Hmm. I saw this from some googling I did on that particular message.
We generally control both ends of the communication within our product
so I had assumed the handshake would negotiate this automatically.
From a Wireshark trace of the same test over the wire, I saw a huge
list of cipher-suites proposed to the other end (in fact, if you
decode those 100 bytes, I believe that's what you see in the
messageSent log from my test).

    /**
     * Sets the list of cipher suites to be enabled when {@link SSLEngine}
     * is initialized.
     *
     * @param cipherSuites <tt>null</tt> means 'use {@link SSLEngine}'s default.'
     */
    public void setEnabledCipherSuites(String[] cipherSuites) {
        this.enabledCipherSuites = cipherSuites;
    }

Just for kicks, I tried "setEnabledCipherSuites(null);" but with no
change in behavior....
On Fri, Mar 7, 2008 at 10:12 AM, Niklas Therning <[EMAIL PROTECTED]> wrote:
> I think it is the "no cipher suites in common" error which causes the
> handshake problem. You can use SslFilter.setEnabledCipherSuites() to
> specify which suites should be enabled.
>
> HTH
>
> /Niklas
>
> Mark Renouf wrote:
>
>
> > I've been struggling with an SSL issue. I had it all working but I've
> > lost track of some changes and basically I'm stuck again. I've
> > dissolved it down to a unit test where I have a pair of VmPipe
> > (acceptor/connector) talking, each with an SslFilter. Each has a
> > separate keystore, and a common truststore. Each's certificates are
> > signed by a CA cert in the trust store. These are known-good as they
> > were taken from a production server.
> >
> > The server has a simple handler set which waits for "PING" and sends
> > back "PONG". The test passes without the SSL Filter in place. In the
> > tests I also placed a logging filter last on the filter chain of the
> > connector so I can see the raw data after processing.
> >
> > When I enable SSL on both ends, I get a failed handshake. I'm using
> > SSLContextFactory and KeyStoreFactory to load keystores. I've
> > independently verified the keystores are valid and being loaded
> > correctly (right passwords etc).
> >
> > The com.XXXXX.XXXXX lines below are just package names from an
> > unreleased product of my employer which I've anonymized for now :-)
> >
> > The handlers look like this:
> > IoHandler clientHandler = new IoHandlerAdapter() {
> >     @Override
> >     public void exceptionCaught(IoSession session, Throwable cause) throws Exception {
> >         LOGGER.fatal("CLIENT IoHandler: exceptionCaught", cause);
> >     }
> > };
> >
> > IoHandler serverHandler = new IoHandlerAdapter() {
> >     @Override
> >     public void exceptionCaught(IoSession session, Throwable cause) throws Exception {
> >         LOGGER.fatal("SERVER IoHandler: exceptionCaught", cause);
> >         session.close(true);
> >     }
> >
> >     @Override
> >     public void messageReceived(IoSession session, Object message) throws Exception {
> >         if (message instanceof IoBuffer) {
> >             String msg = ((IoBuffer)message).getString(CHARSET.newDecoder());
> >             if (msg.equals("PING")) {
> >                 IoBuffer buffer = IoBuffer.allocate(4);
> >                 buffer.putString("PONG", CHARSET.newEncoder());
> >                 buffer.flip();
> >                 session.write(buffer);
> >             }
> >         }
> >     }
> > };
> >
> > There's also a LoggingFilter attached with the messageSent and
> > messageReceived levels visible (attached to the client's filter chain)
> >
> > Here is the relevant test code:
> >
> > Set up SSLContext ctx1 using SSLContextFactory....
> >
> > 171 IoAcceptor acceptor = new VmPipeAcceptor();
> > 172 acceptor.setHandler(serverHandler);
> > 173 SslFilter serverFilter = new SslFilter(ctx1);
> > 174 serverFilter.setNeedClientAuth(true);
> > 175 acceptor.getFilterChain().addLast("SSL", serverFilter);
> > 176 acceptor.bind(new VmPipeAddress(1));
> >
> > Set up SSLContext ctx2 using SSLContextFactory....
> >
> > 189 IoConnector connector = new VmPipeConnector();
> > 190 connector.setHandler(clientHandler);
> > 191 SslFilter clientFilter = new SslFilter(ctx2);
> > 192 clientFilter.setUseClientMode(true);
> > (Set up LoggingFilter)
> > 203 connector.getFilterChain().addLast("LOG", loggingFilter);
> > 204 connector.getFilterChain().addLast("SSL", clientFilter);
> >
> > Then:
> >
> > 206 ConnectFuture cf = connector.connect(new VmPipeAddress(1));
> > 207 cf.await();
> > 208 assertTrue(cf.isConnected());
> > 209 IoSession session = cf.getSession();
> > 210 session.getConfig().setUseReadOperation(true);
> > 211 IoBuffer buffer = IoBuffer.allocate(4);
> > 212 buffer.putString("PING", CHARSET.newEncoder());
> > 213 buffer.flip();
> > 214 WriteFuture wf = session.write(buffer);
> > 215 wf.await();
> > 216 assertTrue(wf.isWritten());
> > 217
> > 218
> > 219 ReadFuture rf = session.read();
> > 220 rf.await();
> > 221 assertTrue(rf.isRead());
> > 222 assertTrue(rf.getMessage() instanceof IoBuffer);
> > 223 IoBuffer buffer2 = (IoBuffer) rf.getMessage();
> > 224 assertEquals("PONG", buffer2.getString(CHARSET.newDecoder()));
> > 225 }
> >
> >
> > Here is the log output from the failing test case:
> >
> > 2008-03-07 09:21:47,597 INFO main SSLTestClient - SENT: HeapBuffer[pos=0 lim=100 cap=130: 80 62 01 03 01 00 39 00 00 00 20 00 00 04 01 00...]
> > 2008-03-07 09:21:47,602 FATAL main SSLTest - SERVER IoHandler: exceptionCaught
> > javax.net.ssl.SSLHandshakeException: SSL handshake failed.
> >     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:426)
> >     at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
> >     at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
> >     at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
> >     at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.messageReceived(DefaultIoFilterChain.java:607)
> >     at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
> >     at org.apache.mina.common.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:399)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireEvent(VmPipeFilterChain.java:91)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushEvents(VmPipeFilterChain.java:75)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain.pushEvent(VmPipeFilterChain.java:68)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireMessageReceived(VmPipeFilterChain.java:166)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.updateTrafficMask(VmPipeFilterChain.java:239)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.updateTrafficMask(VmPipeFilterChain.java:169)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushPendingDataQueues(VmPipeFilterChain.java:120)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain.start(VmPipeFilterChain.java:62)
> >     at org.apache.mina.transport.vmpipe.VmPipeConnector.connect0(VmPipeConnector.java:124)
> >     at org.apache.mina.common.AbstractIoConnector.connect(AbstractIoConnector.java:167)
> >     at org.apache.mina.common.AbstractIoConnector.connect(AbstractIoConnector.java:93)
> >     at com.XXXXX.XXXXX.net.ssl.SSLTest.testSSLHandshake(SSLTest.java:206)
> > (junit code)
> > Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
> >     at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:997)
> >     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
> >     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1058)
> >     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1030)
> >     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
> >     at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:477)
> >     at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:286)
> >     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:407)
> >     ... 40 more
> > Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
> >     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
> >     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1356)
> >     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
> >     at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
> >     at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:639)
> >     at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
> >     at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
> >     at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
> >     at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
> >     at java.security.AccessController.doPrivileged(Native Method)
> >     at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:935)
> >     at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:667)
> >     at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:458)
> >     ... 42 more
> > 2008-03-07 09:21:47,607 INFO main SSLTestClient - RECEIVED: HeapBuffer[pos=0 lim=7 cap=7: 15 03 01 00 02 02 28]
> > 2008-03-07 09:21:47,607 FATAL main SSLTest - CLIENT IoHandler: exceptionCaught
> > javax.net.ssl.SSLHandshakeException: SSL handshake failed.
> >     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:426)
> >     at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
> >     at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
> >     at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
> >     at org.apache.mina.filter.logging.LoggingFilter.messageReceived(LoggingFilter.java:95)
> >     at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
> >     at org.apache.mina.common.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:40)
> >     at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:823)
> >     at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.messageReceived(DefaultIoFilterChain.java:607)
> >     at org.apache.mina.common.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:405)
> >     at org.apache.mina.common.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:399)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireEvent(VmPipeFilterChain.java:91)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushEvents(VmPipeFilterChain.java:75)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain.pushEvent(VmPipeFilterChain.java:68)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireMessageReceived(VmPipeFilterChain.java:166)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.flush(VmPipeFilterChain.java:192)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain$VmPipeIoProcessor.flush(VmPipeFilterChain.java:169)
> >     at org.apache.mina.common.DefaultIoFilterChain$HeadFilter.filterWrite(DefaultIoFilterChain.java:644)
> >     at org.apache.mina.common.DefaultIoFilterChain.callPreviousFilterWrite(DefaultIoFilterChain.java:467)
> >     at org.apache.mina.common.DefaultIoFilterChain.access$1400(DefaultIoFilterChain.java:40)
> >     at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.filterWrite(DefaultIoFilterChain.java:835)
> >     at org.apache.mina.filter.ssl.SslHandler.flushScheduledEvents(SslHandler.java:260)
> >     at org.apache.mina.filter.ssl.SslFilter.filterClose(SslFilter.java:581)
> >     at org.apache.mina.common.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:482)
> >     at org.apache.mina.common.DefaultIoFilterChain.access$1500(DefaultIoFilterChain.java:40)
> >     at org.apache.mina.common.DefaultIoFilterChain$EntryImpl$1.filterClose(DefaultIoFilterChain.java:840)
> >     at org.apache.mina.common.DefaultIoFilterChain$TailFilter.filterClose(DefaultIoFilterChain.java:767)
> >     at org.apache.mina.common.DefaultIoFilterChain.callPreviousFilterClose(DefaultIoFilterChain.java:482)
> >     at org.apache.mina.common.DefaultIoFilterChain.fireFilterClose(DefaultIoFilterChain.java:477)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireEvent(VmPipeFilterChain.java:115)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain.flushEvents(VmPipeFilterChain.java:75)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain.pushEvent(VmPipeFilterChain.java:68)
> >     at org.apache.mina.transport.vmpipe.VmPipeFilterChain.fireFilterClose(VmPipeFilterChain.java:126)
> >     at org.apache.mina.common.AbstractIoSession.close(AbstractIoSession.java:173)
> >     at org.apache.mina.common.AbstractIoSession.close(AbstractIoSession.java:158)
> >     at com.XXXXX.XXXXX.net.ssl.SSLTest$2.exceptionCaught(SSLTest.java:95)
> > (stacktrace continues back into client here)
> >
> > Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
> >     at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:166)
> >     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1356)
> >     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1324)
> >     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1486)
> >     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:961)
> >     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:787)
> >     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:663)
> >     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:566)
> >     at org.apache.mina.filter.ssl.SslHandler.unwrap0(SslHandler.java:644)
> >     at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:591)
> >     at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:461)
> >     at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:286)
> >     at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:407)
> >     ... 90 more
> >
>
>
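
Added example, not part of the original thread: a decoder for the two HeapBuffer dumps in the log above, showing that the SENT buffer is an SSLv2-compatible ClientHello (TLS 1.0, 19 cipher specs offered) and that the 7-byte RECEIVED buffer is a fatal handshake_failure alert. The function and constant names are hypothetical, and the SENT bytes are only the 16 that the log prints before its "...".

```python
# Bytes copied from the two HeapBuffer dumps in the log above. The SENT dump is
# truncated in the log ("..."), so only its first 16 of 100 bytes are available.
SENT_PREFIX = bytes.fromhex("80 62 01 03 01 00 39 00 00 00 20 00 00 04 01 00")
RECEIVED = bytes.fromhex("15 03 01 00 02 02 28")

ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the TLS 1.0 alert descriptions (RFC 2246, section 7.2).
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 42: "bad_certificate"}


def parse_v2_client_hello(data):
    """Decode the fixed header of an SSLv2-compatible ClientHello."""
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not an SSLv2 record with a 2-byte header")
    body_len = ((data[0] & 0x7F) << 8) | data[1]
    if data[2] != 1:
        raise ValueError("not a CLIENT-HELLO message")
    spec_len, sid_len, chal_len = (
        int.from_bytes(data[i:i + 2], "big") for i in (5, 7, 9))
    # Body = type(1) + version(2) + three lengths(6) + the variable fields.
    if spec_len % 3 or 9 + spec_len + sid_len + chal_len != body_len:
        raise ValueError("length fields are inconsistent")
    # Each cipher spec is 3 bytes; report only specs fully present in `data`.
    specs = data[11:11 + spec_len]
    visible = [specs[i:i + 3].hex() for i in range(0, len(specs) - 2, 3)]
    return {"total_bytes": body_len + 2, "version": (data[3], data[4]),
            "offered_specs": spec_len // 3, "visible_specs": visible}


def parse_tls_alert(record):
    """Decode a plaintext TLS alert record: type, version, length, level, code."""
    if len(record) != 7 or record[0] != 0x15:
        raise ValueError("not a TLS alert record")
    if int.from_bytes(record[3:5], "big") != 2:
        raise ValueError("alert body must be 2 bytes")
    return {"version": (record[1], record[2]),
            "level": ALERT_LEVELS.get(record[5], "unknown"),
            "description": ALERT_DESCRIPTIONS.get(record[6], str(record[6]))}


if __name__ == "__main__":
    # 000004 in visible_specs is cipher suite 0x0004, TLS_RSA_WITH_RC4_128_MD5.
    print(parse_v2_client_hello(SENT_PREFIX))
    print(parse_tls_alert(RECEIVED))
```

The header lengths add up to exactly the 100 bytes logged as `lim=100`, so the ClientHello was delivered intact and the server rejected it during cipher suite selection.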