IPF Auditor Handshake failure


Marina K

Nov 21, 2016, 6:12:31 AM
to ipf-user
Hi,

I have implemented and configured the ATNA auditor, 
same as in your Homepage Example,

Unfortunately I get a handshake failure. 
I really do not know what causes this error, since the other transactions are working fine. 

I attached the atna properties and the context.xml

Kind Regards,
Marina
atna-audit.properties
context.xml

Dmytro Rud

Nov 21, 2016, 6:19:11 AM
to ipf-...@googlegroups.com
Hello Marina,

Please show us the stack trace.

And please double check your configuration.  For example, the string "port" is definitely not a correct value for an integer attribute.

Best regards
Dmytro


Marina K

Nov 21, 2016, 6:41:30 AM
to ipf-user
The string "Port" I have just overwritten. 
It is an integer. 

I have noticed that even though I set the https protocol to TLSv1.2,
it uses TLSv1?

Why is that?



Marina K

Nov 21, 2016, 6:44:15 AM
to ipf-user
Sorry, I forgot the stack trace:


2016-11-21 11:43:01 | ERROR | o.o.i.a.n.h.TLSEnabledSocketHandler | createSecureSocket             - Handshake failed with server hostname on port 1234 reason Received fatal alert: handshake_failure
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.openhealthtools.ihe.atna.nodeauth.handlers.TLSEnabledSocketHandler.createSecureSocket(TLSEnabledSocketHandler.java:227)
at org.openhealthtools.ihe.atna.nodeauth.handlers.TLSEnabledSocketHandler.createSecureSocket(TLSEnabledSocketHandler.java:61)
at org.openhealthtools.ihe.atna.nodeauth.handlers.AbstractSecureSocketHandler.getSocket(AbstractSecureSocketHandler.java:142)
at org.openhealthtools.ihe.atna.nodeauth.handlers.AbstractSecureSocketHandler.getSocket(AbstractSecureSocketHandler.java:126)
at org.openhealthtools.ihe.atna.nodeauth.handlers.AbstractSecureSocketHandler.getSocket(AbstractSecureSocketHandler.java:118)
at org.openhealthtools.ihe.atna.auditor.sender.TLSSyslogSenderImpl.getTLSSocket(TLSSyslogSenderImpl.java:178)
at org.openhealthtools.ihe.atna.auditor.sender.TLSSyslogSenderImpl.sendAuditEvent(TLSSyslogSenderImpl.java:139)
at org.openhealthtools.ihe.atna.auditor.queue.ThreadedAuditQueue$ThreadedAuditQueueRuntime.run(ThreadedAuditQueue.java:165)

Dmytro Rud

Nov 21, 2016, 7:01:17 AM
to ipf-...@googlegroups.com
What are your OS and OS version, JDK and JDK version?  And, if you know it, the same for the server you are trying to connect to.


Marina K

Nov 21, 2016, 7:17:00 AM
to ipf-user
Hi. 

I requested it from the other party. 
But I am using Win 10. Java 8. JDK: 1.8

Christian Ohr

Nov 21, 2016, 7:21:00 AM
to ipf-...@googlegroups.com
Because the IHE initially specified this that way, and the original OHT library chose to hardcode this requirement. Bad choice. 
We fixed this for the upcoming 3.2 version, see https://github.com/oehf/ipf-oht-atna/issues/3.

Christian

Christian Ohr

Nov 21, 2016, 7:24:41 AM
to ipf-...@googlegroups.com
Consider starting your application with -Djavax.net.debug=ssl.
This will give you a verbose log about the SSL handshake and probably also the reason about what is going on.

Christian

Marina K

Nov 21, 2016, 7:25:42 AM
to ipf-user
Hi.

yes i have read this. 
When will this version be ready?

Does there exist a workaround, because i really need it in 2 days. 

Kind Regards
Marina

Marina K

Nov 21, 2016, 7:49:19 AM
to ipf-user
Thanks. I will try to figure it out. 
But I got the feedback that the service denies the Audit Message because it is not TLS1.2.
So I think, that this is the fault for the handshake error. 

Marina

Christian Ohr

Nov 21, 2016, 8:14:54 AM
to ipf-...@googlegroups.com
There will be no release within the next two days...
But you can probably temporarily use your own Audit Sender Implementation and specify this in your auditor.class property.
 
Basically you can copy the org.openhealthtools.ihe.atna.auditor.sender.TLSSyslogSenderImpl into your own project using a different package/class name and change the line in the getTLSSocket() method where the socket is obtained:

Instead of socket = nodeAuthContext.getSocketHandler().getSocket(destination.getHostName(), port, true);
something like socket = SSLContext.getDefault().getSocketFactory().getSocket(destination.getHostName(), port);

Again, enabling SSL debugging is handy with every kind of handshaking problem.

Christian


Marina K

Nov 21, 2016, 10:09:38 AM
to ipf-user
Hi Christian, 

Thanks for your help. 
I tried this and set the properties, but the Auditor is still using TLSv1.

I now know that this is the error. 

Here is the log from the server: 
javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported

If you have any idea, I appreciate it. 

Thank you!

Marina

Christian Ohr

Nov 21, 2016, 10:28:12 AM
to ipf-...@googlegroups.com
You can narrow down what is negotiated between client and server:

socket = SSLContext.getInstance("TLSv1.2").getSocketFactory().getSocket(destination.getHostName(), port);  
socket.setEnabledProtocols(new String[] {"TLSv1.2"});
socket.setEnabledCipherSuites(new String[] {"TLS_RSA_WITH_AES_128_CBC_SHA"});
Also double-check that your new sender implementation is actually being used (breakpoints, logs etc.).

Christian


Marina K

Nov 22, 2016, 3:25:25 AM
to ipf-user
Hi, 

This is interesting, which SSLContext are you using? 
I took the java.net.ssl and there are no functions as you have written. 

Thanks for your help :)

marina

Christian Ohr

Nov 22, 2016, 4:59:31 AM
to ipf-...@googlegroups.com
My bad. It's createSocket instead of getSocket:

SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
SSLSocket socket = (SSLSocket) socketFactory.createSocket(destination.getHostName(), port);

socket.setEnabledProtocols(new String[] {"TLSv1.2"});
socket.setEnabledCipherSuites(new String[] {"TLS_RSA_WITH_AES_128_CBC_SHA"});

Marina K

Nov 22, 2016, 6:13:04 AM
to ipf-user
Thank you! 

I still get the error that the ContextSpi is not initialized, therefore I get this stack trace: 


java.lang.IllegalStateException: SSLContextImpl is not initialized
at sun.security.ssl.SSLContextImpl.engineGetSocketFactory(SSLContextImpl.java:181)
at javax.net.ssl.SSLContext.getSocketFactory(SSLContext.java:294)
at at.ooe.cas.CASmed.config.TLSSyslogSenderMyImpl.getTLSSocket(TLSSyslogSenderMyImpl.java:131)
at at.ooe.cas.CASmed.config.TLSSyslogSenderMyImpl.sendAuditEvent(TLSSyslogSenderMyImpl.java:103)
at org.openhealthtools.ihe.atna.auditor.queue.ThreadedAuditQueue$ThreadedAuditQueueRuntime.run(ThreadedAuditQueue.java:165)

And so it's not able to create a factory ...
I haven't found any solution yet, maybe you know what this is about?

Christian Ohr

Nov 22, 2016, 8:46:17 AM
to ipf-...@googlegroups.com
OK, one more try:
SSLContext sslContext = SSLContext.getDefault();
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
SSLSocket socket = (SSLSocket) socketFactory.createSocket("host", 4711);

socket.setEnabledProtocols(new String[] {"TLSv1.2"});
socket.setEnabledCipherSuites(new String[] {"TLS_RSA_WITH_AES_128_CBC_SHA"});
In Java 8, TLSv1.2 is available by default. The actual protocol being used is either set by the setEnabledProtocols or by specifying the protocol in the jdk.tls.client.protocols system property.

Christian
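
An added example, not part of the thread and not IPF or OHT code: it reproduces the "not initialized" error from the earlier attempt, shows that an initialized context works, and checks which protocol was actually negotiated before any audit message is written. The class name `Tls12AuditSocketCheck` and the optional host/port arguments are hypothetical.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class Tls12AuditSocketCheck {

    // Opens a socket that may only negotiate TLSv1.2 and fails fast otherwise.
    static SSLSocket openTls12Socket(String host, int port) throws Exception {
        // getDefault() returns an already initialized context.
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.setEnabledProtocols(new String[] {"TLSv1.2"});
        // Handshake explicitly so errors surface here, not on the first write.
        socket.startHandshake();
        String negotiated = socket.getSession().getProtocol();
        if (!"TLSv1.2".equals(negotiated)) {
            socket.close();
            throw new IOException("Unexpected protocol: " + negotiated);
        }
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Offline check 1: getInstance() without init() cannot hand out a factory.
        try {
            SSLContext.getInstance("TLSv1.2").getSocketFactory();
        } catch (IllegalStateException e) {
            System.out.println("uninitialized context: " + e.getMessage());
        }

        // Offline check 2: after init() with JDK defaults the same call succeeds.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        System.out.println("supported: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("enabled by default: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));

        // Optional online check: java Tls12AuditSocketCheck <host> <port>
        if (args.length == 2) {
            try (SSLSocket s = openTls12Socket(args[0], Integer.parseInt(args[1]))) {
                System.out.println("negotiated " + s.getSession().getProtocol()
                        + " / " + s.getSession().getCipherSuite());
            }
        }
    }
}
```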



Marina K

Nov 23, 2016, 1:48:32 PM
to ipf-user
Thank you so much!! 
It really worked :)

The only issue I have is that no messages are sent. Hmm.. 
But the connection is built successfully

Cheers,
Marina

Marina K

Nov 23, 2016, 2:08:14 PM
to ipf-user
The Socket Outputstream seems to be null: 

java.lang.NullPointerException: null
at at.ooe.cas.CASmed.config.TLSSyslogSenderCASImpl.send(TLSSyslogSenderCASImpl.java:44)
at at.ooe.cas.CASmed.config.TLSSyslogSenderCASImpl.sendAuditEvent(TLSSyslogSenderCASImpl.java:104)
at org.openhealthtools.ihe.atna.auditor.queue.ThreadedAuditQueue$ThreadedAuditQueueRuntime.run(ThreadedAuditQueue.java:165)

Marina K

Nov 23, 2016, 2:21:34 PM
to ipf-user
Okay it seems, that this nullpointer exception just happens the first time?
Because afterwards it just worked fine.
That is really really weird.... 

Marina
