Problems connecting via HTTPS/SSL through own Java client -

-

i'm trying establish connection trackobot.com receive json data. server allows connections through https/ssl. here code:

java.lang.system.setproperty("https.protocols", "tlsv1,tlsv1.1,tlsv1.2"); url url = new url("https://trackobot.com/profile/history.json?username=user&token=tocken");      inputstream = url.openstream();  jsonparser parser = json.createparser(is);

opensteam throws javax.net.ssl.sslhandshakeexception: received fatal alert: handshake_failure

i read through several posts related similar problems none of suggestions helped. appropriate certificate in truststore. when try connect to, example, google.com there no error. so, problem seems in handshake-specifics of server i'm trying connect to.

i ran code using -djavax.net.debug=ssl returning this:

keystore :  keystore type : jks keystore provider :  init keystore init keymanager of type sunx509 truststore is: /library/java/javavirtualmachines/jdk1.8.0_25.jdk/contents/home/jre/lib/security/cacerts truststore type : jks truststore provider :  init truststore  [here removed hundreds of „adding trusted cert“:… lines]  trigger seeding of securerandom done seeding securerandom ignoring unavailable cipher suite: tls_dhe_dss_with_aes_256_gcm_sha384 ignoring unavailable cipher suite: tls_rsa_with_aes_256_cbc_sha ignoring unavailable cipher suite: tls_dhe_rsa_with_aes_256_gcm_sha384 ignoring unavailable cipher suite: tls_ecdh_ecdsa_with_aes_256_cbc_sha ignoring unavailable cipher suite: tls_ecdhe_ecdsa_with_aes_256_gcm_sha384 ignoring unavailable cipher suite: tls_rsa_with_aes_256_cbc_sha256 ignoring unavailable cipher suite: tls_dhe_dss_with_aes_256_cbc_sha ignoring unavailable cipher suite: tls_ecdh_ecdsa_with_aes_256_gcm_sha384 ignoring unavailable cipher suite: tls_ecdh_rsa_with_aes_256_cbc_sha384 ignoring unavailable cipher suite: tls_rsa_with_aes_256_gcm_sha384 ignoring unavailable cipher suite: tls_ecdh_ecdsa_with_aes_256_cbc_sha384 ignoring unavailable cipher suite: tls_ecdhe_rsa_with_aes_256_cbc_sha384 ignoring unavailable cipher suite: tls_ecdh_rsa_with_aes_256_cbc_sha ignoring unavailable cipher suite: tls_ecdh_rsa_with_aes_256_gcm_sha384 ignoring unavailable cipher suite: tls_ecdhe_ecdsa_with_aes_256_cbc_sha384 ignoring unavailable cipher suite: tls_dhe_rsa_with_aes_256_cbc_sha256 ignoring unavailable cipher suite: tls_ecdhe_ecdsa_with_aes_256_cbc_sha ignoring unavailable cipher suite: tls_dhe_dss_with_aes_256_cbc_sha256 ignoring unavailable cipher suite: tls_dhe_rsa_with_aes_256_cbc_sha ignoring unavailable cipher suite: tls_ecdhe_rsa_with_aes_256_cbc_sha ignoring unavailable cipher suite: tls_ecdhe_rsa_with_aes_256_gcm_sha384 allow unsafe renegotiation: false allow legacy hello messages: true initial handshake: true secure renegotiation: false main, setsotimeout(0) called ignoring unsupported cipher suite: tls_ecdhe_ecdsa_with_aes_128_cbc_sha256 tlsv1 ignoring unsupported cipher suite: tls_ecdhe_rsa_with_aes_128_cbc_sha256 tlsv1 ignoring unsupported cipher suite: tls_rsa_with_aes_128_cbc_sha256 tlsv1 ignoring unsupported cipher suite: tls_ecdh_ecdsa_with_aes_128_cbc_sha256 tlsv1 ignoring unsupported cipher suite: tls_ecdh_rsa_with_aes_128_cbc_sha256 tlsv1 ignoring unsupported cipher suite: tls_dhe_rsa_with_aes_128_cbc_sha256 tlsv1 ignoring unsupported cipher suite: tls_dhe_dss_with_aes_128_cbc_sha256 tlsv1 ignoring unsupported cipher suite: tls_ecdhe_ecdsa_with_aes_128_cbc_sha256 tlsv1.1 ignoring unsupported cipher suite: tls_ecdhe_rsa_with_aes_128_cbc_sha256 tlsv1.1 ignoring unsupported cipher suite: tls_rsa_with_aes_128_cbc_sha256 tlsv1.1 ignoring unsupported cipher suite: tls_ecdh_ecdsa_with_aes_128_cbc_sha256 tlsv1.1 ignoring unsupported cipher suite: tls_ecdh_rsa_with_aes_128_cbc_sha256 tlsv1.1 ignoring unsupported cipher suite: tls_dhe_rsa_with_aes_128_cbc_sha256 tlsv1.1 ignoring unsupported cipher suite: tls_dhe_dss_with_aes_128_cbc_sha256 tlsv1.1 %% no cached client session *** clienthello, tlsv1.2 randomcookie:  gmt: 1433943269 bytes = { 109, 198, 189, 148, 62, 6, 19, 126, 179, 214, 250, 99, 207, 117, 162, 47, 62, 176, 222, 247, 98, 29, 155, 63, 255, 100, 171, 187 } session id:  {} cipher suites: [tls_ecdhe_ecdsa_with_aes_128_cbc_sha256, tls_ecdhe_rsa_with_aes_128_cbc_sha256, tls_rsa_with_aes_128_cbc_sha256, tls_ecdh_ecdsa_with_aes_128_cbc_sha256, tls_ecdh_rsa_with_aes_128_cbc_sha256, tls_dhe_rsa_with_aes_128_cbc_sha256, tls_dhe_dss_with_aes_128_cbc_sha256, tls_ecdhe_ecdsa_with_aes_128_cbc_sha, tls_ecdhe_rsa_with_aes_128_cbc_sha, tls_rsa_with_aes_128_cbc_sha, tls_ecdh_ecdsa_with_aes_128_cbc_sha, tls_ecdh_rsa_with_aes_128_cbc_sha, tls_dhe_rsa_with_aes_128_cbc_sha, tls_dhe_dss_with_aes_128_cbc_sha, tls_ecdhe_ecdsa_with_aes_128_gcm_sha256, tls_ecdhe_rsa_with_aes_128_gcm_sha256, tls_rsa_with_aes_128_gcm_sha256, tls_ecdh_ecdsa_with_aes_128_gcm_sha256, tls_ecdh_rsa_with_aes_128_gcm_sha256, tls_dhe_rsa_with_aes_128_gcm_sha256, tls_dhe_dss_with_aes_128_gcm_sha256, tls_ecdhe_ecdsa_with_3des_ede_cbc_sha, tls_ecdhe_rsa_with_3des_ede_cbc_sha, ssl_rsa_with_3des_ede_cbc_sha, tls_ecdh_ecdsa_with_3des_ede_cbc_sha, tls_ecdh_rsa_with_3des_ede_cbc_sha, ssl_dhe_rsa_with_3des_ede_cbc_sha, ssl_dhe_dss_with_3des_ede_cbc_sha, tls_ecdhe_ecdsa_with_rc4_128_sha, tls_ecdhe_rsa_with_rc4_128_sha, ssl_rsa_with_rc4_128_sha, tls_ecdh_ecdsa_with_rc4_128_sha, tls_ecdh_rsa_with_rc4_128_sha, ssl_rsa_with_rc4_128_md5, tls_empty_renegotiation_info_scsv] compression methods:  { 0 } extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1} extension ec_point_formats, formats: [uncompressed] extension signature_algorithms, signature_algorithms: sha512withecdsa, sha512withrsa, sha384withecdsa, sha384withrsa, sha256withecdsa, sha256withrsa, sha224withecdsa, sha224withrsa, sha1withecdsa, sha1withrsa, sha1withdsa, md5withrsa extension server_name, server_name: [type=host_name (0), value=trackobot.com] *** main, write: tlsv1.2 handshake, length = 229 main, read: tlsv1.2 alert, length = 2 main, recv tlsv1.2 alert:  fatal, handshake_failure main, called closesocket() main, handling exception: javax.net.ssl.sslhandshakeexception: received fatal alert: handshake_failure javax.net.ssl.sslhandshakeexception: received fatal alert: handshake_failure     @ sun.security.ssl.alerts.getsslexception(alerts.java:192)     @ sun.security.ssl.alerts.getsslexception(alerts.java:154)     @ sun.security.ssl.sslsocketimpl.recvalert(sslsocketimpl.java:1991)     @ sun.security.ssl.sslsocketimpl.readrecord(sslsocketimpl.java:1104)     @ sun.security.ssl.sslsocketimpl.performinitialhandshake(sslsocketimpl.java:1343)     @ sun.security.ssl.sslsocketimpl.starthandshake(sslsocketimpl.java:1371)     @ sun.security.ssl.sslsocketimpl.starthandshake(sslsocketimpl.java:1355)     @ sun.net.www.protocol.https.httpsclient.afterconnect(httpsclient.java:563)     @ sun.net.www.protocol.https.abstractdelegatehttpsurlconnection.connect(abstractdelegatehttpsurlconnection.java:185)     @ sun.net.www.protocol.http.httpurlconnection.getinputstream0(httpurlconnection.java:1511)     @ sun.net.www.protocol.http.httpurlconnection.getinputstream(httpurlconnection.java:1439)     @ sun.net.www.protocol.https.httpsurlconnectionimpl.getinputstream(httpsurlconnectionimpl.java:254)     @ java.net.url.openstream(url.java:1038)     @ trackbot.readhistory(trackbot.java:37)     @ hsanalytics.main(hsanalytics.java:6) ende

furthermore, use openssl , perl script (analyze-ssl.pl) check server.

for openssl s_client -connect trackobot.com:443 got:

connected(00000003) depth=2 /c=il/o=startcom ltd./ou=secure digital certificate signing/cn=startcom certification authority verify error:num=19:self signed certificate in certificate chain verify return:0 --- certificate chain  0 s:/c=ch/cn=www.trackobot.com/emailaddress=df1c792ce8e2fc342c0c63c2fab9c6fe-1805689@contact.gandi.net    i:/c=il/o=startcom ltd./ou=secure digital certificate signing/cn=startcom class 1 primary intermediate server ca  1 s:/c=il/o=startcom ltd./ou=secure digital certificate signing/cn=startcom class 1 primary intermediate server ca    i:/c=il/o=startcom ltd./ou=secure digital certificate signing/cn=startcom certification authority  2 s:/c=il/o=startcom ltd./ou=secure digital certificate signing/cn=startcom certification authority    i:/c=il/o=startcom ltd./ou=secure digital certificate signing/cn=startcom certification authority --- server certificate -----begin certificate----- miigatccbvggawibagihbaei9isk1janbgkqhkig9w0baqsfadcbjdelmakga1ue bhmcsuwxfjaubgnvbaotdvn0yxj0q29tiex0zc4xkzapbgnvbastilnly3vyzsbe awdpdgfsienlcnrpzm [...] bncztkntrp7wpfw6dppdjzt8bd0rpp0b8fvukqkuujp fegspzhxqvap3gzdunvlelz4pxsc/06x9xlpua4knnkipmvk0djyxkdpguaw6yh9 i3sprrgd/b5aoxdpydm1qrgc+hto3ydnab29crfx13mfief9en6yrmlzmwj/dmjo rcvkqpjoxtlodmx9gwgdj27ublq/4f/q9nlvfx4v00eyyqymyy6imlouwebvwoav zorzlly9pmepxjtkcw== -----end certificate----- subject=/c=ch/cn=www.trackobot.com/emailaddress=df1c792ce8e2fc342c0c63c2fab9c6fe-1805689@contact.gandi.net issuer=/c=il/o=startcom ltd./ou=secure digital certificate signing/cn=startcom class 1 primary intermediate server ca --- no client certificate ca names sent --- ssl handshake has read 5848 bytes , written 328 bytes --- new, tlsv1/sslv3, cipher dhe-rsa-aes256-sha server public key 2048 bit secure renegotiation supported compression: none expansion: none ssl-session:     protocol  : tlsv1     cipher    : dhe-rsa-aes256-sha     session-id: a868799d47c550929adf026fdc48cabd2444c96fddab86036196029bf7754d1b     session-id-ctx:      master-key: 6c0e428129970c6b1e358e134b12125373bed6ff50d55004a68a9042ad4e51c6d70bb8480266cc1bd1f11b093e212bfc     key-arg   : none     start time: 1433943895     timeout   : 300 (sec)     verify return code: 0 (ok) ---

for analyze-ssl trackobot.com:443 got:

-- trackobot.com port 443  ! server sent unused chain certificate '/c=il/o=startcom ltd./ou=secure digital certificate signing/cn=startcom certification authority'  ! server sent unused chain certificate '/c=il/o=startcom ltd./ou=secure digital certificate signing/cn=startcom certification authority'  * maximum ssl version  : tlsv1_2 (sslv23)  * supported ssl versions handshake used , preferred cipher(s):    * handshake protocols ciphers    * sslv23    tlsv1_2   ecdhe-rsa-aes256-gcm-sha384    * tlsv1_2   tlsv1_2   ecdhe-rsa-aes256-gcm-sha384    * tlsv1_1   tlsv1_1   ecdhe-rsa-aes256-sha    * tlsv1     tlsv1     ecdhe-rsa-aes256-sha    * sslv3     failed: ssl connect attempt failed because of handshake problems error:14094410:ssl routines:ssl3_read_bytes:sslv3 alert handshake failure   * cipher order      : server  * sni supported        : ok  * certificate verified : ok  * chain on 5.102.146.151    * [0/0] bits=2048, ocsp_uri=http://ocsp.startssl.com/sub/class1/server/ca, /c=ch/cn=www.trackobot.com/emailaddress=df1c792ce8e2fc342c0c63c2fab9c6fe-1805689@contact.gandi.net san=dns:www.trackobot.com,dns:trackobot.com    * [1/1] bits=2048, ocsp_uri=http://ocsp.startssl.com/ca, /c=il/o=startcom ltd./ou=secure digital certificate signing/cn=startcom class 1 primary intermediate server ca    * [2/-] bits=4096, ocsp_uri=, /c=il/o=startcom ltd./ou=secure digital certificate signing/cn=startcom certification authority    * [-/2] bits=4096, ocsp_uri=, /c=il/o=startcom ltd./ou=secure digital certificate signing/cn=startcom certification authority  * ocsp stapling        : no stapled response  * ocsp status          : (soft error: no ocsp_uri /c=il/o=startcom ltd./ou=secure digital certificate signing/cn=startcom certification authority)

versions:

mac osx 10.10.3 openssl 0.9.8zd 8 jan 2015 java version "1.8.0_25" java(tm) se runtime environment (build 1.8.0_25-b17) java hotspot(tm) 64-bit server vm (build 25.25-b02, mixed mode)

can spot java program fails? can meet handshake requirements of server? issue?

according https://www.ssllabs.com, server supports cipher suites

tls_ecdhe_rsa_with_aes_256_gcm_sha384  tls_ecdhe_rsa_with_aes_256_cbc_sha384 tls_ecdhe_rsa_with_aes_256_cbc_sha  tls_dhe_rsa_with_aes_256_gcm_sha384 tls_dhe_rsa_with_aes_256_cbc_sha256 tls_dhe_rsa_with_aes_256_cbc_sha

they listed "unavailable cipher suite" can see in debug messages.

in jre/lib/security/local_policy.jar, see

// countries have import limits on crypto strength. policy file // worldwide importable.  grant {     permission javax.crypto.cryptopermission "des", 64;     permission javax.crypto.cryptopermission "desede", *;     permission javax.crypto.cryptopermission "rc2", 128,                                       "javax.crypto.spec.rc2parameterspec", 128;     permission javax.crypto.cryptopermission "rc4", 128;     permission javax.crypto.cryptopermission "rc5", 128,            "javax.crypto.spec.rc5parameterspec", *, 12, *;     permission javax.crypto.cryptopermission "rsa", *;     permission javax.crypto.cryptopermission *, 128; };

download , install "(jce) unlimited strength jurisdiction policy files" - http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html - , can confirm problem solved. read me file says

due import control restrictions of countries, version of jce policy files bundled in java runtime environment, or jre(tm), 8 environment allow "strong" limited cryptography used. download bundle (the 1 including readme file) provides "unlimited strength" policy files contain no restrictions on cryptographic strengths.


Comments

Post a Comment

Popular posts from this blog

javascript - gulp-nodemon - nodejs restart after file change - Error: listen EADDRINUSE events.js:85 -

-
i'm running nodejs 0.12.3 - gulp 3.10.8 , gulp-nodemon 2.0.3. gulpfile.js : gulp.task('serve', ['build'], function() { gulp.start('fb-flo'); nodemon({ script: paths.server, env: { 'node_env': 'development' }, // env: { 'node_env': 'production' }, execmap: { 'js': 'node_modules/babel/bin/babel-node --stage 1' //es7 cote server }, delay: '0ms', watch: ['src/shared/', 'src/server/'], ignore: ['src/shared/components'], tasks: function (changedfiles) { var tasks = []; changedfiles.foreach(function (file) { if (path.extname(file) === '.jsx' && !~tasks.indexof('bundlejs')) tasks.push('bundlejs'); if (path.extname(file) === '.less' && !~tasks.indexof('compileless')) tasks.push('compileless'); }); return tasks; } ...
Read more

Fatal Python error: Py_Initialize: unable to load the file system codec. ImportError: No module named 'encodings' -

-
i trying make simple python program opening list of webpages user manually download reports site. don't have previous experience preparing exe files.. , i'm in learning process python coding. of done on windows 7 x64 this python code: #!c:/python34/python.exe -u splinter import * import time import os import csv #---------------------------------- raporty = [] open('../raporty.csv', newline='') csvfile: contents = csv.reader(csvfile, delimiter=' ', quotechar='|') row in contents: r = ', '.join(row) r = r.replace(',','') raporty.append(r) #--not implemented yet zmienne = [] open('../zmienne.csv', newline='') csvfile: contents = csv.reader(csvfile, delimiter=' ', quotechar='|') row in contents: r = ', '.join(row) r = r.replace(',','') zmienne.append(r) print("start") browser = browser(...
Read more

javascript - oscilloscope of speaker input stops rendering after a few seconds -

-
the following script reads audio user's microphone , renders oscilloscope on html canvas. the source taken example of mozilla developer network: visualizations web audio api and here fiddle: http://jsfiddle.net/b7j8pktp/ mozgetusermedia (note: code has no fork mechanism different browsers: works firefox) it works fine few seconds , stops rendering. whereas works totally stable: http://mdn.github.io/voice-change-o-matic/ the problem can reduced following code. microphone activation icon (next the address bar in firefox) disappears after 5 seconds: navigator.mozgetusermedia({audio: true}, function() {}, function() {} ); ( http://jsfiddle.net/b7j8pktp/2/ ) this known bug in firefox. take stream getusermedia call , hook window so: navigator.mozgetusermedia({audio: true}, function(stream) { window.stream = stream; // rest of code }, function err() { // handle error }); hopefully can fixed soon. problem we're f...
Read more