J4SC: Has SpinVox changed the way it authenticates?

[nec]

Hi,

I had been using the first version of J4SC to successfully access the
SpinVox service.

However I noticed recently that the service no longer seems to work.
In particular it seems to fail to read the wav file being sent to it.

The following error occurs:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated


Are you aware if the SpinVox service is still in operation?

Regards,
Neil

[Rajneesh Patel]

Hi Neil

Just tried some functional junit tests we have in the source below

http://j4sc.googlecode.com/svn/trunk/J4SC/src/functional/test/java/com/googlecode/j4sc/functionaltests/SubmitAudioAndRetrieveConversion.java

When using dev, it works fine but on live getting read time out exceptions as shown below. May be that the service may be experiencing some issues currently.

How long has this error persisted. Since my functional tests work with dev service, thinking this is an issue with the live service currently

<error message="Read timed out" type="java.net.SocketTimeoutException">java.net.SocketTimeoutException: Read timed out

at java.net.SocketInputStream.socketRead0(Native Method)

at java.net.SocketInputStream.read(SocketInputStream.java:129)

at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)

at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)

at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:746)

 

Raj Patel

07957 446908

[nec]

Hi Raj,

I hadn't tried the dev service, just the release service. My use of
this has been a bit intermittent recently, but I first noticed the
problem around the 16th or 17th of October.

I just read on create.spinvox that they have updated the user manual,
but don't know the extent of the changes. Is it possible that SpinVox
have updated the API which now prevents J4SC 0.1 working?

Thanks,
Neil

On Oct 25, 8:53 pm, Rajneesh Patel <rajneeshpa...@gmail.com> wrote:
> Hi Neil
>
> Just tried some functional junit tests we have in the source below
>

> http://j4sc.googlecode.com/svn/trunk/J4SC/src/functional/test/java/co...

[Raj Patel]

Hi Neil

Checked 1.2 version of the manual and doesn't seem to be any breaking changes

Since the dev service seems to be working, I can only assume no changes in the 

auth mechanism have been made as this would affect the dev service as well.

Which version of java are you running, a quick look on the web has suggested possible

issues with JSSE (java security extensions).

Regards

Raj

2009/10/26 nec <neil....@gmail.com>

--
Raj Patel
Mobile: 07957 446908
Home: 0208 371 1958

[nec]

Hi Raj,

Actually I've just tried the dev service and I get the same problem
too with that.

I'm using version "Java(TM) SE Runtime Environment (build 1.6.0_02-
b06)" on a development machine and "Java(TM) SE Runtime Environment
(build 1.6.0_16-b01)" on a server. Both used to work and neither have
been changed as far as I am aware.

Regards,
Neil

On Oct 26, 8:39 am, Raj Patel <rajneeshpa...@gmail.com> wrote:
> Hi Neil
>

> Checked 1.2 version of the manual and doesn't seem to be any breaking
> changes
>
> Since the dev service seems to be working, I can only assume no changes in
> the
> auth mechanism have been made as this would affect the dev service as well.
>
> Which version of java are you running, a quick look on the web has suggested
> possible
> issues with JSSE (java security extensions).
>
> Regards
>
> Raj
>

> 2009/10/26 nec <neil.cro...@gmail.com>

[Raj Patel]

Hi Neil

Will have to look into this tomorrow. Will try the live service with real audio using the existing functional test.

Regards

Raj

2009/10/26 nec <neil....@gmail.com>

[Raj Patel]

Hi Neil

Just tried live service and is working for me

Any luck your end?

Raj

2009/10/26 Raj Patel <rajnee...@gmail.com>

[nec]

Hi Raj,

Thanks for looking at this. I'm afraid I still get the error stack
shown below on our production server. I will also try again from a
development machine and see if I still get the same result. I'll let
you know how this goes.

Out of interest, the error is apparently related to SSL certificates.
Is there any explicit code related to certificates in the J4SC code
base?

Regards,
Neil


javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at
com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(Unkno
wn Source)
at org.apache.http.conn.ssl.AbstractVerifier.verify
(AbstractVerifier.jav
a:129)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket
(SSLSocketFact
ory.java:326)
at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnect
ion(DefaultClientConnectionOperator.java:129)
at org.apache.http.impl.conn.AbstractPoolEntry.open
(AbstractPoolEntry.ja
va:164)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open
(AbstractPool
edConnAdapter.java:119)
at org.apache.http.impl.client.DefaultRequestDirector.execute
(DefaultReq
uestDirector.java:349)
at org.apache.http.impl.client.AbstractHttpClient.execute
(AbstractHttpCl
ient.java:555)
at org.apache.http.impl.client.AbstractHttpClient.execute
(AbstractHttpCl
ient.java:487)
at org.apache.http.impl.client.AbstractHttpClient.execute
(AbstractHttpCl
ient.java:465)
at com.googlecode.j4sc.service.Service.executeHttpMethod
(Service.java:17
1)
at com.googlecode.j4sc.service.Service.submit(Service.java:
136)


Regards,
Neil

On Oct 27, 9:13 am, Raj Patel <rajneeshpa...@gmail.com> wrote:
> Hi Neil
>

> Just tried live service and is working for me
>
> Any luck your end?
>
> Raj
>

> 2009/10/26 Raj Patel <rajneeshpa...@gmail.com>

>
>
>
>
>
> > Hi Neil
>
> > Will have to look into this tomorrow. Will try the live service with real
> > audio using the existing functional test.
>
> > Regards
>
> > Raj
>

> > 2009/10/26 nec <neil.cro...@gmail.com>

[Raj Patel]

Hi Neil

In terms of certificates, nothing specifically in the code, not an expert but pretty much username, password based authentication

Auth mech snippets as below

private static final int PORT = 443;

private static final String REALM = "spinvoxapi";

...

private void configureAuthentication(UserCredentials userCredentials, DefaultHttpClient httpclient) {

        Credentials defaultcreds = new UsernamePasswordCredentials(userCredentials.getUsername(), userCredentials

                .getPassword());

        httpclient.getCredentialsProvider().setCredentials(new AuthScope(uri.getHost(), PORT, REALM), defaultcreds);

}

Regards

Raj

2009/10/27 nec <neil....@gmail.com>

[nec]

Hi Raj,

I think I have just found out what is causing the issue. A colleague
has just told me that our server has been updated to use SSL
certificates. The JVM that is used to run the web application, into
which we have incorporated J4SC, is now started with two additional
variables:

-Djavax.net.ssl.trustStore="/path/to/keystore"
-Djavax.net.ssl.trustStorePassword=keystorepassword

We have just run a quick test without these and the SpinVox service
starts working again.

The problem I have now is understanding how this has adversely
affected the calls to SpinVox and understanding if there is any way we
can then avoid this?

Do you have any suggestions on how we might modify the J4SC code to
explicitly disable the effect of the trust store settings for our
server?

Regards,
Neil

On Oct 27, 10:02 am, Raj Patel <rajneeshpa...@gmail.com> wrote:
> Hi Neil
>

> In terms of certificates, nothing specifically in the code, not an expert
> but pretty much username, password based authentication
>
> Auth mech snippets as below
>
> private static final int PORT = 443;
>
> private static final String REALM = "spinvoxapi";
>
> ...
>
> private void configureAuthentication(UserCredentials userCredentials,
> DefaultHttpClient httpclient) {
>
>         Credentials defaultcreds =
> newUsernamePasswordCredentials(userCredentials.getUsername(),
> userCredentials
>
>                 .getPassword());
>
>         httpclient.getCredentialsProvider().setCredentials(new
> AuthScope(uri.getHost(),
> PORT, REALM), defaultcreds);
>
> }
>
> Regards
>
> Raj
>

> 2009/10/27 nec <neil.cro...@gmail.com>

[Raj Patel]

Just found this which may help

http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html?l=rel

Should disable the trust store, let me know it it works

2009/10/27 nec <neil....@gmail.com>

[nec]

Ok, thanks. I'll see what I can do and let you know how it goes.

Regards,
Neil

On Oct 27, 10:34 am, Raj Patel <rajneeshpa...@gmail.com> wrote:
> Just found this which may help
>
> http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html?l=rel
>
> Should disable the trust store, let me know it it works
>

> 2009/10/27 nec <neil.cro...@gmail.com>

[nec]

Hi Raj,

I did some more searching on this subject and I think I have found an
alternative, configuration based solution.

Essentially the problem is that the SSL connection requires access to
the CA certificate that SpinVox use on their servers. The reason it
works without explicitly doing anything is that the JRE contains a
java keystore containing a whole bunch of certificates, one of which
is used by SpinVox. In my case we had overridden the default keystore
to use a different keystore containing just our own CA certificate.
Therefore when a request was made by SpinVox, it couldn't find the
expected certificate and failed.

I read of a few other instances of this problem in other contexts and
the recommended solution seems to be to import the required
certificate from the JRE cacerts keystore into your own keystore.
Alternatively it has been suggested that you could do it the other way
around and import your certificates into the JRE cacerts.

I figured out that SpinVox use GoDaddy based certificates, so I
imported that and this then seems to overcome the SSL issue I
encountered.

Anyway, I hope this is useful information and thanks for taking the
time to look into this.

Regards,
Neil

[Raj Patel]

Neil

Thanks for the followup. This is really useful to know and worth adding to the J4SC wiki pages for other users.

So to summarise, either place the GoDaddy CA in your keystore if you dont use the default or place your CA 

in the default which already contains the GoDaddy CA which is used by SpinVox

Is the summary correct?

Regards

Raj

2009/10/28 nec <neil....@gmail.com>

[nec]

Hi Raj,

Yes, that is correct. I've only tried out the case where I import the
GoDaddy CA from the JRE cacerts file into my keystore, but I'm
assuming what others have said is right that you could equally import
your own certificates into the JRE cacerts file.

I don't know how future proof this is, as I guess SpinVox could always
change their CA authority, but it seems to work for now and fits in
with other SSL requirements we have for our server.

Regards,
Neil

On Oct 28, 12:16 pm, Raj Patel <rajneeshpa...@gmail.com> wrote:
> Neil
>
> Thanks for the followup. This is really useful to know and worth adding to
> the J4SC wiki pages for other users.
>
> So to summarise, either place the GoDaddy CA in your keystore if you dont
> use the default or place your CA
> in the default which already contains the GoDaddy CA which is used by
> SpinVox
>
> Is the summary correct?
>
> Regards
>
> Raj
>

> 2009/10/28 nec <neil.cro...@gmail.com>

> ...
>
> read more »

[Raj Patel]

Ok, will post page in wiki regarding this and thanks once again

2009/10/28 nec <neil....@gmail.com>