I forgot to mention that I am using HttpClient 3.1.
On Tue, Jan 25, 2011 at 2:07 PM, Michael Lam <[email protected]> wrote:
> Hi all,
>
> We have been running into an issue lately where our client certificate
> authenticated SSL connections are randomly closing with a TLS alert
> "close_notify". The strange thing is that out of 10 tries, the connection
> may work maybe around 2-3 times. All other times, the connections will
> receive a "close_notify" and the connection will close. For comparison
> purposes, we tried using command-line CURL to submit the same request with
> client certificate authentication and we were able to connect and send data
> without issues every time.
>
> Below is the debug (with -Djavax.net.debug=all) output from a sample
> session. I have removed the actual data and replaced them with place
> holders.
>
> ... <more data and messages>
> Client MAC write Secret:
> <data>
> Server MAC write Secret:
> <data>
> Client write key:
> <data>
> Server write key:
> <data>
> ... no IV used for this cipher
> Padded plaintext before ENCRYPTION: len = 17
> <data>
> main, WRITE: TLSv1 Change Cipher Spec, length = 17
> [Raw write]: length = 22
> <data>
> *** Finished
> verify_data: <data>
> ***
> [write] MD5 and SHA1 hashes: len = 16
> <data>
> Padded plaintext before ENCRYPTION: len = 32
> <data>
> main, WRITE: TLSv1 Handshake, length = 32
> <data>
> main, received EOFException: ignored
> main, called closeInternal(false)
> main, SEND TLSv1 ALERT: warning, description = close_notify
> Padded plaintext before ENCRYPTION: len = 18
> <data>
> main, WRITE: TLSv1 Alert, length = 18
> main, Exception sending alert: java.net.SocketException: Software
> caused connection abort: socket write error
> 2011-01-12 11:20:59,908 DEBUG org.apache.commons.httpclient.HttpMethodDirector - Closing the connection.
> 2011-01-12 11:20:59,908 DEBUG org.apache.commons.httpclient.HttpConnection - enter HttpConnection.close()
> 2011-01-12 11:20:59,908 DEBUG org.apache.commons.httpclient.HttpConnection - enter HttpConnection.closeSockedAndStreams()
> main, called close()
> main, called closeInternal(true)
> main, called close()
> main, called closeInternal(true)
> main, called close()
> main, called closeInternal(true)
> 2011-01-12 11:20:59,909 INFO org.apache.commons.httpclient.HttpMethodDirector - I/O exception (org.apache.commons.httpclient.NoHttpResponseException) caught when processing request: The server <host> failed to respond
> 2011-01-12 11:20:59,912 DEBUG org.apache.commons.httpclient.HttpMethodDirector - The server <host> failed to respond
> org.apache.commons.httpclient.NoHttpResponseException: The server www.callit.com failed to respond
>     at org.apache.commons.httpclient.HttpMethodBase.readStatusLine(HttpMethodBase.java:1976)
>     at org.apache.commons.httpclient.HttpMethodBase.readResponse(HttpMethodBase.java:1735)
>     at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1098)
>     at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
>     at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
>     at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
>     at SSLConnectionTest.main(SSLConnectionTest.java:83)
>
>
> Here is the code I used to connect to the host:
>
> HttpClientParams params = new HttpClientParams(DefaultHttpParams.getDefaultParams());
> HttpClient httpclient = new HttpClient(params);
>
> // Socket factory backed by the client keystore (certificate + private key);
> // the truststore URL and password are left null here.
> AuthSSLProtocolSocketFactory socketFactory = new AuthSSLProtocolSocketFactory(
>         keyStoreFileUrl.toURL(), keyStorePwd, null, null);
> Protocol httpsProtocol = new Protocol("https", socketFactory, 443);
> httpclient.getHostConfiguration().setHost("www.myhost.com", 443, httpsProtocol);
>
> PostMethod httppost = new PostMethod("/vl/feature.asp");
>
> NameValuePair[] data = {
>     new NameValuePair("Query", "function"),
> };
> try {
>     httppost.setRequestBody(data);
>     httpclient.executeMethod(httppost);
>     System.out.println(httppost.getResponseBodyAsString());
> } catch (HttpException e) {
>     e.printStackTrace();
> } catch (IOException e) {
>     e.printStackTrace();
> } finally {
>     // Always return the connection to the manager, even on failure.
>     httppost.releaseConnection();
> }
>
> Within the AuthSSLProtocolSocketFactory, we also use the
> AuthSSLX509TrustManager and a custom KeyManager that stores the client
> certificate and private key. Any pointers or tips to help debug this issue
> will be greatly appreciated.
>
> Regards,
> Mike
>
>
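The trace above shows the client writing Change Cipher Spec and its Finished record, then getting an EOF before reading anything back, so the handshake never completed on the client side. The following triage script is an added example, not code from the thread or from HttpClient: it walks a javax.net.debug trace in order and reports whether the peer sent a TLS alert, closed the TCP connection right after the client Finished, or completed the handshake. The sample trace is a constructed excerpt modelled on the quoted one, and the "READ"/"RECV TLSv1 ALERT" line shapes are assumed from old JSSE output.

```python
import re

# Constructed excerpt modelled on the trace quoted in the mail (placeholder
# data lines dropped); not the poster's real capture.
SAMPLE_TRACE = """\
main, WRITE: TLSv1 Handshake, length = 1350
main, WRITE: TLSv1 Change Cipher Spec, length = 17
*** Finished
main, WRITE: TLSv1 Handshake, length = 32
main, received EOFException: ignored
main, called closeInternal(false)
main, SEND TLSv1 ALERT: warning, description = close_notify
"""

# Record-level line shapes: WRITE lines as seen above, READ/RECV lines assumed
# from the same JSSE debug format for inbound records and alerts.
WRITE_RE = re.compile(r"WRITE: TLSv1 (Handshake|Change Cipher Spec|Alert|Application Data)")
READ_RE = re.compile(r"READ: TLSv1 (Handshake|Change Cipher Spec|Alert|Application Data)")
RECV_ALERT_RE = re.compile(r"RECV TLSv1 ALERT:\s*(fatal|warning),\s*(\w+)")
EOF_RE = re.compile(r"received EOFException")


def classify_handshake(trace: str) -> dict:
    """Walk the client-side trace in order and report where the handshake stopped."""
    ccs_sent = finished_sent = server_ccs_read = False
    for line in trace.splitlines():
        m = WRITE_RE.search(line)
        if m:
            if m.group(1) == "Change Cipher Spec":
                ccs_sent = True
            elif m.group(1) == "Handshake" and ccs_sent and not finished_sent:
                finished_sent = True  # first Handshake record after our CCS is our Finished
            continue
        m = READ_RE.search(line)
        if m and m.group(1) == "Change Cipher Spec":
            server_ccs_read = True  # the peer accepted our Finished; its own follows
            continue
        m = RECV_ALERT_RE.search(line)
        if m:  # the peer said why it stopped: keep the alert description for the server team
            return {"status": "server_alert", "level": m.group(1), "alert": m.group(2)}
        if EOF_RE.search(line):
            if finished_sent and not server_ccs_read:
                # TCP closed after our Finished with no alert: the peer (or a
                # middlebox) dropped the session before completing the handshake.
                return {"status": "eof_after_client_finished"}
            return {"status": "eof_after_handshake" if server_ccs_read else "eof_early"}
    return {"status": "handshake_completed" if server_ccs_read else "incomplete_trace"}
```

Feeding each of the ten runs through this separates "server rejected us with an alert" from "connection vanished with no TLS-level reason", which tells you whether to look at the server's TLS logs or at what sits between client and server.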