No success on sending notifications because of failed SSL handshake


Frank Steiler

Apr 13, 2015, 2:23:06 PM
to pushy...@googlegroups.com
Hey guys,

I am trying all day to get my server working to send out push notifications but somehow I am not able to tell pushy (or java-apns which I tried out before) to accept the SSL connection of the Apple APNS server (why the hell aren't they using proper signed certificates, it's not like they don't have the money to buy them). Anyway:

The error I am getting when running your example from the Github page is the following:

2015-04-13T19:58:32,539 DEBUG [nioEventLoopGroup-2-1] ApnsConnection [connect] - ExamplePushManager-connection-123 beginning connection process.
2015-04-13T19:58:32,546 DEBUG [nioEventLoopGroup-2-1] ApnsConnection [exceptionCaught] - ExamplePushManager-connection-122 caught an exception. io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:346)
2015-04-13T19:58:32,813 DEBUG [nioEventLoopGroup-2-1] ApnsConnection [operationComplete] - ExamplePushManager-connection-123 connected; waiting for TLS handshake.
2015-04-13T19:58:33,309 DEBUG [nioEventLoopGroup-2-1] ApnsConnection [operationComplete] - ExamplePushManager-connection-123 failed to complete TLS handshake with APNs gateway. javax.net.ssl.SSLException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
2015-04-13T19:58:33,311 TRACE [nioEventLoopGroup-2-1] PushManager [handleConnectionFailure] - Connection failed: ApnsConnection [name=ExamplePushManager-connection-123] javax.net.ssl.SSLException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)

That basically means that my server is not accepting the provided certificate of Apple, right?

I already tried everything to resolve this issue (adding the certificate using this method or using the keytool to import this certificate provided by the technical note about troubleshooting push notifications).

Could you please tell me what I am missing and why Java just can't ignore this error or send out a warning?

It would be great if someone of you could give me a step-by-step guide how to get this thing flying.

Thank you so much in advance for taking the time!

P.S.: I am currently using (against your advice) Tomcat 8 with OpenJDK 8 version "1.8.0_40-internal". My Github repo about this project (including the iOS client) can be found here, although the last push still "uses" java-apns.

Jon Chambers

Apr 16, 2015, 11:19:48 AM
to Frank Steiler, pushy...@googlegroups.com
Oops—forgot to CC the list. Doing so now for posterity.

You can try to connect via the command line using `openssl s_connect`. See https://www.pubnub.com/knowledge-base/discussion/234/how-do-i-test-my-pem-key for an example.

-Jon

On Thu, Apr 16, 2015 at 11:11 AM, Frank Steiler <fr...@steiler.eu> wrote:
Hi Jon, 

I hope so ;) 

Actually I did not think of that possibility and it is the first time I am doing APNS, so this could also be the problem.

Is there a way to double-check the validity of my certificate? 

Thank you,

Frank

On 16 Apr 2015, at 17:07, Jon Chambers <j...@relayrides.com> wrote:

That basically means that my server is not accepting the provided certificate of Apple, right?

Not necessarily. It's also possible that the APNs gateway is rejecting YOUR certificate, rather than the other way around. Are you sure you're sending the right certificate?

-Jon


--
Pushy is an open-source Java library for sending APNs (iOS and OS X) push notifications. Pushy is brought to you by the engineers at RelayRides.
---
You received this message because you are subscribed to the Google Groups "pushy" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pushy-apns+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



Jon Chambers

Apr 16, 2015, 11:21:29 AM
to Frank Steiler, pushy...@googlegroups.com
…and by `s_connect`, I mean `s_client`. Beg your pardon.

Apple also has this tech note you may find helpful: https://developer.apple.com/library/ios/technotes/tn2265/_index.html

-Jon

Frank Steiler

Apr 28, 2015, 6:02:40 AM
to Jon Chambers, pushy...@googlegroups.com
Hey Jon,

First of all thank you for your response and sorry for taking so long to test your suggestions. 

I used the following method to convert my .cer and .p12 file to .pem:

$ openssl x509 -in cert.cer -inform DER -outform PEM -out cert.pem
$ openssl pkcs12 -in key.p12 -out key.pem -nodes

I put the output of the openssl s_client command in this gist: https://gist.github.com/steilerDev/c7c93beb3fd370047a08

I am not sure if this is the expected output, but I doubt it. Do you know what went wrong?

Thanks,

Frank
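
A local check that can be run on the converted files before the `openssl s_client` test, added here as an example and not part of the original thread: it confirms that the certificate has not expired and that the private key actually belongs to it. The function names and the self-signed sample pairs are constructed for the demonstration; with the files from the commands above the call would be `check_pair cert.pem key.pem`.

```shell
#!/bin/sh
# Added example: local sanity checks on a client certificate/key pair.
# Function names and the throw-away sample pairs are constructed here.

# SHA-256 over the DER-encoded public key inside a certificate.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 over the DER-encoded public key derived from a private key.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Returns 0 only if the certificate is still valid and belongs to the key.
check_pair() {
    cert=$1
    key=$2
    # Show who the certificate was issued to and when it expires.
    openssl x509 -in "$cert" -noout -subject -enddate || return 2
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired"
        return 1
    fi
    if [ "$(cert_pubkey_hash "$cert")" != "$(key_pubkey_hash "$key")" ]; then
        echo "FAIL: private key does not belong to this certificate"
        return 1
    fi
    echo "OK: certificate is current and matches the private key"
}

# Constructed sample: a self-signed pair, for demonstration only.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-example-$1" \
        -keyout "$2/$1.key" -out "$2/$1.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample a "$demo_dir"
make_sample b "$demo_dir"
check_pair "$demo_dir/a.pem" "$demo_dir/a.key"          # matching pair
check_pair "$demo_dir/a.pem" "$demo_dir/b.key" || true  # mismatched pair
```

A pair that passes here can still be refused by the gateway, so this only rules out the local causes before looking at the `s_client` output.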
