javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2

18,496

Solution 1

In my experience this exception happens when a client certificate has expired. You can verify your JKS client certificate with:

    keytool -list -keystore client.keystore.jks -v

and check the Valid from ... to ...

Solution 2

I think there is no general fix for this error. The best way is to start over and follow exactly the steps mentioned in https://kafka.apache.org/documentation/#security_ssl_ca.

I had the same error. It was caused by my mistake: I missed the alias in the last step, when I registered the signed CA request file. The steps below work for me.

    - name: Generate keystore certificate
      command: "keytool -genkey -keystore /home/vagrant/auth/kafka.client{{kafka_broker_id}}.keystore.jks -validity 365 -storepass clientpass -keypass clientpass -dname 'CN=broker{{kafka_broker_id}}' -alias client-broker{{kafka_broker_id}} -storetype pkcs12"

    # getting the signed version of the certificate - first step
    - name: Certification request certificate
      command: "keytool -keystore /home/vagrant/auth/kafka.client{{kafka_broker_id}}.keystore.jks -certreq -file /home/vagrant/auth/client-cert-file-broker{{kafka_broker_id}} -alias client-broker{{kafka_broker_id}} -storepass clientpass -keypass clientpass"

    # output will be the signed certificate of the Kafka broker
    - name: Sign certificate request with CA
      command: "openssl x509 -req -CA /home/vagrant/ssl/ca-cert -CAkey /home/vagrant/ssl/ca-key -in /home/vagrant/auth/client-cert-file-broker{{kafka_broker_id}} -out /home/vagrant/auth/client-cert-signed-{{kafka_broker_id}} -days 365 -CAcreateserial -passin pass:serversecret"

    - name: Import public CA to client keystore
      command: "keytool -keystore /home/vagrant/auth/kafka.client{{kafka_broker_id}}.keystore.jks -alias CARoot -import -file /home/vagrant/ssl/ca-cert -storepass clientpass -keypass clientpass -noprompt"

    - name: Import signed host certificate by CA to keystore.jks
      command: "keytool -keystore /home/vagrant/auth/kafka.client{{kafka_broker_id}}.keystore.jks -import -file /home/vagrant/auth/client-cert-signed-{{kafka_broker_id}} -alias client-broker{{kafka_broker_id}} -storepass clientpass -keypass clientpass -noprompt"

To make authentication work correctly you need to add a truststore; the one from the Kafka broker could be used.

Solution 3

This issue occurs when the client certificate does not have clientAuth in extended key usage.

See https://security.stackexchange.com/a/84822. And for Java, how it might be implemented on the server you're talking to: https://docs.oracle.com/javase/10/docs/api/javax/net/ssl/X509ExtendedTrustManager.html
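
A pre-flight check for the causes named in the answers above (expired certificate, missing clientAuth in extended key usage) and the not-yet-valid case reported in the comments, as an added example that is not part of the original answers. It assumes OpenSSL and GNU date are installed; the function names, result strings and the throwaway certificates it generates are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Checks a PEM client certificate before it is used for TLS
# client authentication. Export a keystore entry first, for example:
#   keytool -exportcert -rfc -alias <alias> -keystore client.keystore.jks -file client.pem

# Convert an openssl date such as "Jun  9 10:17:24 2015 GMT" to epoch seconds.
to_epoch() { date -u -d "$1" +%s; }   # assumes GNU date

# check_client_cert PEM [NOW_EPOCH]
# Prints OK, or one finding per line (NOT_YET_VALID, EXPIRED, NO_CLIENT_AUTH).
# Returns 0 for OK, 1 for findings, 2 if the file is not a readable certificate.
check_client_cert() {
  local pem="$1" now="${2:-$(date -u +%s)}" rc=0 nb na
  openssl x509 -in "$pem" -noout 2>/dev/null || { echo "UNREADABLE"; return 2; }
  nb=$(to_epoch "$(openssl x509 -in "$pem" -noout -startdate | cut -d= -f2)")
  na=$(to_epoch "$(openssl x509 -in "$pem" -noout -enddate | cut -d= -f2)")
  # A wrong system clock makes a freshly issued certificate "not yet valid".
  if [ "$now" -lt "$nb" ]; then echo "NOT_YET_VALID"; rc=1; fi
  if [ "$now" -gt "$na" ]; then echo "EXPIRED"; rc=1; fi
  # -purpose evaluates keyUsage and extendedKeyUsage together. A certificate
  # with no extendedKeyUsage at all passes; one restricted to other purposes
  # (for example serverAuth only) does not.
  if ! openssl x509 -in "$pem" -noout -purpose | grep -q '^SSL client : Yes'; then
    echo "NO_CLIENT_AUTH"; rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "OK"; fi
  return "$rc"
}

# make_sample_cert OUT_PEM EKU: constructed throwaway self-signed certificate
# (1 day validity) carrying the given extendedKeyUsage; the key is discarded.
make_sample_cert() {
  local tmp; tmp=$(mktemp -d)
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' 'x509_extensions=ext' \
    '[dn]' 'CN=constructed-sample' '[ext]' "extendedKeyUsage=$2" > "$tmp/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$tmp/req.cnf" \
    -keyout "$tmp/key.pem" -out "$1" 2>/dev/null
  local rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Demo on constructed certificates: one usable for client auth, one not.
demo() {
  local d f; d=$(mktemp -d)
  make_sample_cert "$d/client.pem" clientAuth
  make_sample_cert "$d/server-only.pem" serverAuth
  for f in client server-only; do
    printf '%s: ' "$f"
    check_client_cert "$d/$f.pem" | tr '\n' ' '
    echo
  done
  rm -rf "$d"
}

# With an argument, check that file; without one, run the demo.
if [ "$#" -gt 0 ]; then check_client_cert "$@"; else demo; fi
```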

Author by

Admin

Updated on June 05, 2022

Comments

  • Admin
    Admin almost 2 years

    I am trying to establish a TLS secured (with client authentication) connection over the XMPP protocol. I am using the standard port rather than dedicated SSL port, which apparently is deprecated. The startTLS process never completes the handshake.

    I am receiving: javax.net.ssl.SSLProtocolException: Handshake message sequence violation, 2

    Excerpts from debug show that my client receives an unexpected message from server. The CertificateRequest is sent from server but CA list is empty.

    Are there very many things that can cause this handshake violation (2)? What might cause the server not to send the acceptable authorities which are configured in its truststore?

    Thanks for any insight.

    UPDATED:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @@@@@@@ PROTOTYPE: TLS client authentication XMPP connection. @@@@@@@
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    USER: 111111
    OS:   Windows 7
    Java: C:\Program Files (x86)\Java\jdk1.8.0_45\jre
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Loading trusted authorities from trust store...
    adding as trusted cert:
    ...(trimmed)
    
    Loading credentials from key store...
    ***
    found key for : Signing Certificate - John K. Doe
    chain [0] = [
    ...(trimmed)
    ***
    Initializing SSL context for TLS...
    trigger seeding of SecureRandom
    done seeding SecureRandom
    Using SSLEngineImpl.
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @@@@@@@ PROTOTYPE: Built XMPP connection configuration. @@@@@@@
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Connection instantiated.
    10:17:24 AM SENT (0): <stream:stream xmlns='jabber:client' to='steerage.org' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' xml:lang='en'>
    10:17:24 AM RECV (0): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="steerage.org" id="e7e393bd" xml:lang="en" version="1.0"><stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>EXTERNAL</mechanism></mechanisms></stream:features>
    10:17:24 AM SENT (0): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'></starttls>
    10:17:24 AM RECV (0): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
    Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
    %% No cached client session
    *** ClientHello, TLSv1.2
    RandomCookie:  GMT: 1433793908 bytes = { 4, 180, 17, 97, 147, 6, 68, 124, 234, 40, 155, 145, 132, 27, 164, 29, 175, 239, 139, 23, 14, 133, 162, 215, 44, 220, 241, 2 }
    Session ID:  {}
    Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
    Compression Methods:  { 0 }
    Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
    Extension ec_point_formats, formats: [uncompressed]
    Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
    Extension server_name, server_name: [type=host_name (0), value=steerage.org]
    ***
    Smack Packet Reader (0), WRITE: TLSv1.2 Handshake, length = 239
    Smack Packet Reader (0), READ: TLSv1.2 Handshake, length = 3708
    *** ServerHello, TLSv1.2
    RandomCookie:  GMT: 1433793908 bytes = { 238, 60, 108, 5, 104, 190, 219, 147, 215, 187, 195, 89, 114, 224, 165, 213, 141, 48, 112, 176, 129, 42, 78, 190, 196, 119, 143, 101 }
    Session ID:  {85, 118, 245, 116, 90, 98, 141, 24, 47, 246, 162, 187, 92, 255, 11, 153, 45, 237, 178, 52, 9, 196, 116, 50, 61, 190, 48, 63, 26, 70, 155, 58}
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    Compression Method: 0
    Extension renegotiation_info, renegotiated_connection: <empty>
    ***
    %% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
    ** TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    *** Certificate chain
    chain [0] = [
    [
      Version: V3
      Subject: CN=steerage....(trimmed)
    
    ***
    Found trusted certificate:
    [
    [
      Version: V3
      Subject: CN=TKT Root CA 2, ...(trimmed)
    
    *** ECDH ServerKeyExchange
    Signature Algorithm SHA512withRSA
    Server key: Sun EC public key, 256 bits
      public x coord: 16285061615265061295479758192758299168932729034919494399422438099012833644130
      public y coord: 91712186275093768179410924600166089746856150468196826634149937267800342978949
      parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
    *** CertificateRequest
    Cert Types: RSA, DSS, ECDSA
    Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
    Cert Authorities:
    <Empty>
    *** ServerHelloDone
    matching alias: john.k.doe.1258700011
    matching alias: Card Authentication Certificate
    matching alias: Authentication Certificate - John K. Doe
    matching alias: Encryption Certificate - John K. Doe (Archived) - 12/4/2013
    matching alias: [email protected]
    matching alias: Signing Certificate - John K. Doe
    matching alias: Encryption Certificate - John K. Doe
    org.jivesoftware.smack.SmackException$NoResponseException: No response received within reply timeout. Timeout was 5000ms (~5s). Used filter: No filter used or filter was 'null'.
        at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:106)
        at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:85)
        at org.jivesoftware.smack.SynchronizationPoint.checkForResponse(SynchronizationPoint.java:192)
        at org.jivesoftware.smack.SynchronizationPoint.checkIfSuccessOrWait(SynchronizationPoint.java:114)
        at org.jivesoftware.smack.SynchronizationPoint.checkIfSuccessOrWaitOrThrow(SynchronizationPoint.java:97)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection.connectInternal(XMPPTCPConnection.java:837)
        at org.jivesoftware.smack.AbstractXMPPConnection.connect(AbstractXMPPConnection.java:360)
        at pke4chat.TestProtoType.main(TestProtoType.java:87)
    10:17:29 AM SENT (0): <presence id='c06He-3' type='unavailable'><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.igniterealtime.org/projects/smack' ver='NfJ3flI83zSdUDzCEICtbypursw='/></presence>
    *** Certificate chain
    chain [0] = [
    [
      Version: V3
      Subject: CN=John K. Doe, ...(trimmed)
    
    ***
    *** ECDHClientKeyExchange
    ECDH Public value:  { 4, 183, 254, 13, 26, 104, 205, 105, 32, 193, 10, 62, 33, 82, 142, 4, 183, 231, 178, 204, 126, 170, 178, 111, 33, 155, 241, 187, 146, 182, 254, 138, 117, 145, 170, 80, 32, 176, 179, 113, 157, 193, 210, 75, 2, 195, 132, 111, 210, 183, 73, 98, 15, 201, 170, 127, 36, 15, 233, 126, 38, 225, 193, 6, 71 }
    Smack Packet Reader (0), WRITE: TLSv1.2 Handshake, length = 5387
    ... no IV derived for this protocol
    Jun 09, 2015 10:17:34 AM org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketWriter shutdown
    WARNING: shutdownDone was not marked as successful by the writer thread
    org.jivesoftware.smack.SmackException$NoResponseException: No response received within reply timeout. Timeout was 5000ms (~5s). Used filter: No filter used or filter was 'null'.
        at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:106)
        at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:85)
        at org.jivesoftware.smack.SynchronizationPoint.checkForResponse(SynchronizationPoint.java:192)
        at org.jivesoftware.smack.SynchronizationPoint.checkIfSuccessOrWait(SynchronizationPoint.java:114)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketWriter.shutdown(XMPPTCPConnection.java:1265)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection.shutdown(XMPPTCPConnection.java:494)
        at org.jivesoftware.smack.tcp.XMPPTCPConnection.shutdown(XMPPTCPConnection.java:476)
        at org.jivesoftware.smack.AbstractXMPPConnection.disconnect(AbstractXMPPConnection.java:666)
        at org.jivesoftware.smack.AbstractXMPPConnection.disconnect(AbstractXMPPConnection.java:646)
        at pke4chat.TestProtoType.main(TestProtoType.java:105)
    
    main, called close()
    main, called closeInternal(true)
    *** CertificateVerify
    Signature Algorithm SHA512withRSA
    Smack Packet Reader (0), WRITE: TLSv1.2 Handshake, length = 264
    Smack Packet Reader (0), WRITE: TLSv1.2 Change Cipher Spec, length = 1
    *** Finished
    verify_data:  { 49, 187, 92, 176, 21, 132, 60, 183, 10, 47, 235, 93 }
    ***
    Smack Packet Reader (0), WRITE: TLSv1.2 Handshake, length = 80
    main, SEND TLSv1.2 ALERT:  warning, description = close_notify
    main, WRITE: TLSv1.2 Alert, length = 64
    main, called closeSocket(true)
    Smack Packet Writer (0), handling exception: java.net.SocketException: Socket closed
    %% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
    Smack Packet Writer (0), called closeSocket()
    Smack Packet Reader (0), handling exception: java.net.SocketException: Socket closed
    
  • fzmaster
    fzmaster almost 6 years
    Did not work for me. Actually, I created my certificate.
  • fzmaster
    fzmaster almost 6 years
    I also have this problem in Kafka when ssl.client.auth=required is set. But if you remove this line of config, you will take away the reason for using security in Kafka. So there should be another way of solving this.
  • Kalli
    Kalli over 5 years
    No, this is not about disabling SSL or security. If you enable SSL, the client will connect to the server and communication is encrypted with the server certificate. The client can also verify the auth of the server using the server certificate. If you do enable this parameter "ssl.client.auth=required", then additional checking takes place. The server will ask for a certificate from the client. If the client can't auth, the communication will not take place. This is the problem. If you want to enable this, then you also need to add the client certificate to the broker if it is not trusted.
  • tgcloud
    tgcloud over 5 years
    @Anders: I was facing a similar issue. After reading your answer I noticed my certificate was valid from the next day, since my NTP was not configured properly! Fixing NTP and regenerating the certs resolved my issue! Thanks
  • Fourat
    Fourat about 5 years
    Please provide more details in your answer.
  • Frischling
    Frischling over 4 years
    An expired certificate was not the case for me; maybe Extended Key Usages has to include clientAuth as suggested by @Deca
  • Frischling
    Frischling over 4 years
    I can confirm the error and the wrong ExtendedKeyUsage.
  • Frischling
    Frischling over 4 years
    Still, removing client auth is reducing security, depending on how secure you need to be. I, for example, can't switch off client.auth.