Notification of handshake failure/timeout

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Notification of handshake failure/timeout

Siman Tov Gal

Hi Alexey,

 

We managed to establish a complete handshake on both SSL/TLS channels.

However, I have got several open issues regarding the handshake mechanism.

 

We implemented the HandshakeListener interface (OnComplete / OnStart).

How can we be notified of other handshake events such as : handshake failure and handshake timeout (E.g: Since we do have the ability to set the timeout via setHandshakeTimeout())

 

I would like to thank you on your prompt responses to my (and my team members) queries.

 

Thanks a lot,

 

Gal

 

 

From: Oleksiy Stashok [mailto:[hidden email]]
Sent: Thursday, January 22, 2015 11:06 PM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri; Ben-Yosef Efrat
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

yeah, I expected there's something wrong with the config.
 

Do you have any suggested solution to filter out specific protocols and ciphers  ?

Grizzly API seems to provide a “white list” for these settings. What we are looking for is an option to provide a “black list”.

Well, it's always possible to get the list of *all* available ciphers and protocols, so it's very easy to get a "white list" out of "black list".
To get the list of all supported protocols you can do something like:



 

Thanks

 

Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, January 22, 2015 7:58 AM
To: [hidden email]
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

unfortunately I can't reproduce the problem locally.
How do you run the sample server, do you use maven?
Can you pls. share the entire server SSL log, not only handshake.

Thank you.

WBR,
Alexey.

On 21.01.15 01:58, Siman Tov Gal wrote:

Hi Alexey.

I have run the SSLEchoServer along with the SSLEchoClient (As taken from the Grizzly samples).

 

I have added to the SSLEchoServer runtime execution the  -Djavax.net.debug=all .

 

I got the following output during the handshake :

 

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

 

trigger seeding of SecureRandom

done seeding SecureRandom

Press any key to stop the server...

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

[Raw read]: length = 5

0000: 16 03 01 00 95                                     .....

[Raw read]: length = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

Grizzly-worker(1), READ: TLSv1 Handshake, length = 149

*** ClientHello, TLSv1

RandomCookie:  GMT: 1405056815 bytes = { 166, 52, 239, 180, 173, 202, 73, 39, 37, 221, 122, 202, 62, 239, 169, 158, 96, 51, 21, 12, 129, 160, 139, 18, 157, 177, 180, 124 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

***

[read] MD5 and SHA1 hashes:  len = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), fatal error: 40: no cipher suites in common

javax.net.ssl.SSLHandshakeException: no cipher suites in common

%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), SEND TLSv1 ALERT:  fatal, description = handshake_failure

Grizzly-worker(1), WRITE: TLSv1 Alert, length = 2

Grizzly-worker(1), fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

 

 

Please advise,

 

Thanks Gal Siman-Tov

 

From: Oleksiy Stashok [[hidden email]]
Sent: Wednesday, January 21, 2015 3:27 AM
To: Siman Tov Gal
Cc: Meltser Tiran; Broide Uri; '[hidden email]'
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

are you running SSLEchoServer?
If yes, there is SSLEchoClient, does it work with the server?

Thank you.

WBR,
Alexey.

On 19.01.15 06:17, Siman Tov Gal wrote:

Hi Alexey,

 

Thanks for the prompt reply.

 

I took a step back and tried to launch the SSL sample from the Grizzly repository (grizzly-framework-samples-2.3.18.jar).

I used an openssl client and on handshake I got the following error:

 

30720:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

 

Note that I did not perform any setup on the SSLEngineConfigurator.

 

As far as I’ve seen other examples they should work as is, but this does not happen here.

 

Am I missing something?

 

10x,

 

Gal

 

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Monday, January 19, 2015 6:58 AM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

can you pls. share the test case so we can reproduce the problem?

Thank you.

WBR,
Alexey.

On 18.01.15 00:13, Siman Tov Gal wrote:

Hi

 

I am trying to establish a SSL handshake with my Grizzly server and an openssl client.

 

I’ve  configured the SSLEngineConfigurator with the following setup:

 

              sslContextConfig.setKeyStoreFile(keyStoreLocation);

              sslContextConfig.setKeyStorePass(keyStorePassword);

             

              // Create SSLEngine configurator

              SSLEngineConfigurator sslEngineConfigurator = new SSLEngineConfigurator(sslContextConfig.createSSLContext(),false,false,false);

              SSLSocketFactory sf = sslEngineConfigurator.getSslContext().getSocketFactory();         

             

              String[] supportedProtocols = {"TLSv1","SSLv3","TLSv1.1","TLSv1.2","SSLv2Hello"};

              sslEngineConfigurator.setEnabledProtocols(supportedProtocols);

              sslEngineConfigurator.setProtocolConfigured(true);

              String[] cipherSuites = sf.getSupportedCipherSuites();

              sslEngineConfigurator.setEnabledCipherSuites(cipherSuites);

              sslEngineConfigurator.setCipherConfigured(true);

              sslEngineConfigurator.setNeedClientAuth(false);

              sslEngineConfigurator.setWantClientAuth(false);

 

When debugging the handshake code, the point of failure was in the SSLBaseFilter:doHandshakeStep() method.

When entering the case of NEED_UNWRAP, the handshake failed due to the fact that the inputBuffer was set to null.

 

The openssl client send the following command :

 

openssl.exe s_client -debug -msg -connect localhost:50443

 

I am getting the following response :

 

8392:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:601

 

Thanks in advance

 

Gal S.T

 

P.S:  I open the SSL debug info (using : -Djavax.net.debug=all)

 

Here is the output :

 

chain [0] = [

[

  Version: V3

  Subject: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

 

  Key:  Sun RSA public key, 2048 bits

  modulus: 24414085473144772337919323012074107190618816754963514243080255494571539528736844619038076143491962690817977116723664346553272438908433680538048087195422831263971167306175278902944331875961609798287166241724881538546675318900905485132685167634098012392607384655817306725746127194856379390873270494744745754705873786404248972196545665264863541650881792842260766824580673229124863089563730094213195521617379221251195145200022967368062802615057847357727486054056179317815221853820588458878995885198226082418443238912098038011785005029767939039988128318928941102946178680941872945325579621419106798984545238312478653261279

  public exponent: 65537

  Validity: [From: Thu Jan 15 15:47:10 IST 2015,

               To: Wed Aug 10 16:47:10 IDT 2044]

  Issuer: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  SerialNumber: [    5606fc55]

 

Certificate Extensions: 1

[1]: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 27 D1 11 CB 8B AF EB 5E   D8 67 A5 58 88 CE 39 72  '......^.g.X..9r

0010: 74 DA 48 65                                        t.He

]

]

 

]

  Algorithm: [SHA1withRSA]

  Signature:

0000: 56 82 F0 A4 A6 56 A8 F8   37 3D E6 A5 1F 87 E3 9D  V....V..7=......

0010: 45 33 C6 C6 DB 5E A5 46   C7 EB 6D 12 FD 12 38 F3  E3...^.F..m...8.

0020: 0F 80 99 A6 B7 1D 1F 84   22 5E E6 B8 FA DE 7F 68  ........"^.....h

0030: 7B 0D D0 24 53 D0 DA CB   13 F3 38 E3 EA 3B 69 C1  ...$S.....8..;i.

0040: 1E 6B BB AA 32 4F CF AF   42 91 52 C5 07 49 99 AB  .k..2O..B.R..I..

0050: C5 48 29 64 17 2A 23 AF   74 B0 2C 90 01 C1 7E BE  .H)d.*#.t.,.....

0060: 37 ED DC 2E F3 59 E7 6C   0B B0 6B DF 20 5C 61 24  7....Y.l..k. \a$

0070: FB BA EB 4E 35 BD 6A AE   DB 98 59 27 D4 C1 6D 81  ...N5.j...Y'..m.

0080: 50 8A 7B 45 9C ED 73 20   74 78 6E 45 44 54 E3 3E  P..E..s txnEDT.>

0090: B8 B6 86 98 EE 3D 65 36   D8 F2 96 67 9B BD DC DE  .....=e6...g....

00A0: CF 6B 12 51 2F D3 5E B6   E4 87 9C E5 2C 91 E6 70  .k.Q/.^.....,..p

00B0: F4 2F 19 A0 08 19 BF BF   0B 25 87 16 AE 98 76 94  ./.......%....v.

00C0: 22 DD 36 99 0A FB 41 53   0D 46 C6 18 33 36 A7 4F  ".6...AS.F..36.O

00D0: DF 45 71 46 3B 02 DA 55   58 E8 65 9F 70 E6 E1 F9  .EqF;..UX.e.p...

00E0: 6D A3 B9 6D 56 01 F8 B8   E1 A0 47 E5 76 EA 25 BE  m..mV.....G.v.%.

00F0: 6B 64 1A AA 04 1D A2 61   D9 CB 3F 2C 06 FC 24 37  kd.....a..?,..$7

 

]

***

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

adding as trusted cert:

  Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Algorithm: RSA; Serial number: 0x4eb200670c035d4f

  Valid from Wed Oct 25 10:36:00 IST 2006 until Sat Oct 25 11:36:00 IDT 2036

 

adding as trusted cert:

  Subject: [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Issuer:  [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Algorithm: RSA; Serial number: 0x1

  Valid from Sat Jun 26 01:23:48 IDT 1999 until Wed Jun 26 01:23:48 IDT 2019

 

trigger seeding of SecureRandom

done seeding SecureRandom

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

***** MIST started in 10092 ms *****

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

%% No cached client session

*** ClientHello, TLSv1.2

RandomCookie:  GMT: 1404790585 bytes = { 174, 154, 88, 222, 218, 55, 81, 20, 22, 53, 136, 174, 20, 168, 180, 225, 117, 54, 216, 158, 183, 119, 118, 16, 236, 221, 24, 251 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA

***

[write] MD5 and SHA1 hashes:  len = 263

0000: 01 00 01 03 03 03 54 BB   67 39 AE 9A 58 DE DA 37  ......T.g9..X..7

0010: 51 14 16 35 88 AE 14 A8   B4 E1 75 36 D8 9E B7 77  Q..5......u6...w

0020: 76 10 EC DD 18 FB 00 00   7E C0 23 C0 27 00 3C C0  v.........#.'.<.

0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.)[hidden email]...

0040: 0E 00 33 00 32 C0 08 C0   12 00 0A C0 03 C0 0D 00  ..3.2...........

0050: 16 00 13 C0 07 C0 11 00   05 C0 02 C0 0C 00 04 00  ................

0060: FF 00 6C C0 18 00 34 C0   17 00 1B C0 16 00 18 00  ..l...4.........

0070: 09 00 15 00 12 00 1A 00   03 00 17 00 08 00 14 00  ................

0080: 11 00 19 00 3B C0 06 C0   10 00 02 C0 01 C0 0B C0  ....;...........

0090: 15 00 01 00 1F 00 23 00   20 00 24 00 1E 00 22 00  ......#. .$...".

00A0: 26 00 29 00 28 00 2B 01   00 00 5C 00 0A 00 34 00  &.).(.+...\...4.

00B0: 32 00 17 00 01 00 03 00   13 00 15 00 06 00 07 00  2...............

00C0: 09 00 0A 00 18 00 0B 00   0C 00 19 00 0D 00 0E 00  ................

00D0: 0F 00 10 00 11 00 02 00   12 00 04 00 05 00 14 00  ................

00E0: 08 00 16 00 0B 00 02 01   00 00 0D 00 1A 00 18 06  ................

00F0: 03 06 01 05 03 05 01 04   03 04 01 03 03 03 01 02  ................

0100: 03 02 01 02 02 01 01                               .......

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: TLSv1.2 Handshake, length = 263

[write] MD5 and SHA1 hashes:  len = 257

0000: 01 03 03 00 D8 00 00 00   20 00 C0 23 00 C0 27 00  ........ ..#..'.

0010: 00 3C 00 C0 25 00 C0 29   00 00 67 00 00 40 00 C0  .<..%..)[hidden email]..

0020: 09 06 00 40 00 C0 13 00   00 2F 00 C0 04 01 00 80  [hidden email]......

0030: 00 C0 0E 00 00 33 00 00   32 00 C0 08 00 C0 12 00  .....3..2.......

0040: 00 0A 07 00 C0 00 C0 03   02 00 80 00 C0 0D 00 00  ................

0050: 16 00 00 13 00 C0 07 05   00 80 00 C0 11 00 00 05  ................

0060: 00 C0 02 00 C0 0C 00 00   04 01 00 80 00 00 FF 00  ................

0070: 00 6C 00 C0 18 00 00 34   00 C0 17 00 00 1B 00 C0  .l.....4........

0080: 16 00 00 18 00 00 09 06   00 40 00 00 15 00 00 12  [hidden email]......

0090: 00 00 1A 00 00 03 02 00   80 00 00 17 00 00 08 00  ................

00A0: 00 14 00 00 11 00 00 19   00 00 3B 00 C0 06 04 00  ..........;.....

00B0: 80 00 C0 10 00 00 02 00   C0 01 00 C0 0B 00 C0 15  ................

00C0: 00 00 01 00 00 1F 00 00   23 00 00 20 00 00 24 00  ........#.. ..$.

00D0: 00 1E 00 00 22 00 00 26   00 00 29 00 00 28 00 00  ...."..&..)..(..

00E0: 2B 54 BB 67 39 AE 9A 58   DE DA 37 51 14 16 35 88  +T.g9..X..7Q..5.

00F0: AE 14 A8 B4 E1 75 36 D8   9E B7 77 76 10 EC DD 18  .....u6...wv....

0100: FB                                                 .

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: SSLv2 client hello message, length = 257

[Raw write]: length = 259

0000: 81 01 01 03 03 00 D8 00   00 00 20 00 C0 23 00 C0  .......... ..#..

0010: 27 00 00 3C 00 C0 25 00   C0 29 00 00 67 00 00 40  '..<..%..)..g..@

0020: 00 C0 09 06 00 40 00 C0   13 00 00 2F 00 C0 04 01  [hidden email]....

0030: 00 80 00 C0 0E 00 00 33   00 00 32 00 C0 08 00 C0  .......3..2.....

0040: 12 00 00 0A 07 00 C0 00   C0 03 02 00 80 00 C0 0D  ................

0050: 00 00 16 00 00 13 00 C0   07 05 00 80 00 C0 11 00  ................

0060: 00 05 00 C0 02 00 C0 0C   00 00 04 01 00 80 00 00  ................

0070: FF 00 00 6C 00 C0 18 00   00 34 00 C0 17 00 00 1B  ...l.....4......

0080: 00 C0 16 00 00 18 00 00   09 06 00 40 00 00 15 00  [hidden email]....

0090: 00 12 00 00 1A 00 00 03   02 00 80 00 00 17 00 00  ................

00A0: 08 00 00 14 00 00 11 00   00 19 00 00 3B 00 C0 06  ............;...

00B0: 04 00 80 00 C0 10 00 00   02 00 C0 01 00 C0 0B 00  ................

00C0: C0 15 00 00 01 00 00 1F   00 00 23 00 00 20 00 00  ..........#.. ..

00D0: 24 00 00 1E 00 00 22 00   00 26 00 00 29 00 00 28  $....."..&..)..(

00E0: 00 00 2B 54 BB 67 39 AE   9A 58 DE DA 37 51 14 16  ..+T.g9..X..7Q..

00F0: 35 88 AE 14 A8 B4 E1 75   36 D8 9E B7 77 76 10 EC  5......u6...wv..

0100: DD 18 FB     


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”
Reply | Threaded
Open this post in threaded view
|

Re: Notification of handshake failure/timeout

oleksiys
Administrator
Hi Gal,

do you need this for client or server side, or both?

Thanks.

WBR,
Alexey.

On 04.02.15 09:46, Siman Tov Gal wrote:

Hi Alexey,

 

We managed to establish a complete handshake on both SSL/TLS channels.

However, I have got several open issues regarding the handshake mechanism.

 

We implemented the HandshakeListener interface (OnComplete / OnStart).

How can we be notified of other handshake events such as : handshake failure and handshake timeout (E.g: Since we do have the ability to set the timeout via setHandshakeTimeout())

 

I would like to thank you on your prompt responses to my (and my team members) queries.

 

Thanks a lot,

 

Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, January 22, 2015 11:06 PM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri; Ben-Yosef Efrat
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

yeah, I expected there's something wrong with the config.
 

Do you have any suggested solution to filter out specific protocols and ciphers  ?

Grizzly API seems to provide a “white list” for these settings. What we are looking for is an option to provide a “black list”.

Well, it's always possible to get the list of *all* available ciphers and protocols, so it's very easy to get a "white list" out of "black list".
To get the list of all supported protocols you can do something like:



 

Thanks

 

Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, January 22, 2015 7:58 AM
To: [hidden email]
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

unfortunately I can't reproduce the problem locally.
How do you run the sample server, do you use maven?
Can you pls. share the entire server SSL log, not only handshake.

Thank you.

WBR,
Alexey.

On 21.01.15 01:58, Siman Tov Gal wrote:

Hi Alexey.

I have run the SSLEchoServer along with the SSLEchoClient (As taken from the Grizzly samples).

 

I have added to the SSLEchoServer runtime execution the  -Djavax.net.debug=all .

 

I got the following output during the handshake :

 

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

 

trigger seeding of SecureRandom

done seeding SecureRandom

Press any key to stop the server...

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

[Raw read]: length = 5

0000: 16 03 01 00 95                                     .....

[Raw read]: length = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

Grizzly-worker(1), READ: TLSv1 Handshake, length = 149

*** ClientHello, TLSv1

RandomCookie:  GMT: 1405056815 bytes = { 166, 52, 239, 180, 173, 202, 73, 39, 37, 221, 122, 202, 62, 239, 169, 158, 96, 51, 21, 12, 129, 160, 139, 18, 157, 177, 180, 124 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

***

[read] MD5 and SHA1 hashes:  len = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), fatal error: 40: no cipher suites in common

javax.net.ssl.SSLHandshakeException: no cipher suites in common

%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), SEND TLSv1 ALERT:  fatal, description = handshake_failure

Grizzly-worker(1), WRITE: TLSv1 Alert, length = 2

Grizzly-worker(1), fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

 

 

Please advise,

 

Thanks Gal Siman-Tov

 

From: Oleksiy Stashok [[hidden email]]
Sent: Wednesday, January 21, 2015 3:27 AM
To: Siman Tov Gal
Cc: Meltser Tiran; Broide Uri; '[hidden email]'
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

are you running SSLEchoServer?
If yes, there is SSLEchoClient, does it work with the server?

Thank you.

WBR,
Alexey.

On 19.01.15 06:17, Siman Tov Gal wrote:

Hi Alexey,

 

Thanks for the prompt reply.

 

I took a step back and tried to launch the SSL sample from the Grizzly repository (grizzly-framework-samples-2.3.18.jar).

I used an openssl client and on handshake I got the following error:

 

30720:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

 

Note that I did not perform any setup on the SSLEngineConfigurator.

 

As far as I’ve seen other examples they should work as is, but this does not happen here.

 

Am I missing something?

 

10x,

 

Gal

 

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Monday, January 19, 2015 6:58 AM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

can you pls. share the test case so we can reproduce the problem?

Thank you.

WBR,
Alexey.

On 18.01.15 00:13, Siman Tov Gal wrote:

Hi

 

I am trying to establish a SSL handshake with my Grizzly server and an openssl client.

 

I’ve  configured the SSLEngineConfigurator with the following setup:

 

              sslContextConfig.setKeyStoreFile(keyStoreLocation);

              sslContextConfig.setKeyStorePass(keyStorePassword);

             

              // Create SSLEngine configurator

              SSLEngineConfigurator sslEngineConfigurator = new SSLEngineConfigurator(sslContextConfig.createSSLContext(),false,false,false);

              SSLSocketFactory sf = sslEngineConfigurator.getSslContext().getSocketFactory();         

             

              String[] supportedProtocols = {"TLSv1","SSLv3","TLSv1.1","TLSv1.2","SSLv2Hello"};

              sslEngineConfigurator.setEnabledProtocols(supportedProtocols);

              sslEngineConfigurator.setProtocolConfigured(true);

              String[] cipherSuites = sf.getSupportedCipherSuites();

              sslEngineConfigurator.setEnabledCipherSuites(cipherSuites);

              sslEngineConfigurator.setCipherConfigured(true);

              sslEngineConfigurator.setNeedClientAuth(false);

              sslEngineConfigurator.setWantClientAuth(false);

 

When debugging the handshake code, the point of failure was in the SSLBaseFilter:doHandshakeStep() method.

When entering the case of NEED_UNWRAP, the handshake failed due to the fact that the inputBuffer was set to null.

 

The openssl client send the following command :

 

openssl.exe s_client -debug -msg -connect localhost:50443

 

I am getting the following response :

 

8392:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:601

 

Thanks in advance

 

Gal S.T

 

P.S:  I open the SSL debug info (using : -Djavax.net.debug=all)

 

Here is the output :

 

chain [0] = [

[

  Version: V3

  Subject: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

 

  Key:  Sun RSA public key, 2048 bits

  modulus: 24414085473144772337919323012074107190618816754963514243080255494571539528736844619038076143491962690817977116723664346553272438908433680538048087195422831263971167306175278902944331875961609798287166241724881538546675318900905485132685167634098012392607384655817306725746127194856379390873270494744745754705873786404248972196545665264863541650881792842260766824580673229124863089563730094213195521617379221251195145200022967368062802615057847357727486054056179317815221853820588458878995885198226082418443238912098038011785005029767939039988128318928941102946178680941872945325579621419106798984545238312478653261279

  public exponent: 65537

  Validity: [From: Thu Jan 15 15:47:10 IST 2015,

               To: Wed Aug 10 16:47:10 IDT 2044]

  Issuer: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  SerialNumber: [    5606fc55]

 

Certificate Extensions: 1

[1]: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 27 D1 11 CB 8B AF EB 5E   D8 67 A5 58 88 CE 39 72  '......^.g.X..9r

0010: 74 DA 48 65                                        t.He

]

]

 

]

  Algorithm: [SHA1withRSA]

  Signature:

0000: 56 82 F0 A4 A6 56 A8 F8   37 3D E6 A5 1F 87 E3 9D  V....V..7=......

0010: 45 33 C6 C6 DB 5E A5 46   C7 EB 6D 12 FD 12 38 F3  E3...^.F..m...8.

0020: 0F 80 99 A6 B7 1D 1F 84   22 5E E6 B8 FA DE 7F 68  ........"^.....h

0030: 7B 0D D0 24 53 D0 DA CB   13 F3 38 E3 EA 3B 69 C1  ...$S.....8..;i.

0040: 1E 6B BB AA 32 4F CF AF   42 91 52 C5 07 49 99 AB  .k..2O..B.R..I..

0050: C5 48 29 64 17 2A 23 AF   74 B0 2C 90 01 C1 7E BE  .H)d.*#.t.,.....

0060: 37 ED DC 2E F3 59 E7 6C   0B B0 6B DF 20 5C 61 24  7....Y.l..k. \a$

0070: FB BA EB 4E 35 BD 6A AE   DB 98 59 27 D4 C1 6D 81  ...N5.j...Y'..m.

0080: 50 8A 7B 45 9C ED 73 20   74 78 6E 45 44 54 E3 3E  P..E..s txnEDT.>

0090: B8 B6 86 98 EE 3D 65 36   D8 F2 96 67 9B BD DC DE  .....=e6...g....

00A0: CF 6B 12 51 2F D3 5E B6   E4 87 9C E5 2C 91 E6 70  .k.Q/.^.....,..p

00B0: F4 2F 19 A0 08 19 BF BF   0B 25 87 16 AE 98 76 94  ./.......%....v.

00C0: 22 DD 36 99 0A FB 41 53   0D 46 C6 18 33 36 A7 4F  ".6...AS.F..36.O

00D0: DF 45 71 46 3B 02 DA 55   58 E8 65 9F 70 E6 E1 F9  .EqF;..UX.e.p...

00E0: 6D A3 B9 6D 56 01 F8 B8   E1 A0 47 E5 76 EA 25 BE  m..mV.....G.v.%.

00F0: 6B 64 1A AA 04 1D A2 61   D9 CB 3F 2C 06 FC 24 37  kd.....a..?,..$7

 

]

***

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

adding as trusted cert:

  Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Algorithm: RSA; Serial number: 0x4eb200670c035d4f

  Valid from Wed Oct 25 10:36:00 IST 2006 until Sat Oct 25 11:36:00 IDT 2036

 

adding as trusted cert:

  Subject: [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Issuer:  [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Algorithm: RSA; Serial number: 0x1

  Valid from Sat Jun 26 01:23:48 IDT 1999 until Wed Jun 26 01:23:48 IDT 2019

 

trigger seeding of SecureRandom

done seeding SecureRandom

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

***** MIST started in 10092 ms *****

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

%% No cached client session

*** ClientHello, TLSv1.2

RandomCookie:  GMT: 1404790585 bytes = { 174, 154, 88, 222, 218, 55, 81, 20, 22, 53, 136, 174, 20, 168, 180, 225, 117, 54, 216, 158, 183, 119, 118, 16, 236, 221, 24, 251 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA

***

[write] MD5 and SHA1 hashes:  len = 263

0000: 01 00 01 03 03 03 54 BB   67 39 AE 9A 58 DE DA 37  ......T.g9..X..7

0010: 51 14 16 35 88 AE 14 A8   B4 E1 75 36 D8 9E B7 77  Q..5......u6...w

0020: 76 10 EC DD 18 FB 00 00   7E C0 23 C0 27 00 3C C0  v.........#.'.<.

0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.)[hidden email]...

0040: 0E 00 33 00 32 C0 08 C0   12 00 0A C0 03 C0 0D 00  ..3.2...........

0050: 16 00 13 C0 07 C0 11 00   05 C0 02 C0 0C 00 04 00  ................

0060: FF 00 6C C0 18 00 34 C0   17 00 1B C0 16 00 18 00  ..l...4.........

0070: 09 00 15 00 12 00 1A 00   03 00 17 00 08 00 14 00  ................

0080: 11 00 19 00 3B C0 06 C0   10 00 02 C0 01 C0 0B C0  ....;...........

0090: 15 00 01 00 1F 00 23 00   20 00 24 00 1E 00 22 00  ......#. .$...".

00A0: 26 00 29 00 28 00 2B 01   00 00 5C 00 0A 00 34 00  &.).(.+...\...4.

00B0: 32 00 17 00 01 00 03 00   13 00 15 00 06 00 07 00  2...............

00C0: 09 00 0A 00 18 00 0B 00   0C 00 19 00 0D 00 0E 00  ................

00D0: 0F 00 10 00 11 00 02 00   12 00 04 00 05 00 14 00  ................

00E0: 08 00 16 00 0B 00 02 01   00 00 0D 00 1A 00 18 06  ................

00F0: 03 06 01 05 03 05 01 04   03 04 01 03 03 03 01 02  ................

0100: 03 02 01 02 02 01 01                               .......

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: TLSv1.2 Handshake, length = 263

[write] MD5 and SHA1 hashes:  len = 257

0000: 01 03 03 00 D8 00 00 00   20 00 C0 23 00 C0 27 00  ........ ..#..'.

0010: 00 3C 00 C0 25 00 C0 29   00 00 67 00 00 40 00 C0  .<..%..)[hidden email]..

0020: 09 06 00 40 00 C0 13 00   00 2F 00 C0 04 01 00 80  [hidden email]......

0030: 00 C0 0E 00 00 33 00 00   32 00 C0 08 00 C0 12 00  .....3..2.......

0040: 00 0A 07 00 C0 00 C0 03   02 00 80 00 C0 0D 00 00  ................

0050: 16 00 00 13 00 C0 07 05   00 80 00 C0 11 00 00 05  ................

0060: 00 C0 02 00 C0 0C 00 00   04 01 00 80 00 00 FF 00  ................

0070: 00 6C 00 C0 18 00 00 34   00 C0 17 00 00 1B 00 C0  .l.....4........

0080: 16 00 00 18 00 00 09 06   00 40 00 00 15 00 00 12  [hidden email]......

0090: 00 00 1A 00 00 03 02 00   80 00 00 17 00 00 08 00  ................

00A0: 00 14 00 00 11 00 00 19   00 00 3B 00 C0 06 04 00  ..........;.....

00B0: 80 00 C0 10 00 00 02 00   C0 01 00 C0 0B 00 C0 15  ................

00C0: 00 00 01 00 00 1F 00 00   23 00 00 20 00 00 24 00  ........#.. ..$.

00D0: 00 1E 00 00 22 00 00 26   00 00 29 00 00 28 00 00  ...."..&..)..(..

00E0: 2B 54 BB 67 39 AE 9A 58   DE DA 37 51 14 16 35 88  +T.g9..X..7Q..5.

00F0: AE 14 A8 B4 E1 75 36 D8   9E B7 77 76 10 EC DD 18  .....u6...wv....

0100: FB                                                 .

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: SSLv2 client hello message, length = 257

[Raw write]: length = 259

0000: 81 01 01 03 03 00 D8 00   00 00 20 00 C0 23 00 C0  .......... ..#..

0010: 27 00 00 3C 00 C0 25 00   C0 29 00 00 67 00 00 40  '..<..%..)..g..@

0020: 00 C0 09 06 00 40 00 C0   13 00 00 2F 00 C0 04 01  [hidden email]....

0030: 00 80 00 C0 0E 00 00 33   00 00 32 00 C0 08 00 C0  .......3..2.....

0040: 12 00 00 0A 07 00 C0 00   C0 03 02 00 80 00 C0 0D  ................

0050: 00 00 16 00 00 13 00 C0   07 05 00 80 00 C0 11 00  ................

0060: 00 05 00 C0 02 00 C0 0C   00 00 04 01 00 80 00 00  ................

0070: FF 00 00 6C 00 C0 18 00   00 34 00 C0 17 00 00 1B  ...l.....4......

0080: 00 C0 16 00 00 18 00 00   09 06 00 40 00 00 15 00  [hidden email]....

0090: 00 12 00 00 1A 00 00 03   02 00 80 00 00 17 00 00  ................

00A0: 08 00 00 14 00 00 11 00   00 19 00 00 3B 00 C0 06  ............;...

00B0: 04 00 80 00 C0 10 00 00   02 00 C0 01 00 C0 0B 00  ................

00C0: C0 15 00 00 01 00 00 1F   00 00 23 00 00 20 00 00  ..........#.. ..

00D0: 24 00 00 1E 00 00 22 00   00 26 00 00 29 00 00 28  $....."..&..)..(

00E0: 00 00 2B 54 BB 67 39 AE   9A 58 DE DA 37 51 14 16  ..+T.g9..X..7Q..

00F0: 35 88 AE 14 A8 B4 E1 75   36 D8 9E B7 77 76 10 EC  5......u6...wv..

0100: DD 18 FB     


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

Reply | Threaded
Open this post in threaded view
|

RE: Notification of handshake failure/timeout

Siman Tov Gal

Hi Alexey

 

I need it for server side.

 

Gal

 

From: Oleksiy Stashok [mailto:[hidden email]]
Sent: Wednesday, February 04, 2015 8:08 PM
To: [hidden email]
Subject: Re: Notification of handshake failure/timeout

 

Hi Gal,

do you need this for client or server side, or both?

Thanks.

WBR,
Alexey.

On 04.02.15 09:46, Siman Tov Gal wrote:

Hi Alexey,

 

We managed to establish a complete handshake on both SSL/TLS channels.

However, I have got several open issues regarding the handshake mechanism.

 

We implemented the HandshakeListener interface (OnComplete / OnStart).

How can we be notified of other handshake events such as : handshake failure and handshake timeout (E.g: Since we do have the ability to set the timeout via setHandshakeTimeout())

 

I would like to thank you on your prompt responses to my (and my team members) queries.

 

Thanks a lot,

 

Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, January 22, 2015 11:06 PM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri; Ben-Yosef Efrat
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

yeah, I expected there's something wrong with the config.
 

Do you have any suggested solution to filter out specific protocols and ciphers  ?

Grizzly API seems to provide a “white list” for these settings. What we are looking for is an option to provide a “black list”.

Well, it's always possible to get the list of *all* available ciphers and protocols, so it's very easy to get a "white list" out of "black list".
To get the list of all supported protocols you can do something like:




 

Thanks

 

Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, January 22, 2015 7:58 AM
To: [hidden email]
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

unfortunately I can't reproduce the problem locally.
How do you run the sample server, do you use maven?
Can you pls. share the entire server SSL log, not only handshake.

Thank you.

WBR,
Alexey.

On 21.01.15 01:58, Siman Tov Gal wrote:

Hi Alexey.

I have run the SSLEchoServer along with the SSLEchoClient (As taken from the Grizzly samples).

 

I have added to the SSLEchoServer runtime execution the  -Djavax.net.debug=all .

 

I got the following output during the handshake :

 

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

 

trigger seeding of SecureRandom

done seeding SecureRandom

Press any key to stop the server...

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

[Raw read]: length = 5

0000: 16 03 01 00 95                                     .....

[Raw read]: length = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

Grizzly-worker(1), READ: TLSv1 Handshake, length = 149

*** ClientHello, TLSv1

RandomCookie:  GMT: 1405056815 bytes = { 166, 52, 239, 180, 173, 202, 73, 39, 37, 221, 122, 202, 62, 239, 169, 158, 96, 51, 21, 12, 129, 160, 139, 18, 157, 177, 180, 124 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

***

[read] MD5 and SHA1 hashes:  len = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), fatal error: 40: no cipher suites in common

javax.net.ssl.SSLHandshakeException: no cipher suites in common

%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), SEND TLSv1 ALERT:  fatal, description = handshake_failure

Grizzly-worker(1), WRITE: TLSv1 Alert, length = 2

Grizzly-worker(1), fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

 

 

Please advise,

 

Thanks Gal Siman-Tov

 

From: Oleksiy Stashok [[hidden email]]
Sent: Wednesday, January 21, 2015 3:27 AM
To: Siman Tov Gal
Cc: Meltser Tiran; Broide Uri; '[hidden email]'
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

are you running SSLEchoServer?
If yes, there is SSLEchoClient, does it work with the server?

Thank you.

WBR,
Alexey.

On 19.01.15 06:17, Siman Tov Gal wrote:

Hi Alexey,

 

Thanks for the prompt reply.

 

I took a step back and tried to launch the SSL sample from the Grizzly repository (grizzly-framework-samples-2.3.18.jar).

I used an openssl client and on handshake I got the following error:

 

30720:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

 

Note that I did not perform any setup on the SSLEngineConfigurator.

 

As far as I’ve seen other examples they should work as is, but this does not happen here.

 

Am I missing something?

 

10x,

 

Gal

 

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Monday, January 19, 2015 6:58 AM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

can you pls. share the test case so we can reproduce the problem?

Thank you.

WBR,
Alexey.

On 18.01.15 00:13, Siman Tov Gal wrote:

Hi

 

I am trying to establish a SSL handshake with my Grizzly server and an openssl client.

 

I’ve  configured the SSLEngineConfigurator with the following setup:

 

              sslContextConfig.setKeyStoreFile(keyStoreLocation);

              sslContextConfig.setKeyStorePass(keyStorePassword);

             

              // Create SSLEngine configurator

              SSLEngineConfigurator sslEngineConfigurator = new SSLEngineConfigurator(sslContextConfig.createSSLContext(),false,false,false);

              SSLSocketFactory sf = sslEngineConfigurator.getSslContext().getSocketFactory();         

             

              String[] supportedProtocols = {"TLSv1","SSLv3","TLSv1.1","TLSv1.2","SSLv2Hello"};

              sslEngineConfigurator.setEnabledProtocols(supportedProtocols);

              sslEngineConfigurator.setProtocolConfigured(true);

              String[] cipherSuites = sf.getSupportedCipherSuites();

              sslEngineConfigurator.setEnabledCipherSuites(cipherSuites);

              sslEngineConfigurator.setCipherConfigured(true);

              sslEngineConfigurator.setNeedClientAuth(false);

              sslEngineConfigurator.setWantClientAuth(false);

 

When debugging the handshake code, the point of failure was in the SSLBaseFilter:doHandshakeStep() method.

When entering the case of NEED_UNWRAP, the handshake failed due to the fact that the inputBuffer was set to null.

 

The openssl client send the following command :

 

openssl.exe s_client -debug -msg -connect localhost:50443

 

I am getting the following response :

 

8392:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:601

 

Thanks in advance

 

Gal S.T

 

P.S:  I open the SSL debug info (using : -Djavax.net.debug=all)

 

Here is the output :

 

chain [0] = [

[

  Version: V3

  Subject: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

 

  Key:  Sun RSA public key, 2048 bits

  modulus: 24414085473144772337919323012074107190618816754963514243080255494571539528736844619038076143491962690817977116723664346553272438908433680538048087195422831263971167306175278902944331875961609798287166241724881538546675318900905485132685167634098012392607384655817306725746127194856379390873270494744745754705873786404248972196545665264863541650881792842260766824580673229124863089563730094213195521617379221251195145200022967368062802615057847357727486054056179317815221853820588458878995885198226082418443238912098038011785005029767939039988128318928941102946178680941872945325579621419106798984545238312478653261279

  public exponent: 65537

  Validity: [From: Thu Jan 15 15:47:10 IST 2015,

               To: Wed Aug 10 16:47:10 IDT 2044]

  Issuer: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  SerialNumber: [    5606fc55]

 

Certificate Extensions: 1

[1]: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 27 D1 11 CB 8B AF EB 5E   D8 67 A5 58 88 CE 39 72  '......^.g.X..9r

0010: 74 DA 48 65                                        t.He

]

]

 

]

  Algorithm: [SHA1withRSA]

  Signature:

0000: 56 82 F0 A4 A6 56 A8 F8   37 3D E6 A5 1F 87 E3 9D  V....V..7=......

0010: 45 33 C6 C6 DB 5E A5 46   C7 EB 6D 12 FD 12 38 F3  E3...^.F..m...8.

0020: 0F 80 99 A6 B7 1D 1F 84   22 5E E6 B8 FA DE 7F 68  ........"^.....h

0030: 7B 0D D0 24 53 D0 DA CB   13 F3 38 E3 EA 3B 69 C1  ...$S.....8..;i.

0040: 1E 6B BB AA 32 4F CF AF   42 91 52 C5 07 49 99 AB  .k..2O..B.R..I..

0050: C5 48 29 64 17 2A 23 AF   74 B0 2C 90 01 C1 7E BE  .H)d.*#.t.,.....

0060: 37 ED DC 2E F3 59 E7 6C   0B B0 6B DF 20 5C 61 24  7....Y.l..k. \a$

0070: FB BA EB 4E 35 BD 6A AE   DB 98 59 27 D4 C1 6D 81  ...N5.j...Y'..m.

0080: 50 8A 7B 45 9C ED 73 20   74 78 6E 45 44 54 E3 3E  P..E..s txnEDT.>

0090: B8 B6 86 98 EE 3D 65 36   D8 F2 96 67 9B BD DC DE  .....=e6...g....

00A0: CF 6B 12 51 2F D3 5E B6   E4 87 9C E5 2C 91 E6 70  .k.Q/.^.....,..p

00B0: F4 2F 19 A0 08 19 BF BF   0B 25 87 16 AE 98 76 94  ./.......%....v.

00C0: 22 DD 36 99 0A FB 41 53   0D 46 C6 18 33 36 A7 4F  ".6...AS.F..36.O

00D0: DF 45 71 46 3B 02 DA 55   58 E8 65 9F 70 E6 E1 F9  .EqF;..UX.e.p...

00E0: 6D A3 B9 6D 56 01 F8 B8   E1 A0 47 E5 76 EA 25 BE  m..mV.....G.v.%.

00F0: 6B 64 1A AA 04 1D A2 61   D9 CB 3F 2C 06 FC 24 37  kd.....a..?,..$7

 

]

***

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

adding as trusted cert:

  Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Algorithm: RSA; Serial number: 0x4eb200670c035d4f

  Valid from Wed Oct 25 10:36:00 IST 2006 until Sat Oct 25 11:36:00 IDT 2036

 

adding as trusted cert:

  Subject: [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Issuer:  [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Algorithm: RSA; Serial number: 0x1

  Valid from Sat Jun 26 01:23:48 IDT 1999 until Wed Jun 26 01:23:48 IDT 2019

 

trigger seeding of SecureRandom

done seeding SecureRandom

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

***** MIST started in 10092 ms *****

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

%% No cached client session

*** ClientHello, TLSv1.2

RandomCookie:  GMT: 1404790585 bytes = { 174, 154, 88, 222, 218, 55, 81, 20, 22, 53, 136, 174, 20, 168, 180, 225, 117, 54, 216, 158, 183, 119, 118, 16, 236, 221, 24, 251 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA

***

[write] MD5 and SHA1 hashes:  len = 263

0000: 01 00 01 03 03 03 54 BB   67 39 AE 9A 58 DE DA 37  ......T.g9..X..7

0010: 51 14 16 35 88 AE 14 A8   B4 E1 75 36 D8 9E B7 77  Q..5......u6...w

0020: 76 10 EC DD 18 FB 00 00   7E C0 23 C0 27 00 3C C0  v.........#.'.<.

0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.)[hidden email]...

0040: 0E 00 33 00 32 C0 08 C0   12 00 0A C0 03 C0 0D 00  ..3.2...........

0050: 16 00 13 C0 07 C0 11 00   05 C0 02 C0 0C 00 04 00  ................

0060: FF 00 6C C0 18 00 34 C0   17 00 1B C0 16 00 18 00  ..l...4.........

0070: 09 00 15 00 12 00 1A 00   03 00 17 00 08 00 14 00  ................

0080: 11 00 19 00 3B C0 06 C0   10 00 02 C0 01 C0 0B C0  ....;...........

0090: 15 00 01 00 1F 00 23 00   20 00 24 00 1E 00 22 00  ......#. .$...".

00A0: 26 00 29 00 28 00 2B 01   00 00 5C 00 0A 00 34 00  &.).(.+...\...4.

00B0: 32 00 17 00 01 00 03 00   13 00 15 00 06 00 07 00  2...............

00C0: 09 00 0A 00 18 00 0B 00   0C 00 19 00 0D 00 0E 00  ................

00D0: 0F 00 10 00 11 00 02 00   12 00 04 00 05 00 14 00  ................

00E0: 08 00 16 00 0B 00 02 01   00 00 0D 00 1A 00 18 06  ................

00F0: 03 06 01 05 03 05 01 04   03 04 01 03 03 03 01 02  ................

0100: 03 02 01 02 02 01 01                               .......

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: TLSv1.2 Handshake, length = 263

[write] MD5 and SHA1 hashes:  len = 257

0000: 01 03 03 00 D8 00 00 00   20 00 C0 23 00 C0 27 00  ........ ..#..'.

0010: 00 3C 00 C0 25 00 C0 29   00 00 67 00 00 40 00 C0  .<..%..)[hidden email]..

0020: 09 06 00 40 00 C0 13 00   00 2F 00 C0 04 01 00 80  [hidden email]......

0030: 00 C0 0E 00 00 33 00 00   32 00 C0 08 00 C0 12 00  .....3..2.......

0040: 00 0A 07 00 C0 00 C0 03   02 00 80 00 C0 0D 00 00  ................

0050: 16 00 00 13 00 C0 07 05   00 80 00 C0 11 00 00 05  ................

0060: 00 C0 02 00 C0 0C 00 00   04 01 00 80 00 00 FF 00  ................

0070: 00 6C 00 C0 18 00 00 34   00 C0 17 00 00 1B 00 C0  .l.....4........

0080: 16 00 00 18 00 00 09 06   00 40 00 00 15 00 00 12  [hidden email]......

0090: 00 00 1A 00 00 03 02 00   80 00 00 17 00 00 08 00  ................

00A0: 00 14 00 00 11 00 00 19   00 00 3B 00 C0 06 04 00  ..........;.....

00B0: 80 00 C0 10 00 00 02 00   C0 01 00 C0 0B 00 C0 15  ................

00C0: 00 00 01 00 00 1F 00 00   23 00 00 20 00 00 24 00  ........#.. ..$.

00D0: 00 1E 00 00 22 00 00 26   00 00 29 00 00 28 00 00  ...."..&..)..(..

00E0: 2B 54 BB 67 39 AE 9A 58   DE DA 37 51 14 16 35 88  +T.g9..X..7Q..5.

00F0: AE 14 A8 B4 E1 75 36 D8   9E B7 77 76 10 EC DD 18  .....u6...wv....

0100: FB                                                 .

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: SSLv2 client hello message, length = 257

[Raw write]: length = 259

0000: 81 01 01 03 03 00 D8 00   00 00 20 00 C0 23 00 C0  .......... ..#..

0010: 27 00 00 3C 00 C0 25 00   C0 29 00 00 67 00 00 40  '..<..%..)..g..@

0020: 00 C0 09 06 00 40 00 C0   13 00 00 2F 00 C0 04 01  [hidden email]....

0030: 00 80 00 C0 0E 00 00 33   00 00 32 00 C0 08 00 C0  .......3..2.....

0040: 12 00 00 0A 07 00 C0 00   C0 03 02 00 80 00 C0 0D  ................

0050: 00 00 16 00 00 13 00 C0   07 05 00 80 00 C0 11 00  ................

0060: 00 05 00 C0 02 00 C0 0C   00 00 04 01 00 80 00 00  ................

0070: FF 00 00 6C 00 C0 18 00   00 34 00 C0 17 00 00 1B  ...l.....4......

0080: 00 C0 16 00 00 18 00 00   09 06 00 40 00 00 15 00  [hidden email]....

0090: 00 12 00 00 1A 00 00 03   02 00 80 00 00 17 00 00  ................

00A0: 08 00 00 14 00 00 11 00   00 19 00 00 3B 00 C0 06  ............;...

00B0: 04 00 80 00 C0 10 00 00   02 00 C0 01 00 C0 0B 00  ................

00C0: C0 15 00 00 01 00 00 1F   00 00 23 00 00 20 00 00  ..........#.. ..

00D0: 24 00 00 1E 00 00 22 00   00 26 00 00 29 00 00 28  $....."..&..)..(

00E0: 00 00 2B 54 BB 67 39 AE   9A 58 DE DA 37 51 14 16  ..+T.g9..X..7Q..

00F0: 35 88 AE 14 A8 B4 E1 75   36 D8 9E B7 77 76 10 EC  5......u6...wv..

0100: DD 18 FB     


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”
Reply | Threaded
Open this post in threaded view
|

Re: Notification of handshake failure/timeout

oleksiys
Administrator
Hi,

 
We implemented the HandshakeListener interface (OnComplete / OnStart).

How can we be notified of other handshake events such as : handshake failure and handshake timeout (E.g: Since we do have the ability to set the timeout via setHandshakeTimeout())

timeout is applicable in blocking handshake mode. By default we use non-blocking mode.
Regarding the failure - we don't have that. Can you pls. file an issue - we'll implement that for the next version.

Thanks.

WBR,
Alexey.


 

I would like to thank you on your prompt responses to my (and my team members) queries.

 

Thanks a lot,

 

Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, January 22, 2015 11:06 PM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri; Ben-Yosef Efrat
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

yeah, I expected there's something wrong with the config.
 

Do you have any suggested solution to filter out specific protocols and ciphers  ?

Grizzly API seems to provide a “white list” for these settings. What we are looking for is an option to provide a “black list”.

Well, it's always possible to get the list of *all* available ciphers and protocols, so it's very easy to get a "white list" out of "black list".
To get the list of all supported protocols you can do something like:




 

Thanks

 

Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, January 22, 2015 7:58 AM
To: [hidden email]
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

unfortunately I can't reproduce the problem locally.
How do you run the sample server, do you use maven?
Can you pls. share the entire server SSL log, not only handshake.

Thank you.

WBR,
Alexey.

On 21.01.15 01:58, Siman Tov Gal wrote:

Hi Alexey.

I have run the SSLEchoServer along with the SSLEchoClient (As taken from the Grizzly samples).

 

I have added to the SSLEchoServer runtime execution the  -Djavax.net.debug=all .

 

I got the following output during the handshake :

 

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

 

trigger seeding of SecureRandom

done seeding SecureRandom

Press any key to stop the server...

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

[Raw read]: length = 5

0000: 16 03 01 00 95                                     .....

[Raw read]: length = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

Grizzly-worker(1), READ: TLSv1 Handshake, length = 149

*** ClientHello, TLSv1

RandomCookie:  GMT: 1405056815 bytes = { 166, 52, 239, 180, 173, 202, 73, 39, 37, 221, 122, 202, 62, 239, 169, 158, 96, 51, 21, 12, 129, 160, 139, 18, 157, 177, 180, 124 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

***

[read] MD5 and SHA1 hashes:  len = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), fatal error: 40: no cipher suites in common

javax.net.ssl.SSLHandshakeException: no cipher suites in common

%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), SEND TLSv1 ALERT:  fatal, description = handshake_failure

Grizzly-worker(1), WRITE: TLSv1 Alert, length = 2

Grizzly-worker(1), fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

 

 

Please advise,

 

Thanks Gal Siman-Tov

 

From: Oleksiy Stashok [[hidden email]]
Sent: Wednesday, January 21, 2015 3:27 AM
To: Siman Tov Gal
Cc: Meltser Tiran; Broide Uri; '[hidden email]'
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

are you running SSLEchoServer?
If yes, there is SSLEchoClient, does it work with the server?

Thank you.

WBR,
Alexey.

On 19.01.15 06:17, Siman Tov Gal wrote:

Hi Alexey,

 

Thanks for the prompt reply.

 

I took a step back and tried to launch the SSL sample from the Grizzly repository (grizzly-framework-samples-2.3.18.jar).

I used an openssl client and on handshake I got the following error:

 

30720:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

 

Note that I did not perform any setup on the SSLEngineConfigurator.

 

As far as I’ve seen other examples they should work as is, but this does not happen here.

 

Am I missing something?

 

10x,

 

Gal

 

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Monday, January 19, 2015 6:58 AM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

can you pls. share the test case so we can reproduce the problem?

Thank you.

WBR,
Alexey.

On 18.01.15 00:13, Siman Tov Gal wrote:

Hi

 

I am trying to establish a SSL handshake with my Grizzly server and an openssl client.

 

I’ve  configured the SSLEngineConfigurator with the following setup:

 

              sslContextConfig.setKeyStoreFile(keyStoreLocation);

              sslContextConfig.setKeyStorePass(keyStorePassword);

             

              // Create SSLEngine configurator

              SSLEngineConfigurator sslEngineConfigurator = new SSLEngineConfigurator(sslContextConfig.createSSLContext(),false,false,false);

              SSLSocketFactory sf = sslEngineConfigurator.getSslContext().getSocketFactory();         

             

              String[] supportedProtocols = {"TLSv1","SSLv3","TLSv1.1","TLSv1.2","SSLv2Hello"};

              sslEngineConfigurator.setEnabledProtocols(supportedProtocols);

              sslEngineConfigurator.setProtocolConfigured(true);

              String[] cipherSuites = sf.getSupportedCipherSuites();

              sslEngineConfigurator.setEnabledCipherSuites(cipherSuites);

              sslEngineConfigurator.setCipherConfigured(true);

              sslEngineConfigurator.setNeedClientAuth(false);

              sslEngineConfigurator.setWantClientAuth(false);

 

When debugging the handshake code, the point of failure was in the SSLBaseFilter:doHandshakeStep() method.

When entering the case of NEED_UNWRAP, the handshake failed due to the fact that the inputBuffer was set to null.

 

The openssl client send the following command :

 

openssl.exe s_client -debug -msg -connect localhost:50443

 

I am getting the following response :

 

8392:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:601

 

Thanks in advance

 

Gal S.T

 

P.S:  I open the SSL debug info (using : -Djavax.net.debug=all)

 

Here is the output :

 

chain [0] = [

[

  Version: V3

  Subject: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

 

  Key:  Sun RSA public key, 2048 bits

  modulus: 24414085473144772337919323012074107190618816754963514243080255494571539528736844619038076143491962690817977116723664346553272438908433680538048087195422831263971167306175278902944331875961609798287166241724881538546675318900905485132685167634098012392607384655817306725746127194856379390873270494744745754705873786404248972196545665264863541650881792842260766824580673229124863089563730094213195521617379221251195145200022967368062802615057847357727486054056179317815221853820588458878995885198226082418443238912098038011785005029767939039988128318928941102946178680941872945325579621419106798984545238312478653261279

  public exponent: 65537

  Validity: [From: Thu Jan 15 15:47:10 IST 2015,

               To: Wed Aug 10 16:47:10 IDT 2044]

  Issuer: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  SerialNumber: [    5606fc55]

 

Certificate Extensions: 1

[1]: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 27 D1 11 CB 8B AF EB 5E   D8 67 A5 58 88 CE 39 72  '......^.g.X..9r

0010: 74 DA 48 65                                        t.He

]

]

 

]

  Algorithm: [SHA1withRSA]

  Signature:

0000: 56 82 F0 A4 A6 56 A8 F8   37 3D E6 A5 1F 87 E3 9D  V....V..7=......

0010: 45 33 C6 C6 DB 5E A5 46   C7 EB 6D 12 FD 12 38 F3  E3...^.F..m...8.

0020: 0F 80 99 A6 B7 1D 1F 84   22 5E E6 B8 FA DE 7F 68  ........"^.....h

0030: 7B 0D D0 24 53 D0 DA CB   13 F3 38 E3 EA 3B 69 C1  ...$S.....8..;i.

0040: 1E 6B BB AA 32 4F CF AF   42 91 52 C5 07 49 99 AB  .k..2O..B.R..I..

0050: C5 48 29 64 17 2A 23 AF   74 B0 2C 90 01 C1 7E BE  .H)d.*#.t.,.....

0060: 37 ED DC 2E F3 59 E7 6C   0B B0 6B DF 20 5C 61 24  7....Y.l..k. \a$

0070: FB BA EB 4E 35 BD 6A AE   DB 98 59 27 D4 C1 6D 81  ...N5.j...Y'..m.

0080: 50 8A 7B 45 9C ED 73 20   74 78 6E 45 44 54 E3 3E  P..E..s txnEDT.>

0090: B8 B6 86 98 EE 3D 65 36   D8 F2 96 67 9B BD DC DE  .....=e6...g....

00A0: CF 6B 12 51 2F D3 5E B6   E4 87 9C E5 2C 91 E6 70  .k.Q/.^.....,..p

00B0: F4 2F 19 A0 08 19 BF BF   0B 25 87 16 AE 98 76 94  ./.......%....v.

00C0: 22 DD 36 99 0A FB 41 53   0D 46 C6 18 33 36 A7 4F  ".6...AS.F..36.O

00D0: DF 45 71 46 3B 02 DA 55   58 E8 65 9F 70 E6 E1 F9  .EqF;..UX.e.p...

00E0: 6D A3 B9 6D 56 01 F8 B8   E1 A0 47 E5 76 EA 25 BE  m..mV.....G.v.%.

00F0: 6B 64 1A AA 04 1D A2 61   D9 CB 3F 2C 06 FC 24 37  kd.....a..?,..$7

 

]

***

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

adding as trusted cert:

  Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Algorithm: RSA; Serial number: 0x4eb200670c035d4f

  Valid from Wed Oct 25 10:36:00 IST 2006 until Sat Oct 25 11:36:00 IDT 2036

 

adding as trusted cert:

  Subject: [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Issuer:  [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Algorithm: RSA; Serial number: 0x1

  Valid from Sat Jun 26 01:23:48 IDT 1999 until Wed Jun 26 01:23:48 IDT 2019

 

trigger seeding of SecureRandom

done seeding SecureRandom

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

***** MIST started in 10092 ms *****

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

%% No cached client session

*** ClientHello, TLSv1.2

RandomCookie:  GMT: 1404790585 bytes = { 174, 154, 88, 222, 218, 55, 81, 20, 22, 53, 136, 174, 20, 168, 180, 225, 117, 54, 216, 158, 183, 119, 118, 16, 236, 221, 24, 251 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA

***

[write] MD5 and SHA1 hashes:  len = 263

0000: 01 00 01 03 03 03 54 BB   67 39 AE 9A 58 DE DA 37  ......T.g9..X..7

0010: 51 14 16 35 88 AE 14 A8   B4 E1 75 36 D8 9E B7 77  Q..5......u6...w

0020: 76 10 EC DD 18 FB 00 00   7E C0 23 C0 27 00 3C C0  v.........#.'.<.

0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.)[hidden email]...

0040: 0E 00 33 00 32 C0 08 C0   12 00 0A C0 03 C0 0D 00  ..3.2...........

0050: 16 00 13 C0 07 C0 11 00   05 C0 02 C0 0C 00 04 00  ................

0060: FF 00 6C C0 18 00 34 C0   17 00 1B C0 16 00 18 00  ..l...4.........

0070: 09 00 15 00 12 00 1A 00   03 00 17 00 08 00 14 00  ................

0080: 11 00 19 00 3B C0 06 C0   10 00 02 C0 01 C0 0B C0  ....;...........

0090: 15 00 01 00 1F 00 23 00   20 00 24 00 1E 00 22 00  ......#. .$...".

00A0: 26 00 29 00 28 00 2B 01   00 00 5C 00 0A 00 34 00  &.).(.+...\...4.

00B0: 32 00 17 00 01 00 03 00   13 00 15 00 06 00 07 00  2...............

00C0: 09 00 0A 00 18 00 0B 00   0C 00 19 00 0D 00 0E 00  ................

00D0: 0F 00 10 00 11 00 02 00   12 00 04 00 05 00 14 00  ................

00E0: 08 00 16 00 0B 00 02 01   00 00 0D 00 1A 00 18 06  ................

00F0: 03 06 01 05 03 05 01 04   03 04 01 03 03 03 01 02  ................

0100: 03 02 01 02 02 01 01                               .......

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: TLSv1.2 Handshake, length = 263

[write] MD5 and SHA1 hashes:  len = 257

0000: 01 03 03 00 D8 00 00 00   20 00 C0 23 00 C0 27 00  ........ ..#..'.

0010: 00 3C 00 C0 25 00 C0 29   00 00 67 00 00 40 00 C0  .<..%..)[hidden email]..

0020: 09 06 00 40 00 C0 13 00   00 2F 00 C0 04 01 00 80  [hidden email]......

0030: 00 C0 0E 00 00 33 00 00   32 00 C0 08 00 C0 12 00  .....3..2.......

0040: 00 0A 07 00 C0 00 C0 03   02 00 80 00 C0 0D 00 00  ................

0050: 16 00 00 13 00 C0 07 05   00 80 00 C0 11 00 00 05  ................

0060: 00 C0 02 00 C0 0C 00 00   04 01 00 80 00 00 FF 00  ................

0070: 00 6C 00 C0 18 00 00 34   00 C0 17 00 00 1B 00 C0  .l.....4........

0080: 16 00 00 18 00 00 09 06   00 40 00 00 15 00 00 12  [hidden email]......

0090: 00 00 1A 00 00 03 02 00   80 00 00 17 00 00 08 00  ................

00A0: 00 14 00 00 11 00 00 19   00 00 3B 00 C0 06 04 00  ..........;.....

00B0: 80 00 C0 10 00 00 02 00   C0 01 00 C0 0B 00 C0 15  ................

00C0: 00 00 01 00 00 1F 00 00   23 00 00 20 00 00 24 00  ........#.. ..$.

00D0: 00 1E 00 00 22 00 00 26   00 00 29 00 00 28 00 00  ...."..&..)..(..

00E0: 2B 54 BB 67 39 AE 9A 58   DE DA 37 51 14 16 35 88  +T.g9..X..7Q..5.

00F0: AE 14 A8 B4 E1 75 36 D8   9E B7 77 76 10 EC DD 18  .....u6...wv....

0100: FB                                                 .

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: SSLv2 client hello message, length = 257

[Raw write]: length = 259

0000: 81 01 01 03 03 00 D8 00   00 00 20 00 C0 23 00 C0  .......... ..#..

0010: 27 00 00 3C 00 C0 25 00   C0 29 00 00 67 00 00 40  '..<..%..)..g..@

0020: 00 C0 09 06 00 40 00 C0   13 00 00 2F 00 C0 04 01  [hidden email]....

0030: 00 80 00 C0 0E 00 00 33   00 00 32 00 C0 08 00 C0  .......3..2.....

0040: 12 00 00 0A 07 00 C0 00   C0 03 02 00 80 00 C0 0D  ................

0050: 00 00 16 00 00 13 00 C0   07 05 00 80 00 C0 11 00  ................

0060: 00 05 00 C0 02 00 C0 0C   00 00 04 01 00 80 00 00  ................

0070: FF 00 00 6C 00 C0 18 00   00 34 00 C0 17 00 00 1B  ...l.....4......

0080: 00 C0 16 00 00 18 00 00   09 06 00 40 00 00 15 00  [hidden email]....

0090: 00 12 00 00 1A 00 00 03   02 00 80 00 00 17 00 00  ................

00A0: 08 00 00 14 00 00 11 00   00 19 00 00 3B 00 C0 06  ............;...

00B0: 04 00 80 00 C0 10 00 00   02 00 C0 01 00 C0 0B 00  ................

00C0: C0 15 00 00 01 00 00 1F   00 00 23 00 00 20 00 00  ..........#.. ..

00D0: 24 00 00 1E 00 00 22 00   00 26 00 00 29 00 00 28  $....."..&..)..(

00E0: 00 00 2B 54 BB 67 39 AE   9A 58 DE DA 37 51 14 16  ..+T.g9..X..7Q..

00F0: 35 88 AE 14 A8 B4 E1 75   36 D8 9E B7 77 76 10 EC  5......u6...wv..

0100: DD 18 FB     


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

Reply | Threaded
Open this post in threaded view
|

RE: Notification of handshake failure/timeout

Siman Tov Gal

Hi Alexey

I created a new issue

GRIZZLY-1740  Provide a callback for SSL handshake failure

 

Thanks


Gal

 

 

From: Oleksiy Stashok [mailto:[hidden email]]
Sent: Thursday, February 05, 2015 4:54 AM
To: [hidden email]
Subject: Re: Notification of handshake failure/timeout

 

Hi,

 

We implemented the HandshakeListener interface (OnComplete / OnStart).

How can we be notified of other handshake events such as : handshake failure and handshake timeout (E.g: Since we do have the ability to set the timeout via setHandshakeTimeout())

timeout is applicable in blocking handshake mode. By default we use non-blocking mode.
Regarding the failure - we don't have that. Can you pls. file an issue - we'll implement that for the next version.

Thanks.

WBR,
Alexey.



 

I would like to thank you on your prompt responses to my (and my team members) queries.

 

Thanks a lot,

 

Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, January 22, 2015 11:06 PM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri; Ben-Yosef Efrat
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

yeah, I expected there's something wrong with the config.
 

Do you have any suggested solution to filter out specific protocols and ciphers  ?

Grizzly API seems to provide a “white list” for these settings. What we are looking for is an option to provide a “black list”.

Well, it's always possible to get the list of *all* available ciphers and protocols, so it's very easy to get a "white list" out of "black list".
To get the list of all supported protocols you can do something like:





 

Thanks

 

Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, January 22, 2015 7:58 AM
To: [hidden email]
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

unfortunately I can't reproduce the problem locally.
How do you run the sample server, do you use maven?
Can you pls. share the entire server SSL log, not only handshake.

Thank you.

WBR,
Alexey.

On 21.01.15 01:58, Siman Tov Gal wrote:

Hi Alexey.

I have run the SSLEchoServer along with the SSLEchoClient (As taken from the Grizzly samples).

 

I have added to the SSLEchoServer runtime execution the  -Djavax.net.debug=all .

 

I got the following output during the handshake :

 

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

 

trigger seeding of SecureRandom

done seeding SecureRandom

Press any key to stop the server...

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

[Raw read]: length = 5

0000: 16 03 01 00 95                                     .....

[Raw read]: length = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

Grizzly-worker(1), READ: TLSv1 Handshake, length = 149

*** ClientHello, TLSv1

RandomCookie:  GMT: 1405056815 bytes = { 166, 52, 239, 180, 173, 202, 73, 39, 37, 221, 122, 202, 62, 239, 169, 158, 96, 51, 21, 12, 129, 160, 139, 18, 157, 177, 180, 124 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

***

[read] MD5 and SHA1 hashes:  len = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), fatal error: 40: no cipher suites in common

javax.net.ssl.SSLHandshakeException: no cipher suites in common

%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), SEND TLSv1 ALERT:  fatal, description = handshake_failure

Grizzly-worker(1), WRITE: TLSv1 Alert, length = 2

Grizzly-worker(1), fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

 

 

Please advise,

 

Thanks Gal Siman-Tov

 

From: Oleksiy Stashok [[hidden email]]
Sent: Wednesday, January 21, 2015 3:27 AM
To: Siman Tov Gal
Cc: Meltser Tiran; Broide Uri; '[hidden email]'
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

are you running SSLEchoServer?
If yes, there is SSLEchoClient, does it work with the server?

Thank you.

WBR,
Alexey.

On 19.01.15 06:17, Siman Tov Gal wrote:

Hi Alexey,

 

Thanks for the prompt reply.

 

I took a step back and tried to launch the SSL sample from the Grizzly repository (grizzly-framework-samples-2.3.18.jar).

I used an openssl client and on handshake I got the following error:

 

30720:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

 

Note that I did not perform any setup on the SSLEngineConfigurator.

 

As far as I’ve seen other examples they should work as is, but this does not happen here.

 

Am I missing something?

 

10x,

 

Gal

 

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Monday, January 19, 2015 6:58 AM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

can you pls. share the test case so we can reproduce the problem?

Thank you.

WBR,
Alexey.

On 18.01.15 00:13, Siman Tov Gal wrote:

Hi

 

I am trying to establish a SSL handshake with my Grizzly server and an openssl client.

 

I’ve  configured the SSLEngineConfigurator with the following setup:

 

              sslContextConfig.setKeyStoreFile(keyStoreLocation);

              sslContextConfig.setKeyStorePass(keyStorePassword);

             

              // Create SSLEngine configurator

              SSLEngineConfigurator sslEngineConfigurator = new SSLEngineConfigurator(sslContextConfig.createSSLContext(),false,false,false);

              SSLSocketFactory sf = sslEngineConfigurator.getSslContext().getSocketFactory();         

             

              String[] supportedProtocols = {"TLSv1","SSLv3","TLSv1.1","TLSv1.2","SSLv2Hello"};

              sslEngineConfigurator.setEnabledProtocols(supportedProtocols);

              sslEngineConfigurator.setProtocolConfigured(true);

              String[] cipherSuites = sf.getSupportedCipherSuites();

              sslEngineConfigurator.setEnabledCipherSuites(cipherSuites);

              sslEngineConfigurator.setCipherConfigured(true);

              sslEngineConfigurator.setNeedClientAuth(false);

              sslEngineConfigurator.setWantClientAuth(false);

 

When debugging the handshake code, the point of failure was in the SSLBaseFilter:doHandshakeStep() method.

When entering the case of NEED_UNWRAP, the handshake failed due to the fact that the inputBuffer was set to null.

 

The openssl client send the following command :

 

openssl.exe s_client -debug -msg -connect localhost:50443

 

I am getting the following response :

 

8392:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:601

 

Thanks in advance

 

Gal S.T

 

P.S:  I open the SSL debug info (using : -Djavax.net.debug=all)

 

Here is the output :

 

chain [0] = [

[

  Version: V3

  Subject: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

 

  Key:  Sun RSA public key, 2048 bits

  modulus: 24414085473144772337919323012074107190618816754963514243080255494571539528736844619038076143491962690817977116723664346553272438908433680538048087195422831263971167306175278902944331875961609798287166241724881538546675318900905485132685167634098012392607384655817306725746127194856379390873270494744745754705873786404248972196545665264863541650881792842260766824580673229124863089563730094213195521617379221251195145200022967368062802615057847357727486054056179317815221853820588458878995885198226082418443238912098038011785005029767939039988128318928941102946178680941872945325579621419106798984545238312478653261279

  public exponent: 65537

  Validity: [From: Thu Jan 15 15:47:10 IST 2015,

               To: Wed Aug 10 16:47:10 IDT 2044]

  Issuer: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  SerialNumber: [    5606fc55]

 

Certificate Extensions: 1

[1]: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 27 D1 11 CB 8B AF EB 5E   D8 67 A5 58 88 CE 39 72  '......^.g.X..9r

0010: 74 DA 48 65                                        t.He

]

]

 

]

  Algorithm: [SHA1withRSA]

  Signature:

0000: 56 82 F0 A4 A6 56 A8 F8   37 3D E6 A5 1F 87 E3 9D  V....V..7=......

0010: 45 33 C6 C6 DB 5E A5 46   C7 EB 6D 12 FD 12 38 F3  E3...^.F..m...8.

0020: 0F 80 99 A6 B7 1D 1F 84   22 5E E6 B8 FA DE 7F 68  ........"^.....h

0030: 7B 0D D0 24 53 D0 DA CB   13 F3 38 E3 EA 3B 69 C1  ...$S.....8..;i.

0040: 1E 6B BB AA 32 4F CF AF   42 91 52 C5 07 49 99 AB  .k..2O..B.R..I..

0050: C5 48 29 64 17 2A 23 AF   74 B0 2C 90 01 C1 7E BE  .H)d.*#.t.,.....

0060: 37 ED DC 2E F3 59 E7 6C   0B B0 6B DF 20 5C 61 24  7....Y.l..k. \a$

0070: FB BA EB 4E 35 BD 6A AE   DB 98 59 27 D4 C1 6D 81  ...N5.j...Y'..m.

0080: 50 8A 7B 45 9C ED 73 20   74 78 6E 45 44 54 E3 3E  P..E..s txnEDT.>

0090: B8 B6 86 98 EE 3D 65 36   D8 F2 96 67 9B BD DC DE  .....=e6...g....

00A0: CF 6B 12 51 2F D3 5E B6   E4 87 9C E5 2C 91 E6 70  .k.Q/.^.....,..p

00B0: F4 2F 19 A0 08 19 BF BF   0B 25 87 16 AE 98 76 94  ./.......%....v.

00C0: 22 DD 36 99 0A FB 41 53   0D 46 C6 18 33 36 A7 4F  ".6...AS.F..36.O

00D0: DF 45 71 46 3B 02 DA 55   58 E8 65 9F 70 E6 E1 F9  .EqF;..UX.e.p...

00E0: 6D A3 B9 6D 56 01 F8 B8   E1 A0 47 E5 76 EA 25 BE  m..mV.....G.v.%.

00F0: 6B 64 1A AA 04 1D A2 61   D9 CB 3F 2C 06 FC 24 37  kd.....a..?,..$7

 

]

***

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

adding as trusted cert:

  Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Algorithm: RSA; Serial number: 0x4eb200670c035d4f

  Valid from Wed Oct 25 10:36:00 IST 2006 until Sat Oct 25 11:36:00 IDT 2036

 

adding as trusted cert:

  Subject: [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Issuer:  [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Algorithm: RSA; Serial number: 0x1

  Valid from Sat Jun 26 01:23:48 IDT 1999 until Wed Jun 26 01:23:48 IDT 2019

 

trigger seeding of SecureRandom

done seeding SecureRandom

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

***** MIST started in 10092 ms *****

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

%% No cached client session

*** ClientHello, TLSv1.2

RandomCookie:  GMT: 1404790585 bytes = { 174, 154, 88, 222, 218, 55, 81, 20, 22, 53, 136, 174, 20, 168, 180, 225, 117, 54, 216, 158, 183, 119, 118, 16, 236, 221, 24, 251 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA

***

[write] MD5 and SHA1 hashes:  len = 263

0000: 01 00 01 03 03 03 54 BB   67 39 AE 9A 58 DE DA 37  ......T.g9..X..7

0010: 51 14 16 35 88 AE 14 A8   B4 E1 75 36 D8 9E B7 77  Q..5......u6...w

0020: 76 10 EC DD 18 FB 00 00   7E C0 23 C0 27 00 3C C0  v.........#.'.<.

0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.)[hidden email]...

0040: 0E 00 33 00 32 C0 08 C0   12 00 0A C0 03 C0 0D 00  ..3.2...........

0050: 16 00 13 C0 07 C0 11 00   05 C0 02 C0 0C 00 04 00  ................

0060: FF 00 6C C0 18 00 34 C0   17 00 1B C0 16 00 18 00  ..l...4.........

0070: 09 00 15 00 12 00 1A 00   03 00 17 00 08 00 14 00  ................

0080: 11 00 19 00 3B C0 06 C0   10 00 02 C0 01 C0 0B C0  ....;...........

0090: 15 00 01 00 1F 00 23 00   20 00 24 00 1E 00 22 00  ......#. .$...".

00A0: 26 00 29 00 28 00 2B 01   00 00 5C 00 0A 00 34 00  &.).(.+...\...4.

00B0: 32 00 17 00 01 00 03 00   13 00 15 00 06 00 07 00  2...............

00C0: 09 00 0A 00 18 00 0B 00   0C 00 19 00 0D 00 0E 00  ................

00D0: 0F 00 10 00 11 00 02 00   12 00 04 00 05 00 14 00  ................

00E0: 08 00 16 00 0B 00 02 01   00 00 0D 00 1A 00 18 06  ................

00F0: 03 06 01 05 03 05 01 04   03 04 01 03 03 03 01 02  ................

0100: 03 02 01 02 02 01 01                               .......

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: TLSv1.2 Handshake, length = 263

[write] MD5 and SHA1 hashes:  len = 257

0000: 01 03 03 00 D8 00 00 00   20 00 C0 23 00 C0 27 00  ........ ..#..'.

0010: 00 3C 00 C0 25 00 C0 29   00 00 67 00 00 40 00 C0  .<..%..)[hidden email]..

0020: 09 06 00 40 00 C0 13 00   00 2F 00 C0 04 01 00 80  [hidden email]......

0030: 00 C0 0E 00 00 33 00 00   32 00 C0 08 00 C0 12 00  .....3..2.......

0040: 00 0A 07 00 C0 00 C0 03   02 00 80 00 C0 0D 00 00  ................

0050: 16 00 00 13 00 C0 07 05   00 80 00 C0 11 00 00 05  ................

0060: 00 C0 02 00 C0 0C 00 00   04 01 00 80 00 00 FF 00  ................

0070: 00 6C 00 C0 18 00 00 34   00 C0 17 00 00 1B 00 C0  .l.....4........

0080: 16 00 00 18 00 00 09 06   00 40 00 00 15 00 00 12  [hidden email]......

0090: 00 00 1A 00 00 03 02 00   80 00 00 17 00 00 08 00  ................

00A0: 00 14 00 00 11 00 00 19   00 00 3B 00 C0 06 04 00  ..........;.....

00B0: 80 00 C0 10 00 00 02 00   C0 01 00 C0 0B 00 C0 15  ................

00C0: 00 00 01 00 00 1F 00 00   23 00 00 20 00 00 24 00  ........#.. ..$.

00D0: 00 1E 00 00 22 00 00 26   00 00 29 00 00 28 00 00  ...."..&..)..(..

00E0: 2B 54 BB 67 39 AE 9A 58   DE DA 37 51 14 16 35 88  +T.g9..X..7Q..5.

00F0: AE 14 A8 B4 E1 75 36 D8   9E B7 77 76 10 EC DD 18  .....u6...wv....

0100: FB                                                 .

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: SSLv2 client hello message, length = 257

[Raw write]: length = 259

0000: 81 01 01 03 03 00 D8 00   00 00 20 00 C0 23 00 C0  .......... ..#..

0010: 27 00 00 3C 00 C0 25 00   C0 29 00 00 67 00 00 40  '..<..%..)..g..@

0020: 00 C0 09 06 00 40 00 C0   13 00 00 2F 00 C0 04 01  [hidden email]....

0030: 00 80 00 C0 0E 00 00 33   00 00 32 00 C0 08 00 C0  .......3..2.....

0040: 12 00 00 0A 07 00 C0 00   C0 03 02 00 80 00 C0 0D  ................

0050: 00 00 16 00 00 13 00 C0   07 05 00 80 00 C0 11 00  ................

0060: 00 05 00 C0 02 00 C0 0C   00 00 04 01 00 80 00 00  ................

0070: FF 00 00 6C 00 C0 18 00   00 34 00 C0 17 00 00 1B  ...l.....4......

0080: 00 C0 16 00 00 18 00 00   09 06 00 40 00 00 15 00  [hidden email]....

0090: 00 12 00 00 1A 00 00 03   02 00 80 00 00 17 00 00  ................

00A0: 08 00 00 14 00 00 11 00   00 19 00 00 3B 00 C0 06  ............;...

00B0: 04 00 80 00 C0 10 00 00   02 00 C0 01 00 C0 0B 00  ................

00C0: C0 15 00 00 01 00 00 1F   00 00 23 00 00 20 00 00  ..........#.. ..

00D0: 24 00 00 1E 00 00 22 00   00 26 00 00 29 00 00 28  $....."..&..)..(

00E0: 00 00 2B 54 BB 67 39 AE   9A 58 DE DA 37 51 14 16  ..+T.g9..X..7Q..

00F0: 35 88 AE 14 A8 B4 E1 75   36 D8 9E B7 77 76 10 EC  5......u6...wv..

0100: DD 18 FB     


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”
Reply | Threaded
Open this post in threaded view
|

Re: Notification of handshake failure/timeout

oleksiys
Administrator
Hi,

I commited the fix and created an issue #1739.
Can you pls. check if it works for you?

Thank you.

WBR,
Alexey.

On 08.02.15 23:35, Siman Tov Gal wrote:

Hi Alexey

I created a new issue

GRIZZLY-1740  Provide a callback for SSL handshake failure

 

Thanks


Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, February 05, 2015 4:54 AM
To: [hidden email]
Subject: Re: Notification of handshake failure/timeout

 

Hi,

 

We implemented the HandshakeListener interface (OnComplete / OnStart).

How can we be notified of other handshake events such as : handshake failure and handshake timeout (E.g: Since we do have the ability to set the timeout via setHandshakeTimeout())

timeout is applicable in blocking handshake mode. By default we use non-blocking mode.
Regarding the failure - we don't have that. Can you pls. file an issue - we'll implement that for the next version.

Thanks.

WBR,
Alexey.



 

I would like to thank you on your prompt responses to my (and my team members) queries.

 

Thanks a lot,

 

Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, January 22, 2015 11:06 PM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri; Ben-Yosef Efrat
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

yeah, I expected there's something wrong with the config.
 

Do you have any suggested solution to filter out specific protocols and ciphers  ?

Grizzly API seems to provide a “white list” for these settings. What we are looking for is an option to provide a “black list”.

Well, it's always possible to get the list of *all* available ciphers and protocols, so it's very easy to get a "white list" out of "black list".
To get the list of all supported protocols you can do something like:





 

Thanks

 

Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, January 22, 2015 7:58 AM
To: [hidden email]
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

unfortunately I can't reproduce the problem locally.
How do you run the sample server, do you use maven?
Can you pls. share the entire server SSL log, not only handshake.

Thank you.

WBR,
Alexey.

On 21.01.15 01:58, Siman Tov Gal wrote:

Hi Alexey.

I have run the SSLEchoServer along with the SSLEchoClient (As taken from the Grizzly samples).

 

I have added to the SSLEchoServer runtime execution the  -Djavax.net.debug=all .

 

I got the following output during the handshake :

 

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

 

trigger seeding of SecureRandom

done seeding SecureRandom

Press any key to stop the server...

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

[Raw read]: length = 5

0000: 16 03 01 00 95                                     .....

[Raw read]: length = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

Grizzly-worker(1), READ: TLSv1 Handshake, length = 149

*** ClientHello, TLSv1

RandomCookie:  GMT: 1405056815 bytes = { 166, 52, 239, 180, 173, 202, 73, 39, 37, 221, 122, 202, 62, 239, 169, 158, 96, 51, 21, 12, 129, 160, 139, 18, 157, 177, 180, 124 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

***

[read] MD5 and SHA1 hashes:  len = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), fatal error: 40: no cipher suites in common

javax.net.ssl.SSLHandshakeException: no cipher suites in common

%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), SEND TLSv1 ALERT:  fatal, description = handshake_failure

Grizzly-worker(1), WRITE: TLSv1 Alert, length = 2

Grizzly-worker(1), fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

 

 

Please advise,

 

Thanks Gal Siman-Tov

 

From: Oleksiy Stashok [[hidden email]]
Sent: Wednesday, January 21, 2015 3:27 AM
To: Siman Tov Gal
Cc: Meltser Tiran; Broide Uri; '[hidden email]'
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

are you running SSLEchoServer?
If yes, there is SSLEchoClient, does it work with the server?

Thank you.

WBR,
Alexey.

On 19.01.15 06:17, Siman Tov Gal wrote:

Hi Alexey,

 

Thanks for the prompt reply.

 

I took a step back and tried to launch the SSL sample from the Grizzly repository (grizzly-framework-samples-2.3.18.jar).

I used an openssl client and on handshake I got the following error:

 

30720:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

 

Note that I did not perform any setup on the SSLEngineConfigurator.

 

As far as I’ve seen other examples they should work as is, but this does not happen here.

 

Am I missing something?

 

10x,

 

Gal

 

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Monday, January 19, 2015 6:58 AM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

can you pls. share the test case so we can reproduce the problem?

Thank you.

WBR,
Alexey.

On 18.01.15 00:13, Siman Tov Gal wrote:

Hi

 

I am trying to establish a SSL handshake with my Grizzly server and an openssl client.

 

I’ve  configured the SSLEngineConfigurator with the following setup:

 

              sslContextConfig.setKeyStoreFile(keyStoreLocation);

              sslContextConfig.setKeyStorePass(keyStorePassword);

             

              // Create SSLEngine configurator

              SSLEngineConfigurator sslEngineConfigurator = new SSLEngineConfigurator(sslContextConfig.createSSLContext(),false,false,false);

              SSLSocketFactory sf = sslEngineConfigurator.getSslContext().getSocketFactory();         

             

              String[] supportedProtocols = {"TLSv1","SSLv3","TLSv1.1","TLSv1.2","SSLv2Hello"};

              sslEngineConfigurator.setEnabledProtocols(supportedProtocols);

              sslEngineConfigurator.setProtocolConfigured(true);

              String[] cipherSuites = sf.getSupportedCipherSuites();

              sslEngineConfigurator.setEnabledCipherSuites(cipherSuites);

              sslEngineConfigurator.setCipherConfigured(true);

              sslEngineConfigurator.setNeedClientAuth(false);

              sslEngineConfigurator.setWantClientAuth(false);

 

When debugging the handshake code, the point of failure was in the SSLBaseFilter:doHandshakeStep() method.

When entering the case of NEED_UNWRAP, the handshake failed due to the fact that the inputBuffer was set to null.

 

The openssl client send the following command :

 

openssl.exe s_client -debug -msg -connect localhost:50443

 

I am getting the following response :

 

8392:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:601

 

Thanks in advance

 

Gal S.T

 

P.S:  I open the SSL debug info (using : -Djavax.net.debug=all)

 

Here is the output :

 

chain [0] = [

[

  Version: V3

  Subject: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

 

  Key:  Sun RSA public key, 2048 bits

  modulus: 24414085473144772337919323012074107190618816754963514243080255494571539528736844619038076143491962690817977116723664346553272438908433680538048087195422831263971167306175278902944331875961609798287166241724881538546675318900905485132685167634098012392607384655817306725746127194856379390873270494744745754705873786404248972196545665264863541650881792842260766824580673229124863089563730094213195521617379221251195145200022967368062802615057847357727486054056179317815221853820588458878995885198226082418443238912098038011785005029767939039988128318928941102946178680941872945325579621419106798984545238312478653261279

  public exponent: 65537

  Validity: [From: Thu Jan 15 15:47:10 IST 2015,

               To: Wed Aug 10 16:47:10 IDT 2044]

  Issuer: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  SerialNumber: [    5606fc55]

 

Certificate Extensions: 1

[1]: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 27 D1 11 CB 8B AF EB 5E   D8 67 A5 58 88 CE 39 72  '......^.g.X..9r

0010: 74 DA 48 65                                        t.He

]

]

 

]

  Algorithm: [SHA1withRSA]

  Signature:

0000: 56 82 F0 A4 A6 56 A8 F8   37 3D E6 A5 1F 87 E3 9D  V....V..7=......

0010: 45 33 C6 C6 DB 5E A5 46   C7 EB 6D 12 FD 12 38 F3  E3...^.F..m...8.

0020: 0F 80 99 A6 B7 1D 1F 84   22 5E E6 B8 FA DE 7F 68  ........"^.....h

0030: 7B 0D D0 24 53 D0 DA CB   13 F3 38 E3 EA 3B 69 C1  ...$S.....8..;i.

0040: 1E 6B BB AA 32 4F CF AF   42 91 52 C5 07 49 99 AB  .k..2O..B.R..I..

0050: C5 48 29 64 17 2A 23 AF   74 B0 2C 90 01 C1 7E BE  .H)d.*#.t.,.....

0060: 37 ED DC 2E F3 59 E7 6C   0B B0 6B DF 20 5C 61 24  7....Y.l..k. \a$

0070: FB BA EB 4E 35 BD 6A AE   DB 98 59 27 D4 C1 6D 81  ...N5.j...Y'..m.

0080: 50 8A 7B 45 9C ED 73 20   74 78 6E 45 44 54 E3 3E  P..E..s txnEDT.>

0090: B8 B6 86 98 EE 3D 65 36   D8 F2 96 67 9B BD DC DE  .....=e6...g....

00A0: CF 6B 12 51 2F D3 5E B6   E4 87 9C E5 2C 91 E6 70  .k.Q/.^.....,..p

00B0: F4 2F 19 A0 08 19 BF BF   0B 25 87 16 AE 98 76 94  ./.......%....v.

00C0: 22 DD 36 99 0A FB 41 53   0D 46 C6 18 33 36 A7 4F  ".6...AS.F..36.O

00D0: DF 45 71 46 3B 02 DA 55   58 E8 65 9F 70 E6 E1 F9  .EqF;..UX.e.p...

00E0: 6D A3 B9 6D 56 01 F8 B8   E1 A0 47 E5 76 EA 25 BE  m..mV.....G.v.%.

00F0: 6B 64 1A AA 04 1D A2 61   D9 CB 3F 2C 06 FC 24 37  kd.....a..?,..$7

 

]

***

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

adding as trusted cert:

  Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Algorithm: RSA; Serial number: 0x4eb200670c035d4f

  Valid from Wed Oct 25 10:36:00 IST 2006 until Sat Oct 25 11:36:00 IDT 2036

 

adding as trusted cert:

  Subject: [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Issuer:  [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Algorithm: RSA; Serial number: 0x1

  Valid from Sat Jun 26 01:23:48 IDT 1999 until Wed Jun 26 01:23:48 IDT 2019

 

trigger seeding of SecureRandom

done seeding SecureRandom

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

***** MIST started in 10092 ms *****

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

%% No cached client session

*** ClientHello, TLSv1.2

RandomCookie:  GMT: 1404790585 bytes = { 174, 154, 88, 222, 218, 55, 81, 20, 22, 53, 136, 174, 20, 168, 180, 225, 117, 54, 216, 158, 183, 119, 118, 16, 236, 221, 24, 251 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA

***

[write] MD5 and SHA1 hashes:  len = 263

0000: 01 00 01 03 03 03 54 BB   67 39 AE 9A 58 DE DA 37  ......T.g9..X..7

0010: 51 14 16 35 88 AE 14 A8   B4 E1 75 36 D8 9E B7 77  Q..5......u6...w

0020: 76 10 EC DD 18 FB 00 00   7E C0 23 C0 27 00 3C C0  v.........#.'.<.

0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.)[hidden email]...

0040: 0E 00 33 00 32 C0 08 C0   12 00 0A C0 03 C0 0D 00  ..3.2...........

0050: 16 00 13 C0 07 C0 11 00   05 C0 02 C0 0C 00 04 00  ................

0060: FF 00 6C C0 18 00 34 C0   17 00 1B C0 16 00 18 00  ..l...4.........

0070: 09 00 15 00 12 00 1A 00   03 00 17 00 08 00 14 00  ................

0080: 11 00 19 00 3B C0 06 C0   10 00 02 C0 01 C0 0B C0  ....;...........

0090: 15 00 01 00 1F 00 23 00   20 00 24 00 1E 00 22 00  ......#. .$...".

00A0: 26 00 29 00 28 00 2B 01   00 00 5C 00 0A 00 34 00  &.).(.+...\...4.

00B0: 32 00 17 00 01 00 03 00   13 00 15 00 06 00 07 00  2...............

00C0: 09 00 0A 00 18 00 0B 00   0C 00 19 00 0D 00 0E 00  ................

00D0: 0F 00 10 00 11 00 02 00   12 00 04 00 05 00 14 00  ................

00E0: 08 00 16 00 0B 00 02 01   00 00 0D 00 1A 00 18 06  ................

00F0: 03 06 01 05 03 05 01 04   03 04 01 03 03 03 01 02  ................

0100: 03 02 01 02 02 01 01                               .......

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: TLSv1.2 Handshake, length = 263

[write] MD5 and SHA1 hashes:  len = 257

0000: 01 03 03 00 D8 00 00 00   20 00 C0 23 00 C0 27 00  ........ ..#..'.

0010: 00 3C 00 C0 25 00 C0 29   00 00 67 00 00 40 00 C0  .<..%..)[hidden email]..

0020: 09 06 00 40 00 C0 13 00   00 2F 00 C0 04 01 00 80  [hidden email]......

0030: 00 C0 0E 00 00 33 00 00   32 00 C0 08 00 C0 12 00  .....3..2.......

0040: 00 0A 07 00 C0 00 C0 03   02 00 80 00 C0 0D 00 00  ................

0050: 16 00 00 13 00 C0 07 05   00 80 00 C0 11 00 00 05  ................

0060: 00 C0 02 00 C0 0C 00 00   04 01 00 80 00 00 FF 00  ................

0070: 00 6C 00 C0 18 00 00 34   00 C0 17 00 00 1B 00 C0  .l.....4........

0080: 16 00 00 18 00 00 09 06   00 40 00 00 15 00 00 12  [hidden email]......

0090: 00 00 1A 00 00 03 02 00   80 00 00 17 00 00 08 00  ................

00A0: 00 14 00 00 11 00 00 19   00 00 3B 00 C0 06 04 00  ..........;.....

00B0: 80 00 C0 10 00 00 02 00   C0 01 00 C0 0B 00 C0 15  ................

00C0: 00 00 01 00 00 1F 00 00   23 00 00 20 00 00 24 00  ........#.. ..$.

00D0: 00 1E 00 00 22 00 00 26   00 00 29 00 00 28 00 00  ...."..&..)..(..

00E0: 2B 54 BB 67 39 AE 9A 58   DE DA 37 51 14 16 35 88  +T.g9..X..7Q..5.

00F0: AE 14 A8 B4 E1 75 36 D8   9E B7 77 76 10 EC DD 18  .....u6...wv....

0100: FB                                                 .

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: SSLv2 client hello message, length = 257

[Raw write]: length = 259

0000: 81 01 01 03 03 00 D8 00   00 00 20 00 C0 23 00 C0  .......... ..#..

0010: 27 00 00 3C 00 C0 25 00   C0 29 00 00 67 00 00 40  '..<..%..)..g..@

0020: 00 C0 09 06 00 40 00 C0   13 00 00 2F 00 C0 04 01  [hidden email]....

0030: 00 80 00 C0 0E 00 00 33   00 00 32 00 C0 08 00 C0  .......3..2.....

0040: 12 00 00 0A 07 00 C0 00   C0 03 02 00 80 00 C0 0D  ................

0050: 00 00 16 00 00 13 00 C0   07 05 00 80 00 C0 11 00  ................

0060: 00 05 00 C0 02 00 C0 0C   00 00 04 01 00 80 00 00  ................

0070: FF 00 00 6C 00 C0 18 00   00 34 00 C0 17 00 00 1B  ...l.....4......

0080: 00 C0 16 00 00 18 00 00   09 06 00 40 00 00 15 00  [hidden email]....

0090: 00 12 00 00 1A 00 00 03   02 00 80 00 00 17 00 00  ................

00A0: 08 00 00 14 00 00 11 00   00 19 00 00 3B 00 C0 06  ............;...

00B0: 04 00 80 00 C0 10 00 00   02 00 C0 01 00 C0 0B 00  ................

00C0: C0 15 00 00 01 00 00 1F   00 00 23 00 00 20 00 00  ..........#.. ..

00D0: 24 00 00 1E 00 00 22 00   00 26 00 00 29 00 00 28  $....."..&..)..(

00E0: 00 00 2B 54 BB 67 39 AE   9A 58 DE DA 37 51 14 16  ..+T.g9..X..7Q..

00F0: 35 88 AE 14 A8 B4 E1 75   36 D8 9E B7 77 76 10 EC  5......u6...wv..

0100: DD 18 FB     


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

Reply | Threaded
Open this post in threaded view
|

RE: Notification of handshake failure/timeout

Siman Tov Gal

Hi Alexey,

 

Issue 1739 is still unresolved.

Can u clarify what you meant by “check if it works for you” ?

 

Gal

 

From: Oleksiy Stashok [mailto:[hidden email]]
Sent: Monday, February 09, 2015 10:05 PM
To: [hidden email]
Subject: Re: Notification of handshake failure/timeout

 

Hi,

I commited the fix and created an issue #1739.
Can you pls. check if it works for you?

Thank you.

WBR,
Alexey.

On 08.02.15 23:35, Siman Tov Gal wrote:

Hi Alexey

I created a new issue

GRIZZLY-1740  Provide a callback for SSL handshake failure

 

Thanks


Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, February 05, 2015 4:54 AM
To: [hidden email]
Subject: Re: Notification of handshake failure/timeout

 

Hi,

 

We implemented the HandshakeListener interface (OnComplete / OnStart).

How can we be notified of other handshake events such as : handshake failure and handshake timeout (E.g: Since we do have the ability to set the timeout via setHandshakeTimeout())

timeout is applicable in blocking handshake mode. By default we use non-blocking mode.
Regarding the failure - we don't have that. Can you pls. file an issue - we'll implement that for the next version.

Thanks.

WBR,
Alexey.




 

I would like to thank you on your prompt responses to my (and my team members) queries.

 

Thanks a lot,

 

Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, January 22, 2015 11:06 PM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri; Ben-Yosef Efrat
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

yeah, I expected there's something wrong with the config.
 

Do you have any suggested solution to filter out specific protocols and ciphers  ?

Grizzly API seems to provide a “white list” for these settings. What we are looking for is an option to provide a “black list”.

Well, it's always possible to get the list of *all* available ciphers and protocols, so it's very easy to get a "white list" out of "black list".
To get the list of all supported protocols you can do something like:






 

Thanks

 

Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, January 22, 2015 7:58 AM
To: [hidden email]
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

unfortunately I can't reproduce the problem locally.
How do you run the sample server, do you use maven?
Can you pls. share the entire server SSL log, not only handshake.

Thank you.

WBR,
Alexey.

On 21.01.15 01:58, Siman Tov Gal wrote:

Hi Alexey.

I have run the SSLEchoServer along with the SSLEchoClient (As taken from the Grizzly samples).

 

I have added to the SSLEchoServer runtime execution the  -Djavax.net.debug=all .

 

I got the following output during the handshake :

 

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

 

trigger seeding of SecureRandom

done seeding SecureRandom

Press any key to stop the server...

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

[Raw read]: length = 5

0000: 16 03 01 00 95                                     .....

[Raw read]: length = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

Grizzly-worker(1), READ: TLSv1 Handshake, length = 149

*** ClientHello, TLSv1

RandomCookie:  GMT: 1405056815 bytes = { 166, 52, 239, 180, 173, 202, 73, 39, 37, 221, 122, 202, 62, 239, 169, 158, 96, 51, 21, 12, 129, 160, 139, 18, 157, 177, 180, 124 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

***

[read] MD5 and SHA1 hashes:  len = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), fatal error: 40: no cipher suites in common

javax.net.ssl.SSLHandshakeException: no cipher suites in common

%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), SEND TLSv1 ALERT:  fatal, description = handshake_failure

Grizzly-worker(1), WRITE: TLSv1 Alert, length = 2

Grizzly-worker(1), fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

 

 

Please advise,

 

Thanks Gal Siman-Tov

 

From: Oleksiy Stashok [[hidden email]]
Sent: Wednesday, January 21, 2015 3:27 AM
To: Siman Tov Gal
Cc: Meltser Tiran; Broide Uri; '[hidden email]'
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

are you running SSLEchoServer?
If yes, there is SSLEchoClient, does it work with the server?

Thank you.

WBR,
Alexey.

On 19.01.15 06:17, Siman Tov Gal wrote:

Hi Alexey,

 

Thanks for the prompt reply.

 

I took a step back and tried to launch the SSL sample from the Grizzly repository (grizzly-framework-samples-2.3.18.jar).

I used an openssl client and on handshake I got the following error:

 

30720:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

 

Note that I did not perform any setup on the SSLEngineConfigurator.

 

As far as I’ve seen other examples they should work as is, but this does not happen here.

 

Am I missing something?

 

10x,

 

Gal

 

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Monday, January 19, 2015 6:58 AM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

can you pls. share the test case so we can reproduce the problem?

Thank you.

WBR,
Alexey.

On 18.01.15 00:13, Siman Tov Gal wrote:

Hi

 

I am trying to establish a SSL handshake with my Grizzly server and an openssl client.

 

I’ve  configured the SSLEngineConfigurator with the following setup:

 

              sslContextConfig.setKeyStoreFile(keyStoreLocation);

              sslContextConfig.setKeyStorePass(keyStorePassword);

             

              // Create SSLEngine configurator

              SSLEngineConfigurator sslEngineConfigurator = new SSLEngineConfigurator(sslContextConfig.createSSLContext(),false,false,false);

              SSLSocketFactory sf = sslEngineConfigurator.getSslContext().getSocketFactory();         

             

              String[] supportedProtocols = {"TLSv1","SSLv3","TLSv1.1","TLSv1.2","SSLv2Hello"};

              sslEngineConfigurator.setEnabledProtocols(supportedProtocols);

              sslEngineConfigurator.setProtocolConfigured(true);

              String[] cipherSuites = sf.getSupportedCipherSuites();

              sslEngineConfigurator.setEnabledCipherSuites(cipherSuites);

              sslEngineConfigurator.setCipherConfigured(true);

              sslEngineConfigurator.setNeedClientAuth(false);

              sslEngineConfigurator.setWantClientAuth(false);

 

When debugging the handshake code, the point of failure was in the SSLBaseFilter:doHandshakeStep() method.

When entering the case of NEED_UNWRAP, the handshake failed due to the fact that the inputBuffer was set to null.

 

The openssl client send the following command :

 

openssl.exe s_client -debug -msg -connect localhost:50443

 

I am getting the following response :

 

8392:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:601

 

Thanks in advance

 

Gal S.T

 

P.S:  I open the SSL debug info (using : -Djavax.net.debug=all)

 

Here is the output :

 

chain [0] = [

[

  Version: V3

  Subject: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

 

  Key:  Sun RSA public key, 2048 bits

  modulus: 24414085473144772337919323012074107190618816754963514243080255494571539528736844619038076143491962690817977116723664346553272438908433680538048087195422831263971167306175278902944331875961609798287166241724881538546675318900905485132685167634098012392607384655817306725746127194856379390873270494744745754705873786404248972196545665264863541650881792842260766824580673229124863089563730094213195521617379221251195145200022967368062802615057847357727486054056179317815221853820588458878995885198226082418443238912098038011785005029767939039988128318928941102946178680941872945325579621419106798984545238312478653261279

  public exponent: 65537

  Validity: [From: Thu Jan 15 15:47:10 IST 2015,

               To: Wed Aug 10 16:47:10 IDT 2044]

  Issuer: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  SerialNumber: [    5606fc55]

 

Certificate Extensions: 1

[1]: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 27 D1 11 CB 8B AF EB 5E   D8 67 A5 58 88 CE 39 72  '......^.g.X..9r

0010: 74 DA 48 65                                        t.He

]

]

 

]

  Algorithm: [SHA1withRSA]

  Signature:

0000: 56 82 F0 A4 A6 56 A8 F8   37 3D E6 A5 1F 87 E3 9D  V....V..7=......

0010: 45 33 C6 C6 DB 5E A5 46   C7 EB 6D 12 FD 12 38 F3  E3...^.F..m...8.

0020: 0F 80 99 A6 B7 1D 1F 84   22 5E E6 B8 FA DE 7F 68  ........"^.....h

0030: 7B 0D D0 24 53 D0 DA CB   13 F3 38 E3 EA 3B 69 C1  ...$S.....8..;i.

0040: 1E 6B BB AA 32 4F CF AF   42 91 52 C5 07 49 99 AB  .k..2O..B.R..I..

0050: C5 48 29 64 17 2A 23 AF   74 B0 2C 90 01 C1 7E BE  .H)d.*#.t.,.....

0060: 37 ED DC 2E F3 59 E7 6C   0B B0 6B DF 20 5C 61 24  7....Y.l..k. \a$

0070: FB BA EB 4E 35 BD 6A AE   DB 98 59 27 D4 C1 6D 81  ...N5.j...Y'..m.

0080: 50 8A 7B 45 9C ED 73 20   74 78 6E 45 44 54 E3 3E  P..E..s txnEDT.>

0090: B8 B6 86 98 EE 3D 65 36   D8 F2 96 67 9B BD DC DE  .....=e6...g....

00A0: CF 6B 12 51 2F D3 5E B6   E4 87 9C E5 2C 91 E6 70  .k.Q/.^.....,..p

00B0: F4 2F 19 A0 08 19 BF BF   0B 25 87 16 AE 98 76 94  ./.......%....v.

00C0: 22 DD 36 99 0A FB 41 53   0D 46 C6 18 33 36 A7 4F  ".6...AS.F..36.O

00D0: DF 45 71 46 3B 02 DA 55   58 E8 65 9F 70 E6 E1 F9  .EqF;..UX.e.p...

00E0: 6D A3 B9 6D 56 01 F8 B8   E1 A0 47 E5 76 EA 25 BE  m..mV.....G.v.%.

00F0: 6B 64 1A AA 04 1D A2 61   D9 CB 3F 2C 06 FC 24 37  kd.....a..?,..$7

 

]

***

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

adding as trusted cert:

  Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Algorithm: RSA; Serial number: 0x4eb200670c035d4f

  Valid from Wed Oct 25 10:36:00 IST 2006 until Sat Oct 25 11:36:00 IDT 2036

 

adding as trusted cert:

  Subject: [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Issuer:  [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Algorithm: RSA; Serial number: 0x1

  Valid from Sat Jun 26 01:23:48 IDT 1999 until Wed Jun 26 01:23:48 IDT 2019

 

trigger seeding of SecureRandom

done seeding SecureRandom

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

***** MIST started in 10092 ms *****

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

%% No cached client session

*** ClientHello, TLSv1.2

RandomCookie:  GMT: 1404790585 bytes = { 174, 154, 88, 222, 218, 55, 81, 20, 22, 53, 136, 174, 20, 168, 180, 225, 117, 54, 216, 158, 183, 119, 118, 16, 236, 221, 24, 251 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA

***

[write] MD5 and SHA1 hashes:  len = 263

0000: 01 00 01 03 03 03 54 BB   67 39 AE 9A 58 DE DA 37  ......T.g9..X..7

0010: 51 14 16 35 88 AE 14 A8   B4 E1 75 36 D8 9E B7 77  Q..5......u6...w

0020: 76 10 EC DD 18 FB 00 00   7E C0 23 C0 27 00 3C C0  v.........#.'.<.

0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.)[hidden email]...

0040: 0E 00 33 00 32 C0 08 C0   12 00 0A C0 03 C0 0D 00  ..3.2...........

0050: 16 00 13 C0 07 C0 11 00   05 C0 02 C0 0C 00 04 00  ................

0060: FF 00 6C C0 18 00 34 C0   17 00 1B C0 16 00 18 00  ..l...4.........

0070: 09 00 15 00 12 00 1A 00   03 00 17 00 08 00 14 00  ................

0080: 11 00 19 00 3B C0 06 C0   10 00 02 C0 01 C0 0B C0  ....;...........

0090: 15 00 01 00 1F 00 23 00   20 00 24 00 1E 00 22 00  ......#. .$...".

00A0: 26 00 29 00 28 00 2B 01   00 00 5C 00 0A 00 34 00  &.).(.+...\...4.

00B0: 32 00 17 00 01 00 03 00   13 00 15 00 06 00 07 00  2...............

00C0: 09 00 0A 00 18 00 0B 00   0C 00 19 00 0D 00 0E 00  ................

00D0: 0F 00 10 00 11 00 02 00   12 00 04 00 05 00 14 00  ................

00E0: 08 00 16 00 0B 00 02 01   00 00 0D 00 1A 00 18 06  ................

00F0: 03 06 01 05 03 05 01 04   03 04 01 03 03 03 01 02  ................

0100: 03 02 01 02 02 01 01                               .......

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: TLSv1.2 Handshake, length = 263

[write] MD5 and SHA1 hashes:  len = 257

0000: 01 03 03 00 D8 00 00 00   20 00 C0 23 00 C0 27 00  ........ ..#..'.

0010: 00 3C 00 C0 25 00 C0 29   00 00 67 00 00 40 00 C0  .<..%..)[hidden email]..

0020: 09 06 00 40 00 C0 13 00   00 2F 00 C0 04 01 00 80  [hidden email]......

0030: 00 C0 0E 00 00 33 00 00   32 00 C0 08 00 C0 12 00  .....3..2.......

0040: 00 0A 07 00 C0 00 C0 03   02 00 80 00 C0 0D 00 00  ................

0050: 16 00 00 13 00 C0 07 05   00 80 00 C0 11 00 00 05  ................

0060: 00 C0 02 00 C0 0C 00 00   04 01 00 80 00 00 FF 00  ................

0070: 00 6C 00 C0 18 00 00 34   00 C0 17 00 00 1B 00 C0  .l.....4........

0080: 16 00 00 18 00 00 09 06   00 40 00 00 15 00 00 12  [hidden email]......

0090: 00 00 1A 00 00 03 02 00   80 00 00 17 00 00 08 00  ................

00A0: 00 14 00 00 11 00 00 19   00 00 3B 00 C0 06 04 00  ..........;.....

00B0: 80 00 C0 10 00 00 02 00   C0 01 00 C0 0B 00 C0 15  ................

00C0: 00 00 01 00 00 1F 00 00   23 00 00 20 00 00 24 00  ........#.. ..$.

00D0: 00 1E 00 00 22 00 00 26   00 00 29 00 00 28 00 00  ...."..&..)..(..

00E0: 2B 54 BB 67 39 AE 9A 58   DE DA 37 51 14 16 35 88  +T.g9..X..7Q..5.

00F0: AE 14 A8 B4 E1 75 36 D8   9E B7 77 76 10 EC DD 18  .....u6...wv....

0100: FB                                                 .

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: SSLv2 client hello message, length = 257

[Raw write]: length = 259

0000: 81 01 01 03 03 00 D8 00   00 00 20 00 C0 23 00 C0  .......... ..#..

0010: 27 00 00 3C 00 C0 25 00   C0 29 00 00 67 00 00 40  '..<..%..)..g..@

0020: 00 C0 09 06 00 40 00 C0   13 00 00 2F 00 C0 04 01  [hidden email]....

0030: 00 80 00 C0 0E 00 00 33   00 00 32 00 C0 08 00 C0  .......3..2.....

0040: 12 00 00 0A 07 00 C0 00   C0 03 02 00 80 00 C0 0D  ................

0050: 00 00 16 00 00 13 00 C0   07 05 00 80 00 C0 11 00  ................

0060: 00 05 00 C0 02 00 C0 0C   00 00 04 01 00 80 00 00  ................

0070: FF 00 00 6C 00 C0 18 00   00 34 00 C0 17 00 00 1B  ...l.....4......

0080: 00 C0 16 00 00 18 00 00   09 06 00 40 00 00 15 00  [hidden email]....

0090: 00 12 00 00 1A 00 00 03   02 00 80 00 00 17 00 00  ................

00A0: 08 00 00 14 00 00 11 00   00 19 00 00 3B 00 C0 06  ............;...

00B0: 04 00 80 00 C0 10 00 00   02 00 C0 01 00 C0 0B 00  ................

00C0: C0 15 00 00 01 00 00 1F   00 00 23 00 00 20 00 00  ..........#.. ..

00D0: 24 00 00 1E 00 00 22 00   00 26 00 00 29 00 00 28  $....."..&..)..(

00E0: 00 00 2B 54 BB 67 39 AE   9A 58 DE DA 37 51 14 16  ..+T.g9..X..7Q..

00F0: 35 88 AE 14 A8 B4 E1 75   36 D8 9E B7 77 76 10 EC  5......u6...wv..

0100: DD 18 FB     


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”
Reply | Threaded
Open this post in threaded view
|

Re: Notification of handshake failure/timeout

oleksiys
Administrator
Hi,

right, the issue is still open because I want to make sure it works for you first.

Can you pls. try 2.3.19-SNAPSHOT from repository
https://maven.java.net/content/repositories/snapshots/

and check if it works (the failure notification).

Thank you.

WBR,
Alexey.

On 12.02.15 06:26, Siman Tov Gal wrote:

Hi Alexey,

 

Issue 1739 is still unresolved.

Can u clarify what you meant by “check if it works for you” ?

 

Gal

 

From: Oleksiy Stashok [[hidden email]]
Sent: Monday, February 09, 2015 10:05 PM
To: [hidden email]
Subject: Re: Notification of handshake failure/timeout

 

Hi,

I commited the fix and created an issue #1739.
Can you pls. check if it works for you?

Thank you.

WBR,
Alexey.

On 08.02.15 23:35, Siman Tov Gal wrote:

Hi Alexey

I created a new issue

GRIZZLY-1740  Provide a callback for SSL handshake failure

 

Thanks


Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, February 05, 2015 4:54 AM
To: [hidden email]
Subject: Re: Notification of handshake failure/timeout

 

Hi,

 

We implemented the HandshakeListener interface (OnComplete / OnStart).

How can we be notified of other handshake events such as : handshake failure and handshake timeout (E.g: Since we do have the ability to set the timeout via setHandshakeTimeout())

timeout is applicable in blocking handshake mode. By default we use non-blocking mode.
Regarding the failure - we don't have that. Can you pls. file an issue - we'll implement that for the next version.

Thanks.

WBR,
Alexey.




 

I would like to thank you on your prompt responses to my (and my team members) queries.

 

Thanks a lot,

 

Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, January 22, 2015 11:06 PM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri; Ben-Yosef Efrat
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

yeah, I expected there's something wrong with the config.
 

Do you have any suggested solution to filter out specific protocols and ciphers  ?

Grizzly API seems to provide a “white list” for these settings. What we are looking for is an option to provide a “black list”.

Well, it's always possible to get the list of *all* available ciphers and protocols, so it's very easy to get a "white list" out of "black list".
To get the list of all supported protocols you can do something like:






 

Thanks

 

Gal

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Thursday, January 22, 2015 7:58 AM
To: [hidden email]
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

unfortunately I can't reproduce the problem locally.
How do you run the sample server, do you use maven?
Can you pls. share the entire server SSL log, not only handshake.

Thank you.

WBR,
Alexey.

On 21.01.15 01:58, Siman Tov Gal wrote:

Hi Alexey.

I have run the SSLEchoServer along with the SSLEchoClient (As taken from the Grizzly samples).

 

I have added to the SSLEchoServer runtime execution the  -Djavax.net.debug=all .

 

I got the following output during the handshake :

 

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

 

trigger seeding of SecureRandom

done seeding SecureRandom

Press any key to stop the server...

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

[Raw read]: length = 5

0000: 16 03 01 00 95                                     .....

[Raw read]: length = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

Grizzly-worker(1), READ: TLSv1 Handshake, length = 149

*** ClientHello, TLSv1

RandomCookie:  GMT: 1405056815 bytes = { 166, 52, 239, 180, 173, 202, 73, 39, 37, 221, 122, 202, 62, 239, 169, 158, 96, 51, 21, 12, 129, 160, 139, 18, 157, 177, 180, 124 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

***

[read] MD5 and SHA1 hashes:  len = 149

0000: 01 00 00 91 03 01 54 BF   77 2F A6 34 EF B4 AD CA  ......T.w/.4....

0010: 49 27 25 DD 7A CA 3E EF   A9 9E 60 33 15 0C 81 A0  I'%.z.>...`3....

0020: 8B 12 9D B1 B4 7C 00 00   2A C0 09 C0 13 00 2F C0  ........*...../.

0030: 04 C0 0E 00 33 00 32 C0   08 C0 12 00 0A C0 03 C0  ....3.2.........

0040: 0D 00 16 00 13 C0 07 C0   11 00 05 C0 02 C0 0C 00  ................

0050: 04 00 FF 01 00 00 3E 00   0A 00 34 00 32 00 17 00  ......>...4.2...

0060: 01 00 03 00 13 00 15 00   06 00 07 00 09 00 0A 00  ................

0070: 18 00 0B 00 0C 00 19 00   0D 00 0E 00 0F 00 10 00  ................

0080: 11 00 02 00 12 00 04 00   05 00 14 00 08 00 16 00  ................

0090: 0B 00 02 01 00                                     .....

%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), fatal error: 40: no cipher suites in common

javax.net.ssl.SSLHandshakeException: no cipher suites in common

%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]

Grizzly-worker(1), SEND TLSv1 ALERT:  fatal, description = handshake_failure

Grizzly-worker(1), WRITE: TLSv1 Alert, length = 2

Grizzly-worker(1), fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

 

 

Please advise,

 

Thanks Gal Siman-Tov

 

From: Oleksiy Stashok [[hidden email]]
Sent: Wednesday, January 21, 2015 3:27 AM
To: Siman Tov Gal
Cc: Meltser Tiran; Broide Uri; '[hidden email]'
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

are you running SSLEchoServer?
If yes, there is SSLEchoClient, does it work with the server?

Thank you.

WBR,
Alexey.

On 19.01.15 06:17, Siman Tov Gal wrote:

Hi Alexey,

 

Thanks for the prompt reply.

 

I took a step back and tried to launch the SSL sample from the Grizzly repository (grizzly-framework-samples-2.3.18.jar).

I used an openssl client and on handshake I got the following error:

 

30720:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

 

Note that I did not perform any setup on the SSLEngineConfigurator.

 

As far as I’ve seen other examples they should work as is, but this does not happen here.

 

Am I missing something?

 

10x,

 

Gal

 

 

 

From: Oleksiy Stashok [[hidden email]]
Sent: Monday, January 19, 2015 6:58 AM
To: Siman Tov Gal; [hidden email]
Cc: Meltser Tiran; Broide Uri
Subject: Re: Trying to establish SSL connection - Fails in handshake

 

Hi,

can you pls. share the test case so we can reproduce the problem?

Thank you.

WBR,
Alexey.

On 18.01.15 00:13, Siman Tov Gal wrote:

Hi

 

I am trying to establish a SSL handshake with my Grizzly server and an openssl client.

 

I’ve  configured the SSLEngineConfigurator with the following setup:

 

              sslContextConfig.setKeyStoreFile(keyStoreLocation);

              sslContextConfig.setKeyStorePass(keyStorePassword);

             

              // Create SSLEngine configurator

              SSLEngineConfigurator sslEngineConfigurator = new SSLEngineConfigurator(sslContextConfig.createSSLContext(),false,false,false);

              SSLSocketFactory sf = sslEngineConfigurator.getSslContext().getSocketFactory();         

             

              String[] supportedProtocols = {"TLSv1","SSLv3","TLSv1.1","TLSv1.2","SSLv2Hello"};

              sslEngineConfigurator.setEnabledProtocols(supportedProtocols);

              sslEngineConfigurator.setProtocolConfigured(true);

              String[] cipherSuites = sf.getSupportedCipherSuites();

              sslEngineConfigurator.setEnabledCipherSuites(cipherSuites);

              sslEngineConfigurator.setCipherConfigured(true);

              sslEngineConfigurator.setNeedClientAuth(false);

              sslEngineConfigurator.setWantClientAuth(false);

 

When debugging the handshake code, the point of failure was in the SSLBaseFilter:doHandshakeStep() method.

When entering the case of NEED_UNWRAP, the handshake failed due to the fact that the inputBuffer was set to null.

 

The openssl client send the following command :

 

openssl.exe s_client -debug -msg -connect localhost:50443

 

I am getting the following response :

 

8392:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:.\ssl\s23_clnt.c:601

 

Thanks in advance

 

Gal S.T

 

P.S:  I open the SSL debug info (using : -Djavax.net.debug=all)

 

Here is the output :

 

chain [0] = [

[

  Version: V3

  Subject: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

 

  Key:  Sun RSA public key, 2048 bits

  modulus: 24414085473144772337919323012074107190618816754963514243080255494571539528736844619038076143491962690817977116723664346553272438908433680538048087195422831263971167306175278902944331875961609798287166241724881538546675318900905485132685167634098012392607384655817306725746127194856379390873270494744745754705873786404248972196545665264863541650881792842260766824580673229124863089563730094213195521617379221251195145200022967368062802615057847357727486054056179317815221853820588458878995885198226082418443238912098038011785005029767939039988128318928941102946178680941872945325579621419106798984545238312478653261279

  public exponent: 65537

  Validity: [From: Thu Jan 15 15:47:10 IST 2015,

               To: Wed Aug 10 16:47:10 IDT 2044]

  Issuer: CN=mist mist, OU=VI, O=Comverse, L=Raanana, ST=Israel, C=IL

  SerialNumber: [    5606fc55]

 

Certificate Extensions: 1

[1]: ObjectId: 2.5.29.14 Criticality=false

SubjectKeyIdentifier [

KeyIdentifier [

0000: 27 D1 11 CB 8B AF EB 5E   D8 67 A5 58 88 CE 39 72  '......^.g.X..9r

0010: 74 DA 48 65                                        t.He

]

]

 

]

  Algorithm: [SHA1withRSA]

  Signature:

0000: 56 82 F0 A4 A6 56 A8 F8   37 3D E6 A5 1F 87 E3 9D  V....V..7=......

0010: 45 33 C6 C6 DB 5E A5 46   C7 EB 6D 12 FD 12 38 F3  E3...^.F..m...8.

0020: 0F 80 99 A6 B7 1D 1F 84   22 5E E6 B8 FA DE 7F 68  ........"^.....h

0030: 7B 0D D0 24 53 D0 DA CB   13 F3 38 E3 EA 3B 69 C1  ...$S.....8..;i.

0040: 1E 6B BB AA 32 4F CF AF   42 91 52 C5 07 49 99 AB  .k..2O..B.R..I..

0050: C5 48 29 64 17 2A 23 AF   74 B0 2C 90 01 C1 7E BE  .H)d.*#.t.,.....

0060: 37 ED DC 2E F3 59 E7 6C   0B B0 6B DF 20 5C 61 24  7....Y.l..k. \a$

0070: FB BA EB 4E 35 BD 6A AE   DB 98 59 27 D4 C1 6D 81  ...N5.j...Y'..m.

0080: 50 8A 7B 45 9C ED 73 20   74 78 6E 45 44 54 E3 3E  P..E..s txnEDT.>

0090: B8 B6 86 98 EE 3D 65 36   D8 F2 96 67 9B BD DC DE  .....=e6...g....

00A0: CF 6B 12 51 2F D3 5E B6   E4 87 9C E5 2C 91 E6 70  .k.Q/.^.....,..p

00B0: F4 2F 19 A0 08 19 BF BF   0B 25 87 16 AE 98 76 94  ./.......%....v.

00C0: 22 DD 36 99 0A FB 41 53   0D 46 C6 18 33 36 A7 4F  ".6...AS.F..36.O

00D0: DF 45 71 46 3B 02 DA 55   58 E8 65 9F 70 E6 E1 F9  .EqF;..UX.e.p...

00E0: 6D A3 B9 6D 56 01 F8 B8   E1 A0 47 E5 76 EA 25 BE  m..mV.....G.v.%.

00F0: 6B 64 1A AA 04 1D A2 61   D9 CB 3F 2C 06 FC 24 37  kd.....a..?,..$7

 

]

***

trustStore is: C:\jdk1.7.0_72\jre\lib\security\cacerts

trustStore type is : jks

trustStore provider is :

init truststore

adding as trusted cert:

  Subject: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Issuer:  CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH

  Algorithm: RSA; Serial number: 0x4eb200670c035d4f

  Valid from Wed Oct 25 10:36:00 IST 2006 until Sat Oct 25 11:36:00 IDT 2036

 

adding as trusted cert:

  Subject: [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Issuer:  [hidden email], CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

  Algorithm: RSA; Serial number: 0x1

  Valid from Sat Jun 26 01:23:48 IDT 1999 until Wed Jun 26 01:23:48 IDT 2019

 

trigger seeding of SecureRandom

done seeding SecureRandom

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

***** MIST started in 10092 ms *****

Using SSLEngineImpl.

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Allow unsafe renegotiation: false

Allow legacy hello messages: true

Is initial handshake: true

Is secure renegotiation: false

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv2Hello

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1

Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1

%% No cached client session

*** ClientHello, TLSv1.2

RandomCookie:  GMT: 1404790585 bytes = { 174, 154, 88, 222, 218, 55, 81, 20, 22, 53, 136, 174, 20, 168, 180, 225, 117, 54, 216, 158, 183, 119, 118, 16, 236, 221, 24, 251 }

Session ID:  {}

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5]

Compression Methods:  { 0 }

Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

Extension ec_point_formats, formats: [uncompressed]

Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA

***

[write] MD5 and SHA1 hashes:  len = 263

0000: 01 00 01 03 03 03 54 BB   67 39 AE 9A 58 DE DA 37  ......T.g9..X..7

0010: 51 14 16 35 88 AE 14 A8   B4 E1 75 36 D8 9E B7 77  Q..5......u6...w

0020: 76 10 EC DD 18 FB 00 00   7E C0 23 C0 27 00 3C C0  v.........#.'.<.

0030: 25 C0 29 00 67 00 40 C0   09 C0 13 00 2F C0 04 C0  %.)[hidden email]...

0040: 0E 00 33 00 32 C0 08 C0   12 00 0A C0 03 C0 0D 00  ..3.2...........

0050: 16 00 13 C0 07 C0 11 00   05 C0 02 C0 0C 00 04 00  ................

0060: FF 00 6C C0 18 00 34 C0   17 00 1B C0 16 00 18 00  ..l...4.........

0070: 09 00 15 00 12 00 1A 00   03 00 17 00 08 00 14 00  ................

0080: 11 00 19 00 3B C0 06 C0   10 00 02 C0 01 C0 0B C0  ....;...........

0090: 15 00 01 00 1F 00 23 00   20 00 24 00 1E 00 22 00  ......#. .$...".

00A0: 26 00 29 00 28 00 2B 01   00 00 5C 00 0A 00 34 00  &.).(.+...\...4.

00B0: 32 00 17 00 01 00 03 00   13 00 15 00 06 00 07 00  2...............

00C0: 09 00 0A 00 18 00 0B 00   0C 00 19 00 0D 00 0E 00  ................

00D0: 0F 00 10 00 11 00 02 00   12 00 04 00 05 00 14 00  ................

00E0: 08 00 16 00 0B 00 02 01   00 00 0D 00 1A 00 18 06  ................

00F0: 03 06 01 05 03 05 01 04   03 04 01 03 03 03 01 02  ................

0100: 03 02 01 02 02 01 01                               .......

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: TLSv1.2 Handshake, length = 263

[write] MD5 and SHA1 hashes:  len = 257

0000: 01 03 03 00 D8 00 00 00   20 00 C0 23 00 C0 27 00  ........ ..#..'.

0010: 00 3C 00 C0 25 00 C0 29   00 00 67 00 00 40 00 C0  .<..%..)[hidden email]..

0020: 09 06 00 40 00 C0 13 00   00 2F 00 C0 04 01 00 80  [hidden email]......

0030: 00 C0 0E 00 00 33 00 00   32 00 C0 08 00 C0 12 00  .....3..2.......

0040: 00 0A 07 00 C0 00 C0 03   02 00 80 00 C0 0D 00 00  ................

0050: 16 00 00 13 00 C0 07 05   00 80 00 C0 11 00 00 05  ................

0060: 00 C0 02 00 C0 0C 00 00   04 01 00 80 00 00 FF 00  ................

0070: 00 6C 00 C0 18 00 00 34   00 C0 17 00 00 1B 00 C0  .l.....4........

0080: 16 00 00 18 00 00 09 06   00 40 00 00 15 00 00 12  [hidden email]......

0090: 00 00 1A 00 00 03 02 00   80 00 00 17 00 00 08 00  ................

00A0: 00 14 00 00 11 00 00 19   00 00 3B 00 C0 06 04 00  ..........;.....

00B0: 80 00 C0 10 00 00 02 00   C0 01 00 C0 0B 00 C0 15  ................

00C0: 00 00 01 00 00 1F 00 00   23 00 00 20 00 00 24 00  ........#.. ..$.

00D0: 00 1E 00 00 22 00 00 26   00 00 29 00 00 28 00 00  ...."..&..)..(..

00E0: 2B 54 BB 67 39 AE 9A 58   DE DA 37 51 14 16 35 88  +T.g9..X..7Q..5.

00F0: AE 14 A8 B4 E1 75 36 D8   9E B7 77 76 10 EC DD 18  .....u6...wv....

0100: FB                                                 .

StartPoint-IMAP-SSL-Kernel(3) SelectorRunner, WRITE: SSLv2 client hello message, length = 257

[Raw write]: length = 259

0000: 81 01 01 03 03 00 D8 00   00 00 20 00 C0 23 00 C0  .......... ..#..

0010: 27 00 00 3C 00 C0 25 00   C0 29 00 00 67 00 00 40  '..<..%..)..g..@

0020: 00 C0 09 06 00 40 00 C0   13 00 00 2F 00 C0 04 01  [hidden email]....

0030: 00 80 00 C0 0E 00 00 33   00 00 32 00 C0 08 00 C0  .......3..2.....

0040: 12 00 00 0A 07 00 C0 00   C0 03 02 00 80 00 C0 0D  ................

0050: 00 00 16 00 00 13 00 C0   07 05 00 80 00 C0 11 00  ................

0060: 00 05 00 C0 02 00 C0 0C   00 00 04 01 00 80 00 00  ................

0070: FF 00 00 6C 00 C0 18 00   00 34 00 C0 17 00 00 1B  ...l.....4......

0080: 00 C0 16 00 00 18 00 00   09 06 00 40 00 00 15 00  [hidden email]....

0090: 00 12 00 00 1A 00 00 03   02 00 80 00 00 17 00 00  ................

00A0: 08 00 00 14 00 00 11 00   00 19 00 00 3B 00 C0 06  ............;...

00B0: 04 00 80 00 C0 10 00 00   02 00 C0 01 00 C0 0B 00  ................

00C0: C0 15 00 00 01 00 00 1F   00 00 23 00 00 20 00 00  ..........#.. ..

00D0: 24 00 00 1E 00 00 22 00   00 26 00 00 29 00 00 28  $....."..&..)..(

00E0: 00 00 2B 54 BB 67 39 AE   9A 58 DE DA 37 51 14 16  ..+T.g9..X..7Q..

00F0: 35 88 AE 14 A8 B4 E1 75   36 D8 9E B7 77 76 10 EC  5......u6...wv..

0100: DD 18 FB     


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

 


“This e-mail message may contain confidential, commercial or privileged information that constitutes proprietary information of Comverse Inc. or its subsidiaries. If you are not the intended recipient of this message, you are hereby notified that any review, use or distribution of this information is absolutely prohibited and we request that you delete all copies and contact us by e-mailing to: [hidden email]. Thank You.”

Reply | Threaded
Open this post in threaded view
|

RE: Notification of handshake failure/timeout

Siman Tov Gal