Please take a look at this (from a case I had); it could help.
On the UVMS server, we use AdoptOpenJDK 11 LTS (= 11.0.11+9).
I changed the log level to 3 and tried again. I got the error SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list
I found out it was linked to a bug in an old OpenSSL version (see https://stackoverflow.com/questions/10678695/in-python-3-2-i-can-open-and-read-an-https-web-page-with-http-client-but-urlli).
The workaround is to remove Elliptic Curve ciphers from the list of supported algorithms in the JVM.
I updated the conf\security\java.security configuration file in JRE 11.
Original line
#jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
# DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
# include jdk.disabled.namedCurves
Modified line => disable ALL EC algorithms
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
I restarted UVMS.
UNISSL set -enable on -msport 4443 returned success.
After the restart, the node is now SSL enabled.
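To see what the workaround above actually removes, here is an added Python model (not UVMS, JDK or the poster's code) that applies the two java.security lines to a constructed list of TLS 1.2 suite names. The matching rules are a deliberate simplification of the JDK's jdk.tls.disabledAlgorithms semantics, assumed for this example.

```python
import re

# The two java.security settings quoted in the thread (backslash continuations
# exactly as they appear in the file; the original line was commented out).
ORIGINAL = """#jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
# DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
# include jdk.disabled.namedCurves"""
MODIFIED = """jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
DH keySize < 1024, EC, 3DES_EDE_CBC, anon, NULL, \\
include jdk.disabled.namedCurves"""

# Constructed subset of the TLS 1.2 suites a JDK 11 server offers by default.
SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_NULL_SHA256",
]

def parse_constraints(text):
    """Join the backslash-continued lines, strip comment markers and return the
    comma-separated constraint list behind 'jdk.tls.disabledAlgorithms='."""
    joined = " ".join(l.lstrip("# ").rstrip("\\") for l in text.splitlines())
    value = joined.split("=", 1)[1]
    return [c.strip() for c in value.split(",") if c.strip()]

def disables(constraint, suite):
    """Simplified model of one name constraint: 'EC' covers every EC-based
    component (ECDHE/ECDH key exchange, ECDSA signatures); key-size and
    'include' constraints never remove a suite by name."""
    if "keySize" in constraint or constraint.startswith("include"):
        return False
    parts = suite.split("_")
    if constraint == "EC":
        return any(p.startswith("EC") for p in parts)
    return constraint in suite if "_" in constraint else constraint in parts

def enabled_suites(config_text, suites=SUITES):
    cons = parse_constraints(config_text)
    return [s for s in suites if not any(disables(c, s) for c in cons)]

def forward_secret(suite):
    """Only ephemeral key exchange (ECDHE or DHE) gives forward secrecy."""
    return re.match(r"TLS_(EC)?DHE_", suite) is not None
```

With a bare EC constraint, every ECDHE and ECDSA suite disappears and only DHE still provides forward secrecy; a client that does not offer DHE ends up on static RSA key exchange, so the workaround trades forward secrecy for compatibility with the old OpenSSL client.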
Original Message:
Sent: 05-10-2020 12:20 PM
From: Flavien
Subject: Dollar Universe - SSL Configuration
DUAS SSL
A few more details: I found an interesting error but I don't know what to make of it.
Problem during the SSL handshake: SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list
OS: Windows Server 2019 / Windows Server 2012R2
DUAS/UVMS Version: 6.10.31
Java Version: OpenJRE8U212b04 / Zulu8.46.0.19-ca-jdk8.0.252-win_x64
Note:
- DUAS & UVMS are on the same machine
- I did add the DUAS certificate to the UVMS KeyStore
- The UVMS certificate is part of the DUAS TRUSTEDCACERT
- The tests were run with the firewall disabled
- SSL port 4443
DUAS configuration
I enabled trace-level logging on DUAS and UVMS and I get a Java error :(
DUAS LOG
| 2020-05-12 22:01:19 |INFO |X|ssl|pid=2000.1576| o_set_ca_additional_certi | 2 additional SSL CA certificates
| 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| k_ReadILocal | local passphrase is [158931353940950000000000F09FB8]
| 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| u_io_connect | Call u_io_callsrv_connect_r: vl_noeud=[local], vl_company=[UNI610], vl_espace=[X], **connexion=[000000000013FA88], *connexion=[0000000000000000]
| 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| u_io_callsrv_connect_r | Begin: pf_node=[local], pf_io_company=[UNI610], pf_io_area=[X], **pf_connexion=[000000000013FA88], *pf_connexion=[0000000000000000]
| 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| u_io_callsrv_connect_r | Connecting IO server: node=[], service=[]
| 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| o_connect_auth | target is [UNI610]/[X]/[local]/[SIO]
| 2020-05-12 22:01:19 |INFO |X|ssl|pid=2000.1576| k_connect | u_req_serv - connection not established, making it...
| 2020-05-12 22:01:19 |INFO |X|ssl|pid=2000.1576| k_connect | socket not connected (-1), making connection... (time-out is 0)
| 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| u_connect | serv[UNI610_local_SIO_X/26665], host[/127.0.0.1]
| 2020-05-12 22:01:19 |INFO |X|ssl|pid=2000.1576| u_connect | calling 'socket' system call
| 2020-05-12 22:01:19 |INFO |X|ssl|pid=2000.1576| u_connect | socket returns 168
| 2020-05-12 22:01:19 |INFO |X|ssl|pid=2000.1576| u_connect | calling setsockopt on socket 168
| 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| u_connect | socket 168 created
| 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| u_retrieve_ipaddress_from | specified IP: 127.0.0.1
| 2020-05-12 22:01:19 |TRACE|X|ssl|pid=2000.1576| u_retrieve_ipaddress_from | inet_addr(ip '127.0.0.1') returns ip addr 16777343
| 2020-05-12 22:01:19 |INFO |X|ssl|pid=2000.1576| u_connect | calling connect on socket 168
| 2020-05-12 22:01:20 |INFO |X|ssl|pid=2000.1576| u_connect | connect returns -1
| 2020-05-12 22:01:20 |ERROR|X|ssl|pid=2000.1576| u_connect | connect(socket 168) returns error
| 2020-05-12 22:01:20 |TRACE|X|ssl|pid=2000.1576| u_close_socket | Closing socket 168.
| 2020-05-12 22:01:20 |INFO |X|ssl|pid=2000.1576| u_ferm_dial_serv | ok (terminated)
| 2020-05-12 22:01:20 |TRACE|X|ssl|pid=2000.1576| u_io_connect | **connexion=[000000000013FA88] *connexion=[0000000000000000]
| 2020-05-12 22:01:20 |INFO |X|ssl|pid=2000.1576| k_connect | u_req_serv - connection not established, making it...
| 2020-05-12 22:01:20 |INFO |X|ssl|pid=2000.1576| k_connect | socket not connected (-1), making connection... (time-out is 15)
| 2020-05-12 22:01:20 |INFO |X|ssl|pid=2000.1576| owls_ssl_client_startup | ssl client starting up
| 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| owls_ssl_client_startup | Additional CA certificate loaded: C:\Program Files\AUTOMIC\DUAS\UNI610_2012R2-U1\data\security\uvms.cer
| 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| owls_ssl_client_startup | Additional CA certificate loaded: C:\Program Files\AUTOMIC\DUAS\UNI610_2012R2-U1\data\security\ldap.cer
| 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| owls_ssl_client_startup | set cipher list successful (1)
| 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_connect_ssl | serv[AUT/23313], host[2012R2-U1.pepito.dc/]
| 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| o_connect_ssl | calling 'socket' system call
| 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| o_connect_ssl | socket returns 512
| 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| o_connect_ssl | calling setsockopt on socket 512
| 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_connect_ssl | socket 512 created
| 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_connect_ssl | Searching host '2012R2-U1.pepito.dc'...
| 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| u_gethostbyname_mf | calling gethostbyname(2012R2-U1.pepito.dc)
| 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| u_gethostbyname_mf | return gethostbyname
| 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| o_connect_ssl | calling connect on socket 512
| 2020-05-12 22:01:21 |INFO |X|ssl|pid=2000.1576| o_connect_ssl | connect returns 0
| 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_connect_ssl | Connection to service on port 4443 successful (socket 512)
| 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_connect_ssl | beginning to create ssl socket and handshake with ssl server on socket 512
| 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_connect_ssl | create ssl socket successfully on raw socket 512
| 2020-05-12 22:01:21 |ERROR|X|ssl|pid=2000.1576| o_connect_ssl | ssl session connect error, SSL connect error, error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list
| 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_close_socket_ssl | Clean shut down ssl socket 512
| 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_close_socket_ssl | calling close on ssl socket 512
| 2020-05-12 22:01:21 |TRACE|X|ssl|pid=2000.1576| o_close_socket_ssl | Closing ssl socket 512.
| 2020-05-12 22:01:21 |ERROR|X|ssl|pid=2000.1576| o_update_uvms_specif | Update is unable to connect to UVMS: 200
UVMS LOG
| 2020-05-12 22:01:21 |TRACE| SSL-Work-Processor | com.orsyp.central.server.SSLServerConnector$SSLServerRunnable | New connection created.
| 2020-05-12 22:01:21 |TRACE| SSL-Work-Processor | com.orsyp.central.server.SSLServerConnector$SSLServerRunnable | New connection created.
| 2020-05-12 22:01:21 |TRACE| SSL-Work-Processor | com.orsyp.central.server.SSLServerConnector$SSLServerRunnable | Creating new connection.
| 2020-05-12 22:01:21 |DEBUG| uvms-pool-1-tid-4 | com.orsyp.central.server.UniWorker | A new client is managed by the thread uvms-pool-1-tid-4.
| 2020-05-12 22:01:21 |TRACE| uvms-pool-1-tid-4 | com.orsyp.central.server.UniWorker | Connection closed
com.orsyp.UniverseException: read
    at com.orsyp.comm.server.CommunicationProtocolState.readBuffStream(CommunicationProtocolState.java:127)
    at com.orsyp.comm.server.CommunicationProtocolState.initiateHelloProtocolCommunication(CommunicationProtocolState.java:49)
    at com.orsyp.comm.server.ssl.SSLUniSocket.helloSocket(SSLUniSocket.java:186)
    at com.orsyp.comm.server.ssl.SSLUniSocket.readStream(SSLUniSocket.java:170)
    at com.orsyp.central.server.UniWorker.readHeaderMessages(UniWorker.java:131)
    at com.orsyp.central.server.UniWorker.run(UniWorker.java:101)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: javax.net.ssl.SSLException: readHandshakeRecord
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1068)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:395)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:711)
    at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:794)
    at java.base/java.io.FilterInputStream.read(FilterInputStream.java:133)
    at com.orsyp.comm.server.log.NetworkTrafficLogInputStream.read(NetworkTrafficLogInputStream.java:42)
    at java.base/java.io.BufferedInputStream.fill(BufferedInputStream.java:252)
    at java.base/java.io.BufferedInputStream.read1(BufferedInputStream.java:292)
    at java.base/java.io.BufferedInputStream.read(BufferedInputStream.java:351)
    at com.orsyp.comm.server.ssl.SSLUniSocket.read(SSLUniSocket.java:342)
    at com.orsyp.comm.server.CommunicationProtocolState.readBuffStream(CommunicationProtocolState.java:108)
    ... 8 more
    Suppressed: java.net.SocketException: Connection reset by peer: socket write error
        at java.base/java.net.SocketOutputStream.socketWrite0(Native Method)
        at java.base/java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:110)
        at java.base/java.net.SocketOutputStream.write(SocketOutputStream.java:150)
        at java.base/sun.security.ssl.SSLSocketOutputRecord.encodeAlert(SSLSocketOutputRecord.java:81)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:357)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:400)
        ... 17 more
Caused by: java.net.SocketException: Connection reset by peer: socket write error
    at java.base/java.net.SocketOutputStream.socketWrite0(Native Method)
    at java.base/java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:110)
    at java.base/java.net.SocketOutputStream.write(SocketOutputStream.java:150)
    at java.base/sun.security.ssl.SSLSocketOutputRecord.flush(SSLSocketOutputRecord.java:251)
    at java.base/sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:89)
    at java.base/sun.security.ssl.ECDHServerKeyExchange$ECDHServerKeyExchangeProducer.produce(ECDHServerKeyExchange.java:504)
    at java.base/sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1102)
    at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:854)
    at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:813)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:168)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1148)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1057)
    ... 18 more
| 2020-05-12 22:01:21 |DEBUG| uvms-pool-1-tid-4 | com.orsyp.central.server.UniWorker | Client managed by the thread uvms-pool-1-tid-4 terminated.
See the attachment in POST#1