4 Replies Latest reply on Aug 23, 2016 10:05 AM by vincent.sourin

    [WF-10] SSL & Problem in Firefox

    vincent.sourin

      Hello,

       

      I've got a problem with WildFly 10 (latest commit of the 10.x branch: df59081) and Firefox (version 48.0.1) when SSL is activated.

      Here is my configuration:

       

      <security-realm name="ssl-realm">
          <server-identities>
              <ssl>
                  <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="change_it" alias="server"/>
              </ssl>
          </server-identities>
      </security-realm>
      [....]
      <subsystem xmlns="urn:jboss:domain:undertow:3.1">
          <buffer-cache name="default"/>
          <server name="default-server">
              <http-listener name="default" socket-binding="http" redirect-socket="https"/>
              <https-listener name="https" socket-binding="https" security-realm="ssl-realm" />
              <host name="default-host" alias="localhost">
                  <location name="/" handler="welcome-content"/>
                  <filter-ref name="server-header"/>
                  <filter-ref name="x-powered-by-header"/>
              </host>
          </server>
          <servlet-container name="default">
              <jsp-config/>
              <websockets/>
          </servlet-container>
          <handlers>
              <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
          </handlers>
          <filters>
              <response-header name="server-header" header-name="Server" header-value="WildFly/10"/>
              <response-header name="x-powered-by-header" header-name="X-Powered-By" header-value="Undertow/1"/>
          </filters>
      </subsystem>
      

       

      When I try to connect to the WildFly welcome page (https://localhost:8443), the page is partially loaded and I get this error message in the Firefox console:

       

      Secure Connection Failed SSL received a record with an incorrect Message Authentication Code. (Error code: ssl_error_bad_mac_read) 
      

       

      and in WildFly I get these errors:

       

      2016-08-18 20:48:49,487 DEBUG [io.undertow.request] (default I/O-4) Matched default handler path /
      2016-08-18 20:48:49,556 DEBUG [io.undertow.request] (default I/O-11) Matched default handler path /wildfly.css
      2016-08-18 20:48:49,568 DEBUG [io.undertow.request] (default I/O-6) Matched default handler path /jbosscommunity_logo_hori_white.png
      2016-08-18 20:48:49,568 DEBUG [io.undertow.request] (default I/O-13) Matched default handler path /wildfly_logo.png
      2016-08-18 20:48:49,572 DEBUG [io.undertow.request] (default I/O-15) Matched default handler path /bkg.gif
      2016-08-18 20:48:49,609 DEBUG [io.undertow.request.io] (default I/O-13) UT005013: An IOException occurred: java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
          at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:608)
          at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:973)
          at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1068)
          at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:789)
          at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:561)
          at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
          at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:156)
          at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:134)
          at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:58)
          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
          at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
          at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1118)
          at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
          at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
      Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
          at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
          at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
          at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
          at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
          at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:606)
          ... 13 more
      
      2016-08-18 20:48:49,610 DEBUG [io.undertow.request.io] (default task-15) UT005013: An IOException occurred: java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
          at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:608)
          at io.undertow.protocols.ssl.SslConduit.closed(SslConduit.java:973)
          at io.undertow.protocols.ssl.SslConduit.close(SslConduit.java:1068)
          at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:891)
          at io.undertow.protocols.ssl.SslConduit.write(SslConduit.java:371)
          at io.undertow.server.protocol.http.HttpResponseConduit.write(HttpResponseConduit.java:599)
          at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.write(AbstractFixedLengthStreamSinkConduit.java:106)
          at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.write(AbstractFixedLengthStreamSinkConduit.java:120)
          at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
          at io.undertow.channels.DetachableStreamSinkChannel.write(DetachableStreamSinkChannel.java:187)
          at io.undertow.server.HttpServerExchange$WriteDispatchChannel.write(HttpServerExchange.java:2000)
          at io.undertow.io.AsyncSenderImpl.invokeOnComplete(AsyncSenderImpl.java:398)
          at io.undertow.io.AsyncSenderImpl.send(AsyncSenderImpl.java:162)
          at io.undertow.server.handlers.resource.PathResource$1ServerTask.run(PathResource.java:178)
          at io.undertow.server.handlers.resource.PathResource.serveImpl(PathResource.java:247)
          at io.undertow.server.handlers.resource.PathResource.serve(PathResource.java:105)
          at io.undertow.server.handlers.resource.ResourceHandler$1.handleRequest(ResourceHandler.java:299)
          at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
          at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
          at java.lang.Thread.run(Thread.java:745)
      Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
          at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
          at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
          at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
          at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561)
          at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:606)
          ... 21 more
      
      2016-08-18 20:48:49,669 DEBUG [io.undertow.request.io] (default I/O-13) Error reading request: java.io.IOException: Une connexion existante a dû être fermée par l’hôte distant
          at sun.nio.ch.SocketDispatcher.read0(Native Method)
          at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:43)
          at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223)
          at sun.nio.ch.IOUtil.read(IOUtil.java:192)
          at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380)
          at org.xnio.nio.NioSocketConduit.read(NioSocketConduit.java:289)
          at io.undertow.protocols.ssl.SslConduit.doUnwrap(SslConduit.java:694)
          at io.undertow.protocols.ssl.SslConduit.read(SslConduit.java:561)
          at org.xnio.conduits.ConduitStreamSourceChannel.read(ConduitStreamSourceChannel.java:127)
          at io.undertow.server.protocol.http.HttpReadListener.handleEventWithNoRunningRequest(HttpReadListener.java:156)
          at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:134)
          at io.undertow.server.protocol.http.HttpReadListener.handleEvent(HttpReadListener.java:58)
          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
          at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
          at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1118)
          at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
          at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
      
      2016-08-18 20:48:49,701 DEBUG [io.undertow.request.io] (default task-15) UT005013: An IOException occurred: java.io.IOException: Une connexion existante a dû être fermée par l’hôte distant
          at sun.nio.ch.SocketDispatcher.write0(Native Method)
          at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:51)
          at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93)
          at sun.nio.ch.IOUtil.write(IOUtil.java:51)
          at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:471)
          at org.xnio.nio.NioSocketConduit.write(NioSocketConduit.java:153)
          at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:874)
          at io.undertow.protocols.ssl.SslConduit.write(SslConduit.java:371)
          at io.undertow.server.protocol.http.HttpResponseConduit.write(HttpResponseConduit.java:599)
          at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.write(AbstractFixedLengthStreamSinkConduit.java:106)
          at io.undertow.conduits.AbstractFixedLengthStreamSinkConduit.write(AbstractFixedLengthStreamSinkConduit.java:120)
          at org.xnio.conduits.ConduitStreamSinkChannel.write(ConduitStreamSinkChannel.java:154)
          at io.undertow.channels.DetachableStreamSinkChannel.write(DetachableStreamSinkChannel.java:187)
          at io.undertow.server.HttpServerExchange$WriteDispatchChannel.write(HttpServerExchange.java:2000)
          at io.undertow.io.AsyncSenderImpl.invokeOnComplete(AsyncSenderImpl.java:398)
          at io.undertow.io.AsyncSenderImpl.send(AsyncSenderImpl.java:162)
          at io.undertow.server.handlers.resource.PathResource$1ServerTask.run(PathResource.java:178)
          at io.undertow.server.handlers.resource.PathResource.serveImpl(PathResource.java:247)
          at io.undertow.server.handlers.resource.PathResource.serve(PathResource.java:105)
          at io.undertow.server.handlers.resource.ResourceHandler$1.handleRequest(ResourceHandler.java:299)
          at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
          at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
          at java.lang.Thread.run(Thread.java:745)
      

       

      Strangely, it seems to work without problems with IE11.

       

      I tried to "play" with different cipher suites in Undertow, but each time I got the same errors.

       

      Thanks in advance for your help.

       

      Vincent.