-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 4EBB81060D for ; Tue, 23 Apr 2013 09:05:22 +0000 (UTC) Received: (qmail 30359 invoked by uid 500); 23 Apr 2013 09:05:22 -0000 Delivered-To: apmail-hc-dev-archive@hc.apache.org Received: (qmail 30032 invoked by uid 500); 23 Apr 2013 09:05:16 -0000 Mailing-List: contact dev-help@hc.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: "HttpComponents Project" Delivered-To: mailing list dev@hc.apache.org Received: (qmail 30000 invoked by uid 99); 23 Apr 2013 09:05:15 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 23 Apr 2013 09:05:15 +0000 Date: Tue, 23 Apr 2013 09:05:15 +0000 (UTC) From: "Pasi Eronen (JIRA)" To: dev@hc.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Created] (HTTPCLIENT-1346) SSL handshake exceptions are hidden from application MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 Pasi Eronen created HTTPCLIENT-1346: --------------------------------------- Summary: SSL handshake exceptions are hidden from application Key: HTTPCLIENT-1346 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-1346 Project: HttpComponents HttpClient Issue Type: Bug Components: HttpClient Affects Versions: 4.2.3 Reporter: Pasi Eronen When the SSL handshake fails for some reason, (e.g. TCP connection reset, socket read timeout, no common cipher suite found, expired certificate, untrusted certificate, server sends non-SSL garbage, etc.), all the application sees is "javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated" (without any cause chain). This is rather unhelpful for troubleshooting SSL errors. According to the SSLSocket Javadocs, the SSL handshake can be initiated in three ways: calling startHandshake(), attempting to read or write data, or calling getSession(). The first two of these throw appropriate exceptions on failure (usually with cause chains indicating the root cause), while the third just returns a special session handshake with invalid ciphersuite SSL_NULL_WITH_NULL_NULL (and the actual cause of handshake failure is lost). Currently org.apache.http.conn.ssl.SSLSocketFactory uses the third approach (and does not even check for the invalid ciphersuite). Proposed fix: add call "sslsock.startHandshake();" after call to prepareSocket but before hostnameVerifier (which calls getSession). This requires also one-line change to TestSSLSocketFactory.java (change SSLPeerUnverifiedException to SSLHandshakeException). I tested this fix with five different cases (TCP connection reset, socket read timeout, expired certificate, self-signed certificate, and non-SSL server), and in all five cases, I now get a reasonably correct exception text (and a cause chain). -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscribe@hc.apache.org For additional commands, e-mail: dev-help@hc.apache.org