error:14141152:SSL routines:SSL_SCAN_SERVERHELLO_TLSEXT:unsafe legacy renegotiati

Pavel Fila

Mar 29, 2017, 9:23:15 AM
to pushy
Hi guys,
I've set up pushy, but when I try to connect it gives me this error:

javax.net.ssl.SSLHandshakeException: error:14141152:SSL routines:SSL_SCAN_SERVERHELLO_TLSEXT:unsafe legacy renegotiation disabled
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:912)

I'm behind a proxy; the proxy setup might be the culprit, as we have a pretty restricted environment.

Would you have any advice on what that might be?
Cheers Pavel

The pom contains this:

<dependency>
    <groupId>com.relayrides</groupId>
    <artifactId>pushy</artifactId>
    <exclusions>
        <exclusion>
            <groupId>io.netty</groupId>
            <artifactId>netty-codec-http2</artifactId>
        </exclusion>
        <exclusion>
            <groupId>io.netty</groupId>
            <artifactId>netty-handler-proxy</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-tcnative</artifactId>
    <version>2.0.0.Final</version>
    <classifier>${io.netty.tcnative.classifier}</classifier>
</dependency>

<dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-all</artifactId>
    <version>4.1.9.Final</version>
</dependency>

<dependency>
    <groupId>org.eclipse.jetty.alpn</groupId>
    <artifactId>alpn-api</artifactId>
    <version>1.1.3.v20160715</version>
    <scope>runtime</scope>
</dependency>

Jon Chambers

Mar 29, 2017, 9:35:03 AM
to Pavel Fila, pushy
Well, two things (beyond the issues you've already mentioned) jump to mind:

1. We don't yet officially support Netty 4.1.9 or netty-tcnative 2.0.0 (though I'm not immediately aware of any reason they WOULDN'T work).
2. What JVM are you using? This sounds a little bit like a missing cipher problem to me.

Thanks!

-Jon

--
Pushy is an open-source Java library for sending APNs (iOS and OS X) push notifications. Pushy is brought to you by the engineers at RelayRides.
---
You received this message because you are subscribed to the Google Groups "pushy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pushy-apns+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Pavel Fila

Mar 29, 2017, 9:44:16 AM
to pushy, pavel.jar...@gmail.com
Thanks for the quick answer.

JVM is 1.7.0_80

I tried with io.netty-tcnative:1.1.33.Fork26 and netty-all:4.1.6.Final
Now I've got this:

Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
No available cipher suite for TLSv1
No available cipher suite for TLSv1.1
No available cipher suite for TLSv1.2
nioEventLoopGroup-3-1, fatal error: 40: Couldn't kickstart handshaking
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
nioEventLoopGroup-3-1, SEND TLSv1 ALERT:  fatal, description = handshake_failure
nioEventLoopGroup-3-1, WRITE: TLSv1 Alert, length = 2
INFO  2017-03-29 14:38:33,650 [nioEventLoopGroup-3-1] com.relayrides.pushy.apns.ApnsClient: Failed to connect.
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at sun.security.ssl.Handshaker.activate(Handshaker.java:470)
        at sun.security.ssl.SSLEngineImpl.kickstartHandshake(SSLEngineImpl.java:714)
        at sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:740)
        at io.netty.handler.ssl.JdkSslEngine.beginHandshake(JdkSslEngine.java:147)






Pavel Fila

Mar 30, 2017, 12:57:49 PM
to pushy, pavel.jar...@gmail.com
OK,
this was probably my wrong installation of openssl.
Using the statically linked boringssl solved that.

p.f.

Jon Chambers

Mar 30, 2017, 2:05:06 PM
to Pavel Fila, pushy
Ah—cool! Glad it's resolved, and thanks for sharing the solution!

-Jon


Murali Balusa

Apr 3, 2017, 2:55:26 PM
to pushy, pavel.jar...@gmail.com

I am getting the below error:

io.netty.handler.ssl.ApplicationProtocolNegotiationHandler handshakeFailure
WARNING: [id: 0x9e45a0f6, L:/10.232.100.14:61460 - R:api.development.push.apple.com/17.188.166.27:443] TLS handshake failed:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at sun.security.ssl.Handshaker.activate(Handshaker.java:470)


I am using Java version: 1.7.0_80

and here are the dependencies in pom.xml. 


<dependency>
    <groupId>com.relayrides</groupId>
    <artifactId>pushy</artifactId>
    <version>0.9.2</version>
</dependency>

<dependency>
    <groupId>org.eclipse.jetty.alpn</groupId>
    <artifactId>alpn-api</artifactId>
    <version>1.1.0.v20141014</version>
</dependency>

<dependency>
    <groupId>org.mortbay.jetty.alpn</groupId>
    <artifactId>alpn-boot</artifactId>
    <version>7.1.0.v20141016</version>
</dependency>


Any help is appreciated. Which version of alpn-api and alpn-boot will work for Java version 1.7.0_80?


Thanks,

Murali Balusa

Pavel Fila

Apr 3, 2017, 2:59:45 PM
to pushy, pavel.jar...@gmail.com
Hi,
in my case I needed to add this dependency:

<dependency>
    <groupId>io.netty</groupId>
    <artifactId>netty-tcnative-boringssl-static</artifactId>
    <version>2.0.0.Final</version>
</dependency>

Murali Balusa

Apr 3, 2017, 3:44:37 PM
to pushy, pavel.jar...@gmail.com
Hi Pavel,

Thanks for the reply.

Can you please share the pom.xml dependencies for pushy to work with Java version 1.7.0_80?

Thanks,
Murali Balusa

Murali Balusa

Apr 3, 2017, 4:51:04 PM
to pushy, pavel.jar...@gmail.com
Hi Pavel,

It worked with the dependency netty-tcnative-boringssl-static.
Thanks a lot for your inputs.

Thanks,
Murali Balusa.
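
Added example, not part of the thread above and not Pushy's own code: a small Java 7-compatible diagnostic for the two failure modes reported here. It reports whether netty-tcnative loaded and which native TLS library it is bound to, and which of Netty's recommended HTTP/2 cipher suites the JDK's own TLS stack offers; the class name TlsProviderCheck is hypothetical, and Netty 4.1.x is assumed on the classpath.

```java
import io.netty.handler.codec.http2.Http2SecurityUtil;
import io.netty.handler.ssl.OpenSsl;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Added diagnostic sketch (hypothetical class name); run it with the application's own classpath and JVM. */
public class TlsProviderCheck {

    /** Suites from Netty's recommended HTTP/2 list that the JDK's built-in TLS stack supports. */
    static List<String> jdkHttp2Ciphers() throws Exception {
        SSLParameters params = SSLContext.getDefault().getSupportedSSLParameters();
        Set<String> supported = new HashSet<String>(Arrays.asList(params.getCipherSuites()));
        List<String> usable = new ArrayList<String>();
        for (String suite : Http2SecurityUtil.CIPHERS) {
            if (supported.contains(suite)) {
                usable.add(suite);
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        SSLParameters jdk = SSLContext.getDefault().getSupportedSSLParameters();
        System.out.println("java.version        = " + System.getProperty("java.version"));
        System.out.println("JDK TLS protocols   = " + Arrays.toString(jdk.getProtocols()));
        System.out.println("JDK HTTP/2 ciphers  = " + jdkHttp2Ciphers());

        if (OpenSsl.isAvailable()) {
            // Native provider loaded: show which OpenSSL/BoringSSL build is actually in use.
            System.out.println("netty-tcnative      = loaded, " + OpenSsl.versionString());
            System.out.println("ALPN via native lib = " + OpenSsl.isAlpnSupported());
        } else {
            // Without the native library only the JDK engine remains
            // (JdkSslEngine / SSLEngineImpl, as in the second trace in this thread).
            System.out.println("netty-tcnative      = NOT loaded");
            Throwable cause = OpenSsl.unavailabilityCause();
            if (cause != null) {
                cause.printStackTrace(System.out); // why the native library failed to load
            }
        }
    }
}
```

An empty JDK cipher list combined with a failed native load matches the "No available cipher suite" trace posted above; a successful load with the netty-tcnative-boringssl-static artifact is the state both posters ended in.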