Colm,

While I cannot do logging on the client side, I did some logging on the
server side for this issue.  I attached the portion of the log below.

The log shows that the client started by sending an SSLv2Hello handshake
first (the client should have sent a TLSv1Hello if it had read the server's
capabilities properly).  But anyway, the SSLv2Hello was rejected by the
server, interestingly with a TLSv1.2 ALERT.  In this case, the client only
supports TLSv1.0 (not TLSv1.1 and TLSv1.2).  I suspect the client had a
problem in processing the TLSv1.2 ALERT and gave up.

Does this make sense?  If yes, what should be the proper way to reject
SSLv2Hello?  Apparently, that client could talk to an IIS using TLSv1.0
successfully.

Thank you very much for your help!




Using SSLEngineImpl.
2015-05-14 13:12:28,121 [qtp426435961-26 Selector0     ] DEBUG nio - created
SCEP@62320e8{l(/165.122.232.248:57180)<->r(/166.50.179.97:443),s=0,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=0}-{SslConnection@658c6f68
SSL NOT_HANDSHAKING i/o/u=-1/-1/-1 ishut=false oshut=false
{AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
2015-05-14 13:12:28,121 [qtp426435961-27               ] DEBUG ssl - [Session-1, SSL_NULL_WITH_NULL_NULL] SslConnection@658c6f68 SSL
NOT_HANDSHAKING i/o/u=73/0/0 ishut=false oshut=false
{AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}
NOT_HANDSHAKING filled=73/73 flushed=0/0
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
qtp426435961-27, fatal error: 10: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
qtp426435961-27, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
qtp426435961-27, WRITE: TLSv1.2 Alert, length = 2
qtp426435961-27, fatal: engine already closed.  Rethrowing
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG ssl -
SCEP@62320e8{l(/165.122.232.248:57180)<->r(/166.50.179.97:443),s=1,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=0r}-{SslConnection@658c6f68
SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false
{AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
        at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
        at sun.security.ssl.InputRecord.read(Unknown Source)
        at sun.security.ssl.EngineInputRecord.read(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
        at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
        at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
        at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
        at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
        at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
        at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
        at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
        at java.lang.Thread.run(Unknown Source)
2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG ChannelEndPoint - close
SCEP@62320e8{l(/165.122.232.248:57180)<->r(/166.50.179.97:443),s=1,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=0!}-{SslConnection@658c6f68
SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false
{AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG HttpParser -
javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
        at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
        at sun.security.ssl.InputRecord.read(Unknown Source)
        at sun.security.ssl.EngineInputRecord.read(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
        at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
        at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
        at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
        at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
        at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
        at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
        at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
        at java.lang.Thread.run(Unknown Source)
2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG HttpParser - HttpParser{s=-14,l=0,c=0}
org.eclipse.jetty.io.EofException
        at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1050)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
        at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
        at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
        at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
        at sun.security.ssl.InputRecord.read(Unknown Source)
        at sun.security.ssl.EngineInputRecord.read(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
        at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
        at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
        at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
        at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
        at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
        at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
        ... 9 more
2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG AsyncHttpConnection - Disabled read interest while writing response SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false
{AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0}
2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG nio - EOF
org.eclipse.jetty.io.EofException
        at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1050)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
        at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
        at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
        at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
        at sun.security.ssl.InputRecord.read(Unknown Source)
        at sun.security.ssl.EngineInputRecord.read(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
        at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
        at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
        at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
        at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
        at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
        at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
        at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
        ... 9 more
2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG ChannelEndPoint - close
SCEP@62320e8{l(/165.122.232.248:57180)<->r(0.0.0.0/0.0.0.0:443),s=1,open=false,ishut=true,oshut=true,rb=false,wb=false,w=true,i=0!}-{SslConnection@658c6f68
SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false
{AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0}}
2015-05-14 13:12:28,152 [qtp426435961-26 Selector0     ] DEBUG nio - destroyEndPoint
SCEP@62320e8{l(null)<->r(0.0.0.0/0.0.0.0:443),s=0,open=false,ishut=true,oshut=true,rb=false,wb=false,w=true,i=0!}-{SslConnection@658c6f68
SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false
{AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0}}
2015-05-14 13:12:28,152 [qtp426435961-26 Selector0     ] DEBUG AbstractHttpConnection - closed
AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0




--
View this message in context: 
http://cxf.547215.n5.nabble.com/CXF-3-0-4-server-cannot-receive-message-from-TLS1-0-client-tp5756863p5757267.html
Sent from the cxf-user mailing list archive at Nabble.com.
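The exchange the post above describes, worked through at the byte level as an added example (this is not code from the original post, nor from CXF, Jetty or JSSE): a client opens with an SSLv2-compatible ClientHello that advertises TLSv1.0, the server refuses it, and the refusal goes out as a 7-byte alert record whose record-layer version is TLSv1.2 even though the client never claimed to speak TLSv1.2. The sample hello messages and the alert bytes are constructed here from the standard record layouts, not captured from the poster's server, and the version-stamping rule in `reject_sslv2_hello()` is this example's own design choice, not what JSSE does.

```python
"""
Added example, not code from the original post or from CXF/Jetty/JSSE.
Builds and classifies SSLv2-format and TLS-format ClientHellos, decodes the
alert record JSSE's log lines correspond to, and shows one way to refuse an
SSLv2Hello so the alert is still readable by a TLSv1.0-only client.
All messages below are constructed for this example.
"""
import struct

CT_ALERT, CT_HANDSHAKE = 21, 22          # TLS ContentType values
HS_CLIENT_HELLO = 1                      # HandshakeType client_hello
VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
                 (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 70: "protocol_version"}


def version_name(v):
    v = tuple(v)
    return VERSION_NAMES.get(v, "%d.%d" % v)


def sslv2_client_hello(version, suites, challenge=b"\x11" * 16):
    """Build an SSLv2-compatible ClientHello carrying TLS cipher suites."""
    # In the v2 list each cipher spec is 3 bytes; TLS suites are 0x00 + suite
    specs = b"".join(b"\x00" + struct.pack("!H", s) for s in suites)
    body = (bytes([HS_CLIENT_HELLO]) + bytes(version)
            + struct.pack("!HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    # 2-byte v2 record header; high bit set means "no padding byte"
    return struct.pack("!H", 0x8000 | len(body)) + body


def tls_client_hello(version, suites, rand=b"\x22" * 32):
    """Build a minimal TLS-record ClientHello with no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (bytes(version) + rand + b"\x00"                   # empty session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")  # null compression
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CT_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(hs)) + hs


def classify_client_hello(data):
    """Tell an SSLv2-format hello from a TLS-record hello and report the
    version the client advertised inside it (what negotiation is based on)."""
    if len(data) < 11:
        raise ValueError("too short to be a ClientHello")
    if data[0] & 0x80 and data[2] == HS_CLIENT_HELLO:
        body_len = struct.unpack("!H", data[:2])[0] & 0x7FFF
        csl = struct.unpack("!H", data[5:7])[0]
        suites = []
        for i in range(11, 11 + csl, 3):
            spec = data[i:i + 3]
            # 0x00-prefixed specs are TLS suites; anything else is SSLv2-only
            suites.append(struct.unpack("!H", spec[1:])[0] if spec[0] == 0 else spec)
        return {"format": "SSLv2Hello", "record_version": "SSLv2",
                "client_version": version_name(data[3:5]),
                "cipher_suites": suites, "length": body_len}
    if data[0] == CT_HANDSHAKE and data[1] == 3 and data[5] == HS_CLIENT_HELLO:
        return {"format": "TLSHello", "record_version": version_name(data[1:3]),
                "client_version": version_name(data[9:11])}
    raise ValueError("not a ClientHello: first byte 0x%02x" % data[0])


def build_alert(level, description, version=(3, 3)):
    """Encode a plaintext TLS alert record: type, version, length=2, level, desc."""
    return bytes([CT_ALERT, *version, 0, 2, level, description])


def parse_alert(record):
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != CT_ALERT or length != 2 or len(record) != 7:
        raise ValueError("not a plaintext alert record")
    return {"record_version": version_name((major, minor)),
            "level": ALERT_LEVELS.get(record[5], record[5]),
            "description": ALERT_DESCRIPTIONS.get(record[6], record[6])}


# What "SEND TLSv1.2 ALERT: fatal, description = unexpected_message" and
# "WRITE: TLSv1.2 Alert, length = 2" correspond to on the wire, assuming the
# standard record layout (constructed here, not captured from the server).
JSSE_ALERT = build_alert(2, 10, version=(3, 3))


def reject_sslv2_hello(data):
    """This example's own choice (not JSSE's): refuse an SSLv2Hello with a
    fatal unexpected_message alert stamped with the version the client itself
    advertised, so a client that only knows that version can still parse it;
    fall back to TLSv1.2 when the advertised version is not a 3.x one."""
    info = classify_client_hello(data)
    if info["format"] != "SSLv2Hello":
        raise ValueError("not an SSLv2-format hello")
    major, minor = data[3], data[4]
    if major != 3 or minor > 3:
        major, minor = 3, 3
    return build_alert(2, 10, version=(major, minor))
```

Run `classify_client_hello()` on the first bytes a connector reads to see which of the two hello formats a misbehaving client is actually sending, and `parse_alert()` on the 7 bytes the server writes back to confirm which version is stamped on the refusal; the two together are what a packet capture would have shown the poster without any client-side logging.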