Hi, I would like to suggest enabling SSL debug logging on the client (-Djavax.net.debug=ssl,handshake). Hopefully it might shed some light on the issue with the SSL handshake.
Kind regards,
Alex

On Tue, 23 Feb 2021 at 18:52, cluelessdev <[email protected]> wrote:
>
> Hi everyone,
>
> I'm experiencing a bizarre issue where a client will not properly connect to
> the Qpidd broker depending on which version of Java is being used. All of
> these versions work: 1.8u222 - 1.8u265. Starting with 1.8u272 the problem
> arises, however it is inconsistent/intermittent. I've also tested 1.8u282 and
> Java 11. It does seem like there were significant updates made to the
> java.security module in 1.8u272 as the logging significantly changes in this
> version and above. I am trying to use SSL/TLS 1.2 w/ the SASL mechanism of
> EXTERNAL.
>
> The qpidd broker is being run with the following security-related options:
> --ssl-cert-password=<pw> --ssl-cert-db<cert dir> --ssl-port=5672
> --ssl-cert-name=<name> --ssl-require-client-authentication
> --require-encryption --ssl-sasl-no-dict
>
> When running the qpidd broker w/ trace logging enabled, I see this with the
> versions of Java referenced above when things are working properly:
> [Network] trace Accepting connection with optional SSL wrapper.
> [Network] Accepted SSL connection.
> ...
> [Security] debug External ssf=256 and auth=<username>
> [Security] debug = min_ssf: 0, max_ssf: 0, external_ssf: 256
> [Security] debug external auth detected and set to <username>
> [Security] info SASL: Mechanism list: EXTERNAL
> ...
>
> In the versions that do not work (sometimes), the broker log looks like
> this:
> [Network] trace Accepting connection with optional SSL wrapper.
> [Network] Accepted Plaintext connection.
> ...
> [System] debug Exception constructed: SASL layer required!
> [System] error SASL layer required!
>
> I noticed poring over the Java version release notes that there was a
> backport of TLSv1.3 put into 1.8u272 and beyond, but I've done everything I
> can find to ensure my client is still using TLSv1.2 (and it is my
> understanding that TLSv1.2 is the default) such as running my client
> application with -Djdk.tls.client.protocols=TLSv1.2.
>
> I'm throwing darts at this point. Any help would be greatly appreciated.
>
> --
> Sent from: http://qpid.2158936.n2.nabble.com/Apache-Qpid-users-f2158936.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
> ---------------------------------------------------------------------
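Added example for this thread (it is neither Qpid nor JDK code, and the ClientHello bytes it works on are constructed in the script rather than captured): a small parser that reports which protocol versions a ClientHello actually offers. The point it makes is the one the original post runs into with the TLSv1.3 backport: a TLS 1.3-capable client still writes 0x0303 (TLSv1.2) in the record layer and in legacy_version, and advertises 1.3 only inside the supported_versions extension, so the only reliable way to confirm that -Djdk.tls.client.protocols=TLSv1.2 took effect is to read the extension from the javax.net.debug handshake dump or a packet capture of port 5672. The classify_first_bytes function is an assumption about mechanism, not qpidd's implementation: a broker that logs "Accepting connection with optional SSL wrapper" has to peek at the first bytes to decide between TLS and a plaintext AMQP header, and this imitates that kind of decision.

```python
"""Inspect what protocol versions a TLS ClientHello actually offers.

Added example, not Qpid or JDK code. The ClientHello bytes are constructed
here; in practice you would feed in the bytes from a packet capture or the
-Djavax.net.debug=ssl,handshake dump of the client.
"""
import struct

TLS_HANDSHAKE = 0x16             # record content type: handshake
CLIENT_HELLO = 0x01              # handshake message type
EXT_SUPPORTED_VERSIONS = 0x002B  # RFC 8446 supported_versions extension
VERSION_NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def build_client_hello(supported_versions=None, cipher_suites=(0xC02F, 0xC030)):
    """Build a minimal ClientHello record (constructed test input).

    A TLS 1.3-capable client keeps legacy_version at 0x0303 and advertises
    1.3 only in supported_versions, so a glance at the record layer alone
    always says "TLS 1.2".
    """
    body = struct.pack(">H", 0x0303)          # legacy_version, always 1.2
    body += bytes(range(32))                  # client random (fixed, test only)
    body += b"\x00"                           # empty legacy_session_id
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                       # one compression method: null
    exts = b""
    if supported_versions:
        vlist = b"".join(struct.pack(">H", v) for v in supported_versions)
        edata = bytes([len(vlist)]) + vlist
        exts += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(edata)) + edata
    body += struct.pack(">H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + struct.pack(">H", 0x0303)
            + struct.pack(">H", len(handshake)) + handshake)


def classify_first_bytes(data):
    """Guess what the first bytes on a freshly accepted socket are.

    Assumption, not qpidd's code: an 'optional SSL wrapper' must decide from
    the first bytes whether to start TLS or treat the stream as a plaintext
    AMQP connection, which is what yields 'Accepted SSL connection' versus
    'Accepted Plaintext connection' in the broker log.
    """
    if data[:4] == b"AMQP":
        return "amqp-plaintext"
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    return "unknown"


def parse_client_hello(data):
    """Return the versions a ClientHello offers, honouring supported_versions."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack(">HH", data[1:5])
    body = data[5:5 + record_len]
    if len(body) < 4 or body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2 + 32                               # skip random
    pos += 1 + hello[pos]                       # skip legacy_session_id
    cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len                           # skip cipher suites
    pos += 1 + hello[pos]                       # skip compression methods
    offered = None
    if pos + 2 <= len(hello):                   # extensions block is optional
        ext_len = struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and edata:
                n = edata[0]                    # byte length of the version list
                offered = [struct.unpack(">H", edata[i:i + 2])[0]
                           for i in range(1, 1 + n, 2)]
    if offered is None:                         # no extension: legacy_version rules
        offered = [legacy_version]
    return {
        "record_version": VERSION_NAMES.get(record_version, hex(record_version)),
        "legacy_version": VERSION_NAMES.get(legacy_version, hex(legacy_version)),
        "offered": [VERSION_NAMES.get(v, hex(v)) for v in offered],
        "offers_tls13": 0x0304 in offered,
    }


if __name__ == "__main__":
    samples = (("TLS 1.3 enabled", build_client_hello([0x0304, 0x0303])),
               ("pinned to TLSv1.2", build_client_hello()))
    for label, hello in samples:
        print(label, classify_first_bytes(hello), parse_client_hello(hello))
    print("AMQP header", classify_first_bytes(b"AMQP\x00\x01\x00\x00"))
```

Both constructed hellos report record_version and legacy_version as TLSv1.2; only the offered list differs, which is exactly the field to compare between a working 1.8u265 client and a failing 1.8u272 client before drawing any conclusion about what the broker negotiated.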
