4 Replies Latest reply on Aug 10, 2017 11:30 AM by Jörg Frommann

    SSL error connecting to AWS S3 storage in Wildfly 10

    Jörg Frommann Newbie
      I am facing a SSL error when using the Amazon AWS Java SDK in Wildfly 10. Wildfly is running local for now, not in EC2. When i execute the code directly in the JVM or in older Wildfly versions everything works fine.

       

      Simple code sample for demonstration purposes:

       

      AmazonS3 amazonS3 = AmazonS3ClientBuilder.standard().withRegion(Regions.EU_CENTRAL_1).withCredentials(new AWSStaticCredentialsProvider(new BasicAWSCredentials(ACCESS_KEY, SECRET_KEY))).build();

      amazonS3.putObject(BUCKET, "test/test.txt", "Test");

       

      -->

       

      Caused by: java.security.ProviderException: Could not derive key

          at sun.security.ec.ECDHKeyAgreement.engineGenerateSecret(ECDHKeyAgreement.java:133)

          at sun.security.ec.ECDHKeyAgreement.engineGenerateSecret(ECDHKeyAgreement.java:163)

          at javax.crypto.KeyAgreement.generateSecret(KeyAgreement.java:648)

          at sun.security.ssl.ECDHCrypt.getAgreedSecret(ECDHCrypt.java:102)

          at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1061)

          at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:348)

          at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)

          at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)

          at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)

          at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)

          at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)

          ... 127 more

      Caused by: java.security.InvalidAlgorithmParameterException

          at sun.security.ec.ECDHKeyAgreement.deriveKey(Native Method)

          at sun.security.ec.ECDHKeyAgreement.engineGenerateSecret(ECDHKeyAgreement.java:130)

          ... 137 more

       

      Works in (without error)

      • Wildfly 8.2.1 (Java 7 and 8)
      • Wildfly 9.0.2 (Java 8)
      • JVM directly (Java 8)

       

      Works NOT in

      • Wildfly 10.0.10 (Java 8)
      • Wildfly 10.1.0 (Java 8)
      • Wildfly 11.0.0 Beta 1 (Java 8)

       

      JVMs tested

      • 1.7.0_60
      • 1.8.0_25
      • 1.8.0_74
      • 1.8.0_144 (main JVM)

       

      Truststore / Keystore

      JVM default

       

      Obviously there must have been changes in Wildfly 10 which cause the error (directly or indirectly) since running the same code using the same JVM shows different behaviour in Wildfly 9 and 10. Any hint to solve this error for Wildfly 10 would be highly appreciated!

        • 1. Re: SSL error connecting to AWS S3 storage in Wildfly 10
          Martin Choma Master

          Compare logs turning on -Djavax.net.debug=all to see what is going on.

           

          Probably what happens here is, that for some reason since wildfly 10 TLS_ECDHE_* cipher suite is selected during handshake. But it is not able to success. Until wildfly 10 it was some other cipher suite, which was able to finish SSL handshake.

          Probably there has changed client side protocol / cipher suite set between wildfly versions. But logs should reveal that.

           

          What is your java vendor? I recall OpenJDK had some problems with EC ciphers suites.

           

          Does AmazonS3ClientBuilder has options to tweak SSL handshake information. Protocol / cipher suite? That way you can configure protocol/cipher suite explicitely to be same as on wildfly 9.

          • 2. Re: SSL error connecting to AWS S3 storage in Wildfly 10
            Jörg Frommann Newbie

            My Java vendor is Oracle so that should not be the problem. I don't know very much about SSL but to me it seems that both Wildfly 9 and 10 are using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA as cipher suite. In Wildfly 10 the handshake seems to be tried four times, in Wildfly 9 seems to be only one handshake.

             

            Wildfly 10

             

            11:04:17,168 INFO  [stdout] (ServerService Thread Pool -- 11) ServerService Thread Pool -- 11, READ: TLSv1.2 Handshake, length = 87

            11:04:17,168 INFO  [stdout] (ServerService Thread Pool -- 11) *** ServerHello, TLSv1.2

            11:04:17,169 INFO  [stdout] (ServerService Thread Pool -- 11) RandomCookie:  GMT: 1485405579 bytes = { 225, 154, 100, 167, 164, 82, 47, 78, 246, 142, 69, 99, 20, 168, 45, 238, 198, 246, 2, 238, 99, 52, 189, 226, 234, 156, 118, 193 }

            11:04:17,169 INFO  [stdout] (ServerService Thread Pool -- 11) Session ID:  {73, 37, 245, 48, 33, 224, 209, 215, 12, 88, 136, 45, 203, 212, 41, 178, 70, 56, 248, 3, 253, 192, 184, 238, 31, 238, 114, 33, 65, 223, 56, 30}

            11:04:17,169 INFO  [stdout] (ServerService Thread Pool -- 11) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

            11:04:17,169 INFO  [stdout] (ServerService Thread Pool -- 11) Compression Method: 0

            11:04:17,169 INFO  [stdout] (ServerService Thread Pool -- 11) Extension ec_point_formats, formats: [uncompressed]

            11:04:17,169 INFO  [stdout] (ServerService Thread Pool -- 11) Extension renegotiation_info, renegotiated_connection: <empty>

            11:04:17,169 INFO  [stdout] (ServerService Thread Pool -- 11) ***

            11:04:17,170 INFO  [stdout] (ServerService Thread Pool -- 11) %% Initialized:  [Session-4, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]

            11:04:17,170 INFO  [stdout] (ServerService Thread Pool -- 11) ** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

            11:04:17,170 INFO  [stdout] (ServerService Thread Pool -- 11) [read] MD5 and SHA1 hashes:  len = 87

            ...

            11:04:17,316 INFO  [stdout] (ServerService Thread Pool -- 11) Found trusted certificate:

            11:04:17,316 INFO  [stdout] (ServerService Thread Pool -- 11) [

            11:04:17,316 INFO  [stdout] (ServerService Thread Pool -- 11) [

            11:04:17,316 INFO  [stdout] (ServerService Thread Pool -- 11)   Version: V3

            11:04:17,316 INFO  [stdout] (ServerService Thread Pool -- 11)   Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE

            11:04:17,316 INFO  [stdout] (ServerService Thread Pool -- 11)   Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

            11:04:17,316 INFO  [stdout] (ServerService Thread Pool -- 11)

            11:04:17,316 INFO  [stdout] (ServerService Thread Pool -- 11)   Key:  RSA Public Key

            11:04:17,316 INFO  [stdout] (ServerService Thread Pool -- 11)             modulus: a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a39

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)     public exponent: 10001

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)   Validity: [From: Fri May 12 20:46:00 CEST 2000,

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)                To: Tue May 13 01:59:00 CEST 2025]

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)   Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)   SerialNumber: [    020000b9]

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) Certificate Extensions: 3

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) [1]: ObjectId: 2.5.29.19 Criticality=true

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) BasicConstraints:[

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)   CA:true

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)   PathLen:3

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) ]

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) [2]: ObjectId: 2.5.29.15 Criticality=true

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) KeyUsage [

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)   Key_CertSign

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)   Crl_Sign

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) ]

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) [3]: ObjectId: 2.5.29.14 Criticality=false

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) SubjectKeyIdentifier [

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) KeyIdentifier [

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) 0000: E5 9D 59 30 82 47 58 CC   AC FA 08 54 36 86 7B 3A  ..Y0.GX....T6..:

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) 0010: B5 04 4D F0                                        ..M.

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) ]

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) ]

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) ]

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)   Algorithm: [SHA1withRSA]

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)   Signature:

            ...

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11)

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) ]

            11:04:17,317 INFO  [stdout] (ServerService Thread Pool -- 11) [read] MD5 and SHA1 hashes:  len = 2724

            ...

            11:04:17,467 INFO  [stdout] (ServerService Thread Pool -- 11) ServerService Thread Pool -- 11, READ: TLSv1.2 Handshake, length = 333

            11:04:17,468 INFO  [stdout] (ServerService Thread Pool -- 11) *** ECDH ServerKeyExchange

            11:04:17,468 INFO  [stdout] (ServerService Thread Pool -- 11) Signature Algorithm SHA256withRSA

            11:04:17,468 INFO  [stdout] (ServerService Thread Pool -- 11) Server key: EC Public Key

            11:04:17,468 INFO  [stdout] (ServerService Thread Pool -- 11)             X: 775f4a8a443c1c1e940ac8c37bd397ce96d4930a64351a7be4d46fbaffb10884

            11:04:17,468 INFO  [stdout] (ServerService Thread Pool -- 11)             Y: aa57907ac2e3d4f30570770fc435b7e891e2cbccf2486b24d214c68850e89018

            11:04:17,468 INFO  [stdout] (ServerService Thread Pool -- 11)

            11:04:17,470 INFO  [stdout] (ServerService Thread Pool -- 11) [read] MD5 and SHA1 hashes:  len = 333

            ...

            11:04:17,486 INFO  [stdout] (ServerService Thread Pool -- 11) [Raw read]: length = 5

            11:04:17,487 INFO  [stdout] (ServerService Thread Pool -- 11) 0000: 16 03 03 00 04                                     .....

            11:04:17,487 INFO  [stdout] (ServerService Thread Pool -- 11) [Raw read]: length = 4

            11:04:17,487 INFO  [stdout] (ServerService Thread Pool -- 11) 0000: 0E 00 00 00 

            11:04:17,487 INFO  [stdout] (ServerService Thread Pool -- 11) ServerService Thread Pool -- 11, READ: TLSv1.2 Handshake, length = 4

            11:04:17,487 INFO  [stdout] (ServerService Thread Pool -- 11) *** ServerHelloDone

            11:04:17,487 INFO  [stdout] (ServerService Thread Pool -- 11) [read] MD5 and SHA1 hashes:  len = 4

            11:04:17,488 INFO  [stdout] (ServerService Thread Pool -- 11) 0000: 0E 00 00 00                                        ....

            11:04:17,488 INFO  [stdout] (ServerService Thread Pool -- 11) *** ECDHClientKeyExchange

            11:04:17,489 INFO  [stdout] (ServerService Thread Pool -- 11) ECDH Public value:  { 4, 66, 138, 161, 91, 228, 183, 97, 173, 66, 22, 64, 254, 150, 218, 252, 135, 250, 245, 24, 239, 205, 81, 94, 86, 24, 17, 29, 19, 163, 247, 202, 107, 189, 96, 224, 160, 66, 233, 20, 142, 58, 221, 93, 242, 26, 88, 129, 22, 200, 108, 227, 198, 80, 71, 73, 124, 114, 15, 184, 73, 3, 163, 138, 60 }

            11:04:17,489 INFO  [stdout] (ServerService Thread Pool -- 11) [write] MD5 and SHA1 hashes:  len = 70

            11:04:17,490 INFO  [stdout] (ServerService Thread Pool -- 11) 0000: 10 00 00 42 41 04 42 8A   A1 5B E4 B7 61 AD 42 16  ...BA.B..[..a.B.

            11:04:17,491 INFO  [stdout] (ServerService Thread Pool -- 11) 0010: 40 FE 96 DA FC 87 FA F5   18 EF CD 51 5E 56 18 11  @..........Q^V..

            11:04:17,492 INFO  [stdout] (ServerService Thread Pool -- 11) 0020: 1D 13 A3 F7 CA 6B BD 60   E0 A0 42 E9 14 8E 3A DD  .....k.`..B...:.

            11:04:17,493 INFO  [stdout] (ServerService Thread Pool -- 11) 0030: 5D F2 1A 58 81 16 C8 6C   E3 C6 50 47 49 7C 72 0F  ]..X...l..PGI.r.

            11:04:17,493 INFO  [stdout] (ServerService Thread Pool -- 11) 0040: B8 49 03 A3 8A 3C                                  .I...<

            11:04:17,493 INFO  [stdout] (ServerService Thread Pool -- 11) ServerService Thread Pool -- 11, WRITE: TLSv1.2 Handshake, length = 70

            11:04:17,493 INFO  [stdout] (ServerService Thread Pool -- 11) [Raw write]: length = 75

            11:04:17,494 INFO  [stdout] (ServerService Thread Pool -- 11) 0000: 16 03 03 00 46 10 00 00   42 41 04 42 8A A1 5B E4  ....F...BA.B..[.

            11:04:17,495 INFO  [stdout] (ServerService Thread Pool -- 11) 0010: B7 61 AD 42 16 40 FE 96   DA FC 87 FA F5 18 EF CD  .a.B.@..........

            11:04:17,496 INFO  [stdout] (ServerService Thread Pool -- 11) 0020: 51 5E 56 18 11 1D 13 A3   F7 CA 6B BD 60 E0 A0 42  Q^V.......k.`..B

            11:04:17,496 INFO  [stdout] (ServerService Thread Pool -- 11) 0030: E9 14 8E 3A DD 5D F2 1A   58 81 16 C8 6C E3 C6 50  ...:.]..X...l..P

            11:04:17,497 INFO  [stdout] (ServerService Thread Pool -- 11) 0040: 47 49 7C 72 0F B8 49 03   A3 8A 3C                 GI.r..I...<

            11:04:17,497 INFO  [stdout] (ServerService Thread Pool -- 11) ServerService Thread Pool -- 11, handling exception: java.security.ProviderException: Could not derive key

            11:04:17,497 INFO  [stdout] (ServerService Thread Pool -- 11) %% Invalidated:  [Session-4, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]

            11:04:17,497 INFO  [stdout] (ServerService Thread Pool -- 11) ServerService Thread Pool -- 11, SEND TLSv1.2 ALERT:  fatal, description = internal_error

            11:04:17,497 INFO  [stdout] (ServerService Thread Pool -- 11) ServerService Thread Pool -- 11, WRITE: TLSv1.2 Alert, length = 2

            11:04:17,498 INFO  [stdout] (ServerService Thread Pool -- 11) [Raw write]: length = 7

            11:04:17,498 INFO  [stdout] (ServerService Thread Pool -- 11) 0000: 15 03 03 00 02 02 50                               ......P

            11:04:17,498 INFO  [stdout] (ServerService Thread Pool -- 11) ServerService Thread Pool -- 11, called closeSocket()

            11:04:17,499 ERROR [de.picturesafe.test.aws.AwsTestHack] (ServerService Thread Pool -- 11) Failed to write to AWS S3 storage!: com.amazonaws.SdkClientException: Unable to execute HTTP request: java.security.ProviderException: Could not derive key

             

            Wildfly 9

             

            11:11:20,156 INFO  [stdout] (ServerService Thread Pool -- 6) ServerService Thread Pool -- 6, READ: TLSv1.2 Handshake, length = 87

            11:11:20,157 INFO  [stdout] (ServerService Thread Pool -- 6) *** ServerHello, TLSv1.2

            11:11:20,158 INFO  [stdout] (ServerService Thread Pool -- 6) RandomCookie:  GMT: 1485340722 bytes = { 52, 128, 202, 141, 146, 197, 51, 194, 219, 222, 189, 221, 225, 201, 145, 105, 115, 84, 22, 1, 58, 216, 131, 130, 145, 42, 1, 72 }

            11:11:20,158 INFO  [stdout] (ServerService Thread Pool -- 6) Session ID:  {117, 84, 223, 77, 218, 154, 115, 116, 31, 33, 18, 122, 80, 187, 5, 188, 97, 84, 178, 247, 125, 38, 155, 38, 51, 155, 185, 75, 235, 110, 125, 156}

            11:11:20,158 INFO  [stdout] (ServerService Thread Pool -- 6) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

            11:11:20,158 INFO  [stdout] (ServerService Thread Pool -- 6) Compression Method: 0

            11:11:20,158 INFO  [stdout] (ServerService Thread Pool -- 6) Extension ec_point_formats, formats: [uncompressed]

            11:11:20,158 INFO  [stdout] (ServerService Thread Pool -- 6) Extension renegotiation_info, renegotiated_connection: <empty>

            11:11:20,159 INFO  [stdout] (ServerService Thread Pool -- 6) ***

            11:11:20,161 INFO  [stdout] (ServerService Thread Pool -- 6) %% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]

            11:11:20,161 INFO  [stdout] (ServerService Thread Pool -- 6) ** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

            11:11:20,161 INFO  [stdout] (ServerService Thread Pool -- 6) [read] MD5 and SHA1 hashes:  len = 87

            ...

            11:11:20,488 INFO  [stdout] (ServerService Thread Pool -- 6) Found trusted certificate:

            11:11:20,490 INFO  [stdout] (ServerService Thread Pool -- 6) [

            11:11:20,490 INFO  [stdout] (ServerService Thread Pool -- 6) [

            11:11:20,490 INFO  [stdout] (ServerService Thread Pool -- 6)   Version: V3

            11:11:20,490 INFO  [stdout] (ServerService Thread Pool -- 6)   Subject: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)   Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)   Key:  Sun RSA public key, 2048 bits

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)   modulus: 20579176651421167987106471718888186309534186253587759121109122482694167416584428920295678216035822449451639581023765122994089008826314029843654807108803739729565431642116323937940944378450034252354609020536286175863324156219063038927409933070688727356676027216359532593504366119272034244698731524943132462329205729047681997715455240148827523651706429854757422624117805863121520494307655271426986078917217383478420381375139154341613794371303682232583316393601620034638044186782252195438345309455714637508276892061355357785328168602107026282695945834955006612147350315937204256563720794300123948598669913435346712336953

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)   public exponent: 65537

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)   Validity: [From: Fri May 12 20:46:00 CEST 2000,

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)                To: Tue May 13 01:59:00 CEST 2025]

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)   Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)   SerialNumber: [    020000b9]

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6) Certificate Extensions: 3

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6) [1]: ObjectId: 2.5.29.19 Criticality=true

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6) BasicConstraints:[

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)   CA:true

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)   PathLen:3

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6) ]

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6) [2]: ObjectId: 2.5.29.15 Criticality=true

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6) KeyUsage [

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)   Key_CertSign

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)   Crl_Sign

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6) ]

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6)

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6) [3]: ObjectId: 2.5.29.14 Criticality=false

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6) SubjectKeyIdentifier [

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6) KeyIdentifier [

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6) 0000: E5 9D 59 30 82 47 58 CC   AC FA 08 54 36 86 7B 3A  ..Y0.GX....T6..:

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6) 0010: B5 04 4D F0                                        ..M.

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6) ]

            11:11:20,491 INFO  [stdout] (ServerService Thread Pool -- 6) ]

            11:11:20,492 INFO  [stdout] (ServerService Thread Pool -- 6)

            11:11:20,492 INFO  [stdout] (ServerService Thread Pool -- 6) ]

            ...

            11:11:20,492 INFO  [stdout] (ServerService Thread Pool -- 6)   Algorithm: [SHA1withRSA]

            11:11:20,492 INFO  [stdout] (ServerService Thread Pool -- 6)   Signature:

            ...

            11:11:20,492 INFO  [stdout] (ServerService Thread Pool -- 6)

            11:11:20,492 INFO  [stdout] (ServerService Thread Pool -- 6) ]

            11:11:20,492 INFO  [stdout] (ServerService Thread Pool -- 6) [read] MD5 and SHA1 hashes:  len = 2724

            ...

            11:11:20,643 INFO  [stdout] (ServerService Thread Pool -- 6) ServerService Thread Pool -- 6, READ: TLSv1.2 Handshake, length = 333

            11:11:20,651 INFO  [stdout] (ServerService Thread Pool -- 6) *** ECDH ServerKeyExchange

            11:11:20,651 INFO  [stdout] (ServerService Thread Pool -- 6) Signature Algorithm SHA256withRSA

            11:11:20,651 INFO  [stdout] (ServerService Thread Pool -- 6) Server key: EC Public Key

            11:11:20,651 INFO  [stdout] (ServerService Thread Pool -- 6)             X: 9c4d1e3e0dbafd3351fa9f4532eb64acdf64dcd4d4dad7846fe28c7645633a6e

            11:11:20,651 INFO  [stdout] (ServerService Thread Pool -- 6)             Y: f5f2a0c1287cb34efd593bc19e4f0c8bc71cedc692cee1615c7b1f0c5c5c6c88

            11:11:20,651 INFO  [stdout] (ServerService Thread Pool -- 6)

            11:11:20,689 INFO  [stdout] (ServerService Thread Pool -- 6) [read] MD5 and SHA1 hashes:  len = 333

            ...

            11:11:20,705 INFO  [stdout] (ServerService Thread Pool -- 6) [Raw read]: length = 5

            11:11:20,706 INFO  [stdout] (ServerService Thread Pool -- 6) 0000: 16 03 03 00 04                                     .....

            11:11:20,706 INFO  [stdout] (ServerService Thread Pool -- 6) [Raw read]: length = 4

            11:11:20,706 INFO  [stdout] (ServerService Thread Pool -- 6) 0000: 0E 00 00 00                         

            11:11:20,706 INFO  [stdout] (ServerService Thread Pool -- 6) ServerService Thread Pool -- 6, READ: TLSv1.2 Handshake, length = 4

            11:11:20,706 INFO  [stdout] (ServerService Thread Pool -- 6) *** ServerHelloDone

            11:11:20,706 INFO  [stdout] (ServerService Thread Pool -- 6) [read] MD5 and SHA1 hashes:  len = 4

            11:11:20,707 INFO  [stdout] (ServerService Thread Pool -- 6) 0000: 0E 00 00 00                                        ....

            11:11:20,707 INFO  [stdout] (ServerService Thread Pool -- 6) *** ECDHClientKeyExchange

            11:11:20,709 INFO  [stdout] (ServerService Thread Pool -- 6) ECDH Public value:  { 4, 116, 59, 202, 227, 69, 248, 162, 91, 136, 183, 79, 186, 240, 169, 255, 228, 248, 37, 63, 35, 186, 46, 85, 163, 54, 192, 19, 121, 41, 155, 224, 203, 182, 186, 162, 42, 111, 205, 2, 29, 129, 214, 54, 11, 239, 155, 249, 114, 218, 3, 195, 236, 155, 179, 165, 189, 0, 27, 107, 15, 106, 209, 79, 47 }

            11:11:20,709 INFO  [stdout] (ServerService Thread Pool -- 6) [write] MD5 and SHA1 hashes:  len = 70

            ...

            11:11:20,713 INFO  [stdout] (ServerService Thread Pool -- 6) ServerService Thread Pool -- 6, WRITE: TLSv1.2 Handshake, length = 70

            11:11:20,713 INFO  [stdout] (ServerService Thread Pool -- 6) [Raw write]: length = 75

            ...

            11:11:20,720 INFO  [stdout] (ServerService Thread Pool -- 6) SESSION KEYGEN:

            11:11:20,720 INFO  [stdout] (ServerService Thread Pool -- 6) PreMaster Secret:

            11:11:20,721 INFO  [stdout] (ServerService Thread Pool -- 6) 0000: 3B 92 0C 31 9B 2E 3D 01   DA 2A 4D A4 57 4A 85 EE  ;..1..=..*M.WJ..

            11:11:20,721 INFO  [stdout] (ServerService Thread Pool -- 6) 0010: 86 98 D9 CC D1 65 CF A4   C9 39 70 3D 39 04 B8 88  .....e...9p=9...

            11:11:20,725 INFO  [stdout] (ServerService Thread Pool -- 6) CONNECTION KEYGEN:

            11:11:20,725 INFO  [stdout] (ServerService Thread Pool -- 6) Client Nonce:

            11:11:20,726 INFO  [stdout] (ServerService Thread Pool -- 6) 0000: 59 89 80 38 3C 01 BD 32   93 F2 29 45 6C BD 07 D4  Y..8<..2..)El...

            11:11:20,726 INFO  [stdout] (ServerService Thread Pool -- 6) 0010: D1 28 1C 45 77 02 94 15   30 5D 82 7F F4 B0 3D DC  .(.Ew...0]....=.

            11:11:20,726 INFO  [stdout] (ServerService Thread Pool -- 6) Server Nonce:

            11:11:20,727 INFO  [stdout] (ServerService Thread Pool -- 6) 0000: 59 89 80 32 34 80 CA 8D   92 C5 33 C2 DB DE BD DD  Y..24.....3.....

            11:11:20,728 INFO  [stdout] (ServerService Thread Pool -- 6) 0010: E1 C9 91 69 73 54 16 01   3A D8 83 82 91 2A 01 48  ...isT..:....*.H

            11:11:20,728 INFO  [stdout] (ServerService Thread Pool -- 6) Master Secret:

            11:11:20,729 INFO  [stdout] (ServerService Thread Pool -- 6) 0000: E1 0D 76 58 AE 2C FC 3A   05 03 86 BE 32 60 BD 9E  ..vX.,.:....2`..

            11:11:20,729 INFO  [stdout] (ServerService Thread Pool -- 6) 0010: C8 6D AF EB 67 B3 92 9F   A6 72 58 D6 92 F8 50 F6  .m..g....rX...P.

            11:11:20,730 INFO  [stdout] (ServerService Thread Pool -- 6) 0020: 0B D3 50 35 85 5B 94 94   0A B8 2B 5E AB B1 EC 97  ..P5.[....+^....

            11:11:20,730 INFO  [stdout] (ServerService Thread Pool -- 6) Client MAC write Secret:

            11:11:20,731 INFO  [stdout] (ServerService Thread Pool -- 6) 0000: 33 C9 C5 C6 D2 D4 90 DB   C2 1F C7 9F 0A 7D 77 D5  3.............w.

            11:11:20,731 INFO  [stdout] (ServerService Thread Pool -- 6) 0010: E2 31 43 BC                                        .1C.

            11:11:20,731 INFO  [stdout] (ServerService Thread Pool -- 6) Server MAC write Secret:

            11:11:20,732 INFO  [stdout] (ServerService Thread Pool -- 6) 0000: B0 8B FE 75 10 0F 76 8D   7D E7 5F 01 D7 7C 57 CA  ...u..v..._...W.

            11:11:20,733 INFO  [stdout] (ServerService Thread Pool -- 6) 0010: 75 82 C0 ED                                        u...

            11:11:20,733 INFO  [stdout] (ServerService Thread Pool -- 6) Client write key:

            11:11:20,733 INFO  [stdout] (ServerService Thread Pool -- 6) 0000: E0 FC 74 8D C4 77 36 6D   9E 2B 8B 2A 00 EF 1B 57  ..t..w6m.+.*...W

            11:11:20,733 INFO  [stdout] (ServerService Thread Pool -- 6) Server write key:

            11:11:20,734 INFO  [stdout] (ServerService Thread Pool -- 6) 0000: E2 E6 29 12 A5 66 83 5D   DB D8 E9 0E B1 9A 44 44  ..)..f.]......DD

            11:11:20,734 INFO  [stdout] (ServerService Thread Pool -- 6) ... no IV derived for this protocol

            11:11:20,736 INFO  [stdout] (ServerService Thread Pool -- 6) ServerService Thread Pool -- 6, WRITE: TLSv1.2 Change Cipher Spec, length = 1

            11:11:20,736 INFO  [stdout] (ServerService Thread Pool -- 6) [Raw write]: length = 6

            11:11:20,737 INFO  [stdout] (ServerService Thread Pool -- 6) 0000: 14 03 03 00 01 01                                  ......

            11:11:20,748 INFO  [stdout] (ServerService Thread Pool -- 6) *** Finished

            11:11:20,748 INFO  [stdout] (ServerService Thread Pool -- 6) verify_data:  { 22, 0, 35, 220, 179, 115, 57, 8, 177, 117, 120, 184 }

            11:11:20,748 INFO  [stdout] (ServerService Thread Pool -- 6) ***

             

            The AmazonS3ClientBuilder does not have options to tweak SSL handshake. IT uses Apache HttpComponents inside but i could not find a way to access the HttpClient.

            • 3. Re: SSL error connecting to AWS S3 storage in Wildfly 10
              Martin Choma Master

              There was issue [JBEAP-2070] Unable to create HTTPS connection using *ECDH_RSA* cipher suites / kECDHr cipher string - JBoss Issue Track…  . Thing was in later version of wildfly, wildfly started to handle self signed certificate stricter compared to previous. However, it was about wildfly acting as TLS server. Not sure if this could be somehow applied also to wildfly as TLS client.

               

              dlofthouse. what do you think?

               

              Could you try https.cipherSuites system property, but I doubt Apache httpcomponents rely on java HttpUrlConnection.

              • 4. Re: SSL error connecting to AWS S3 storage in Wildfly 10
                Jörg Frommann Newbie

                I found a way to make the Amazon client use a different cipher suite. I had to configure a custom SocketFactory to achieve that.

                 

                ClientConfiguration clientConfiguration = new ClientConfiguration();

                        clientConfiguration.getApacheHttpClientConfig().setSslSocketFactory(

                                new SSLConnectionSocketFactory(

                                        SSLContexts.custom().build(),

                                        new String[] {"TLSv1.2", "TLSv1.1", "TLSv1"},

                                        new String[] {"TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256"},

                //                           new DefaultHostnameVerifier()));

                                        new NoopHostnameVerifier()));

                AmazonS3 amazonS3 = AmazonS3ClientBuilder.standard()

                                .withClientConfiguration(clientConfiguration)

                                .withRegion(Regions.EU_CENTRAL_1)

                                .withCredentials(new AWSStaticCredentialsProvider(new BasicAWSCredentials(ACCESS_KEY, SECRET_KEY)))

                                .build();

                amazonS3.putObject(BUCKET, "test/test.txt", "Test");

                 

                I had to turn off hostname verification via NoopHostnameVerifier because it did not work with the TLS_RSA_ cipher suites when the bucket has dots in its name.

                 

                Amazon supports several TLS_ECDHE_ cipher suites as you can see here: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers

                Interestingly none of them works within Wildfly 10, only the TLS_RSA_ cypher suites work. What changed in Wildfly 10 that made the TLS_ECDHE_ cipher suites unusable for client connections?