Re: Bug: GlassFish 3.1.2.2 closes connection during SSL handshake

  • From: Ryan Lubke <ryan.lubke@...>
  • To: users@...
  • Subject: Re: Bug: GlassFish 3.1.2.2 closes connection during SSL handshake
  • Date: Mon, 03 Jun 2013 08:34:29 -0700

Could you please run your test with '-Djavax.net.debug=ssl:handshake' (less the quotes) on your test domain and attach the output?

Thanks,
-rl

Rolf Krahl wrote:
Hi,

I believe I found a bug.


Symptom
-------

I installed GlassFish Server Open Source Edition version 3.1.2.2,
started the default domain using the default configuration
(e.g. applications listening for https at port 8181) and deployed some
applications.

Connections to the applications using https work fine with some
clients (e.g. Firefox), but fail with others.  For instance a Python
script using Suds throws the following error:

| urllib2.URLError:<urlopen error [Errno 8] _ssl.c:517: EOF occurred in violation of protocol>


Analysis
--------

Trying the openssl command line client, it turns out that the
connection with an old version of the client (0.9.8h) works fine:

| $ openssl version
| OpenSSL 0.9.8h 28 May 2008
| $ openssl s_client -connect glassfish.example.org:8181
| CONNECTED(00000003)
| depth=3 [...]

while recent versions fail:

| $ openssl version
| OpenSSL 1.0.1e 11 Feb 2013
| $ openssl s_client -connect glassfish.example.org:8181
| CONNECTED(00000003)
| 140160983336616:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
| [...]

Inspecting the network stream shows that in the case of the error,
GlassFish closes the connection right after "SSL Client Hello",
without sending any reply.  At this point, the only difference in the
SSL dialog between a failed and a successful connection is the list of
cipher suites and extensions that the client offers.  It seems that
GlassFish is not able to correctly handle the list of ciphers that
recent openssl client versions offer to the server.

Indeed, if one reduces this list with a recent openssl client, the
connection succeeds:

| $ openssl version
| OpenSSL 1.0.1e 11 Feb 2013
| $ openssl s_client -cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5 -connect glassfish.example.org:8181
| CONNECTED(00000003)
| depth=3 [...]

The default list of ciphers of my newer openssl version is:

| $ openssl ciphers

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5


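The comparison described in the analysis above (what a failing Client Hello offers that a working one does not) can be automated. The following is an added example, not part of the original thread: it parses the cipher suite IDs and extension types out of two Client Hello records and reports the difference. The function names and both sample records are constructed for illustration, and it assumes the hello arrives in TLS record format (not the SSLv2-compatible framing).

```python
import struct

def parse_client_hello(record: bytes) -> dict:
    """Return cipher suite IDs and extension types offered in a TLS ClientHello record."""
    ctype, _ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 1:
        raise ValueError("handshake message is not a ClientHello")
    pos = 4 + 2 + 32                       # handshake header, client_version, random
    pos += 1 + body[pos]                   # skip session_id
    (cs_len,) = struct.unpack_from("!H", body, pos)
    suites = list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos + 2))
    pos += 2 + cs_len
    pos += 1 + body[pos]                   # skip compression_methods
    extensions = []
    if pos < len(body):                    # the extensions block is optional
        (ext_total,) = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            extensions.append(ext_type)
            pos += 4 + ext_len
    return {"suites": suites, "extensions": extensions}

def offer_diff(ok: bytes, failed: bytes) -> dict:
    """Suites and extensions present in the failing hello but not in the working one."""
    a, b = parse_client_hello(ok), parse_client_hello(failed)
    return {"suites": [s for s in b["suites"] if s not in a["suites"]],
            "extensions": [e for e in b["extensions"] if e not in a["extensions"]]}

def build_hello(suites, extensions):
    """Build a sample ClientHello record (constructed test data, not a capture)."""
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = b"\x03\x01" + bytes(32) + b"\x00"          # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + struct.pack("!%dH" % len(suites), *suites)
    body += b"\x01\x00"                               # one compression method: null
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples only; they do not claim which entry triggers the failure.
# OLD offers three classic suites; NEW adds two ECDHE suites and two EC extensions.
OLD = build_hello([0x0039, 0x0035, 0x000A], [])
NEW = build_hello([0xC014, 0xC00A, 0x0039, 0x0035, 0x000A],
                  [(10, b"\x00\x02\x00\x17"), (11, b"\x01\x00")])
```

Feeding it the raw Client Hello bytes exported from the two captured connections narrows the search to the entries only the failing client sends.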
