danieln - 1 month ago
Java Question

Certificate not being sent sporadically

In my application I have 2 components talking to each other with REST (client-server based).

The application can be configured to use HTTP or HTTPS (self signed certificate).

From time to time when I start my application on HTTPS mode, my client can't talk to the server. I'm getting the following exception:

09-16-2013 12:28:52 [dispatcher] [http-nio-8143-exec-8] [INFO] - Exception while dispatching request
java.util.concurrent.ExecutionException: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
...
Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
...
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
...
Caused by: java.io.EOFException: SSL peer shut down incorrectly
...


When I stopped and started the application everything worked as expected.

I tried searching for solutions, but couldn't find anything similar to my problem, i.e. something that happened from time to time and was fixed by a restart; all the problems I found were consistent.

Java version: Oracle Corporation, 'Java HotSpot(TM) 64-Bit Server VM', 1.7.0_17-b02
OS: Red Hat
Any idea?

UPDATE

Turns out this can also happen after the application has been working for some time. Meaning, everything works fine, SSL communication is ok, and suddenly this error occurs and won't resolve until I restart the client side.

I was able to reproduce the problem with -Djavax.net.debug=all; obviously the certificate is not being sent from the client, the question is why. As sometimes everything works smoothly, what can cause things to go wrong from time to time?

Client side:

pool-4-thread-2, WRITE: TLSv1 Handshake, length = 48
pool-4-thread-2, waiting for close_notify or alert: state 1
pool-4-thread-2, received EOFException: error
pool-4-thread-2, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
pool-4-thread-2, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
%% Invalidated: [Session-7, TLS_RSA_WITH_AES_128_CBC_SHA]
pool-4-thread-2, SEND TLSv1 ALERT: fatal, description = handshake_failure
Padded plaintext before ENCRYPTION: len = 32
0000: 02 28 7A 8E 21 1F 09 1A 5F 00 5C 42 6B 12 33 D8 .(z.!..._.\Bk.3.
0010: 73 F0 58 DD 0D D9 09 09 09 09 09 09 09 09 09 09 s.X.............
pool-4-thread-2, WRITE: TLSv1 Alert, length = 32
pool-4-thread-2, Exception sending alert: java.net.SocketException: Broken pipe
pool-4-thread-2, called closeSocket()
Keep-Alive-Timer, called close()
Keep-Alive-Timer, called closeInternal(true)
Keep-Alive-Timer, SEND TLSv1 ALERT: warning, description = close_notify
Padded plaintext before ENCRYPTION: len = 32
0000: 01 00 FD 8B FE 50 2A 16 8A FC 10 F7 E0 05 7E D1 .....P*.........
0010: 0A 78 A0 03 84 26 09 09 09 09 09 09 09 09 09 09 .x...&..........
Keep-Alive-Timer, WRITE: TLSv1 Alert, length = 32
[Raw write]: length = 37
0000: 15 03 01 00 20 24 CC 05 7B DA AA 98 D7 BC 49 07 .... $........I.
0010: 59 94 A4 42 A1 D9 22 42 34 C2 75 1B 9E 36 F0 23 Y..B.."B4.u..6.#
0020: 58 9D 80 8D 38 X...8
Keep-Alive-Timer, called closeSocket(selfInitiated)


Server side:

http-nio-8243-exec-2, READ: TLSv1 Handshake, length = 269
*** Certificate chain
***
http-nio-8243-exec-2, fatal error: 42: null cert chain
javax.net.ssl.SSLHandshakeException: null cert chain
%% Invalidated: [Session-5, TLS_RSA_WITH_AES_128_CBC_SHA]
http-nio-8243-exec-2, SEND TLSv1 ALERT: fatal, description = bad_certificate
http-nio-8243-exec-2, WRITE: TLSv1 Alert, length = 2
http-nio-8243-exec-2, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
http-nio-8243-exec-2, called closeOutbound()
http-nio-8243-exec-2, closeOutboundInternal()
http-nio-8243-ClientPoller-1, called closeOutbound()
http-nio-8243-ClientPoller-1, closeOutboundInternal()
http-nio-8243-ClientPoller-1, SEND TLSv1 ALERT: warning, description = close_notify

Answer

Apparently someone added code that overwrites the certificate:

        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

I deleted this line and everything is working now.
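As an added example (not code from the question or the answer), this shows the alternative to the deleted line: the client-certificate SSLContext is bound to each connection rather than to the JVM-wide default that any other component can replace, and a startup check detects when the default factory has been swapped, which is the condition behind the server's "null cert chain" rejection. The keystore and truststore paths, passwords and PKCS12 type are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class ScopedMutualTlsClient {
    // Identity of the JVM-wide default factory as seen when this class was loaded.
    private static final SSLSocketFactory DEFAULT_AT_STARTUP =
            HttpsURLConnection.getDefaultSSLSocketFactory();

    // Build an SSLContext that presents the client certificate from a PKCS12 keystore
    // and trusts the server's self-signed certificate from a separate truststore (assumed paths).
    static SSLContext buildClientContext(String keyStorePath, char[] keyStorePass,
                                         String trustStorePath, char[] trustStorePass)
            throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            keyStore.load(in, keyStorePass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePass);
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Scope the factory to this connection only; a later call to
    // HttpsURLConnection.setDefaultSSLSocketFactory(...) elsewhere cannot undo it.
    static HttpsURLConnection open(URL url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    // Detection: true once some other component has replaced the JVM-wide default,
    // so the client would stop presenting its certificate on default-configured connections.
    static boolean defaultFactoryWasReplaced() {
        return HttpsURLConnection.getDefaultSSLSocketFactory() != DEFAULT_AT_STARTUP;
    }
}
```

Run the check periodically or before each request and log when it returns true; that turns the sporadic handshake failure into a pointer at whichever component called setDefaultSSLSocketFactory.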