0 Replies Latest reply on Dec 9, 2014 11:04 PM by David Matthews

    SSLException Received Fatal Alert

    David Matthews Newbie

      I am attempting to integrate as a HTTPS Web Service client running on JBOSS EAP 6.1, Apache CXF 3, JDK 1.7 and I keep getting this error. I've created my keystore and truststore. It doesn't appear I have things configured correctly on the client side because it's not actually getting any Hello message from the server. Can anyone point me in the right direction?


      13:48:12,612 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

      13:48:12,613 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

      13:48:12,614 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

      13:48:12,615 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

      13:48:12,616 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

      13:48:12,617 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

      13:48:12,617 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDH_anon_WITH_AES_256_CBC_SHA

      13:48:12,618 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA

      13:48:12,619 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

      13:48:12,620 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256

      13:48:12,621 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

      13:48:12,622 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

      13:48:12,623 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

      13:48:12,623 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

      13:48:12,624 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

      13:48:12,625 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

      13:48:12,626 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

      13:48:12,726 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

      13:48:12,727 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

      13:48:12,728 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

      13:48:12,729 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

      13:48:12,730 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256

      13:48:12,731 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

      13:48:12,731 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256

      13:48:12,732 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

      13:48:12,733 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

      13:48:12,734 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384

      13:48:12,734 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256

      13:48:12,735 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

      13:48:12,735 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

      13:48:12,736 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

      13:48:12,737 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

      13:48:12,737 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

      13:48:12,738 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

      13:48:12,739 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

      13:48:12,740 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

      13:48:12,741 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

      13:48:12,742 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256

      13:48:12,759 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Allow unsafe renegotiation: false
      13:48:12,761 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Allow legacy hello messages: true
      13:48:12,762 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Is initial handshake: true
      13:48:12,762 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Is secure renegotiation: false

      13:48:12,764 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, setSoTimeout(60000) called

      13:48:12,766 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

      13:48:12,767 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

      13:48:12,768 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

      13:48:12,769 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for SSLv3

      13:48:12,770 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

      13:48:12,772 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for SSLv3

      13:48:12,773 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for SSLv3

      13:48:12,774 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

      13:48:12,775 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

      13:48:12,777 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

      13:48:12,778 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1

      13:48:12,809 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

      13:48:12,810 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1

      13:48:12,810 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1

      13:48:12,812 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

      13:48:12,812 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

      13:48:12,813 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256

      13:48:12,814 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

      13:48:12,814 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256

      13:48:12,815 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

      13:48:12,816 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256

      13:48:12,820 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) %% No cached client session

      13:48:12,827 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) *** ClientHello, TLSv1

      13:48:12,829 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) RandomCookie:  GMT: 1401384476 bytes = { 19, 2, 165, 94, 47, 172, 204, 147, 160, 102, 93, 255, 3, 249, 103, 124, 199, 138, 248, 125, 188, 15, 27, 179, 109, 121, 148, 78 }

      13:48:12,830 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Session ID:  {}

      13:48:12,830 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]

      13:48:12,844 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Compression Methods:  { 0 }

      13:48:12,845 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}

      13:48:12,848 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Extension ec_point_formats, formats: [uncompressed]

      13:48:12,848 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) Extension server_name, server_name: [host_name: example.com]

      13:48:12,849 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) ***

      13:48:12,850 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, WRITE: TLSv1 Handshake, length = 221

      13:48:12,853 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, READ: TLSv1 Alert, length = 2

      13:48:12,855 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, RECV TLSv1 ALERT:  fatal, unexpected_message

      13:48:12,856 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, called closeSocket()

      13:48:12,856 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, handling exception: javax.net.ssl.SSLException: Received fatal alert: unexpected_message

      13:48:12,858 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, called close()

      13:48:12,858 INFO  [stdout] (http-example.com/10.61.198.114:8080-2) http-example.com/10.61.198.114:8080-2, called closeInternal(true)



      Here is my cxf config:


      <http:conduit name="*.http-conduit">

        
      <http:tlsClientParameters>
        
      <sec:keyManagers keyPassword="changeit">
        
      <sec:keyStore type="JKS" password="changeit"
        file
      ="d:/keystore/test.jks"/>
        
      </sec:keyManagers>
        
      <sec:trustManagers>
        
      <sec:keyStore type="JKS" password="changeit"
        file
      ="d:/Java/lib/security/cacerts"/>
        
      </sec:trustManagers>
        
      <sec:cipherSuitesFilter>
        
      <!-- these filters ensure that a ciphersuite with
        export
      -suitable or null encryption is used,
        but exclude anonymous
      Diffie-Hellman key change as
        
      this is vulnerable to man-in-the-middle attacks -->
        
      <sec:include>.*_EXPORT_.*</sec:include>
        
      <sec:include>.*_EXPORT1024_.*</sec:include>
        
      <sec:include>.*_WITH_DES_.*</sec:include>
        
      <sec:include>.*_WITH_AES_.*</sec:include>
        
      <sec:include>.*_WITH_NULL_.*</sec:include>
        
      <sec:exclude>.*_DH_anon_.*</sec:exclude>
        
      </sec:cipherSuitesFilter>
        
      </http:tlsClientParameters>
        
      <http:authorization>
        
      <sec:UserName>username</sec:UserName>
        
      <sec:Password>password</sec:Password>
        
      </http:authorization>
        
      <http:client AutoRedirect="true" Connection="Keep-Alive"/>

       
      </http:conduit>