I have two WildFly servers, one is the service provider, the other one the service consumer. Both have an EAR with EJBs deployed. Now I would like the service consumer bean to call the service provider bean over an SSL-secured connection. But I can't get it working. The provider listens for connections with an undertow https-listener and the consumer uses a remote outgoing connection. I can call both beans from a JavaSE client with SSL, without any problems. But when the two servers should talk to each other the communication stops during the SSL handshake. And the server (the provider) throws an exception after both printed out the ignored/unused cipher suites:
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
The JavaSE client shows the same behavior when I set SSL_STARTTLS=true on the client side. It works when this option isn't set at all. My problem is that in class org.jboss.as.remoting.RemoteOutboundConnectionService the endpoint is always configured with SSL_STARTTLS=true. It overwrites everything that is set through the CLI.
The result is that the consumer starts sending data unencrypted. On the provider side the https-listener (org.wildfly.extension.undertow.HttpsListenerService) doesn't allow me to configure the connection. In the method startListening the OptionMap is hardcoded. The result is that the provider WildFly server expects encryption right from the beginning. The exception is right, the consumer sends plain data and the provider expects encrypted data. Do you know a way they could understand each other?
Maybe I should use a http-listener and use the upgrade from http to remoting for switching to encryption, but I can't get it working either.
For completeness here are some parts of my configuration:
Both WildFly servers are from github, ALPHA4-SNAPSHOT from this morning.
WildFly provider config:
subsystem undertow, default-server:
<https-listener name="defaults" socket-binding="https" security-realm="HttpsRealm"/>
<http-connector name="https-remoting-connector" connector-ref="defaults" security-realm="ProviderAppRealm"/>
<remote connector-ref="https-remoting-connector" thread-pool-name="default"/>
Output on the service provider side when the communication stops:
[stdout] (default I/O-3) Using SSLEngineImpl.
[stdout] (default I/O-3) Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
*** 13 lines more ***
[stdout] (default I/O-3) Allow unsafe renegotiation: false
[stdout] (default I/O-3) Allow legacy hello messages: true
[stdout] (default I/O-3) Is initial handshake: true
[stdout] (default I/O-3) Is secure renegotiation: false
[stdout] (default I/O-3) default I/O-3, fatal error: 80: problem unwrapping net record
[stdout] (default I/O-3) javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
[stdout] (default I/O-3) default I/O-3, SEND TLSv1 ALERT: fatal, description = internal_error
[stdout] (default I/O-3) default I/O-3, WRITE: TLSv1 Alert, length = 2
[stdout] (default I/O-3) default I/O-3, called closeOutbound()
[stdout] (default I/O-3) default I/O-3, closeOutboundInternal()
[stdout] (default I/O-3) [Raw write]: length = 7
[stdout] (default I/O-3) 0000: 15 03 01 00 02 02 50 ......P
WildFly consumer config:
subsystem remoting, outbound connections:
<remote-outbound-connection name="provider-one-connection" outbound-socket-binding-ref="provider-ejb" security-realm="ProviderOneRealm" protocol="https-remoting">
    <property name="SASL_POLICY_NOANONYMOUS" value="false"/>
</remote-outbound-connection>
The realms contain the key- and truststores and I got no error messages that a key is missing or not trusted or a password is wrong. I tried this for the working JavaSE client and I got dedicated error messages when one of the values doesn't fit.
Can you tell me what I did wrong? I think I'm missing something really basic, but I can't find it. Thanks a lot in advance for your help!
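To make the mismatch in the post concrete, here is an added example (not part of the original post or of WildFly) that applies the same first-bytes sanity check a TLS engine performs, and decodes the 7-byte alert record the provider wrote before closing. The plaintext sample and the alert-description subset are constructed for the example.

```python
import struct
from dataclasses import dataclass

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of alert descriptions (RFC 5246, section 7.2); 80 is the one in the provider log
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
                      42: "bad_certificate", 70: "protocol_version", 80: "internal_error"}


@dataclass
class TlsRecord:
    content_type: str
    version: str   # "3.1" is TLSv1, "3.3" is TLSv1.2
    length: int
    payload: bytes


def looks_like_tls_record(data: bytes) -> bool:
    """Sanity check a TLS engine applies to the first bytes it receives: a known
    content type followed by major version 3 (SSLv3/TLS 1.x). Whatever a client
    sends in the clear before a STARTTLS upgrade fails this check, which is what
    produces 'Unrecognized SSL message, plaintext connection?' on the provider."""
    return len(data) >= 5 and data[0] in CONTENT_TYPES and data[1] == 3


def parse_record(data: bytes) -> TlsRecord:
    """Parse one TLS record header (type, version, length) plus its payload."""
    if not looks_like_tls_record(data):
        raise ValueError("not a TLS record: peer is probably speaking plaintext (STARTTLS mismatch?)")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    return TlsRecord(CONTENT_TYPES[ctype], f"{major}.{minor}", length, payload)


def describe_alert(record: TlsRecord) -> str:
    """Render an alert record as '<level> <description>', e.g. 'fatal internal_error'."""
    if record.content_type != "alert" or len(record.payload) != 2:
        raise ValueError("not an alert record")
    level, desc = record.payload
    return f"{ALERT_LEVELS.get(level, level)} {ALERT_DESCRIPTIONS.get(desc, desc)}"


# The 7 bytes the provider wrote before closing, as hex-dumped in the post
PROVIDER_ALERT = bytes.fromhex("15 03 01 00 02 02 50")
# Constructed sample of a cleartext opening, to show what fails the record check
PLAINTEXT_OPENING = b"GET / HTTP/1.1\r\n"
```

Running `describe_alert(parse_record(PROVIDER_ALERT))` reproduces the log line "TLSv1 ALERT: fatal, description = internal_error", while `looks_like_tls_record(PLAINTEXT_OPENING)` is false, which is the provider's view of a peer that starts in the clear.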