4 Replies Latest reply on Mar 2, 2007 10:06 AM by Claudia Richter

    SSLHandshakeException when connecting to JNDI

    Claudia Richter Newbie

      Hello,
      I have an issue with a Server, that is not registering correctly with an JNDI Server (I have this issue with sslsocket as well as with sslmultiplex). In my understandung a JNDI Server should not need to have a certificate all Servers need to trust. I this right? And if so, can anybody tell me where this Exception might come from?

      My Server is running on localhost:1101 and my JNDI runs on the same machine on Port 1099

      Here is the Logging Stack of my Server:

      reqistering with JNDI server
      2007-02-27 14:59:40,664 WARN [main] org.jboss.remoting.detection.jndi.JNDIDetector: Detector: org.jboss.remoting.detection.jndi.JNDIDetector could not be loaded because the NetworkRegistry is not registered
      2007-02-27 14:59:40,664 WARN [main] org.jboss.remoting.detection.jndi.JNDIDetector: This means that only the broadcasting of detection messages will be functional and will not be able to discover other servers.
      susseccfully reqistered with JNDI Server
      2007-02-27 14:59:41,680 INFO [Remoting Detector - Heartbeat Thread: 1] org.jboss.remoting.detection.jndi.JNDIDetector: Added 3087152660c52e45x-3af92cc0x110ba7efe6bx-7ffb56 to registry.
      2007-02-27 14:59:52,273 ERROR [SocketServerInvoker#0-1101] org.jboss.remoting.transport.sslsocket.SSLSocketServerInvoker: Failed to accept socket connection
      java.lang.reflect.InvocationTargetException
       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
       at java.lang.reflect.Constructor.newInstance(Unknown Source)
       at org.jboss.remoting.transport.socket.ServerThread.createServerSocket(ServerThread.java:198)
       at org.jboss.remoting.transport.socket.ServerThread.<init>(ServerThread.java:95)
       at org.jboss.remoting.transport.socket.SocketServerInvoker.processInvocation(SocketServerInvoker.java:492)
       at org.jboss.remoting.transport.socket.SocketServerInvoker.run(SocketServerInvoker.java:444)
       at java.lang.Thread.run(Unknown Source)
      Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
       at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
       at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
       at java.io.BufferedOutputStream.flush(Unknown Source)
       at java.io.ObjectOutputStream$BlockDataOutputStream.flush(Unknown Source)
       at java.io.ObjectOutputStream.flush(Unknown Source)
       at org.jboss.remoting.transport.socket.ServerSocketWrapper.createOutputStream(ServerSocketWrapper.java:65)
       at org.jboss.remoting.transport.socket.ClientSocketWrapper.createStreams(ClientSocketWrapper.java:75)
       at org.jboss.remoting.transport.socket.ClientSocketWrapper.<init>(ClientSocketWrapper.java:54)
       at org.jboss.remoting.transport.socket.ServerSocketWrapper.<init>(ServerSocketWrapper.java:50)
       ... 9 more
      2007-02-27 14:59:52,335 ERROR [SocketServerInvoker#0-1101] org.jboss.remoting.transport.sslsocket.SSLSocketServerInvoker: Failed to accept socket connection
      java.lang.reflect.InvocationTargetException
       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
       at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
       at java.lang.reflect.Constructor.newInstance(Unknown Source)
       at org.jboss.remoting.transport.socket.ServerThread.createServerSocket(ServerThread.java:198)
       at org.jboss.remoting.transport.socket.ServerThread.<init>(ServerThread.java:95)
       at org.jboss.remoting.transport.socket.SocketServerInvoker.processInvocation(SocketServerInvoker.java:492)
       at org.jboss.remoting.transport.socket.SocketServerInvoker.run(SocketServerInvoker.java:444)
       at java.lang.Thread.run(Unknown Source)
      Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
       at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source)
       at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source)
       at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
       at java.io.BufferedOutputStream.flush(Unknown Source)
       at java.io.ObjectOutputStream$BlockDataOutputStream.flush(Unknown Source)
       at java.io.ObjectOutputStream.flush(Unknown Source)
       at org.jboss.remoting.transport.socket.ServerSocketWrapper.createOutputStream(ServerSocketWrapper.java:65)
       at org.jboss.remoting.transport.socket.ClientSocketWrapper.createStreams(ClientSocketWrapper.java:75)
       at org.jboss.remoting.transport.socket.ClientSocketWrapper.<init>(ClientSocketWrapper.java:54)
       at org.jboss.remoting.transport.socket.ServerSocketWrapper.<init>(ServerSocketWrapper.java:50)
       ... 9 more
      2007-02-27 14:59:52,664 INFO [Remoting Detector - Heartbeat Thread: 12] org.jboss.remoting.detection.jndi.JNDIDetector: Added 3087152660c52e45x-3af92cc0x110ba7efe6bx-7ffb56 to registry.
      




      I have a Client that shall request all available Servers from the JNDI. Here is what the Client logged:

      connecting to JNDI Server
      2007-02-27 14:59:51,367 INFO [main] jndiClient.JNDIConnector: setting up connection to JNDI Server
      2007-02-27 14:59:51,398 INFO [main] jndiClient.JNDIConnector: register NetworkRegistry with MBean Server
      2007-02-27 14:59:51,664 INFO [main] jndiClient.JNDIConnector: getting available Servers from JNDI
      2007-02-27 14:59:52,273 WARN [main] org.jboss.remoting.ConnectionValidator: ConnectionValidator could not successfully ping server (InvokerLocator [sslsocket://localhost:1101/]
      2007-02-27 14:59:52,335 WARN [Remoting Detector - Heartbeat Thread: 0] org.jboss.remoting.ConnectionValidator: ConnectionValidator could not successfully ping server (InvokerLocator [sslsocket://localhost:1101/]
      2007-02-27 14:59:52,351 ERROR [Remoting Detector - Heartbeat Thread: 0] org.jboss.remoting.detection.jndi.JNDIDetector: Exception getting detection messages from JNDI server.
      javax.naming.NameNotFoundException: 3087152660c52e45x-3af92cc0x110ba7efe6bx-7ffb56 not bound
       at org.jnp.server.NamingServer.getBinding(NamingServer.java:529)
       at org.jnp.server.NamingServer.getBinding(NamingServer.java:537)
       at org.jnp.server.NamingServer.unbind(NamingServer.java:242)
       at org.jnp.server.NamingServer.unbind(NamingServer.java:215)
       at sun.reflect.GeneratedMethodAccessor19.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at sun.rmi.server.UnicastServerRef.dispatch(Unknown Source)
       at sun.rmi.transport.Transport$1.run(Unknown Source)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.rmi.transport.Transport.serviceCall(Unknown Source)
       at sun.rmi.transport.tcp.TCPTransport.handleMessages(Unknown Source)
       at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(Unknown Source)
       at java.lang.Thread.run(Unknown Source)
       at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(Unknown Source)
       at sun.rmi.transport.StreamRemoteCall.executeCall(Unknown Source)
       at sun.rmi.server.UnicastRef.invoke(Unknown Source)
       at org.jnp.server.NamingServer_Stub.unbind(Unknown Source)
       at org.jnp.interfaces.NamingContext.unbind(NamingContext.java:752)
       at org.jnp.interfaces.NamingContext.unbind(NamingContext.java:737)
       at org.jboss.remoting.detection.jndi.JNDIDetector.unregisterDetection(JNDIDetector.java:499)
       at org.jboss.remoting.detection.jndi.JNDIDetector.checkRemoteDetectionMsg(JNDIDetector.java:286)
       at org.jboss.remoting.detection.jndi.JNDIDetector.heartbeat(JNDIDetector.java:220)
       at org.jboss.remoting.detection.AbstractDetector$Heartbeat.run(AbstractDetector.java:698)
       at java.util.TimerThread.mainLoop(Unknown Source)
       at java.util.TimerThread.run(Unknown Source)
      


      Can anybody help me?

        • 1. Re: SSLHandshakeException when connecting to JNDI
          Ron Sigal Master

          Hi,

          The detectors will periodically ping the servers they know about to see if they are still alive. The ping is an actual invocation on the server, so, for sslsocket, there will be an SSL handshake, for which the client will need a truststore. Note the line

          2007-02-27 14:59:52,273 WARN [main] org.jboss.remoting.ConnectionValidator: ConnectionValidator could not successfully ping server (InvokerLocator [sslsocket://localhost:1101/]
          


          in the client log, which corresponds in time to the line

          2007-02-27 14:59:52,273 ERROR [SocketServerInvoker#0-1101] org.jboss.remoting.transport.sslsocket.SSLSocketServerInvoker: Failed to accept socket connection


          in the server log. That looks like a handshake failure. See the client SimpleSSLDetectorClient in org.jboss.remoting.samples.detection.jndi.ssl for an example of a detector in the presence of servers using an ssl transport. Note that the server, SimpleSSLDetectorServer, must be configured to use sslsocket with a system arg like -Dargs=sslsocket-1101.

          • 2. Re: SSLHandshakeException when connecting to JNDI
            Claudia Richter Newbie

             


            The detectors will periodically ping the servers they know about to see if they are still alive. The ping is an actual invocation on the server, so, for sslsocket, there will be an SSL handshake, for which the client will need a truststore.


            Well the problem is, that I have a Client and a Server that run perfectly when using no JNDI detection. They use trusted certificates. Only when JNDI detection is enabled I have the problem. And even when JNDI detection is enabled my Client is able to connect to my Server (as long as the Server is still alive). Just the detection does not work.


            See the client SimpleSSLDetectorClient in org.jboss.remoting.samples.detection.jndi.ssl for an example of a detector in the presence of servers using an ssl transport. Note that the server, SimpleSSLDetectorServer, must be configured to use sslsocket with a system arg like -Dargs=sslsocket-1101.


            Where can I find the org.jboss.remoting.samples.detection.jndi.ssl package? I didn't find it within the Remoting 2.0.0 CR1 or the Remoting 2.0.0 GA sources I downloaded. I could only find org.jboss.remoting.samples.detection.jndi and org.jboss.remoting.samples.detection.multicast packages.

            • 3. Re: SSLHandshakeException when connecting to JNDI
              Ron Sigal Master

              Ah. It turns out that org.jboss.remoting.samples.detection.jndi.ssl, and the facility it demonstrates, were created after the release of Remoting 2.0.0.GA, so you would have to find it them in the CVS repository. You could look in the HEAD branch, but the remoting_2_x branch is more reliable since that's where most active development is taking place.

              As for your problem, it should be fixed by those changes. In particular, the detector, just like your client, needs access to a truststore to be able to ping the server. Before JBREM-581: "can not do connection validation with ssl transport (only impacts detection)", there was no way to tell JNDIDetector about a truststore, but JNDIDetector now has a constructor

              public JNDIDetector(Map config);


              which allows the application to pass to the JNDIDetector the same truststore information that the client gets.

              By the way, for information about checking code out of the JBoss CVS repository, see

              http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossRemoting_source_and_build

              • 4. Re: SSLHandshakeException when connecting to JNDI
                Claudia Richter Newbie

                Thank you Ron. I exchanged the detection packages in may application with those from the CVS repository and used the new Constructor. And voila.... it runs. Thanks a lot.