openJDK and PHP SSL connection fails

1
votes

I am creating a SOAP server on a ubuntu machine, the connection is fine when using Oracle jre, but fails when using openJDK.

Can anyone help me identify the problem, or a workaround?

Below is a lot of information and source code, which hopefully will help.

$ java -version
java version "1.6.0_23"
OpenJDK Runtime Environment (IcedTea6 1.11pre) (6b23~pre11-0ubuntu1.11.10.2)
OpenJDK 64-Bit Server VM (build 20.0-b11, mixed mode)

Server code:

  public class MainClass {

    public static void main(String[] args) {
        System.out.println("Hello, world");
        int port = 8001;
        try {

            String keystoreFile = System.getProperty("user.dir") + "/keystore.pkcs12";

            System.out.println("Keystore " + keystoreFile);
            String keystorePassword = "password";

            InetAddress hostname = InetAddress.getByName("0.0.0.0");

            Object implementor = new DummyService();

            SSLContext ssl = SSLContext.getInstance("TLS");

            KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            KeyStore store = KeyStore.getInstance("PKCS12");

            store.load(new FileInputStream(keystoreFile), keystorePassword.toCharArray());

            keyFactory.init(store, keystorePassword.toCharArray());

            KeyStore tstore = KeyStore.getInstance("PKCS12");
            tstore.load(new FileInputStream(keystoreFile), keystorePassword.toCharArray());
            TrustManagerFactory trustFactory = TrustManagerFactory.getInstance("SunX509");
            trustFactory.init(tstore);

            ssl.init(keyFactory.getKeyManagers(),
                    trustFactory.getTrustManagers(), null);

            HttpsConfigurator configurator = new HttpsConfigurator(ssl);


            HttpsServer httpsServer = HttpsServer.create(new InetSocketAddress(hostname, port), port);

            httpsServer.setHttpsConfigurator(configurator);

            HttpContext httpContext = httpsServer.createContext("/SoapContext/SoapPort");

            httpsServer.start();

            Endpoint endpoint = Endpoint.create(implementor);
            endpoint.publish(httpContext);
            System.out.println(httpsServer.getAddress());
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }
  }

PHP test code:

$client = new SoapClient("https://host:8001/SoapContext/SoapPort?wsdl");
var_dump($client);

Result with oracle java:

object(SoapClient)#1 (3) {
  ["_stream_context"]=>
  resource(4) of type (stream-context)
  ["_soap_version"]=>
  int(1)
  ["sdl"]=>
  resource(8) of type (Unknown)
}

Result with openJDK java:

PHP Fatal error:  SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://host:8001/SoapContext/SoapPort?wsdl' : failed to load external entity "https://host:8001/SoapContext/SoapPort?wsdl"
 in /tmp/bla.php on line 9
PHP Fatal error:  Uncaught SoapFault exception: [WSDL] SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://host:8001/SoapContext/SoapPort?wsdl' : failed to load external entity "https://host:8001/SoapContext/SoapPort?wsdl"
 in /tmp/bla.php:9
Stack trace:
#0 /tmp/bla.php(9): SoapClient->SoapClient('https://host...', Array)
#1 {main}
  thrown in /tmp/bla.php on line 9

Fatal error: Uncaught SoapFault exception: [WSDL] SOAP-ERROR: Parsing WSDL: Couldn't load from 'https://host:8001/SoapContext/SoapPort?wsdl' : failed to load external entity "https://host:8001/SoapContext/SoapPort?wsdl"
 in /tmp/bla.php:9
Stack trace:
#0 /tmp/bla.php(9): SoapClient->SoapClient('host...', Array)
#1 {main}
  thrown in /tmp/bla.php on line 9

(OpenJDK) openssl s_client -connect https://host:8001/SoapContext/SoapPort?wsdl -ssl3 returns:


New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 4F5625733BA7E6D790FFB02549A81A511EA097BB397BC197469174C77928EFF4
    Session-ID-ctx: 
    Master-Key: 5C0112457F7D3157FFCA03C1F5CAF7BC72CCDBD605B44E0C48663E171C8B6ED43AC1FF1DD3734F32714DDFD160E726C9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1331045748
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)

(OpenJDK) openssl s_client -connect https://host:8001/SoapContext/SoapPort?wsdl -tls1 returns:

CONNECTED(00000003)
140061171041952:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1331045776
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
2
javaphpsslopensslopenjdk
Perhaps policy tools missing in openjdk? - Alfabravo

2 Answers

2
votes

The problem turns out to be related to the "SunPKCS11" provider, which is enabled by default in ubuntu's OpenJDK installations.
The problem can be resolved by removing sun.security.pkcs11.SunPKCS11 from $JAVA_HOME/jre/lib/security/java.security

Update: I have created a bug report for this issue, consider "affects me too" if this issue concerns you https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/948875.

0
votes

I have the same problem (Ubuntu 12.04 + openjdk-7-jre-headless + Tomcat with SSL):

$ curl -ik https://192.168.x.x:8443/

curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

$ openssl s_client -connect 192.168.x.x:8443

CONNECTED(00000003)
3073509576:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:724:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 225 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

my solution was setting "ciphers" param in tomcat/conf/server.xml:

<Connector port="8443"
           protocol="HTTP/1.1"
           URIEncoding="ISO-8859-1"
           enableLookups="false"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="flse" sslProtocol="TLS"
           keystoreFile="server.p12"
           keystoreType="PKCS12" keystorePass="changeit"
           truststoreFile="trusted.jks"
           truststoreType="JKS" truststorePass="changeit"
           ciphers="TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA"
/>

From client code you can do anything like this to limit protos and ciphers:

public static SSLParameters setupSSLParams(final SSLContext ctx) {
    List<String> protos = new ArrayList<String>();
    protos.add("TLSv1");
    protos.add("SSLv3");
    List<String> suites = new ArrayList<String>();
    suites.add("TLS_RSA_WITH_AES_256_CBC_SHA");
    suites.add("TLS_RSA_WITH_AES_128_CBC_SHA");
    suites.add("SSL_RSA_WITH_3DES_EDE_CBC_SHA");
    suites.add("SSL_RSA_WITH_RC4_128_SHA");
    SSLParameters sslParams = ctx.getSupportedSSLParameters();
    protos.retainAll(Arrays.asList(sslParams.getProtocols()));
    suites.retainAll(Arrays.asList(sslParams.getCipherSuites()));
    sslParams.setProtocols(protos.toArray(new String[0]));
    sslParams.setCipherSuites(suites.toArray(new String[0]));
    return sslParams;
}