Page 1 of 2 12 LastLast
Results 1 to 10 of 19
  1. #1

    HTTPS connection - Invalid Certificate Chain

    I am developing a web application which uses two servers, A and B. Both of these have recently been enabled for https encryption.


    Server A is the main server, serving html/css etc and server B is a lightstreamer real time data server, serving real time data updates.


    Before I enabled https on both servers, everything was working just fine, lightstreamer components were updating in the browser. However now, whilst the main server still works fine over https, the lightstreamer component has broken. The lightstreamer client can not seem to make an https connection to the lightstreamer server.


    Below are the errors generated in Safari when the lightstreamer client tries to connect to the https enabled lightstreamer server which is running on the same host. Currently this application is in development so I need a development environment where I can run and test the application on the same host (Mac OSX Mavericks).


    [Error] WebSocket network error: OSStatus Error -9807: Invalid certificate chain (localhost, line 0)

    [Error] Failed to load resource: An SSL error has occurred and a secure connection to the server cannot be made. (create_session.js, line 0)


    Any help would be greatly appreciated.
    Thanks in advance.

  2. #2
    Administrator
    Join Date
    Feb 2012
    Location
    Milano
    Posts
    543
    Hi doraintech,

    From the error message reported it seems that the browser refused the certificate of your server. One possible cause for this could be that the certificate chain is not complete.
    Please can you confirm me that you have followed the instructions provided in the "SSL Certificates.pdf" document?
    Are you using a self-signed certificate?

  3. #3
    Hi Giuseppe,

    Yes we are using a self-signed certificate as we are in development mode at the moment, we are a startup and have not moved to prod yet.

    I have certainly followed the instructions in the pdf you mentioned.

    I've just had a look in the server logs:

    11-Apr-14 16:50:51,580|ERROR|ghtstreamerLogger.connections.s sl|LS/SSL AUTH POOLED THREAD 1|Handshake error on Lightstreamer HTTPS Server: General SSLEngine problem on 192.168.1.107:63388.
    11-Apr-14 16:50:54,819|ERROR|ghtstreamerLogger.connections.s sl|LS/SSL HANDSHAKE SELECTOR 3|Handshake error on Lightstreamer HTTPS Server: Received fatal alert: bad_certificate on 192.168.1.107:63389.
    11-Apr-14 16:50:56,585|ERROR|ghtstreamerLogger.connections.s sl|LS/SSL AUTH POOLED THREAD 5|Handshake error on Lightstreamer HTTPS Server: General SSLEngine problem on 192.168.1.107:63390.
    11-Apr-14 16:50:59,820|ERROR|ghtstreamerLogger.connections.s sl|LS/SSL HANDSHAKE SELECTOR 3|Handshake error on Lightstreamer HTTPS Server: Received fatal alert: bad_certificate on 192.168.1.107:63391.
    11-Apr-14 16:51:01,577|ERROR|ghtstreamerLogger.connections.s sl|LS/SSL AUTH POOLED THREAD 6|Handshake error on Lightstreamer HTTPS Server: General SSLEngine problem on 192.168.1.107:63392.
    11-Apr-14 16:51:04,819|ERROR|ghtstreamerLogger.connections.s sl|LS/SSL HANDSHAKE SELECTOR 3|Handshake error on Lightstreamer HTTPS Server: Received fatal alert: bad_certificate on 192.168.1.107:63393.
    11-Apr-14 16:51:06,577|ERROR|ghtstreamerLogger.connections.s sl|S/SSL AUTH POOLED THREAD 10|Handshake error on Lightstreamer HTTPS Server: General SSLEngine problem on 192.168.1.107:63394.
    11-Apr-14 16:51:10,819|ERROR|ghtstreamerLogger.connections.s sl|LS/SSL HANDSHAKE SELECTOR 3|Handshake error on Lightstreamer HTTPS Server: Received fatal alert: bad_certificate on 192.168.1.107:63395.

    I am not sure why this is happening - as far as I understand the certificate is installed properly.

    What the best thing to check next?

    Thanks a lot

  4. #4
    Actually I have just looked at the SSL Certificates document again - is it important that the CN == the lightstreamer host name?

    I have enables DEBUG logging level for ssl connections, here is the full stack trace from the server:

    11-Apr-14 17:33:28,538|INFO |ghtstreamerLogger.connections.ssl|LS/SSL AUTH POOLED THREAD 6|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:64837
    11-Apr-14 17:33:28,538|ERROR|ghtstreamerLogger.connections.s sl|LS/SSL AUTH POOLED THREAD 6|Handshake error on Lightstreamer HTTPS Server: General SSLEngine problem on 0:0:0:0:0:0:0:1:64837.
    11-Apr-14 17:33:28,539|DEBUG|ghtstreamerLogger.connections.s sl|LS/SSL AUTH POOLED THREAD 6|Handshake error on Lightstreamer HTTPS Server
    javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker .java:1290) ~[na:1.7.0_51]
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSL EngineImpl.java:513) ~[na:1.7.0_51]
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLE ngineImpl.java:1177) ~[na:1.7.0_51]
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl. java:1149) ~[na:1.7.0_51]
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) ~[na:1.7.0_51]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.i.b(i.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.n.a(n.java) [lightstreamer.jar:na]
    at com.lightstreamer.c.a.i.a(i.java) [lightstreamer.jar:na]
    at com.lightstreamer.c.a.o.c(o.java) [lightstreamer.jar:na]
    at com.lightstreamer.c.a.l.run(l.java) [lightstreamer.jar:na]
    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.jav a:192) ~[na:1.7.0_51]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl .java:1683) ~[na:1.7.0_51]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.jav a:278) ~[na:1.7.0_51]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.jav a:270) ~[na:1.7.0_51]
    at sun.security.ssl.ServerHandshaker.clientCertificat e(ServerHandshaker.java:1675) ~[na:1.7.0_51]
    at sun.security.ssl.ServerHandshaker.processMessage(S erverHandshaker.java:176) ~[na:1.7.0_51]
    at sun.security.ssl.Handshaker.processLoop(Handshaker .java:868) ~[na:1.7.0_51]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java: 808) ~[na:1.7.0_51]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java: 806) ~[na:1.7.0_51]
    at java.security.AccessController.doPrivileged(Native Method) ~[na:1.7.0_51]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Hand shaker.java:1227) ~[na:1.7.0_51]
    at com.lightstreamer.j.a.b.s.e(s.java) ~[lightstreamer.jar:na]
    ... 8 common frames omitted
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXV alidator.java:385) ~[na:1.7.0_51]
    at sun.security.validator.PKIXValidator.engineValidat e(PKIXValidator.java:292) ~[na:1.7.0_51]
    at sun.security.validator.Validator.validate(Validato r.java:260) ~[na:1.7.0_51]
    at sun.security.ssl.X509TrustManagerImpl.validate(X50 9TrustManagerImpl.java:326) ~[na:1.7.0_51]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted (X509TrustManagerImpl.java:281) ~[na:1.7.0_51]
    at sun.security.ssl.X509TrustManagerImpl.checkClientT rusted(X509TrustManagerImpl.java:132) ~[na:1.7.0_51]
    at sun.security.ssl.ServerHandshaker.clientCertificat e(ServerHandshaker.java:1662) ~[na:1.7.0_51]
    ... 15 common frames omitted
    Caused by: sun.security.provider.certpath.SunCertPathBuilderE xception: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder. engineBuild(SunCertPathBuilder.java:196) ~[na:1.7.0_51]
    at java.security.cert.CertPathBuilder.build(CertPathB uilder.java:268) ~[na:1.7.0_51]
    at sun.security.validator.PKIXValidator.doBuild(PKIXV alidator.java:380) ~[na:1.7.0_51]
    ... 21 common frames omitted
    Last edited by doraintech; April 11th, 2014 at 11:34 AM.

  5. #5
    Administrator
    Join Date
    Feb 2012
    Location
    Milano
    Posts
    543
    Typically if the host name specified in the certificate does not match the one on which the server responds, the client web produces an alert message with the request for permission to continue.
    But this may depend on the various browsers, you have the chance to test with a different browser?

    Thank you for the snippet of log at debug level.
    From the exception stack it seems that you have set to 'Y' the parameters <force_client_auth> and/or <use_client_auth>, is it?
    Please note that if <force_client_auth> is setted a valid TLS/SSL certificate is requested to the client in order to accept the connection.

  6. #6
    Hi Giuseppe,

    I have had the chance to test with a different browser and the problem is still there, it just has a slightly different error message that it not useful.

    I have now set both <force_client_auth> and <use_client_auth> to N. You were right, they were set to Y before.

    I am now seeing a different exception: Broken Pipe


    14-Apr-14 19:56:45,732|INFO |LightstreamerLogger.init |main |TLS/SSL Server "Lightstreamer HTTPS Server" listening to *:443 ...
    14-Apr-14 19:56:45,732|INFO |LightstreamerLogger.init |main |Cipher Suites for "Lightstreamer HTTPS Server" will be forced from [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] to [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV].
    14-Apr-14 19:56:45,732|INFO |LightstreamerLogger.init |main |Handshake pool size set by default at 1.
    14-Apr-14 19:56:45,734|INFO |LightstreamerLogger.init |main |Server "Lightstreamer HTTP Server" listening to *:8080 ...
    14-Apr-14 19:56:45,979|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:49652
    14-Apr-14 19:56:45,980|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49652.
    14-Apr-14 19:56:46,910|INFO |LightstreamerMonitorText |Timer-0 |Total threads = 139, Total heap = 257425408 (free = 201925584), Sessions = 0 (max = 0), New sessions = [+0, -0], Connections = 0 (max = 1), New connections = [+1, -1], In-pool threads = 47, Active threads = 0, Available threads = 47, Queued tasks = 0, Pool queue wait = 0, NIO write queue = 0, NIO write queue wait = 0, NIO write selectors = 8, NIO total selectors = 64, Subscribed items = 0, Inbound throughput = 0 updates/s (pre-filtered = 0), Outbound throughput = 0 updates/s (0 kbit/s, max = 0), Lost updates = 0 (total = 0), Total bytes sent = 0, Client messages throughput = 0 msgs/s (0 kbit/s, max = 0), Total messages handled = 0, Extra sleep = 7, Notify delay = 0
    14-Apr-14 19:56:48,457|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 127.0.0.1:49653
    14-Apr-14 19:56:48,457|ERROR|ghtstreamerLogger.connections.s sl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Broken pipe on 127.0.0.1:49653.
    14-Apr-14 19:56:48,462|DEBUG|ghtstreamerLogger.connections.s sl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server
    java.io.IOException: Broken pipe
    at sun.nio.ch.FileDispatcherImpl.write0(Native Method) ~[na:1.7.0_51]
    at sun.nio.ch.SocketDispatcher.write(SocketDispatcher .java:47) ~[na:1.7.0_51]
    at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.jav a:93) ~[na:1.7.0_51]
    at sun.nio.ch.IOUtil.write(IOUtil.java:65) ~[na:1.7.0_51]
    at sun.nio.ch.SocketChannelImpl.write(SocketChannelIm pl.java:487) ~[na:1.7.0_51]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.i.b(i.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.x.a(x.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.w.run(w.java) [lightstreamer.jar:na]
    14-Apr-14 19:56:51,895|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:49654
    14-Apr-14 19:56:51,896|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49654.
    14-Apr-14 19:56:57,894|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:49655
    14-Apr-14 19:56:57,895|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49655.
    14-Apr-14 19:57:00,044|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 127.0.0.1:49656
    14-Apr-14 19:57:00,045|ERROR|ghtstreamerLogger.connections.s sl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Broken pipe on 127.0.0.1:49656.
    14-Apr-14 19:57:00,045|DEBUG|ghtstreamerLogger.connections.s sl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server
    java.io.IOException: Broken pipe


    Do you have any idea what might be causing this?

    Thanks a lot
    Dorain

  7. #7
    Administrator
    Join Date
    Feb 2012
    Location
    Milano
    Posts
    543
    The "Inbound closed before receiving ..." and "Broken pipe on ..." error messages refer to errors due to the client that aborts the current attempt to establish the SSL connection.

    Please, can you confirm that these errors systematically happen every time and on different browsers? Ie you were never able to establish a working SSL connection?
    Could you have the chance to run a test using the pre-installed certificate included in the the factory configuration of Lightstreamer server (LS_HOME/conf/myserver.keystore)?

  8. #8
    Hi Giuseppe,

    Here are the logs generated by connections attempted from Safari browser:

    17-Apr-14 09:54:03,391|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:49535
    17-Apr-14 09:54:03,391|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49535.
    17-Apr-14 09:54:08,419|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:49536
    17-Apr-14 09:54:08,419|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49536.
    17-Apr-14 09:54:12,462|INFO |LightstreamerMonitorText |Timer-0 |Total threads = 137, Total heap = 257425408 (free = 230358296), Sessions = 0 (max = 0), New sessions = [+0, -0], Connections = 0 (max = 2), New connections = [+19, -19], In-pool threads = 47, Active threads = 0, Available threads = 47, Queued tasks = 0, Pool queue wait = 0, NIO write queue = 0, NIO write queue wait = 0, NIO write selectors = 8, NIO total selectors = 64, Subscribed items = 0, Inbound throughput = 0 updates/s (pre-filtered = 0), Outbound throughput = 0 updates/s (0 kbit/s, max = 0), Lost updates = 0 (total = 0), Total bytes sent = 0, Client messages throughput = 0 msgs/s (0 kbit/s, max = 0), Total messages handled = 0, Extra sleep = 0, Notify delay = 0
    17-Apr-14 09:54:13,454|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:49537
    17-Apr-14 09:54:13,455|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49537.

    Here are the equivalent logs when the Firefox browser is used to load the site:

    Marker - 17 Apr 2014 09:55:59
    17-Apr-14 09:56:10,430|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 127.0.0.1:49611
    17-Apr-14 09:56:10,430|ERROR|ghtstreamerLogger.connections.s sl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Broken pipe on 127.0.0.1:49611.
    17-Apr-14 09:56:10,431|DEBUG|ghtstreamerLogger.connections.s sl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server
    java.io.IOException: Broken pipe
    at sun.nio.ch.FileDispatcherImpl.write0(Native Method) ~[na:1.7.0_51]
    at sun.nio.ch.SocketDispatcher.write(SocketDispatcher .java:47) ~[na:1.7.0_51]
    at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.jav a:93) ~[na:1.7.0_51]
    at sun.nio.ch.IOUtil.write(IOUtil.java:65) ~[na:1.7.0_51]
    at sun.nio.ch.SocketChannelImpl.write(SocketChannelIm pl.java:487) ~[na:1.7.0_51]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.i.b(i.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.x.a(x.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.w.run(w.java) [lightstreamer.jar:na]
    17-Apr-14 09:56:10,442|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 127.0.0.1:49612
    17-Apr-14 09:56:10,442|ERROR|ghtstreamerLogger.connections.s sl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Broken pipe on 127.0.0.1:49612.
    17-Apr-14 09:56:10,442|DEBUG|ghtstreamerLogger.connections.s sl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server
    java.io.IOException: Broken pipe
    at sun.nio.ch.FileDispatcherImpl.write0(Native Method) ~[na:1.7.0_51]
    at sun.nio.ch.SocketDispatcher.write(SocketDispatcher .java:47) ~[na:1.7.0_51]
    at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.jav a:93) ~[na:1.7.0_51]
    at sun.nio.ch.IOUtil.write(IOUtil.java:65) ~[na:1.7.0_51]
    at sun.nio.ch.SocketChannelImpl.write(SocketChannelIm pl.java:487) ~[na:1.7.0_51]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.i.b(i.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.x.a(x.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.w.run(w.java) [lightstreamer.jar:na]
    17-Apr-14 09:56:12,534|INFO |LightstreamerMonitorText |Timer-0 |Total threads = 138, Total heap = 257425408 (free = 218212536), Sessions = 0 (max = 0), New sessions = [+0, -0], Connections = 0 (max = 2), New connections = [+3, -3], In-pool threads = 47, Active threads = 0, Available threads = 47, Queued tasks = 0, Pool queue wait = 0, NIO write queue = 0, NIO write queue wait = 0, NIO write selectors = 8, NIO total selectors = 64, Subscribed items = 0, Inbound throughput = 0 updates/s (pre-filtered = 0), Outbound throughput = 0 updates/s (0 kbit/s, max = 0), Lost updates = 0 (total = 0), Total bytes sent = 0, Client messages throughput = 0 msgs/s (0 kbit/s, max = 0), Total messages handled = 0, Extra sleep = 0, Notify delay = 0

    Here are the logs from when Chrome tries to load the site:

    17-Apr-14 10:12:53,398|DEBUG|ghtstreamerLogger.connections.s sl|LS/SSL HANDSHAKE SELECTOR 1|Handshake completed on socket Lightstreamer HTTPS Server; selected cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA on "Lightstreamer HTTPS Server"
    17-Apr-14 10:12:53,398|DEBUG|ghtstreamerLogger.connections.s sl|SERVER POOLED THREAD 9 |During TLS/SSL read: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:50015.
    17-Apr-14 10:12:58,440|DEBUG|ghtstreamerLogger.connections.s sl|LS/SSL HANDSHAKE SELECTOR 1|Handshake completed on socket Lightstreamer HTTPS Server; selected cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA on "Lightstreamer HTTPS Server"
    17-Apr-14 10:12:58,440|DEBUG|ghtstreamerLogger.connections.s sl|SERVER POOLED THREAD 6 |During TLS/SSL read: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:50016.
    17-Apr-14 10:13:03,466|DEBUG|ghtstreamerLogger.connections.s sl|LS/SSL HANDSHAKE SELECTOR 1|Handshake completed on socket Lightstreamer HTTPS Server; selected cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA on "Lightstreamer HTTPS Server"
    17-Apr-14 10:13:03,466|DEBUG|ghtstreamerLogger.connections.s sl|SERVER POOLED THREAD 3 |During TLS/SSL read: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:50018.

  9. #9
    I have also tried to revert to the original keystore shipped as you mentioned but have had no luck with this - I still get the same errors as above.

    Here is my lightstreamer configuration file for reference:

    <https_server name="Lightstreamer HTTPS Server">


    <!-- Mandatory. Listening TCP port. -->

    <port>443</port>


    <!-- Optional. Size of the system buffer for incoming TCP connections
    (backlog). Overrides the default system setting. -->
    <!--
    <backlog>50</backlog>
    -->

    <!-- Optional. Settings that allow some control over the HTTP headers
    of the provided responses. See the same element inside
    <http_server> for a description. -->
    <!--
    <response_http_headers>
    <echo name="cookie" />
    <add name="my-header">MyValue</add>
    </response_http_headers>
    -->

    <!-- Optional. Can be used on a multihomed host to specify the IP address
    to bind the server socket to.
    The default is to accept connections on any/all local addresses. -->
    <!--
    <listening_interface>200.0.0.1</listening_interface>
    -->

    <!-- Optional. Settings that allow for better identifying the remote address
    of the connected clients. See the same element inside
    <http_server> for a description. -->
    <!--
    <client_identification>
    <skip_local_forwards>2</skip_local_forwards>
    <log_forwards>Y</log_forwards>
    </client_identification>
    -->

    <!-- Mandatory. Reference to the keystore used by the HTTPS service.
    The file path is relative to the conf directory.
    Currently, only Sun/Oracle's "JKS" keystore type is supported.
    This keystore implementation has some constraints:
    - only the first certificate found in the keystore is used by the
    java TLS/SSL implementation to be sent to the Client
    - the password of the keystore and the password of the included
    certificate should be the same (hence, the <keystore_password>
    subelement refers to both).
    The <keystore_file> and <keystore_password> subelements are mandatory.
    NOTE: The "myserver.keystore" certificate, which is provided out
    of the box, is obviously not valid. In order to use it for your
    experiments, remember to add a security exception to your browser. -->

    <keystore>
    <keystore_file>myserver.keystore</keystore_file>
    <keystore_password>mypassword</keystore_password>
    </keystore>


    <!-- Optional and cumulative. Pattern to be matched against the names
    of the enabled cipher suites in order to remove the matching ones
    from the enabled cipher suites set.
    Any pattern in java.util.regex.Pattern format can be specified.
    This allows for customization of the choice of the cipher suite
    to be used for an incoming https connection (note that reducing
    the set of available cipher suites may cause some client requests
    to be refused).
    Note that the selection is operated on the default set of the
    "enabled" cipher suites for the socket, not on the set of the
    "available" cipher suites. The default set of the "enabled" cipher
    suites is logged at startup by the LightstreamerLogger.connections.ssl
    logger at DEBUG level. -->
    <!-- <remove_cipher_suites>_DHE_</remove_cipher_suites> -->

    <!-- Optional. Request to provide the Metadata Adapter with the
    "principal" included in the client TLS/SSL certificate, when available.
    Can be one of the following:
    - Y: Upon each client connection, the availability of a client TLS/SSL
    certificate is checked. If available, the included
    identification data will be supplied upon calls to notifyUser.
    - N: No certificate information is supplied to notifyUser and no
    check is done on the client certificate.
    Note that a check on the client certificate can also be requested
    through <force_client_auth>.
    Default: N. -->

    <!-- <use_client_auth>N</use_client_auth> -->


    <!-- Optional. Request to only allow clients provided with a valid TLS/SSL
    certificate. Can be one of the following:
    - Y: Upon each client connection, a valid TLS/SSL certificate is
    requested to the client in order to accept the connection.
    - N: No check is done on the client certificate.
    Note that a certificate can also be requested to the client as a
    consequence of <use_client_auth>.
    Default: N. -->

    <!-- <force_client_auth>N</force_client_auth> -->


    <!-- Optional and only used when at least one of <use_client_auth> and
    <force_client_auth> is set to Y. Reference to a keystore to be used
    by the HTTPS service to accept client certificates.
    It can be used to supply client certificates that should be
    accepted, in addition to those with a valid certificate chain,
    for instance while testing with self-signed certificates.
    The file path is relative to the conf directory.
    Currently, only Sun/Oracle's "JKS" keystore type is supported.
    Note that the password to be supplied refers to the whole keystore,
    not to the various certificates.
    The <truststore_file> and <truststore_password> subelements are
    mandatory. -->
    <!--
    <truststore>
    <truststore_file>myserver.truststore</truststore_file>
    <truststore_password>mypassword</truststore_password>
    </truststore>
    -->


    </https_server>

  10. #10
    Administrator
    Join Date
    Feb 2012
    Location
    Milano
    Posts
    543
    In these days we are aware of an issue with self-signed certificates and HTTPS connections from browsers solved by updating the Java version.
    I'm not sure that your case is of the same type but please, can you confirm the version of Java you are using, and/or give it a try with a newer version?

    Thank you.

 

 

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
All times are GMT +1. The time now is 02:30 PM.