Hi all,
We have been running into an issue lately where our client certificate
authenticated SSL connections are randomly closing with a TLS alert
"close_notify". The strange thing is that out of 10 tries, the connection
may work maybe around 2-3 times. All other times, the connections will
receive a "close_notify" and the connection will close. For comparison
purposes, we tried using command-line CURL to submit the same request with
client certificate authentication and we were able to connect and send data
without issues every time.
Below is the debug (with -Djavax.net.debug=all) output from a sample
session. I have removed the actual data and replaced them with place
holders.
... <more data and messages>
Client MAC write Secret:
<data>
Server MAC write Secret:
<data>
Client write key:
<data>
Server write key:
<data>
... no IV used for this cipher
Padded plaintext before ENCRYPTION: len = 17
<data>
main, WRITE: TLSv1 Change Cipher Spec, length = 17
[Raw write]: length = 22
<data>
*** Finished
verify_data: <data>
***
[write] MD5 and SHA1 hashes: len = 16
<data>
Padded plaintext before ENCRYPTION: len = 32
<data>
main, WRITE: TLSv1 Handshake, length = 32
<data>
main, received EOFException: ignored
main, called closeInternal(false)
main, SEND TLSv1 ALERT: warning, description = close_notify
Padded plaintext before ENCRYPTION: len = 18
<data>
main, WRITE: TLSv1 Alert, length = 18
main, Exception sending alert: java.net.SocketException: Software caused
connection abort: socket write error
2011-01-12 11:20:59,908 DEBUG
org.apache.commons.httpclient.HttpMethodDirector - Closing the connection.
2011-01-12 11:20:59,908 DEBUG
org.apache.commons.httpclient.HttpConnection - enter HttpConnection.close()
2011-01-12 11:20:59,908 DEBUG
org.apache.commons.httpclient.HttpConnection - enter
HttpConnection.closeSockedAndStreams()
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
main, called close()
main, called closeInternal(true)
2011-01-12 11:20:59,909 INFO
org.apache.commons.httpclient.HttpMethodDirector - I/O exception
(org.apache.commons.httpclient.NoHttpResponseException) caught when
processing request: The server <host> failed to respond
2011-01-12 11:20:59,912 DEBUG
org.apache.commons.httpclient.HttpMethodDirector - The server <host> failed
to respond
org.apache.commons.httpclient.NoHttpResponseException: The server
www.callit.com failed to respond
at
org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1976)
at
org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1735)
at
org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1098)
at
org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at
org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at
org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at
org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at SSLConnectionTest.main(SSLConnectionTest.java:83)
Here is the code I used to connect to the host:
HttpClientParams params = new
HttpClientParams(DefaultHttpParams.getDefaultParams());
HttpClient httpclient = new HttpClient(params);
AuthSSLProtocolSocketFactory socketFactory = new
AuthSSLProtocolSocketFactory(keyStoreFileUrl.toURL(), keyStorePwd, null,
null);
Protocol httpsProtocol = new Protocol("https", socketFactory, 443);
httpclient.getHostConfiguration().setHost("www.myhost.com", 443,
httpsProtocol);
PostMethod httppost = new PostMethod("/vl/feature.asp");
NameValuePair[] data = {
new NameValuePair("Query", "function"),
};
try {
httppost.setRequestBody(data);
httpclient.executeMethod(httppost);
System.out.println(httppost.getResponseBodyAsString());
} catch (HttpException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
} finally {
httppost.releaseConnection();
}
Within the AuthSSLProtocolSocketFactory, we also use the
AuthSSLX509TrustManager and a custom KeyManager that stores the client
certificate and private key. Any pointers or tips to help debug this issue
will be greatly appreciated.
Regards,
Mike
