RE: Issue with Connection Reset

2011-10-27 Thread Dave Thompson
>   From: owner-openssl-us...@openssl.org On Behalf Of Ratin, Yuliya S.
>   Sent: Wednesday, 26 October, 2011 09:55

>   Connection to SQL Server 2008 R2 database (cluster install)
>   We're seeing the connection reset while testing from multiple 
> sources and applications - it seems like the server is not responding 
> with an SSL certificate during the handshake, here's the output from 
> OpenSSL's s_client (error 104 indicates a connection reset):

Aside: 104 is reset only on Linux, other OSes are different.

>   OpenSSL> s_client -host 10.0.5.31 -port 1433 -prexit
>   CONNECTED(0003)
>   write:errno=104
>   ---
>   no peer certificate available
>   ---
>   No client certificate CA names sent
>   ---
>   SSL handshake has read 0 bytes and written 118 bytes
> 

It's not that the server is omitting the cert specifically, 
the server (or perhaps something in between) is resetting 
BEFORE the handshake gets to the message(s) that would carry 
the cert, and also several other things.

Are you sure the server is ready for SSL? I don't use 
this SQLSvr option, but from the description in the MSDN 
it sounds like it does clear and SSL alternatively over 
the same port. That means it must start in clear and have 
some explicit command to switch to SSL. Many protocols 
do this, e.g. SMTP, FTP, often using command STARTTLS.
OpenSSL s_client supports several of these (see the help, 
or man page) but not SQLSvr. (In contrast, HTTPS uses a 
different port, 443 instead of 80, and starts right in.)

If the server is expecting a SQLSvr-type packet (in clear), 
and it gets an SSL ClientHello instead, it will have to 
reject it, and might well do so by a connection reset.
If you can find the start-SSL command (or perhaps sequence) 
in documentation or from a network trace, you could modify 
s_client to do it, or write a stripped-down version which 
just does the SQLSvr-specific start-SSL then SSL_connect, 
with suitable callbacks/tracing. This may be some work.

For the java, I'd expect com.microsoft.sqlserver.jdbc.* 
to handle this correctly, assuming it's honestly named.
If the/a client is on a different machine than the server, 
I'd look at a network trace. If a client is on or near 
Windows I like www.wireshark.org but there are others.

You also say the server is in a cluster. I don't know if 
that involves some redirector between client and server;
if so, that could be the source of the reset rather than 
the actual server. If you can use a non-cluster server 
instead, and see if/how that differs, it might help.


__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org
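
An added example, not part of either post and not code from OpenSSL or the JDBC driver: on SQL Server the clear-text start described in the reply above is the TDS PRELOGIN packet, built here following the published MS-TDS layout, and the classifier shows how to tell from a network trace whether a client opened with that packet or with a bare SSL/TLS hello. The function names and the sample bytes are constructed for illustration.

```python
import struct

TDS_PRELOGIN, TLS_HANDSHAKE = 0x12, 0x16   # TDS packet type / TLS record type
OPT_ENCRYPTION, OPT_TERMINATOR = 0x01, 0xFF
ENCRYPTION_NAMES = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON",
                    2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}

def build_prelogin(encryption=1):
    """Clear-text PRELOGIN packet a TDS client sends before any TLS bytes."""
    options = [(0x00, bytes(6)), (OPT_ENCRYPTION, bytes([encryption]))]  # VERSION, ENCRYPTION
    table_len = 5 * len(options) + 1        # 5 bytes per entry plus terminator
    table, data = b"", b""
    for token, value in options:
        table += struct.pack(">BHH", token, table_len + len(data), len(value))
        data += value
    payload = table + bytes([OPT_TERMINATOR]) + data
    # Header: type, status (0x01 = end of message), total length, SPID, packet id, window
    return struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(payload), 0, 1, 0) + payload

def classify_first_bytes(data):
    """Classify the first client segment seen in a network trace."""
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        return "tls-record"                 # bare SSLv3/TLS handshake record
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-compatible-hello"     # 2-byte SSLv2 header, CLIENT-HELLO
    if len(data) >= 8 and data[0] == TDS_PRELOGIN \
            and struct.unpack(">H", data[2:4])[0] == len(data):
        return "tds-prelogin"
    return "unknown"

def encryption_option(packet):
    """Name of the ENCRYPTION option in a PRELOGIN request or reply, or None."""
    payload, pos = packet[8:], 0
    while pos < len(payload) and payload[pos] != OPT_TERMINATOR:
        if pos + 5 > len(payload):
            raise ValueError("truncated option table")
        token, offset, length = struct.unpack(">BHH", payload[pos:pos + 5])
        if token == OPT_ENCRYPTION:
            if length != 1 or offset >= len(payload):
                raise ValueError("bad ENCRYPTION option")
            return ENCRYPTION_NAMES.get(payload[offset], "unknown")
        pos += 5
    return None

# Constructed samples (not taken from the poster's trace).
SAMPLE_TLS_HELLO = bytes.fromhex("1603010071010000")
SAMPLE_V2_HELLO = bytes.fromhex("8074010301")
```

In a capture, a first client segment that classifies as anything other than `tds-prelogin` means the client skipped the clear-text step, and the ENCRYPTION value in the server's PRELOGIN reply shows whether the server is prepared to negotiate SSL at all.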


Issue with Connection Reset

2011-10-26 Thread Ratin, Yuliya S.
Please help! Many thanks!

Info:

Connection to SQL Server 2008 R2 database (cluster install)

We're seeing the connection reset while testing from multiple sources and
applications - it seems like the server is not responding with an SSL
certificate during the handshake, here's the output from OpenSSL's s_client
(error 104 indicates a connection reset):

OpenSSL> s_client -host 10.0.5.31 -port 1433 -prexit
CONNECTED(0003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 118 bytes
---
New, (NONE), Cipher is (NONE)
Compression: NONE
Expansion: NONE
---

More info from the log...

Calling ELMS WebService program to  feedLeads
Oct 18, 2011 12:36:01 PM com.microsoft.sqlserver.jdbc.TDSChannel enableSSL
INFO: java.security path: /usr/local/fisher/web/jdk1.6.0_24/jre/lib/security
Security providers: [SUN version 1.6, SunRsaSign version 1.5, SunJSSE version 1.6, SunJCE version 1.6, SunJGSS version 1.0, SunSASL version 1.5, XMLDSig version 1.0, SunPCSC version 1.6]
SSLContext provider info: Sun JSSE provider(PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)

SSLContext provider services:
[SunJSSE: KeyFactory.RSA -> sun.security.rsa.RSAKeyFactory
  aliases: [1.2.840.113549.1.1, OID.1.2.840.113549.1.1]
, SunJSSE: KeyPairGenerator.RSA -> sun.security.rsa.RSAKeyPairGenerator
  aliases: [1.2.840.113549.1.1, OID.1.2.840.113549.1.1]
, SunJSSE: Signature.MD2withRSA -> sun.security.rsa.RSASignature$MD2withRSA
  aliases: [1.2.840.113549.1.1.2, OID.1.2.840.113549.1.1.2]
, SunJSSE: Signature.MD5withRSA -> sun.security.rsa.RSASignature$MD5withRSA
  aliases: [1.2.840.113549.1.1.4, OID.1.2.840.113549.1.1.4]
, SunJSSE: Signature.SHA1withRSA -> sun.security.rsa.RSASignature$SHA1withRSA
  aliases: [1.2.840.113549.1.1.5, OID.1.2.840.113549.1.1.5, 1.3.14.3.2.29, OID.1.3.14.3.2.29]
, SunJSSE: Signature.MD5andSHA1withRSA -> com.sun.net.ssl.internal.ssl.RSASignature
, SunJSSE: KeyManagerFactory.SunX509 -> com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509
, SunJSSE: KeyManagerFactory.NewSunX509 -> com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$X509
, SunJSSE: TrustManagerFactory.SunX509 -> com.sun.net.ssl.internal.ssl.TrustManagerFactoryImpl$SimpleFactory
, SunJSSE: TrustManagerFactory.PKIX -> com.sun.net.ssl.internal.ssl.TrustManagerFactoryImpl$PKIXFactory
  aliases: [SunPKIX, X509, X.509]
, SunJSSE: SSLContext.SSL -> com.sun.net.ssl.internal.ssl.SSLContextImpl
, SunJSSE: SSLContext.SSLv3 -> com.sun.net.ssl.internal.ssl.SSLContextImpl
, SunJSSE: SSLContext.TLS -> com.sun.net.ssl.internal.ssl.SSLContextImpl
, SunJSSE: SSLContext.TLSv1 -> com.sun.net.ssl.internal.ssl.SSLContextImpl
, SunJSSE: SSLContext.Default -> com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl
, SunJSSE: KeyStore.PKCS12 -> com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore
]

java.ext.dirs: /usr/local/fisher/web/jdk1.6.0_24/jre/lib/ext:/usr/java/packages/lib/ext
com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Connection reset".
  at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:1352)
  at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1533)
  at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1042)
  at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:817)
  at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:700)
  at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:842)
  at java.sql.DriverManager.getConnection(DriverManager.java:582)
  at java.sql.DriverManager.getConnection(DriverManager.java:185)
  at LeadAssignment.main(Unknown Source)
Caused by: java.io.IOException: Connection reset
  at com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.ensureSSLPayload(IOBuffer.java:594)
  at com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.readInternal(IOBuffer.java:664)
  at com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.read(IOBuffer.java:656)
  at com.microsoft.sqlserver.jdbc.TDSChannel$ProxyInputStream.readInternal(IOBuffer.java:851)
  at com.microsoft.sqlserver.jdbc.TDSChannel$ProxyInputStream.read(IOBuffer.java:839)
  at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
  at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:798)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
  at com.sun.net.ssl.i