Have the default cipher suites changed between XFire and CXF?
The reason I ask is that I am in the process of upgrading a XFire client to
CXF. The XFire client successfully uses a SOAP service over HTTPS. I didn't
do anything particular to get XFire working over HTTPS so presumably the
default cipher suites were used.
My first attempt at connecting to the same endpoint via my new CXF client
resulted in the following SSL handshake_failure:
INFO: The cipher suites have been set to SSL_RSA_WITH_DES_CBC_SHA,
SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA,
SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5,
SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_DES_CBC_SHA,
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5,
TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5.
%% No cached client session
*** ClientHello, SSLv3
RandomCookie: GMT: 1187298740 bytes = { 113, 45, 193, 158, 214, 231, 11,
225, 197, 38, 3, 179, 175, 26, 25, 234, 108, 241, 155, 106, 191, 62, 221,
65, 209, 8, 182, 48 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA,
SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_WITH_NULL_MD5,
SSL_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_DES_CBC_SHA,
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5,
TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5,
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]
Compression Methods: { 0 }
***
WRITE: SSLv3 Handshake, length = 79
WRITE: SSLv2 client hello message, length = 101
READ: SSLv3 Alert, length = 2
RECV TLSv1 ALERT: fatal, handshake_failure
called closeSocket()
handling exception: javax.net.ssl.SSLHandshakeException: Received fatal
alert: handshake_failure
Feb 27, 2008 2:49:08 PM org.apache.cxf.phase.PhaseInterceptorChain
doIntercept
INFO: Interceptor has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: Error writing to XMLStreamWriter.
at
org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.writeSoapEnvelopeStart(SoapOutInterceptor.java:136)
at
org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.handleMessage(SoapOutInterceptor.java:76)
at
org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.handleMessage(SoapOutInterceptor.java:57)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:208)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:276)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:222)
at
org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
at
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
at $Proxy48.localAuthenticationQuery(Unknown Source) ...
Caused by: javax.xml.stream.XMLStreamException
at
com.sun.xml.stream.writers.XMLStreamWriterImpl.writeStartElement(XMLStreamWriterImpl.java:1210)
at
org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor.writeSoapEnvelopeStart(SoapOutInterceptor.java:95)
... 16 more
After googling around for "SSLv3 Alert, length = 2" I found that this can
occur when the server rejects the cipher suites given in the ClientHello
message. By running the working XFire client with
"-Djavax.net.debug=ssl,handshake" enabled I learned that the server was
choosing SSL_RSA_WITH_3DES_EDE_CBC_SHA as the cipher suite. Sure enough
this cipher suite isn't in the default cipher suites thay my CXF client was
picking up (list is above). Adding this to my CXF client resolved the
handshake issue:
TLSClientParameters tlsParams = new TLSClientParameters();
tlsParams.getCipherSuites().add("SSL_RSA_WITH_3DES_EDE_CBC_SHA");
conduit.setTlsClientParameters(tlsParams);
I'm all set now but this got me thinking about how my upgrade could have
been made much smoother had the default cipher suites remained the same. But
perhaps there is a good reason why they differ?
thanks,
-Travis
--
View this message in context:
http://www.nabble.com/upgrading-from-XFire---SSL-handshake-errors-tp15725238p15725238.html
Sent from the cxf-user mailing list archive at Nabble.com.
