1

I am creating a SOAP server on a ubuntu machine, the connection is fine when using Oracle jre, but fails when using openJDK.

Can anyone help me identify the problem, or a workaround?

Below is a lot of information and source code, which hopefully will help.

$ java -version
java version "1.6.0_23"
OpenJDK Runtime Environment (IcedTea6 1.11pre) (6b23~pre11-0ubuntu1.11.10.2)
OpenJDK 64-Bit Server VM (build 20.0-b11, mixed mode)

Server code:

  public class MainClass {

    public static void main(String[] args) {
        System.out.println("Hello, world");
        int port = 8001;
        try {

            String keystoreFile = System.getProperty("user.dir") + "/keystore.pkcs12";

            System.out.println("Keystore " + keystoreFile);
            String keystorePassword = "password";

            InetAddress hostname = InetAddress.getByName("0.0.0.0");

            Object implementor = new DummyService();

            SSLContext ssl = SSLContext.getInstance("TLS");

            KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            KeyStore store = KeyStore.getInstance("PKCS12");

            store.load(new FileInputStream(keystoreFile), keystorePassword.toCharArray());

            keyFactory.init(store, keystorePassword.toCharArray());

            KeyStore tstore = KeyStore.getInstance("PKCS12");
            tstore.load(new FileInputStream(keystoreFile), keystorePassword.toCharArray());
            TrustManagerFactory trustFactory = TrustManagerFactory.getInstance("SunX509");
            trustFactory.init(tstore);

            ssl.init(keyFactory.getKeyManagers(),
                    trustFactory.getTrustManagers(), null);

            HttpsConfigurator configurator = new HttpsConfigurator(ssl);


            HttpsServer httpsServer = HttpsServer.create(new InetSocketAddress(hostname, port), port);

            httpsServer.setHttpsConfigurator(configurator);

            HttpContext httpContext = httpsServer.createContext("/SoapContext/SoapPort");

            httpsServer.start();

            Endpoint endpoint = Endpoint.create(implementor);
            endpoint.publish(httpContext);
            System.out.println(httpsServer.getAddress());
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }
  }

PHP test code:

$client = new SoapClient("https://host:8001/SoapContext/SoapPort?wsdl");
var_dump($client);

Result with oracle java:

object(SoapClient)#1 (3) {
  ["_stream_context"]=>
  resource(4) of type (stream-context)
  ["_soap_version"]=>
  int(1)
  ["sdl"]=>
  resource(8) of type (Unknown)
}

Result with openJDK java:

PHP Fatal error:  SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://host:8001/SoapContext/SoapPort?wsdl' : failed to load external entity "https://host:8001/SoapContext/SoapPort?wsdl"
 in /tmp/bla.php on line 9
PHP Fatal error:  Uncaught SoapFault exception: [WSDL] SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://host:8001/SoapContext/SoapPort?wsdl' : failed to load external entity "https://host:8001/SoapContext/SoapPort?wsdl"
 in /tmp/bla.php:9
Stack trace:
#0 /tmp/bla.php(9): SoapClient->SoapClient('https://host...', Array)
#1 {main}
  thrown in /tmp/bla.php on line 9

Fatal error: Uncaught SoapFault exception: [WSDL] SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://host:8001/SoapContext/SoapPort?wsdl' : failed to load external entity "https://host:8001/SoapContext/SoapPort?wsdl"
 in /tmp/bla.php:9
Stack trace:
#0 /tmp/bla.php(9): SoapClient->SoapClient('host...', Array)
#1 {main}
  thrown in /tmp/bla.php on line 9

(OpenJDK) openssl s_client -connect https://host:8001/SoapContext/SoapPort?wsdl -ssl3 returns:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 4F5625733BA7E6D790FFB02549A81A511EA097BB397BC197469174C77928EFF4
    Session-ID-ctx: 
    Master-Key: 5C0112457F7D3157FFCA03C1F5CAF7BC72CCDBD605B44E0C48663E171C8B6ED43AC1FF1DD3734F32714DDFD160E726C9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1331045748
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)

(OpenJDK) openssl s_client -connect https://host:8001/SoapContext/SoapPort?wsdl -tls1 returns:

CONNECTED(00000003)
140061171041952:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1331045776
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
Improve this question
1
  • Perhaps policy tools missing in openjdk? Commented Mar 6, 2012 at 19:09

2 Answers 2

Reset to default
2

The problem turns out to be related to the "SunPKCS11" provider, which is enabled by default in ubuntu's OpenJDK installations.
The problem can be resolved by removing sun.security.pkcs11.SunPKCS11 from $JAVA_HOME/jre/lib/security/java.security

Update: I have created a bug report for this issue, consider "affects me too" if this issue concerns you https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/948875.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

I have the same problem (Ubuntu 12.04 + openjdk-7-jre-headless + Tomcat with SSL):

$ curl -ik https://192.168.x.x:8443/

curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

$ openssl s_client -connect 192.168.x.x:8443

CONNECTED(00000003)
3073509576:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:724:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

my solution was setting "ciphers" param in tomcat/conf/server.xml:

<Connector port="8443"
           protocol="HTTP/1.1"
           URIEncoding="ISO-8859-1"
           enableLookups="false"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="flse" sslProtocol="TLS"
           keystoreFile="server.p12"
           keystoreType="PKCS12" keystorePass="changeit"
           truststoreFile="trusted.jks"
           truststoreType="JKS" truststorePass="changeit"
           ciphers="TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA"
/>

From client code you can do anything like this to limit protos and ciphers:

public static SSLParameters setupSSLParams(final SSLContext ctx) {
    List<String> protos = new ArrayList<String>();
    protos.add("TLSv1");
    protos.add("SSLv3");
    List<String> suites = new ArrayList<String>();
    suites.add("TLS_RSA_WITH_AES_256_CBC_SHA");
    suites.add("TLS_RSA_WITH_AES_128_CBC_SHA");
    suites.add("SSL_RSA_WITH_3DES_EDE_CBC_SHA");
    suites.add("SSL_RSA_WITH_RC4_128_SHA");
    SSLParameters sslParams = ctx.getSupportedSSLParameters();
    protos.retainAll(Arrays.asList(sslParams.getProtocols()));
    suites.retainAll(Arrays.asList(sslParams.getCipherSuites()));
    sslParams.setProtocols(protos.toArray(new String[0]));
    sslParams.setCipherSuites(suites.toArray(new String[0]));
    return sslParams;
}
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.