I've added a new way of including protocols for the next release:

https://issues.apache.org/jira/browse/CXF-6414

This allows you to have a TLS endpoint, but also to support SSLv2Hello if
required. For example:

<httpj:engine-factory id="tls-but-allow-ssl3">
    <httpj:engine port="${testutil.ports.SSLv3Server.4}">
        <httpj:tlsServerParameters>
            <sec:keyManagers keyPassword="password">
                <sec:keyStore type="jks" password="password"
                              resource="keys/Bethal.jks"/>
            </sec:keyManagers>
            <sec:trustManagers>
                <sec:keyStore type="jks" password="password"
                              resource="keys/Truststore.jks"/>
            </sec:trustManagers>
            <sec:clientAuthentication want="true" required="false"/>
            <!-- Protocols enabled on the engine; the SSLv2Hello entry admits the legacy V2-format hello -->
            <sec:includeProtocols>
                <sec:includeProtocol>SSLv3</sec:includeProtocol>
                <sec:includeProtocol>SSLv2Hello</sec:includeProtocol>
            </sec:includeProtocols>
        </httpj:tlsServerParameters>
    </httpj:engine>
</httpj:engine-factory>

Colm.

On Thu, May 14, 2015 at 6:58 PM, boca2608 <boca2...@gmail.com> wrote:

> Colm,
>
> While I cannot do logging on the client side, I did some logging on the
> server side for this issue.  I attached the portion of the log below.
>
> The log shows that the client started with sending an SSLv2Hello handshake
> first (the client should have sent TLSv1Hello if it had read the server's
> capabilities properly).  But anyway, the SSLv2Hello was rejected by the
> server, interestingly with a TLSv1.2 ALERT.  In this case, the client only
> supports TLSv1.0 (not TLSv1.1 and TLSv1.2).  I suspect the client had a
> problem in processing the TLSv1.2 ALERT and gave up.
>
> Does this make sense?  If yes, what should be the proper way to reject
> SSLv2Hello?  Apparently, that client could talk to an IIS using TLSv1.0
> successfully.
>
> Thank you very much for your help!
>
> Using SSLEngineImpl.
> 2015-05-14 13:12:28,121 [qtp426435961-26 Selector0     ] DEBUG nio - created SCEP@62320e8{l(/165.122.232.248:57180)<->r(/166.50.179.97:443),s=0,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=0}-{SslConnection@658c6f68 SSL NOT_HANDSHAKING i/o/u=-1/-1/-1 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
> 2015-05-14 13:12:28,121 [qtp426435961-27               ] DEBUG ssl - [Session-1, SSL_NULL_WITH_NULL_NULL] SslConnection@658c6f68 SSL NOT_HANDSHAKING i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0} NOT_HANDSHAKING filled=73/73 flushed=0/0
> Allow unsafe renegotiation: false
> Allow legacy hello messages: true
> Is initial handshake: true
> Is secure renegotiation: false
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
> Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
> qtp426435961-27, fatal error: 10: General SSLEngine problem
> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
> qtp426435961-27, SEND TLSv1.2 ALERT:  fatal, description = unexpected_message
> qtp426435961-27, WRITE: TLSv1.2 Alert, length = 2
> qtp426435961-27, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
> 2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG ssl - SCEP@62320e8{l(/165.122.232.248:57180)<->r(/166.50.179.97:443),s=1,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=0r}-{SslConnection@658c6f68 SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>         at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
>         at sun.security.ssl.InputRecord.read(Unknown Source)
>         at sun.security.ssl.EngineInputRecord.read(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>         at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>         at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
>         at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
>         at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
>         at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
>         at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
>         at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
>         at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>         at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>         at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>         at java.lang.Thread.run(Unknown Source)
> 2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG ChannelEndPoint                - close SCEP@62320e8{l(/165.122.232.248:57180)<->r(/166.50.179.97:443),s=1,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=0!}-{SslConnection@658c6f68 SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
> 2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG HttpParser -
> javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>         at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
>         at sun.security.ssl.InputRecord.read(Unknown Source)
>         at sun.security.ssl.EngineInputRecord.read(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>         at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>         at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
>         at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
>         at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
>         at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
>         at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
>         at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
>         at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>         at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>         at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>         at java.lang.Thread.run(Unknown Source)
> 2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG HttpParser - HttpParser{s=-14,l=0,c=0}
> org.eclipse.jetty.io.EofException
>         at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1050)
>         at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
>         at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>         at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>         at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>         at java.lang.Thread.run(Unknown Source)
> Caused by: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>         at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
>         at sun.security.ssl.InputRecord.read(Unknown Source)
>         at sun.security.ssl.EngineInputRecord.read(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>         at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>         at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
>         at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
>         at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
>         at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
>         at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
>         ... 9 more
> 2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG AsyncHttpConnection            - Disabled read interest while writing response SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0}
> 2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG nio - EOF
> org.eclipse.jetty.io.EofException
>         at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1050)
>         at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
>         at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
>         at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>         at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
>         at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>         at java.lang.Thread.run(Unknown Source)
> Caused by: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
>         at sun.security.ssl.InputRecord.handleUnknownRecord(Unknown Source)
>         at sun.security.ssl.InputRecord.read(Unknown Source)
>         at sun.security.ssl.EngineInputRecord.read(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
>         at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
>         at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
>         at org.eclipse.jetty.io.nio.SslConnection.unwrap(SslConnection.java:536)
>         at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:359)
>         at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
>         at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
>         at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
>         ... 9 more
> 2015-05-14 13:12:28,152 [qtp426435961-27               ] DEBUG ChannelEndPoint                - close SCEP@62320e8{l(/165.122.232.248:57180)<->r(0.0.0.0/0.0.0.0:443),s=1,open=false,ishut=true,oshut=true,rb=false,wb=false,w=true,i=0!}-{SslConnection@658c6f68 SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0}}
> 2015-05-14 13:12:28,152 [qtp426435961-26 Selector0     ] DEBUG nio - destroyEndPoint SCEP@62320e8{l(null)<->r(0.0.0.0/0.0.0.0:443),s=0,open=false,ishut=true,oshut=true,rb=false,wb=false,w=true,i=0!}-{SslConnection@658c6f68 SSL NEED_WRAP i/o/u=73/0/0 ishut=false oshut=false {AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0}}
> 2015-05-14 13:12:28,152 [qtp426435961-26 Selector0     ] DEBUG AbstractHttpConnection         - closed AsyncHttpConnection@3a4d68e6,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=0,l=0,c=0},r=0



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
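Added example (Python, not code from this thread or from CXF): it classifies a client's first bytes as either the V2-format CLIENT-HELLO that JSSE reports as "SSLv2Hello" (which can still ask for TLS 1.0, as the client in the log above did) or a TLS record-layer ClientHello, and models how an enabled-protocol list such as the includeProtocols configuration above decides between refusing and negotiating. The two sample hellos are constructed, and server_accepts is a simplified model of the JSSE gate, not its real code.

```python
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
NAME_VERSIONS = {name: ver for ver, name in VERSION_NAMES.items()}


def classify_client_hello(data: bytes) -> dict:
    """Classify the leading bytes of a client's first flight.

    V2 record: high bit of byte 0 set, then msg type 0x01 (CLIENT-HELLO) and the
    2-byte version the client wants (this is what JSSE calls "SSLv2Hello").
    TLS record: 0x16, record version, length, handshake type 0x01, 3-byte length,
    then client_version.
    """
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return {"format": "SSLv2Hello", "version": VERSION_NAMES.get((data[3], data[4]))}
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        return {"format": "TLS", "version": VERSION_NAMES.get((data[9], data[10]))}
    return {"format": "unknown", "version": None}


def server_accepts(hello: bytes, enabled_protocols) -> tuple:
    """Simplified model of the JSSE gate behind 'SSLv2Hello is disabled': a V2-format
    hello is refused unless "SSLv2Hello" is enabled; only then (or for a TLS record)
    is the highest enabled version not above the client's version chosen."""
    info = classify_client_hello(hello)
    if info["format"] == "SSLv2Hello" and "SSLv2Hello" not in enabled_protocols:
        return False, "SSLv2Hello is disabled"
    if info["version"] is None:
        return False, "unrecognised hello"
    client_max = NAME_VERSIONS[info["version"]]
    usable = [NAME_VERSIONS[p] for p in enabled_protocols
              if p in NAME_VERSIONS and NAME_VERSIONS[p] <= client_max]
    if not usable:
        return False, "no protocol version in common"
    return True, VERSION_NAMES[max(usable)]


# Constructed samples: a V2-format CLIENT-HELLO asking for TLS 1.0 and a plain TLS 1.0
# record-layer ClientHello, each with one cipher suite and a zero-filled random.
V2_HELLO_TLS10 = bytes([0x80, 0x1c, 0x01, 0x03, 0x01, 0x00, 0x03, 0x00, 0x00,
                        0x00, 0x10, 0x00, 0x00, 0x2f]) + bytes(16)
TLS_HELLO_TLS10 = (bytes([0x16, 0x03, 0x01, 0x00, 0x2d, 0x01, 0x00, 0x00, 0x29, 0x03, 0x01])
                   + bytes(32) + bytes([0x00, 0x00, 0x02, 0x00, 0x2f, 0x01, 0x00]))

if __name__ == "__main__":
    for label, hello in (("v2-format", V2_HELLO_TLS10), ("tls-record", TLS_HELLO_TLS10)):
        for enabled in (["TLSv1"], ["TLSv1", "SSLv2Hello"]):
            print(label, enabled, server_accepts(hello, enabled))
```

Running it shows the V2-format hello refused with "SSLv2Hello is disabled" when only TLSv1 is enabled and negotiated as TLSv1 once SSLv2Hello is added, while the record-layer hello negotiates in both cases.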
