  1. #1
    Hi Giuseppe,

    I have had the chance to test with a different browser and the problem is still there, it just has a slightly different error message that is not useful.

    I have now set both <force_client_auth> and <use_client_auth> to N. You were right, they were set to Y before.

    I am now seeing a different exception: Broken Pipe


    14-Apr-14 19:56:45,732|INFO |LightstreamerLogger.init |main |TLS/SSL Server "Lightstreamer HTTPS Server" listening to *:443 ...
    14-Apr-14 19:56:45,732|INFO |LightstreamerLogger.init |main |Cipher Suites for "Lightstreamer HTTPS Server" will be forced from [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] to [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV].
    14-Apr-14 19:56:45,732|INFO |LightstreamerLogger.init |main |Handshake pool size set by default at 1.
    14-Apr-14 19:56:45,734|INFO |LightstreamerLogger.init |main |Server "Lightstreamer HTTP Server" listening to *:8080 ...
    14-Apr-14 19:56:45,979|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:49652
    14-Apr-14 19:56:45,980|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49652.
    14-Apr-14 19:56:46,910|INFO |LightstreamerMonitorText |Timer-0 |Total threads = 139, Total heap = 257425408 (free = 201925584), Sessions = 0 (max = 0), New sessions = [+0, -0], Connections = 0 (max = 1), New connections = [+1, -1], In-pool threads = 47, Active threads = 0, Available threads = 47, Queued tasks = 0, Pool queue wait = 0, NIO write queue = 0, NIO write queue wait = 0, NIO write selectors = 8, NIO total selectors = 64, Subscribed items = 0, Inbound throughput = 0 updates/s (pre-filtered = 0), Outbound throughput = 0 updates/s (0 kbit/s, max = 0), Lost updates = 0 (total = 0), Total bytes sent = 0, Client messages throughput = 0 msgs/s (0 kbit/s, max = 0), Total messages handled = 0, Extra sleep = 7, Notify delay = 0
    14-Apr-14 19:56:48,457|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 127.0.0.1:49653
    14-Apr-14 19:56:48,457|ERROR|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Broken pipe on 127.0.0.1:49653.
    14-Apr-14 19:56:48,462|DEBUG|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server
    java.io.IOException: Broken pipe
    at sun.nio.ch.FileDispatcherImpl.write0(Native Method) ~[na:1.7.0_51]
    at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47) ~[na:1.7.0_51]
    at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93) ~[na:1.7.0_51]
    at sun.nio.ch.IOUtil.write(IOUtil.java:65) ~[na:1.7.0_51]
    at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:487) ~[na:1.7.0_51]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.i.b(i.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.x.a(x.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.w.run(w.java) [lightstreamer.jar:na]
    14-Apr-14 19:56:51,895|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:49654
    14-Apr-14 19:56:51,896|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49654.
    14-Apr-14 19:56:57,894|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:49655
    14-Apr-14 19:56:57,895|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49655.
    14-Apr-14 19:57:00,044|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 127.0.0.1:49656
    14-Apr-14 19:57:00,045|ERROR|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Broken pipe on 127.0.0.1:49656.
    14-Apr-14 19:57:00,045|DEBUG|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server
    java.io.IOException: Broken pipe


    Do you have any idea what might be causing this?

    Thanks a lot
    Dorain

  2. #2
    Administrator
    The "Inbound closed before receiving ..." and "Broken pipe on ..." error messages refer to errors due to the client that aborts the current attempt to establish the SSL connection.

    Please, can you confirm that these errors systematically happen every time and on different browsers? I.e., you were never able to establish a working SSL connection?
    Could you have the chance to run a test using the pre-installed certificate included in the factory configuration of Lightstreamer server (LS_HOME/conf/myserver.keystore)?

  3. #3
    Hi Giuseppe,

    Here are the logs generated by connections attempted from Safari browser:

    17-Apr-14 09:54:03,391|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:49535
    17-Apr-14 09:54:03,391|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49535.
    17-Apr-14 09:54:08,419|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:49536
    17-Apr-14 09:54:08,419|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49536.
    17-Apr-14 09:54:12,462|INFO |LightstreamerMonitorText |Timer-0 |Total threads = 137, Total heap = 257425408 (free = 230358296), Sessions = 0 (max = 0), New sessions = [+0, -0], Connections = 0 (max = 2), New connections = [+19, -19], In-pool threads = 47, Active threads = 0, Available threads = 47, Queued tasks = 0, Pool queue wait = 0, NIO write queue = 0, NIO write queue wait = 0, NIO write selectors = 8, NIO total selectors = 64, Subscribed items = 0, Inbound throughput = 0 updates/s (pre-filtered = 0), Outbound throughput = 0 updates/s (0 kbit/s, max = 0), Lost updates = 0 (total = 0), Total bytes sent = 0, Client messages throughput = 0 msgs/s (0 kbit/s, max = 0), Total messages handled = 0, Extra sleep = 0, Notify delay = 0
    17-Apr-14 09:54:13,454|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:49537
    17-Apr-14 09:54:13,455|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49537.

    Here are the equivalent logs when the Firefox browser is used to load the site:

    Marker - 17 Apr 2014 09:55:59
    17-Apr-14 09:56:10,430|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 127.0.0.1:49611
    17-Apr-14 09:56:10,430|ERROR|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Broken pipe on 127.0.0.1:49611.
    17-Apr-14 09:56:10,431|DEBUG|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server
    java.io.IOException: Broken pipe
    at sun.nio.ch.FileDispatcherImpl.write0(Native Method) ~[na:1.7.0_51]
    at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47) ~[na:1.7.0_51]
    at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93) ~[na:1.7.0_51]
    at sun.nio.ch.IOUtil.write(IOUtil.java:65) ~[na:1.7.0_51]
    at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:487) ~[na:1.7.0_51]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.i.b(i.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.x.a(x.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.w.run(w.java) [lightstreamer.jar:na]
    17-Apr-14 09:56:10,442|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 127.0.0.1:49612
    17-Apr-14 09:56:10,442|ERROR|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Broken pipe on 127.0.0.1:49612.
    17-Apr-14 09:56:10,442|DEBUG|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server
    java.io.IOException: Broken pipe
    at sun.nio.ch.FileDispatcherImpl.write0(Native Method) ~[na:1.7.0_51]
    at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47) ~[na:1.7.0_51]
    at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93) ~[na:1.7.0_51]
    at sun.nio.ch.IOUtil.write(IOUtil.java:65) ~[na:1.7.0_51]
    at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:487) ~[na:1.7.0_51]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.i.b(i.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.x.a(x.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.w.run(w.java) [lightstreamer.jar:na]
    17-Apr-14 09:56:12,534|INFO |LightstreamerMonitorText |Timer-0 |Total threads = 138, Total heap = 257425408 (free = 218212536), Sessions = 0 (max = 0), New sessions = [+0, -0], Connections = 0 (max = 2), New connections = [+3, -3], In-pool threads = 47, Active threads = 0, Available threads = 47, Queued tasks = 0, Pool queue wait = 0, NIO write queue = 0, NIO write queue wait = 0, NIO write selectors = 8, NIO total selectors = 64, Subscribed items = 0, Inbound throughput = 0 updates/s (pre-filtered = 0), Outbound throughput = 0 updates/s (0 kbit/s, max = 0), Lost updates = 0 (total = 0), Total bytes sent = 0, Client messages throughput = 0 msgs/s (0 kbit/s, max = 0), Total messages handled = 0, Extra sleep = 0, Notify delay = 0

    Here are the logs from when Chrome tries to load the site:

    17-Apr-14 10:12:53,398|DEBUG|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake completed on socket Lightstreamer HTTPS Server; selected cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA on "Lightstreamer HTTPS Server"
    17-Apr-14 10:12:53,398|DEBUG|ghtstreamerLogger.connections.ssl|SERVER POOLED THREAD 9 |During TLS/SSL read: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:50015.
    17-Apr-14 10:12:58,440|DEBUG|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake completed on socket Lightstreamer HTTPS Server; selected cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA on "Lightstreamer HTTPS Server"
    17-Apr-14 10:12:58,440|DEBUG|ghtstreamerLogger.connections.ssl|SERVER POOLED THREAD 6 |During TLS/SSL read: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:50016.
    17-Apr-14 10:13:03,466|DEBUG|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake completed on socket Lightstreamer HTTPS Server; selected cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA on "Lightstreamer HTTPS Server"
    17-Apr-14 10:13:03,466|DEBUG|ghtstreamerLogger.connections.ssl|SERVER POOLED THREAD 3 |During TLS/SSL read: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:50018.
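
Added example, not part of the original thread and not Lightstreamer code: a small triage script for the log lines posted above. It separates peers that drop the connection during the handshake (the Safari and Firefox logs) from peers that complete the handshake and then close without a close_notify (the Chrome logs). The function names and the phase labels are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = """\
17-Apr-14 09:54:03,391|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49535.
17-Apr-14 09:56:10,430|ERROR|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Broken pipe on 127.0.0.1:49611.
17-Apr-14 09:56:10,431|DEBUG|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server
java.io.IOException: Broken pipe
17-Apr-14 10:12:53,398|DEBUG|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake completed on socket Lightstreamer HTTPS Server; selected cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA on "Lightstreamer HTTPS Server"
17-Apr-14 10:12:53,398|DEBUG|ghtstreamerLogger.connections.ssl|SERVER POOLED THREAD 9 |During TLS/SSL read: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:50015.
"""

PEER = re.compile(r" on (\S+):(\d+)\.$")           # trailing "on <address>:<port>."
SUITE = re.compile(r"selected cipher suite (\S+)")


def classify(message):
    """Map one log message to (phase, meaning); None if it is not a TLS event."""
    if message.startswith("Handshake completed"):
        return ("handshake", "completed")
    if message.startswith("Handshake error"):
        phase = "handshake"
    elif message.startswith("During TLS/SSL read"):
        phase = "established"
    else:
        return None
    if "Inbound closed before receiving peer's close_notify" in message:
        return (phase, "peer closed TCP without close_notify")
    if "Broken pipe" in message:
        return (phase, "server write to closed socket")
    return (phase, "other")


def triage(log_text):
    """Return (events, counts); counts is keyed by (phase, meaning)."""
    events = []
    for line in log_text.splitlines():
        fields = line.split("|", 4)      # time|level|logger|thread|message
        if len(fields) != 5:             # stack-trace lines carry no '|'
            continue
        message = fields[4].strip()
        verdict = classify(message)
        if verdict is None:
            continue
        peer = PEER.search(message)
        if peer is None and verdict[1] != "completed":
            continue                     # DEBUG header that precedes a stack trace
        suite = SUITE.search(message)
        events.append({
            "time": fields[0], "level": fields[1].strip(),
            "phase": verdict[0], "meaning": verdict[1],
            "peer": peer.group(1) if peer else None,
            "port": int(peer.group(2)) if peer else None,
            "suite": suite.group(1) if suite else None,
        })
    return events, Counter((e["phase"], e["meaning"]) for e in events)
```
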

  4. #4
    I have also tried to revert to the original keystore shipped as you mentioned but have had no luck with this - I still get the same errors as above.

    Here is my lightstreamer configuration file for reference:

    <https_server name="Lightstreamer HTTPS Server">


    <!-- Mandatory. Listening TCP port. -->

    <port>443</port>


    <!-- Optional. Size of the system buffer for incoming TCP connections
    (backlog). Overrides the default system setting. -->
    <!--
    <backlog>50</backlog>
    -->

    <!-- Optional. Settings that allow some control over the HTTP headers
    of the provided responses. See the same element inside
    <http_server> for a description. -->
    <!--
    <response_http_headers>
    <echo name="cookie" />
    <add name="my-header">MyValue</add>
    </response_http_headers>
    -->

    <!-- Optional. Can be used on a multihomed host to specify the IP address
    to bind the server socket to.
    The default is to accept connections on any/all local addresses. -->
    <!--
    <listening_interface>200.0.0.1</listening_interface>
    -->

    <!-- Optional. Settings that allow for better identifying the remote address
    of the connected clients. See the same element inside
    <http_server> for a description. -->
    <!--
    <client_identification>
    <skip_local_forwards>2</skip_local_forwards>
    <log_forwards>Y</log_forwards>
    </client_identification>
    -->

    <!-- Mandatory. Reference to the keystore used by the HTTPS service.
    The file path is relative to the conf directory.
    Currently, only Sun/Oracle's "JKS" keystore type is supported.
    This keystore implementation has some constraints:
    - only the first certificate found in the keystore is used by the
    java TLS/SSL implementation to be sent to the Client
    - the password of the keystore and the password of the included
    certificate should be the same (hence, the <keystore_password>
    subelement refers to both).
    The <keystore_file> and <keystore_password> subelements are mandatory.
    NOTE: The "myserver.keystore" certificate, which is provided out
    of the box, is obviously not valid. In order to use it for your
    experiments, remember to add a security exception to your browser. -->

    <keystore>
    <keystore_file>myserver.keystore</keystore_file>
    <keystore_password>mypassword</keystore_password>
    </keystore>


    <!-- Optional and cumulative. Pattern to be matched against the names
    of the enabled cipher suites in order to remove the matching ones
    from the enabled cipher suites set.
    Any pattern in java.util.regex.Pattern format can be specified.
    This allows for customization of the choice of the cipher suite
    to be used for an incoming https connection (note that reducing
    the set of available cipher suites may cause some client requests
    to be refused).
    Note that the selection is operated on the default set of the
    "enabled" cipher suites for the socket, not on the set of the
    "available" cipher suites. The default set of the "enabled" cipher
    suites is logged at startup by the LightstreamerLogger.connections.ssl
    logger at DEBUG level. -->
    <!-- <remove_cipher_suites>_DHE_</remove_cipher_suites> -->

    <!-- Optional. Request to provide the Metadata Adapter with the
    "principal" included in the client TLS/SSL certificate, when available.
    Can be one of the following:
    - Y: Upon each client connection, the availability of a client TLS/SSL
    certificate is checked. If available, the included
    identification data will be supplied upon calls to notifyUser.
    - N: No certificate information is supplied to notifyUser and no
    check is done on the client certificate.
    Note that a check on the client certificate can also be requested
    through <force_client_auth>.
    Default: N. -->

    <!-- <use_client_auth>N</use_client_auth> -->


    <!-- Optional. Request to only allow clients provided with a valid TLS/SSL
    certificate. Can be one of the following:
    - Y: Upon each client connection, a valid TLS/SSL certificate is
    requested to the client in order to accept the connection.
    - N: No check is done on the client certificate.
    Note that a certificate can also be requested to the client as a
    consequence of <use_client_auth>.
    Default: N. -->

    <!-- <force_client_auth>N</force_client_auth> -->


    <!-- Optional and only used when at least one of <use_client_auth> and
    <force_client_auth> is set to Y. Reference to a keystore to be used
    by the HTTPS service to accept client certificates.
    It can be used to supply client certificates that should be
    accepted, in addition to those with a valid certificate chain,
    for instance while testing with self-signed certificates.
    The file path is relative to the conf directory.
    Currently, only Sun/Oracle's "JKS" keystore type is supported.
    Note that the password to be supplied refers to the whole keystore,
    not to the various certificates.
    The <truststore_file> and <truststore_password> subelements are
    mandatory. -->
    <!--
    <truststore>
    <truststore_file>myserver.truststore</truststore_file>
    <truststore_password>mypassword</truststore_password>
    </truststore>
    -->


    </https_server>
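
Added example, not part of the original thread and not Lightstreamer code: how the `<remove_cipher_suites>` patterns described in the configuration comments prune the enabled suite list, and how to check the result against the "will be forced from [...] to [...]" line the server logs at startup (post #1 shows that line with every `_DHE_` suite dropped and the ECDHE suites kept). It assumes substring-style matching, as the `_DHE_` sample pattern implies, and uses Python's `re` in place of `java.util.regex.Pattern`; the `_RC4_` and `_3DES_` patterns and the function names are chosen for illustration.

```python
import re

# Constructed sample: a subset of the enabled suites from the startup log in post #1.
ENABLED = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]

# Constructed sample: a shortened version of the startup line from post #1.
STARTUP_LINE = (
    '14-Apr-14 19:56:45,732|INFO |LightstreamerLogger.init |main |Cipher Suites '
    'for "Lightstreamer HTTPS Server" will be forced from '
    "[TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA] to "
    "[TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA]."
)

FORCED = re.compile(r"will be forced from \[(.*?)\] to \[(.*?)\]")


def apply_removals(enabled, patterns):
    """Split suites into (kept, removed); the patterns are cumulative."""
    compiled = [re.compile(p) for p in patterns]
    kept, removed = [], []
    for suite in enabled:
        hit = any(c.search(suite) for c in compiled)
        (removed if hit else kept).append(suite)
    return kept, removed


def config_matches_log(line, patterns):
    """True if the patterns reproduce the 'to' list of a startup log line.

    Returns None when the line is not a 'will be forced' line.
    """
    m = FORCED.search(line)
    if not m:
        return None
    before, after = (group.split(", ") for group in m.groups())
    kept, _ = apply_removals(before, patterns)
    return kept == after
```

Note that `_DHE_` leaves the ECDHE suites in place because of the leading underscore, whereas a bare `DHE` pattern would remove them as well.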

 

 
