SSL Handshake Hangs


SSL Handshake Hangs

javajones
I'm finding that SSL connections fail with Restlet 2.1.7. When using curl to test it, the initial negotiation seems to work and I see the message "TLS handshake, Finished", but then it hangs for about 30 seconds before curl returns an "Unknown SSL protocol error" message.

I have a build of the same application using Restlet 1.1 that works fine when running this test with the same certificate.

I was not able to do this test with Restlet 2.2.0. I can't figure out what jars to use since I see no replacement for org.restlet.ext.ssl.jar.

The code I'm using to configure the server is:

   import org.restlet.Context;
   import org.restlet.Server;
   import org.restlet.data.Protocol;
   import org.restlet.ext.ssl.DefaultSslContextFactory;   // Restlet 2.1.x location of the class

   // component, portNo, config, storePass, keyPass and serverList are defined elsewhere
   Context context = component.getContext().createChildContext();
   Server server = new Server(context, Protocol.HTTPS, portNo, component);
   DefaultSslContextFactory sslContextFactory = new DefaultSslContextFactory();
   sslContextFactory.setProtocol("SSL");
   sslContextFactory.setKeyStoreType("JKS");
   sslContextFactory.setKeyStorePath(config.getString("https.keystore"));
   sslContextFactory.setKeyStorePassword(storePass);
   sslContextFactory.setKeyStoreKeyPassword(keyPass);
   sslContextFactory.setKeyManagerAlgorithm("SunX509");
   // the HTTPS connector looks the factory up under this attribute name
   server.getContext().getAttributes().put("sslContextFactory", sslContextFactory);
   serverList.add(server);

Here's the output from curl:
   
   curl -v -k -d @POSample1.xml https://localhost
   * About to connect() to localhost port 443 (#0)
   *   Trying 127.0.0.1... connected
   * Connected to localhost (127.0.0.1) port 443 (#0)
   * SSLv3, TLS handshake, Client hello (1):
   * SSLv3, TLS handshake, Server hello (2):
   * SSLv3, TLS handshake, CERT (11):
   * SSLv3, TLS handshake, Server key exchange (12):
   * SSLv3, TLS handshake, Server finished (14):
   * SSLv3, TLS handshake, Client key exchange (16):
   * SSLv3, TLS change cipher, Client hello (1):
   * SSLv3, TLS handshake, Finished (20):
   (HANGS AT THIS POINT)
   * Unknown SSL protocol error in connection to localhost:443
   * Closing connection #0
   curl: (35) Unknown SSL protocol error in connection to localhost:443
 
Here's the last part of what's logged by the server before the connection process hangs:
   
   SESSION KEYGEN:
   PreMaster Secret:
   0000:
   0010:
   0020:
   0030:
   0040:
   0050:
   CONNECTION KEYGEN:
   Client Nonce:
   0000:
   0010:
   Server Nonce:
   0000:
   0010:
   Master Secret:
   0000:
   0010:
   0020:
   Client MAC write Secret:
   0000:
   0010:
   Server MAC write Secret:
   0000:
   0010:
   Client write key:
   0000:
   0010:
   Server write key:
   0000:
   0010:
   Client write IV:
   0000:
   Server write IV:
   0000:
   [read] MD5 and SHA1 hashes:  len = 102
   0000:
   0010:
   0020:
   0030:
   0040:
   0050:
   0060:

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3076942

Re: SSL Handshake Hangs

Jerome Louvel-3
Hi Roy,

In v2.2.0, the org.restlet.ext.ssl module has been split into:
  • an org.restlet.ext.jsslutils.jar module (not necessary for your case, integration with jSSLutils library for special SSL certificates)
  • the org.restlet.jar core module
So, you should be able to remove the org.restlet.ext.ssl.jar dependency altogether and try again.




On Wed, Apr 23, 2014 at 2:51 PM, Roy Olsen <[hidden email]> wrote:
I'm finding that SSL connections fail with Restlet 2.1.7. When using curl to test it, the initial negotiation seems to work and I see the message "TLS handshake, Finished", but then it hangs for about 30 seconds before curl returns an "Unknown SSL protocol error" message.

I have a build of the same application using Restlet 1.1 that works fine when running this test with the same certificate.

I was not able to do this test with Restlet 2.2.0. I can't figure out what jars to use since I see no replacement for org.restlet.ext.ssl.jar.

The code I'm using to configure the server is:

   Context context = component.getContext().createChildContext();
   Server server = new Server(context, Protocol.HTTPS, portNo, component);
   DefaultSslContextFactory sslContextFactory = new DefaultSslContextFactory();
   sslContextFactory.setProtocol("SSL");
   sslContextFactory.setKeyStoreType("JKS");
   sslContextFactory.setKeyStorePath(config.getString("https.keystore"));
   sslContextFactory.setKeyStorePassword(storePass);
   sslContextFactory.setKeyStoreKeyPassword(keyPass);
   sslContextFactory.setKeyManagerAlgorithm("SunX509");
   server.getContext().getAttributes().put("sslContextFactory", sslContextFactory);
   serverList.add(server);

Here's the output from curl:

   curl -v -k -d @POSample1.xml https://localhost
   * About to connect() to localhost port 443 (#0)
   *   Trying 127.0.0.1... connected
   * Connected to localhost (127.0.0.1) port 443 (#0)
   * SSLv3, TLS handshake, Client hello (1):
   * SSLv3, TLS handshake, Server hello (2):
   * SSLv3, TLS handshake, CERT (11):
   * SSLv3, TLS handshake, Server key exchange (12):
   * SSLv3, TLS handshake, Server finished (14):
   * SSLv3, TLS handshake, Client key exchange (16):
   * SSLv3, TLS change cipher, Client hello (1):
   * SSLv3, TLS handshake, Finished (20):
   (HANGS AT THIS POINT)
   * Unknown SSL protocol error in connection to localhost:443
   * Closing connection #0
   curl: (35) Unknown SSL protocol error in connection to localhost:443

Here's the last part of what's logged by the server before the connection process hangs:

   SESSION KEYGEN:
   PreMaster Secret:
   0000:
   0010:
   0020:
   0030:
   0040:
   0050:
   CONNECTION KEYGEN:
   Client Nonce:
   0000:
   0010:
   Server Nonce:
   0000:
   0010:
   Master Secret:
   0000:
   0010:
   0020:
   Client MAC write Secret:
   0000:
   0010:
   Server MAC write Secret:
   0000:
   0010:
   Client write key:
   0000:
   0010:
   Server write key:
   0000:
   0010:
   Client write IV:
   0000:
   Server write IV:
   0000:
   [read] MD5 and SHA1 hashes:  len = 102
   0000:
   0010:
   0020:
   0030:
   0040:
   0050:
   0060:

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3076942


RE: Re: SSL Handshake Hangs

javajones
Hi Jerome,

Using the three jars from 2.2.0:
   org.restlet.jar
   org.restlet.ext.jsslutils.jar
   org.restlet.ext.xml.jar

I'm getting the error "No available server connector supports the required protocols: 'HTTPS' . Please add the JAR of a matching connector to your classpath."

Thanks,

Roy


> Hi Roy,
>
> In v2.2.0, the org.restlet.ext.ssl module has been split into:
>
>    - an org.restlet.ext.jsslutils.jar module (not necessary for your case,
>    integration with jSSLutils library for special SSL certificates)
>    - the org.restlet.jar core module
>
> So, you should be able to remove the org.restlet.ext.ssl.jar dependency
> altogether and try again.
>
> Thanks,
> Jerome
> --
> http://restlet.org
> @jlouvel <http://twitter.com/#!/jlouvel>
>
>

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3076948

Re: Re: SSL Handshake Hangs

Jerome Louvel-3
Hi Roy,

Thanks for the test, you spotted a bug in 2.2.0. The internal HTTPS server isn't properly registered with the engine. 
While we fix it for the upcoming 2.2.1, you can add this line somewhere before creating your HTTPS server:

        Engine.getInstance().getRegisteredServers().add(
                new org.restlet.engine.connector.HttpsServerHelper(null));

Hope this helps,
Jerome





On Wed, Apr 23, 2014 at 3:52 PM, Roy Olsen <[hidden email]> wrote:
Hi Jerome,

Using the three jars from 2.2.0:
   org.restlet.jar
   org.restlet.ext.jsslutils.jar
   org.restlet.ext.xml.jar

I'm getting the error "No available server connector supports the required protocols: 'HTTPS' . Please add the JAR of a matching connector to your classpath."

Thanks,

Roy


> Hi Roy,
>
> In v2.2.0, the org.restlet.ext.ssl module has been split into:
>
>    - an org.restlet.ext.jsslutils.jar module (not necessary for your case,
>    integration with jSSLutils library for special SSL certificates)
>    - the org.restlet.jar core module
>
> So, you should be able to remove the org.restlet.ext.ssl.jar dependency
> altogether and try again.
>
> Thanks,
> Jerome
> --
> http://restlet.org
> @jlouvel <http://twitter.com/#!/jlouvel>
>
>

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3076948
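A complete minimal HTTPS component on Restlet 2.2.0 that applies the workaround from the answer above. This is an added example, not code from the thread or from the Restlet project; it assumes the 2.2 package name org.restlet.engine.ssl for DefaultSslContextFactory, and the keystore path and passwords are placeholders.

```java
import org.restlet.Component;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.Server;
import org.restlet.data.MediaType;
import org.restlet.data.Protocol;
import org.restlet.engine.Engine;
import org.restlet.engine.connector.HttpsServerHelper;
import org.restlet.engine.ssl.DefaultSslContextFactory; // 2.2 location (assumed)

public class HttpsServerWorkaround {

    public static void main(String[] args) throws Exception {
        // 2.2.0 does not register its internal HTTPS connector, so any attempt to
        // create an HTTPS Server fails with "No available server connector supports
        // the required protocols: 'HTTPS'". Register it manually, and do so before
        // the Server is constructed, because the helper is resolved at construction.
        // Not needed from 2.2.1 on.
        Engine.getInstance().getRegisteredServers().add(new HttpsServerHelper(null));

        Component component = new Component();
        Server server = component.getServers().add(Protocol.HTTPS, 8443);

        // Keystore configuration, same setters as in the thread; values are placeholders.
        DefaultSslContextFactory sslContextFactory = new DefaultSslContextFactory();
        sslContextFactory.setProtocol("TLS"); // "TLS" instead of "SSL": SSLv3 is obsolete
        sslContextFactory.setKeyStoreType("JKS");
        sslContextFactory.setKeyStorePath("/path/to/keystore.jks");       // placeholder
        sslContextFactory.setKeyStorePassword("store-password-placeholder"); // placeholder
        sslContextFactory.setKeyStoreKeyPassword("key-password-placeholder"); // placeholder
        sslContextFactory.setKeyManagerAlgorithm("SunX509");
        // The internal connector reads the factory from this context attribute.
        server.getContext().getAttributes().put("sslContextFactory", sslContextFactory);

        // Trivial handler so the handshake can be exercised end to end with curl.
        component.getDefaultHost().attach(new Restlet() {
            @Override
            public void handle(Request request, Response response) {
                response.setEntity("ok\n", MediaType.TEXT_PLAIN);
            }
        });
        component.start();
    }
}
```

Verify with the same `curl -v -k https://localhost:8443/` style command used in the thread; a healthy server answers right after the "TLS handshake, Finished" line instead of hanging.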


RE: Re: Re: SSL Handshake Hangs

javajones
Hi Jerome,

Registering the server helper as you suggested solved the issue I had with 2.2.0. As you said, with this version I only need to use the jars:
    org.restlet.jar
    org.restlet.ext.xml.jar

Also, now that I'm using 2.2.0 my original problem is gone.

Thanks for your help.

Roy

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3077084

Re: Re: Re: SSL Handshake Hangs

Jerome Louvel-3
Hi Roy,

Excellent, thanks for the feedback!

BTW, I have fixed this issue in upcoming 2.2.1 so that manual registration of the HTTPS server helper isn't even necessary.


On Fri, Apr 25, 2014 at 2:21 PM, Roy Olsen <[hidden email]> wrote:
Hi Jerome,

Registering the server helper as you suggested solved the issue I had with 2.2.0. As you said, with this version I only need to use the jars:
    org.restlet.jar
    org.restlet.ext.xml.jar

Also, now that I'm using 2.2.0 my original problem is gone.

Thanks for your help.

Roy

------------------------------------------------------
http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=3077084