[WF-10] SSL & Problem in Firefox
vincent.sourin Aug 18, 2016 3:12 PM

Hello,
I've got a problem with WildFly 10 (latest commit of the 10.x branch: df59081) and Firefox (version 48.0.1) when SSL is activated.
Here is my configuration:
<security-realm name="ssl-realm">
    <server-identities>
        <ssl>
            <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="change_it" alias="server"/>
        </ssl>
    </server-identities>
</security-realm>
[....]
<subsystem xmlns="urn:jboss:domain:undertow:3.1">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" socket-binding="http" redirect-socket="https"/>
        <https-listener name="https" socket-binding="https" security-realm="ssl-realm"/>
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <filter-ref name="server-header"/>
            <filter-ref name="x-powered-by-header"/>
        </host>
    </server>
    <servlet-container name="default">
        <jsp-config/>
        <websockets/>
    </servlet-container>
    <handlers>
        <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
    </handlers>
    <filters>
        <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
        <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
    </filters>
</subsystem>
When I try to connect to the WildFly welcome page (https://localhost:8443), the page is partially loaded and I get this error message in the Firefox console:
Secure Connection Failed SSL received a record with an incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_read)
and in WildFly I get these errors:
2016-08-18 20:48:49,487 DEBUG [io.undertow.request] (default I/O-4) Matched default handler path /
2016-08-18 20:48:49,556 DEBUG [io.undertow.request] (default I/O-11) Matched default handler path /wildfly.css
2016-08-18 20:48:49,568 DEBUG [io.undertow.request] (default I/O-6) Matched default handler path /jbosscommunity_logo_hori_white.png
2016-08-18 20:48:49,568 DEBUG [io.undertow.request] (default I/O-13) Matched default handler path /wildfly_logo.png
2016-08-18 20:48:49,572 DEBUG [io.undertow.request] (default I/O-15) Matched default handler path /bkg.gif
2016-08-18 20:48:49,609 DEBUG [io.undertow.request.io] (default I/O-13) UT005013: An IOException occurred: java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:608)
    at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:973)
    at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1068)
    at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:789)
    at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:561)
    at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
    at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:156)
    at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:134)
    at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:58)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
    at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1118)
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
    at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
    at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:606)
    ... 13 more
2016-08-18 20:48:49,610 DEBUG [io.undertow.request.io] (default task-15) UT005013: An IOException occurred: java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:608)
    at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:973)
    at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1068)
    at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:891)
    at io.undertow.protocols.ssl.SslConduit.write(SslConduit.java:371)
    at io.undertow.server.protocol.http.HttpResponseConduit.write(HttpResponseConduit.java:599)
    at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.write(AbstractFixedLengthStreamSinkConduit.java:106)
    at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.write(AbstractFixedLengthStreamSinkConduit.java:120)
    at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
    at io.undertow.channels.DetachableStreamSinkChannel.write(DetachableStreamSinkChannel.java:187)
    at io.undertow.server.HttpServerExchange$WriteDispatchChannel.write(HttpServerExchange.java:2000)
    at io.undertow.io.AsyncSenderImpl.invokeOnComplete(AsyncSenderImpl.java:398)
    at io.undertow.io.AsyncSenderImpl.send(AsyncSenderImpl.java:162)
    at io.undertow.server.handlers.resource.PathResource$1ServerTask.run(PathResource.java:178)
    at io.undertow.server.handlers.resource.PathResource.serveImpl(PathResource.java:247)
    at io.undertow.server.handlers.resource.PathResource.serve(PathResource.java:105)
    at io.undertow.server.handlers.resource.ResourceHandler$1.handleRequest(ResourceHandler.java:299)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
    at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
    at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:606)
    ... 21 more
2016-08-18 20:48:49,669 DEBUG [io.undertow.request.io] (default I/O-13) Error reading request: java.io.IOException: Une connexion existante a dû être fermée par l’hôte distant
    at sun.nio.ch.SocketDispatcher.read0(Native Method)
    at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:43)
    at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
    at sun.nio.ch.IOUtil.read(IOUtil.java:192)
    at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
    at org.xnio.nio.NioSocketConduit.read(NioSocketConduit.java:289)
    at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:694)
    at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:561)
    at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
    at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:156)
    at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:134)
    at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:58)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
    at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
    at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1118)
    at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
2016-08-18 20:48:49,701 DEBUG [io.undertow.request.io] (default task-15) UT005013: An IOException occurred: java.io.IOException: Une connexion existante a dû être fermée par l’hôte distant
    at sun.nio.ch.SocketDispatcher.write0(Native Method)
    at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:51)
    at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93)
    at sun.nio.ch.IOUtil.write(IOUtil.java:51)
    at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:471)
    at org.xnio.nio.NioSocketConduit.write(NioSocketConduit.java:153)
    at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:874)
    at io.undertow.protocols.ssl.SslConduit.write(SslConduit.java:371)
    at io.undertow.server.protocol.http.HttpResponseConduit.write(HttpResponseConduit.java:599)
    at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.write(AbstractFixedLengthStreamSinkConduit.java:106)
    at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.write(AbstractFixedLengthStreamSinkConduit.java:120)
    at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
    at io.undertow.channels.DetachableStreamSinkChannel.write(DetachableStreamSinkChannel.java:187)
    at io.undertow.server.HttpServerExchange$WriteDispatchChannel.write(HttpServerExchange.java:2000)
    at io.undertow.io.AsyncSenderImpl.invokeOnComplete(AsyncSenderImpl.java:398)
    at io.undertow.io.AsyncSenderImpl.send(AsyncSenderImpl.java:162)
    at io.undertow.server.handlers.resource.PathResource$1ServerTask.run(PathResource.java:178)
    at io.undertow.server.handlers.resource.PathResource.serveImpl(PathResource.java:247)
    at io.undertow.server.handlers.resource.PathResource.serve(PathResource.java:105)
    at io.undertow.server.handlers.resource.ResourceHandler$1.handleRequest(ResourceHandler.java:299)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Strangely, it seems to work without problems with IE11.
I tried to "play" with different cipher suites in Undertow, but each time I got the same errors.
Thanks in advance for your help.
Vincent.
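Added example (not code from the post or from WildFly/Undertow): a small Python triage helper for Undertow debug output in the shape of the log above. The server-side "Inbound closed before receiving peer's close_notify: possible truncation attack?" is the JDK SSLEngine reporting that the peer dropped the TCP connection without a TLS close_notify alert, consistent with the client side aborting the session; grouping those records by I/O thread, together with the handler paths that thread had matched, shows which resources were in flight when the browser gave up. The sample log is a constructed, shortened excerpt and the regexes assume the default WildFly console log pattern.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened excerpt in the same shape as the thread's log
# (one stack-frame line kept to show that continuation lines are skipped).
SAMPLE_LOG = """\
2016-08-18 20:48:49,487 DEBUG [io.undertow.request] (default I/O-4) Matched default handler path /
2016-08-18 20:48:49,556 DEBUG [io.undertow.request] (default I/O-11) Matched default handler path /wildfly.css
2016-08-18 20:48:49,568 DEBUG [io.undertow.request] (default I/O-13) Matched default handler path /wildfly_logo.png
2016-08-18 20:48:49,609 DEBUG [io.undertow.request.io] (default I/O-13) UT005013: An IOException occurred: java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:608)
2016-08-18 20:48:49,669 DEBUG [io.undertow.request.io] (default I/O-13) Error reading request: java.io.IOException: Une connexion existante a dû être fermée par l’hôte distant
"""

# One log record header: timestamp, level, logger category, thread, message
# (assumes WildFly's default console pattern; adjust if yours differs).
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \S+) (?P<level>\w+) \[(?P<logger>[\w.]+)\] "
    r"\((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
PATH_RE = re.compile(r"Matched default handler path (?P<path>\S+)")
TLS_MARKERS = ("SSLException", "Error reading request", "UT005013")


def triage(log_text):
    """Return {thread: {"paths": [...], "errors": [...]}} for every thread that
    logged a TLS/connection failure: "paths" are the handler paths the thread had
    matched before its first failure, "errors" the exception text without the
    java.io.IOException wrapper."""
    paths_seen = defaultdict(list)
    report = {}
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # stack frames and "Caused by" lines carry no record header
        thread, msg = m["thread"], m["msg"]
        p = PATH_RE.search(msg)
        if p:
            paths_seen[thread].append(p["path"])
        elif any(k in msg for k in TLS_MARKERS):
            entry = report.setdefault(
                thread, {"paths": list(paths_seen[thread]), "errors": []}
            )
            entry["errors"].append(msg.split("java.io.IOException: ", 1)[-1])
    return report


if __name__ == "__main__":
    for thread, info in triage(SAMPLE_LOG).items():
        print(thread, info["paths"], *info["errors"], sep="\n    ")
```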