On Tue, 2011-03-08 at 09:22 -0800, Travis T wrote:
> 
> olegk wrote:
> > 
> > Try running your code with the SSL debug enabled to get more details
> > about the trust material sent by the server during the SSL handshake.
> > 
> > Oleg 
> > 
> 
> Below is the debug output of the handshake from the 4.0.1 (which succeeds)
> and the 4.1 (that fails).  If you need more, please let me know.  I really
> appreciate any help.
> 
> 4.0.1 Success
> 
>     DEBUG [2011-03-08 10:11:39] [org.apache.http.impl.conn.SingleClientConnManager] Get connection for route HttpRoute[{s}->https://SCRUBBED:8140]
>     main, setSoTimeout(0) called
>     %% No cached client session
>     *** ClientHello, TLSv1
>     RandomCookie:  GMT: 1299604300 bytes = { 56, 69, 171, 192, 81, 150, 1, 51, 148, 122, 219, 92, 104, 240, 83, 119, 239, 134, 243, 194, 25, 4, 204, 78, 207, 154, 158, 109 }
>     Session ID:  {}
>     Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
>     Compression Methods:  { 0 }
>     ***
>     [write] MD5 and SHA1 hashes:  len = 79
>     0000: 01 00 00 4B 03 01 4D 76   63 4C 38 45 AB C0 51 96  ...K..MvcL8E..Q.
>     0010: 01 33 94 7A DB 5C 68 F0   53 77 EF 86 F3 C2 19 04  .3.z.\h.Sw......
>     0020: CC 4E CF 9A 9E 6D 00 00   24 00 04 00 05 00 2F 00  .N...m..$...../.
>     0030: 35 00 33 00 39 00 32 00   38 00 0A 00 16 00 13 00  5.3.9.2.8.......
>     0040: 09 00 15 00 12 00 03 00   08 00 14 00 11 01 00     ...............
>     main, WRITE: TLSv1 Handshake, length = 79
>     [write] MD5 and SHA1 hashes:  len = 107
>     0000: 01 03 01 00 42 00 00 00   20 00 00 04 01 00 80 00  ....B... .......
>     0010: 00 05 00 00 2F 00 00 35   00 00 33 00 00 39 00 00  ..../..5..3..9..
>     0020: 32 00 00 38 00 00 0A 07   00 C0 00 00 16 00 00 13  2..8............
>     0030: 00 00 09 06 00 40 00 00   15 00 00 12 00 00 03 02  .....@..........
>     0040: 00 80 00 00 08 00 00 14   00 00 11 4D 76 63 4C 38  ...........MvcL8
>     0050: 45 AB C0 51 96 01 33 94   7A DB 5C 68 F0 53 77 EF  E..Q..3.z.\h.Sw.
>     0060: 86 F3 C2 19 04 CC 4E CF   9A 9E 6D                 ......N...m
>     main, WRITE: SSLv2 client hello message, length = 107
>     [Raw write]: length = 109
>     0000: 80 6B 01 03 01 00 42 00   00 00 20 00 00 04 01 00  .k....B... .....
>     0010: 80 00 00 05 00 00 2F 00   00 35 00 00 33 00 00 39  ....../..5..3..9
>     0020: 00 00 32 00 00 38 00 00   0A 07 00 C0 00 00 16 00  ..2..8..........
>     0030: 00 13 00 00 09 06 00 40   00 00 15 00 00 12 00 00  .......@........
>     0040: 03 02 00 80 00 00 08 00   00 14 00 00 11 4D 76 63  .............Mvc
>     0050: 4C 38 45 AB C0 51 96 01   33 94 7A DB 5C 68 F0 53  L8E..Q..3.z.\h.S
>     0060: 77 EF 86 F3 C2 19 04 CC   4E CF 9A 9E 6D           w.......N...m
>     [Raw read]: length = 5
>     0000: 16 03 01 00 4A                                     ....J
>     [Raw read]: length = 74
>     0000: 02 00 00 46 03 01 4D 76   62 42 57 B1 AF A4 0E 69  ...F..MvbBW....i
>     0010: F4 C6 3B B3 1B EB 16 CF   AE 01 DD E1 74 1A 1A 27  ..;.........t..'
>     0020: 03 C3 C9 EB D3 87 20 38   B4 66 57 D4 3D 95 14 B6  ...... 8.fW.=...
>     0030: 02 92 A3 9A D2 BB EE A4   3F 90 C6 3B 4C B1 94 F5  ........?..;L...
>     0040: DF 34 8F 53 B3 84 F5 00   04 00                    .4.S......
>     main, READ: TLSv1 Handshake, length = 74
>     *** ServerHello, TLSv1
>     RandomCookie:  GMT: 1299604034 bytes = { 87, 177, 175, 164, 14, 105, 244, 198, 59, 179, 27, 235, 22, 207, 174, 1, 221, 225, 116, 26, 26, 39, 3, 195, 201, 235, 211, 135 }
>     Session ID:  {56, 180, 102, 87, 212, 61, 149, 20, 182, 2, 146, 163, 154, 210, 187, 238, 164, 63, 144, 198, 59, 76, 177, 148, 245, 223, 52, 143, 83, 179, 132, 245}
>     Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
>     Compression Method: 0
>     ***
>     %% Created:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
> 
> 4.1 Failure
> 
>     DEBUG [2011-03-08 10:09:33] [org.apache.http.impl.conn.SingleClientConnManager] Get connection for route HttpRoute[{s}->https://SCRUBBED:8140]
>     DEBUG [2011-03-08 10:09:33] [org.apache.http.impl.conn.DefaultClientConnectionOperator] Connecting to SCRUBBED/IPADDRSCRUBBED:8140
>     %% No cached client session
>     *** ClientHello, TLSv1
>     RandomCookie:  GMT: 1299603917 bytes = { 223, 239, 55, 100, 246, 87, 34, 54, 117, 35, 249, 56, 223, 119, 72, 23, 219, 220, 23, 74, 131, 189, 167, 80, 105, 234, 59, 207 }
>     Session ID:  {}
>     Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
>     Compression Methods:  { 0 }
>     ***
>     [write] MD5 and SHA1 hashes:  len = 79
>     0000: 01 00 00 4B 03 01 4D 76   62 CD DF EF 37 64 F6 57  ...K..Mvb...7d.W
>     0010: 22 36 75 23 F9 38 DF 77   48 17 DB DC 17 4A 83 BD  "6u#.8.wH....J..
>     0020: A7 50 69 EA 3B CF 00 00   24 00 04 00 05 00 2F 00  .Pi.;...$...../.
>     0030: 35 00 33 00 39 00 32 00   38 00 0A 00 16 00 13 00  5.3.9.2.8.......
>     0040: 09 00 15 00 12 00 03 00   08 00 14 00 11 01 00     ...............
>     main, WRITE: TLSv1 Handshake, length = 79
>     [write] MD5 and SHA1 hashes:  len = 107
>     0000: 01 03 01 00 42 00 00 00   20 00 00 04 01 00 80 00  ....B... .......
>     0010: 00 05 00 00 2F 00 00 35   00 00 33 00 00 39 00 00  ..../..5..3..9..
>     0020: 32 00 00 38 00 00 0A 07   00 C0 00 00 16 00 00 13  2..8............
>     0030: 00 00 09 06 00 40 00 00   15 00 00 12 00 00 03 02  .....@..........
>     0040: 00 80 00 00 08 00 00 14   00 00 11 4D 76 62 CD DF  ...........Mvb..
>     0050: EF 37 64 F6 57 22 36 75   23 F9 38 DF 77 48 17 DB  .7d.W"6u#.8.wH..
>     0060: DC 17 4A 83 BD A7 50 69   EA 3B CF                 ..J...Pi.;.
>     main, WRITE: SSLv2 client hello message, length = 107
>     [Raw write]: length = 109
>     0000: 80 6B 01 03 01 00 42 00   00 00 20 00 00 04 01 00  .k....B... .....
>     0010: 80 00 00 05 00 00 2F 00   00 35 00 00 33 00 00 39  ....../..5..3..9
>     0020: 00 00 32 00 00 38 00 00   0A 07 00 C0 00 00 16 00  ..2..8..........
>     0030: 00 13 00 00 09 06 00 40   00 00 15 00 00 12 00 00  .......@........
>     0040: 03 02 00 80 00 00 08 00   00 14 00 00 11 4D 76 62  .............Mvb
>     0050: CD DF EF 37 64 F6 57 22   36 75 23 F9 38 DF 77 48  ...7d.W"6u#.8.wH
>     0060: 17 DB DC 17 4A 83 BD A7   50 69 EA 3B CF           ....J...Pi.;.
>     main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
>     main, SEND TLSv1 ALERT:  fatal, description = unexpected_message
>     main, WRITE: TLSv1 Alert, length = 2
>     main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
>     main, called closeSocket()
>     main, IOException in getSession():  java.net.SocketException: Software caused connection abort: recv failed
>     main, called close()
>     main, called closeInternal(true)
>     DEBUG [2011-03-08 10:09:33] [org.apache.http.impl.conn.DefaultClientConnection] Connection closed
>     DEBUG [2011-03-08 10:09:33] [org.apache.http.impl.conn.DefaultClientConnection] Connection shut down
>     DEBUG [2011-03-08 10:09:33] [org.apache.http.impl.conn.SingleClientConnManager] Releasing connection org.apache.http.impl.conn.SingleClientConnManager$ConnAdapter@d0a5d9
>     Exception in thread "main" javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
>       at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)

...

Travis,

It looks like the remote server all of a sudden drops the connection in
the middle of the SSL handshake on the unsuspecting client. Looks very
bizarre.

I reviewed the code of both versions and found that there were some
subtle differences in the algorithm used by SSLSocketFactory in HC 4.0.1
and HC 4.1 to create SSLSocket instances and to connect them to a remote
endpoint.

Could you please try out two things?

(1) Please check the socket timeout value configured for the request and
make sure it is not too aggressive (low).

(2) Make a copy of SSLSocketFactory,

http://svn.apache.org/repos/asf/httpcomponents/httpclient/trunk/httpclient/src/main/java/org/apache/http/conn/ssl/SSLSocketFactory.java

replace the #createSocket method with this one

---
public Socket createSocket(final HttpParams params) throws IOException {
  return this.socketfactory.createSocket();
}
---

and configure HttpClient to use your implementation of SSLSocketFactory
instead of the stock one.

Oleg
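
Steps (1) and (2) above wired into an HttpClient 4.1 client, as an added example that is not from Oleg's message or the HttpComponents sources. It uses a small subclass (the hypothetical `EagerSSLSocketFactory`) in place of the full copy of the class, on the assumption that the stock `connectSocket` keeps a socket that is already an `SSLSocket`; the class names, the 30-second timeout and the JVM default `SSLContext` are likewise assumptions.

```java
import java.io.IOException;
import java.net.Socket;
import javax.net.ssl.SSLContext;

import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.params.HttpConnectionParams;
import org.apache.http.params.HttpParams;

public class SslFactorySwap {

    /** Hypothetical stand-in for the edited copy: only createSocket differs from stock. */
    static class EagerSSLSocketFactory extends SSLSocketFactory {
        private final javax.net.ssl.SSLSocketFactory jsse;

        EagerSSLSocketFactory(SSLContext ctx) {
            super(ctx);                   // the stock hostname verifier is kept
            this.jsse = ctx.getSocketFactory();
        }

        @Override
        public Socket createSocket(HttpParams params) throws IOException {
            return jsse.createSocket();   // unconnected SSLSocket, as in the suggested method
        }
    }

    static DefaultHttpClient build(SSLContext ctx, int port, int soTimeoutMs) {
        DefaultHttpClient client = new DefaultHttpClient();
        HttpParams params = client.getParams();
        // Step (1): make the read timeout explicit; 0 means wait forever.
        HttpConnectionParams.setSoTimeout(params, soTimeoutMs);
        // Step (2): route https through the replacement factory.
        client.getConnectionManager().getSchemeRegistry()
              .register(new Scheme("https", port, new EagerSSLSocketFactory(ctx)));
        return client;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the JVM default context. Pass the context built from your own
        // key and trust stores if the stock factory was configured that way.
        DefaultHttpClient client = build(SSLContext.getDefault(), 8140, 30000);
        System.out.println("SO_TIMEOUT = "
                + HttpConnectionParams.getSoTimeout(client.getParams()));
        client.getConnectionManager().shutdown();
    }
}
```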
