  1. #1

    HTTPS connection - Invalid Certificate Chain

    I am developing a web application which uses two servers, A and B. Both of these have recently been enabled for HTTPS encryption.

    Server A is the main server, serving HTML/CSS etc., and server B is a Lightstreamer real-time data server, serving real-time data updates.

    Before I enabled HTTPS on both servers, everything was working just fine; the Lightstreamer components were updating in the browser. However, now, whilst the main server still works fine over HTTPS, the Lightstreamer component has broken. The Lightstreamer client cannot seem to make an HTTPS connection to the Lightstreamer server.

    Below are the errors generated in Safari when the Lightstreamer client tries to connect to the HTTPS-enabled Lightstreamer server, which is running on the same host. Currently this application is in development, so I need a development environment where I can run and test the application on the same host (Mac OS X Mavericks).

    [Error] WebSocket network error: OSStatus Error -9807: Invalid certificate chain (localhost, line 0)

    [Error] Failed to load resource: An SSL error has occurred and a secure connection to the server cannot be made. (create_session.js, line 0)

    Any help would be greatly appreciated.
    Thanks in advance.

  2. #2
    Administrator (Milano; joined Feb 2012; 716 posts)
    Hi doraintech,

    From the error message reported, it seems that the browser refused the certificate of your server. One possible cause for this could be that the certificate chain is not complete.
    Can you please confirm that you have followed the instructions provided in the "SSL Certificates.pdf" document?
    Are you using a self-signed certificate?

  3. #3
    Hi Giuseppe,

    Yes, we are using a self-signed certificate as we are in development mode at the moment; we are a startup and have not moved to prod yet.

    I have certainly followed the instructions in the pdf you mentioned.

    I've just had a look in the server logs:

    11-Apr-14 16:50:51,580|ERROR|ghtstreamerLogger.connections.ssl|LS/SSL AUTH POOLED THREAD 1|Handshake error on Lightstreamer HTTPS Server: General SSLEngine problem on 192.168.1.107:63388.
    11-Apr-14 16:50:54,819|ERROR|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 3|Handshake error on Lightstreamer HTTPS Server: Received fatal alert: bad_certificate on 192.168.1.107:63389.
    11-Apr-14 16:50:56,585|ERROR|ghtstreamerLogger.connections.ssl|LS/SSL AUTH POOLED THREAD 5|Handshake error on Lightstreamer HTTPS Server: General SSLEngine problem on 192.168.1.107:63390.
    11-Apr-14 16:50:59,820|ERROR|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 3|Handshake error on Lightstreamer HTTPS Server: Received fatal alert: bad_certificate on 192.168.1.107:63391.
    11-Apr-14 16:51:01,577|ERROR|ghtstreamerLogger.connections.ssl|LS/SSL AUTH POOLED THREAD 6|Handshake error on Lightstreamer HTTPS Server: General SSLEngine problem on 192.168.1.107:63392.
    11-Apr-14 16:51:04,819|ERROR|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 3|Handshake error on Lightstreamer HTTPS Server: Received fatal alert: bad_certificate on 192.168.1.107:63393.
    11-Apr-14 16:51:06,577|ERROR|ghtstreamerLogger.connections.ssl|S/SSL AUTH POOLED THREAD 10|Handshake error on Lightstreamer HTTPS Server: General SSLEngine problem on 192.168.1.107:63394.
    11-Apr-14 16:51:10,819|ERROR|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 3|Handshake error on Lightstreamer HTTPS Server: Received fatal alert: bad_certificate on 192.168.1.107:63395.

    I am not sure why this is happening; as far as I understand, the certificate is installed properly.

    What's the best thing to check next?

    Thanks a lot

  4. #4
    Actually, I have just looked at the SSL Certificates document again. Is it important that the CN == the Lightstreamer host name?

    I have enabled the DEBUG logging level for SSL connections; here is the full stack trace from the server:

    11-Apr-14 17:33:28,538|INFO |ghtstreamerLogger.connections.ssl|LS/SSL AUTH POOLED THREAD 6|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:64837
    11-Apr-14 17:33:28,538|ERROR|ghtstreamerLogger.connections.ssl|LS/SSL AUTH POOLED THREAD 6|Handshake error on Lightstreamer HTTPS Server: General SSLEngine problem on 0:0:0:0:0:0:0:1:64837.
    11-Apr-14 17:33:28,539|DEBUG|ghtstreamerLogger.connections.ssl|LS/SSL AUTH POOLED THREAD 6|Handshake error on Lightstreamer HTTPS Server
    javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290) ~[na:1.7.0_51]
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513) ~[na:1.7.0_51]
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1177) ~[na:1.7.0_51]
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1149) ~[na:1.7.0_51]
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) ~[na:1.7.0_51]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.i.b(i.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.n.a(n.java) [lightstreamer.jar:na]
    at com.lightstreamer.c.a.i.a(i.java) [lightstreamer.jar:na]
    at com.lightstreamer.c.a.o.c(o.java) [lightstreamer.jar:na]
    at com.lightstreamer.c.a.l.run(l.java) [lightstreamer.jar:na]
    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.7.0_51]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1683) ~[na:1.7.0_51]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278) ~[na:1.7.0_51]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270) ~[na:1.7.0_51]
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1675) ~[na:1.7.0_51]
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:176) ~[na:1.7.0_51]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868) ~[na:1.7.0_51]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:808) ~[na:1.7.0_51]
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:806) ~[na:1.7.0_51]
    at java.security.AccessController.doPrivileged(Native Method) ~[na:1.7.0_51]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1227) ~[na:1.7.0_51]
    at com.lightstreamer.j.a.b.s.e(s.java) ~[lightstreamer.jar:na]
    ... 8 common frames omitted
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385) ~[na:1.7.0_51]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.7.0_51]
    at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.7.0_51]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326) ~[na:1.7.0_51]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[na:1.7.0_51]
    at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:132) ~[na:1.7.0_51]
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1662) ~[na:1.7.0_51]
    ... 15 common frames omitted
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196) ~[na:1.7.0_51]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268) ~[na:1.7.0_51]
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380) ~[na:1.7.0_51]
    ... 21 common frames omitted
    Last edited by doraintech; April 11th, 2014 at 11:34 AM.

  5. #5
    Administrator
    Typically, if the host name specified in the certificate does not match the one on which the server responds, the web client produces an alert message asking for permission to continue.
    But this may depend on the browser; do you have the chance to test with a different browser?

    Thank you for the snippet of log at debug level.
    From the exception stack, it seems that you have set the parameters <force_client_auth> and/or <use_client_auth> to 'Y', is that right?
    Please note that if <force_client_auth> is set, a valid TLS/SSL certificate is requested from the client in order to accept the connection.
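    A defender-side triage helper for the "Handshake error" patterns seen in this thread, added here as an example (it is not Lightstreamer's code): it maps each server-log line to its likely cause and flags the clientCertificate()/PKIX stack trace that points at <force_client_auth>/<use_client_auth>. The sample log lines are constructed after the ones quoted above, and the category names are this example's own.

```python
import re
from collections import Counter

# Constructed sample modelled on the Lightstreamer "connections.ssl" log lines quoted in this
# thread (timestamps and ports are made up; the stack trace is abbreviated to two lines).
SAMPLE_LOG = """\
11-Apr-14 16:50:51,580|ERROR|LightstreamerLogger.connections.ssl|LS/SSL AUTH POOLED THREAD 1|Handshake error on Lightstreamer HTTPS Server: General SSLEngine problem on 192.168.1.107:63388.
11-Apr-14 16:50:54,819|ERROR|LightstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 3|Handshake error on Lightstreamer HTTPS Server: Received fatal alert: bad_certificate on 192.168.1.107:63389.
11-Apr-14 17:33:28,539|DEBUG|LightstreamerLogger.connections.ssl|LS/SSL AUTH POOLED THREAD 6|Handshake error on Lightstreamer HTTPS Server
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: unable to find valid certification path to requested target
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1662) ~[na:1.7.0_51]
14-Apr-14 19:56:45,980|INFO |LightstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49652.
14-Apr-14 19:56:48,457|ERROR|LightstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Broken pipe on 127.0.0.1:49653.
"""
PEER_RE = re.compile(r" on ([0-9A-Fa-f:.]+?)\.?\s*$")  # trailing "on <ip>:<port>."
# Ordered rules: first substring found wins -> (category, what it usually means).
RULES = [
    ("Received fatal alert: bad_certificate", ("client_rejected_server_cert",
     "browser refused the server cert: untrusted self-signed, incomplete chain, or CN/SAN mismatch")),
    ("Inbound closed before receiving peer's close_notify", ("client_aborted_handshake",
     "browser dropped the TCP connection mid-handshake, typical after refusing an untrusted cert")),
    ("Broken pipe", ("client_aborted_handshake",
     "server wrote to a socket the browser had already closed; same root cause as above")),
    ("General SSLEngine problem", ("needs_debug_trace",
     "generic JSSE failure; set connections.ssl to DEBUG and read the 'Caused by' chain")),
]

def classify_line(line):
    """Classify one 'Handshake error' line -> (category, meaning, peer) or None."""
    if "Handshake error" not in line or "|DEBUG|" in line:  # DEBUG lines only head a stack trace
        return None
    m = PEER_RE.search(line)
    peer = m.group(1) if m else None
    for needle, (cat, meaning) in RULES:
        if needle in line:
            return cat, meaning, peer
    return "unknown", "unrecognised handshake error", peer

def trace_shows_client_auth(text):
    """True when the *server* fails PKIX validation inside clientCertificate(): it is demanding a
    client certificate (<force_client_auth>/<use_client_auth> = Y) and cannot chain the one offered."""
    return "PKIX path building failed" in text and "ServerHandshaker.clientCertificate" in text

def triage(text):
    """Summarise a log excerpt: per-category counts, peers seen, and the client-auth flag."""
    hits = [h for h in map(classify_line, text.splitlines()) if h]
    return {"counts": dict(Counter(h[0] for h in hits)),
            "peers": sorted({h[2] for h in hits if h[2]}),
            "server_demands_client_cert": trace_shows_client_auth(text)}
```

    Run triage() over a real excerpt: a "server_demands_client_cert" of True means the fix is on the server (client-auth settings), while only "client_rejected_server_cert"/"client_aborted_handshake" hits point at the browser's trust in the server certificate.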

  6. #6
    Hi Giuseppe,

    I have had the chance to test with a different browser and the problem is still there; it just has a slightly different error message that is not useful.

    I have now set both <force_client_auth> and <use_client_auth> to N. You were right, they were set to Y before.

    I am now seeing a different exception: Broken Pipe

    14-Apr-14 19:56:45,732|INFO |LightstreamerLogger.init |main |TLS/SSL Server "Lightstreamer HTTPS Server" listening to *:443 ...
    14-Apr-14 19:56:45,732|INFO |LightstreamerLogger.init |main |Cipher Suites for "Lightstreamer HTTPS Server" will be forced from [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] to [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV].
    14-Apr-14 19:56:45,732|INFO |LightstreamerLogger.init |main |Handshake pool size set by default at 1.
    14-Apr-14 19:56:45,734|INFO |LightstreamerLogger.init |main |Server "Lightstreamer HTTP Server" listening to *:8080 ...
    14-Apr-14 19:56:45,979|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:49652
    14-Apr-14 19:56:45,980|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49652.
    14-Apr-14 19:56:46,910|INFO |LightstreamerMonitorText |Timer-0 |Total threads = 139, Total heap = 257425408 (free = 201925584), Sessions = 0 (max = 0), New sessions = [+0, -0], Connections = 0 (max = 1), New connections = [+1, -1], In-pool threads = 47, Active threads = 0, Available threads = 47, Queued tasks = 0, Pool queue wait = 0, NIO write queue = 0, NIO write queue wait = 0, NIO write selectors = 8, NIO total selectors = 64, Subscribed items = 0, Inbound throughput = 0 updates/s (pre-filtered = 0), Outbound throughput = 0 updates/s (0 kbit/s, max = 0), Lost updates = 0 (total = 0), Total bytes sent = 0, Client messages throughput = 0 msgs/s (0 kbit/s, max = 0), Total messages handled = 0, Extra sleep = 7, Notify delay = 0
    14-Apr-14 19:56:48,457|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 127.0.0.1:49653
    14-Apr-14 19:56:48,457|ERROR|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Broken pipe on 127.0.0.1:49653.
    14-Apr-14 19:56:48,462|DEBUG|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server
    java.io.IOException: Broken pipe
    at sun.nio.ch.FileDispatcherImpl.write0(Native Method) ~[na:1.7.0_51]
    at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47) ~[na:1.7.0_51]
    at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93) ~[na:1.7.0_51]
    at sun.nio.ch.IOUtil.write(IOUtil.java:65) ~[na:1.7.0_51]
    at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:487) ~[na:1.7.0_51]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.s.a(s.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.b.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.q.a(q.java) ~[lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.i.b(i.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.x.a(x.java) [lightstreamer.jar:na]
    at com.lightstreamer.j.a.a.w.run(w.java) [lightstreamer.jar:na]
    14-Apr-14 19:56:51,895|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:49654
    14-Apr-14 19:56:51,896|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49654.
    14-Apr-14 19:56:57,894|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 0:0:0:0:0:0:0:1:49655
    14-Apr-14 19:56:57,895|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Inbound closed before receiving peer's close_notify: possible truncation attack? on 0:0:0:0:0:0:0:1:49655.
    14-Apr-14 19:57:00,044|INFO |ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake failed on "Lightstreamer HTTPS Server" from 127.0.0.1:49656
    14-Apr-14 19:57:00,045|ERROR|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server: Broken pipe on 127.0.0.1:49656.
    14-Apr-14 19:57:00,045|DEBUG|ghtstreamerLogger.connections.ssl|LS/SSL HANDSHAKE SELECTOR 1|Handshake error on Lightstreamer HTTPS Server
    java.io.IOException: Broken pipe


    Do you have any idea what might be causing this?

    Thanks a lot
    Dorain

  7. #7
    Administrator
    We are currently aware of an issue with self-signed certificates and HTTPS connections from browsers that is solved by updating the Java version.
    I'm not sure that your case is of the same type, but can you please confirm the version of Java you are using, and/or give it a try with a newer version?

    Thank you.

  8. #8
    Hi - I am using Java:

    jdk1.7.0_51.jdk

    Is there an issue with this version?

    Thanks.

  9. #9
    Hi

    We are using version jdk1.7.0_51.jdk.

    Do we need to change the version?

    Thanks.

  10. #10
    Administrator
    Yes, can you please try with update 55 of Java 7?
