Membrane Service Proxy v4.4.2 throws javax.net.ssl.SSLHandshakeException


ivork...@gmail.com

Jul 25, 2017, 8:18:46 AM
to membrane-monitor
Hi,

When I use Membrane Service Proxy v4.0.18 with JDK 1.8.0.131, I can successfully connect to the target server as below:

  <serviceProxy port="7080">
   <path>/webservice/Handler_FuBon.ashx</path>
   <wsdlRewriter />
   <log headerOnly="false" level="DEBUG"/>
   <target host="61.31.xxx.xxx" port="443">
    <ssl ignoreTimestampCheckFailure="true">
     <truststore location="../conf/prod-env-keystore.jks" password="abc12345" />
    </ssl>
   </target>
  </serviceProxy>

But when I use Membrane Service Proxy v4.4.2 with the same JDK, I get a javax.net.ssl.SSLHandshakeException:



*** ClientHello, TLSv1
RandomCookie:  GMT: 1500980317 bytes = { 212, 163, 198, 107, 200, 34, 99, 207, 92, 12, 145, 7, 17, 230, 54, 67, 137, 21, 151, 145, 168, 8, 110, 198, 229, 157, 94, 57 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [type=host_name (0), value=61.31.xxx.xxx]
***
RouterThread /127.0.0.1:59603, WRITE: TLSv1 Handshake, length = 127
RouterThread /127.0.0.1:59603, received EOFException: error
RouterThread /127.0.0.1:59603, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
RouterThread /127.0.0.1:59603, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
RouterThread /127.0.0.1:59603, WRITE: TLSv1.2 Alert, length = 2
RouterThread /127.0.0.1:59603, called closeSocket()
2017/07/25-18:58:37,952 Thread:RouterThread /127.0.0.1:59603 DEBUG HttpClient:335 - try # 3 failed
GET /webservice/Handler_FuBon.ashx HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: zh-TW
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 61.31.232.9:443
Connection: Keep-Alive
X-Forwarded-For: 127.0.0.1
X-Forwarded-Proto: http
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:992)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at com.predic8.membrane.core.http.Message.write(Message.java:229)
        at com.predic8.membrane.core.transport.http.HttpClient.doCall(HttpClient.java:342)
        at com.predic8.membrane.core.transport.http.HttpClient.call(HttpClient.java:211)
        at com.predic8.membrane.core.interceptor.HTTPClientInterceptor.handleRequest(HTTPClientInterceptor.java:60)
        at com.predic8.membrane.core.interceptor.InterceptorFlowController.invokeRequestHandlers(InterceptorFlowController.java:106)
        at com.predic8.membrane.core.interceptor.InterceptorFlowController.invokeHandlers(InterceptorFlowController.java:71)
        at com.predic8.membrane.core.transport.http.AbstractHttpHandler.invokeHandlers(AbstractHttpHandler.java:70)
        at com.predic8.membrane.core.transport.http.HttpServerHandler.process(HttpServerHandler.java:234)
        at com.predic8.membrane.core.transport.http.HttpServerHandler.run(HttpServerHandler.java:119)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at sun.security.ssl.InputRecord.read(InputRecord.java:505)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
        ... 17 more
 

I added JVM properties such as "-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2" and "-Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2", but it still doesn't work.

What should I do? Can anyone help me, please?

Tobias Polley

Jul 25, 2017, 2:04:39 PM
to membrane-monitor
Hi.

It seems that the machine running on 61.31.xxx.xxx does not like the incoming connection. There have been several changes (comparing the master branch to 4.0.X) to improve security.

The error message "Remote host closed connection during handshake" does not give Membrane more information to show. It just indicates that the remote host closed the TCP connection. Maybe the log on the machine 61.31.xxx.xxx has more info.

You should not use TLS1.0 or TLS1.1 anymore, as they are considered insecure. If possible, even drop TLS1.2 in favor of TLS1.3.

Best
Tobias

ivork...@gmail.com

Jul 25, 2017, 7:42:02 PM
to membrane-monitor
Thanks for your help, I'll try checking log files on the target machine.

Best
Kang
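
The ClientHello in the trace quoted in the first post records what the proxy offered before the peer closed the connection. The following Python parser is an added example, not part of the thread and not Membrane code: it reads a JDK 8 style javax.net.debug ClientHello, rejoins console-wrapped lines, and reports a legacy protocol offer, a CBC-only suite list and an IP literal in the SNI extension. The sample trace and the address 192.0.2.10 are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed trace shaped like the javax.net.debug output in the thread, console-wrapped mid-token.
SAMPLE = """\
*** ClientHello, TLSv1
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_S
HA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Extension server_name, server_name: [type=host_name (0), value=192.0.2.10]
***
"""
# Line starts that open a new field; any other line continues the previous one.
FIELD = re.compile(r"RandomCookie:|Session ID:|Cipher Suites:|Compression Methods:|Extension ")

def parse_client_hello(trace):
    """Return version, cipher suites and SNI of the first ClientHello, or None."""
    hello, fields = None, []
    for line in trace.splitlines():
        if hello is None:
            m = re.match(r"\*\*\* ClientHello, (\S+)", line)
            hello = {"version": m.group(1), "suites": [], "sni": None} if m else None
        elif line.startswith("***"):
            break  # end of the ClientHello block
        elif FIELD.match(line) or not fields:
            fields.append(line)
        else:
            fields[-1] += line  # undo the console wrap: no separator added
    for f in fields:
        sni = re.match(r"Extension server_name.*value=([^\]]+)\]", f)
        if f.startswith("Cipher Suites:"):
            hello["suites"] = re.findall(r"(?:TLS|SSL)_\w+", f)
        elif sni:
            hello["sni"] = sni.group(1)
    return hello

def review(hello):
    """Findings a defender would raise about what the client offered."""
    out = []
    if hello["version"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        out.append("highest protocol offered is legacy " + hello["version"])
    suites = [s for s in hello["suites"] if not s.endswith("_SCSV")]
    if suites and not any("_GCM_" in s or "CHACHA20" in s for s in suites):
        out.append("only CBC suites offered, no AEAD")
    try:
        ipaddress.ip_address(hello["sni"] or "")
        out.append("SNI carries an IP literal; RFC 6066 permits DNS hostnames only")
    except ValueError:
        pass  # a DNS name, or no SNI at all
    return out
```

Calling review(parse_client_hello(text)) on a saved debug trace returns the list of findings; an empty list means none of the three conditions was seen in the first ClientHello.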