Examples with SSLHandshakeException javax.net.ssl.SSLHandshakeException used on opensource projects

Example 1 with SSLHandshakeException

use of javax.net.ssl.SSLHandshakeException in project camel by apache.

the class SslContextParametersMailRouteTest method testSendAndReceiveMailsWithCustomTrustStore.

@Test
public void testSendAndReceiveMailsWithCustomTrustStore() throws Exception {
    context.addRoutes(new RouteBuilder() {

        public void configure() {
            from("direct:in").to("smtps://" + smtpHost + "?username=" + username + "&password=" + password + "&sslContextParameters=#sslContextParameters");
        }
    });
    context.start();
    Map<String, Object> headers = new HashMap<String, Object>();
    headers.put("To", email);
    headers.put("From", email);
    headers.put("Reply-to", email);
    headers.put("Subject", "SSL/TLS Test");
    try {
        template.sendBodyAndHeaders("direct:in", "Test Email Body", headers);
        fail("Should have thrown exception");
    } catch (CamelExecutionException e) {
        assertTrue(e.getCause().getCause() instanceof SSLHandshakeException);
        assertTrue(e.getCause().getCause().getMessage().contains("unable to find valid certification path to requested target"));
    }
}

Example 2 with SSLHandshakeException

use of javax.net.ssl.SSLHandshakeException in project hadoop by apache.

the class TestSSLHttpServer method testExcludedCiphers.

/**
   * Test that verifies that excluded ciphers (SSL_RSA_WITH_RC4_128_SHA,
   * TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,
   * TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA) are not
   * available for negotiation during SSL connection.
   */
@Test
public void testExcludedCiphers() throws Exception {
    URL url = new URL(baseUrl, "/echo?a=b&c=d");
    HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
    SSLSocketFactory sslSocketF = clientSslFactory.createSSLSocketFactory();
    PrefferedCipherSSLSocketFactory testPreferredCipherSSLSocketF = new PrefferedCipherSSLSocketFactory(sslSocketF, excludeCiphers.split(","));
    conn.setSSLSocketFactory(testPreferredCipherSSLSocketF);
    assertFalse("excludedCipher list is empty", excludeCiphers.isEmpty());
    try {
        InputStream in = conn.getInputStream();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        IOUtils.copyBytes(in, out, 1024);
        fail("No Ciphers in common, SSLHandshake must fail.");
    } catch (SSLHandshakeException ex) {
        LOG.info("No Ciphers in common, expected succesful test result.", ex);
    }
}

Example 3 with SSLHandshakeException

use of javax.net.ssl.SSLHandshakeException in project hadoop by apache.

the class TestSSLHttpServer method testExclusiveEnabledCiphers.

/** Test verifies that mutually exclusive server's disabled cipher suites and
   * client's enabled cipher suites can successfully establish TLS connection.
   */
@Test
public void testExclusiveEnabledCiphers() throws Exception {
    URL url = new URL(baseUrl, "/echo?a=b&c=d");
    HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
    SSLSocketFactory sslSocketF = clientSslFactory.createSSLSocketFactory();
    PrefferedCipherSSLSocketFactory testPreferredCipherSSLSocketF = new PrefferedCipherSSLSocketFactory(sslSocketF, exclusiveEnabledCiphers.split(","));
    conn.setSSLSocketFactory(testPreferredCipherSSLSocketF);
    assertFalse("excludedCipher list is empty", exclusiveEnabledCiphers.isEmpty());
    try {
        InputStream in = conn.getInputStream();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        IOUtils.copyBytes(in, out, 1024);
        assertEquals(out.toString(), "a:b\nc:d\n");
        LOG.info("Atleast one additional enabled cipher than excluded ciphers," + " expected successful test result.");
    } catch (SSLHandshakeException ex) {
        fail("Atleast one additional cipher available for successful handshake." + " Unexpected test failure: " + ex);
    }
}

Example 4 with SSLHandshakeException

use of javax.net.ssl.SSLHandshakeException in project hadoop by apache.

the class TestSSLFactory method testServerWeakCiphers.

@Test
public void testServerWeakCiphers() throws Exception {
    // a simple test case to verify that SSL server rejects weak cipher suites,
    // inspired by https://docs.oracle.com/javase/8/docs/technotes/guides/
    //            security/jsse/samples/sslengine/SSLEngineSimpleDemo.java
    // set up a client and a server SSLEngine object, and let them exchange
    // data over ByteBuffer instead of network socket.
    GenericTestUtils.setLogLevel(SSLFactory.LOG, Level.DEBUG);
    final Configuration conf = createConfiguration(true, true);
    SSLFactory serverSSLFactory = new SSLFactory(SSLFactory.Mode.SERVER, conf);
    SSLFactory clientSSLFactory = new SSLFactory(SSLFactory.Mode.CLIENT, conf);
    serverSSLFactory.init();
    clientSSLFactory.init();
    SSLEngine serverSSLEngine = serverSSLFactory.createSSLEngine();
    SSLEngine clientSSLEngine = clientSSLFactory.createSSLEngine();
    // client selects cipher suites excluded by server
    clientSSLEngine.setEnabledCipherSuites(excludeCiphers.split(","));
    // use the same buffer size for server and client.
    SSLSession session = clientSSLEngine.getSession();
    int appBufferMax = session.getApplicationBufferSize();
    int netBufferMax = session.getPacketBufferSize();
    ByteBuffer clientOut = ByteBuffer.wrap("client".getBytes());
    ByteBuffer clientIn = ByteBuffer.allocate(appBufferMax);
    ByteBuffer serverOut = ByteBuffer.wrap("server".getBytes());
    ByteBuffer serverIn = ByteBuffer.allocate(appBufferMax);
    // send data from client to server
    ByteBuffer cTOs = ByteBuffer.allocateDirect(netBufferMax);
    // send data from server to client
    ByteBuffer sTOc = ByteBuffer.allocateDirect(netBufferMax);
    boolean dataDone = false;
    try {
        /**
       * Server and client engines call wrap()/unwrap() to perform handshaking,
       * until both engines are closed.
       */
        while (!isEngineClosed(clientSSLEngine) || !isEngineClosed(serverSSLEngine)) {
            LOG.info("client wrap " + wrap(clientSSLEngine, clientOut, cTOs));
            LOG.info("server wrap " + wrap(serverSSLEngine, serverOut, sTOc));
            cTOs.flip();
            sTOc.flip();
            LOG.info("client unwrap " + unwrap(clientSSLEngine, sTOc, clientIn));
            LOG.info("server unwrap " + unwrap(serverSSLEngine, cTOs, serverIn));
            cTOs.compact();
            sTOc.compact();
            if (!dataDone && (clientOut.limit() == serverIn.position()) && (serverOut.limit() == clientIn.position())) {
                checkTransfer(serverOut, clientIn);
                checkTransfer(clientOut, serverIn);
                LOG.info("closing client");
                clientSSLEngine.closeOutbound();
                dataDone = true;
            }
        }
        Assert.fail("The exception was not thrown");
    } catch (SSLHandshakeException e) {
        GenericTestUtils.assertExceptionContains("no cipher suites in common", e);
    }
}

Example 5 with SSLHandshakeException

use of javax.net.ssl.SSLHandshakeException in project Openfire by igniterealtime.

the class LocalOutgoingServerSession method createOutgoingSession.

/**
     * Establishes a new outgoing session to a remote domain. If the remote domain supports TLS and SASL then the new
     * outgoing connection will be secured with TLS and authenticated  using SASL. However, if TLS or SASL is not
     * supported by the remote domain or if an error occurred while securing or authenticating the connection using SASL
     * then server dialback will be used.
     *
     * @param localDomain the local domain to authenticate with the remote domain.
     * @param remoteDomain the remote domain.
     * @param port default port to use to establish the connection.
     * @return new outgoing session to a remote domain, or null.
     */
private static LocalOutgoingServerSession createOutgoingSession(String localDomain, String remoteDomain, int port) {
    final Logger log = LoggerFactory.getLogger(Log.getName() + "[Create outgoing session for: " + localDomain + " to " + remoteDomain + "]");
    log.debug("Creating new session...");
    // Connect to remote server using XMPP 1.0 (TLS + SASL EXTERNAL or TLS + server dialback or server dialback)
    log.debug("Creating plain socket connection to a host that belongs to the remote XMPP domain.");
    final Socket socket = SocketUtil.createSocketToXmppDomain(remoteDomain, port);
    if (socket == null) {
        log.info("Unable to create new session: Cannot create a plain socket connection with any applicable remote host.");
        return null;
    }
    SocketConnection connection = null;
    try {
        connection = new SocketConnection(XMPPServer.getInstance().getPacketDeliverer(), socket, false);
        log.debug("Send the stream header and wait for response...");
        StringBuilder openingStream = new StringBuilder();
        openingStream.append("<stream:stream");
        openingStream.append(" xmlns:db=\"jabber:server:dialback\"");
        openingStream.append(" xmlns:stream=\"http://etherx.jabber.org/streams\"");
        openingStream.append(" xmlns=\"jabber:server\"");
        // OF-673
        openingStream.append(" from=\"").append(localDomain).append("\"");
        openingStream.append(" to=\"").append(remoteDomain).append("\"");
        openingStream.append(" version=\"1.0\">");
        connection.deliverRawText(openingStream.toString());
        // Set a read timeout (of 5 seconds) so we don't keep waiting forever
        int soTimeout = socket.getSoTimeout();
        socket.setSoTimeout(5000);
        XMPPPacketReader reader = new XMPPPacketReader();
        reader.getXPPParser().setInput(new InputStreamReader(socket.getInputStream(), StandardCharsets.UTF_8));
        // Get the answer from the Receiving Server
        XmlPullParser xpp = reader.getXPPParser();
        for (int eventType = xpp.getEventType(); eventType != XmlPullParser.START_TAG; ) {
            eventType = xpp.next();
        }
        String serverVersion = xpp.getAttributeValue("", "version");
        String id = xpp.getAttributeValue("", "id");
        log.debug("Got a response (stream ID: {}, version: {}). Check if the remote server is XMPP 1.0 compliant...", id, serverVersion);
        if (serverVersion != null && decodeVersion(serverVersion)[0] >= 1) {
            log.debug("The remote server is XMPP 1.0 compliant (or at least reports to be).");
            // Restore default timeout
            socket.setSoTimeout(soTimeout);
            log.debug("Processing stream features of the remote domain...");
            Element features = reader.parseDocument().getRootElement();
            if (features != null) {
                log.debug("Check if both us as well as the remote server have enabled STARTTLS and/or dialback ...");
                final boolean useTLS = JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_ENABLED, true);
                if (useTLS && features.element("starttls") != null) {
                    log.debug("Both us and the remote server support the STARTTLS feature. Secure and authenticate the connection with TLS & SASL...");
                    LocalOutgoingServerSession answer = secureAndAuthenticate(remoteDomain, connection, reader, openingStream, localDomain);
                    if (answer != null) {
                        log.debug("Successfully secured/authenticated the connection with TLS/SASL)!");
                        // Everything went fine so return the secured and
                        // authenticated connection
                        log.debug("Successfully created new session!");
                        return answer;
                    }
                    log.debug("Unable to secure and authenticate the connection with TLS & SASL.");
                } else if (connection.getTlsPolicy() == Connection.TLSPolicy.required) {
                    log.debug("I have no StartTLS yet I must TLS");
                    connection.close();
                    return null;
                } else // Check if we are going to try server dialback (XMPP 1.0)
                if (ServerDialback.isEnabled() && features.element("dialback") != null) {
                    log.debug("Both us and the remote server support the 'dialback' feature. Authenticate the connection with dialback...");
                    ServerDialback method = new ServerDialback(connection, localDomain);
                    OutgoingServerSocketReader newSocketReader = new OutgoingServerSocketReader(reader);
                    if (method.authenticateDomain(newSocketReader, localDomain, remoteDomain, id)) {
                        log.debug("Successfully authenticated the connection with dialback!");
                        StreamID streamID = new BasicStreamIDFactory().createStreamID(id);
                        LocalOutgoingServerSession session = new LocalOutgoingServerSession(localDomain, connection, newSocketReader, streamID);
                        connection.init(session);
                        // Set the hostname as the address of the session
                        session.setAddress(new JID(null, remoteDomain, null));
                        log.debug("Successfully created new session!");
                        return session;
                    } else {
                        log.debug("Unable to authenticate the connection with dialback.");
                    }
                }
            } else {
                log.debug("Error! No data from the remote server (expected a 'feature' element).");
            }
        } else {
            log.debug("The remote server is not XMPP 1.0 compliant.");
        }
        log.debug("Something went wrong so close the connection and try server dialback over a plain connection");
        if (connection.getTlsPolicy() == Connection.TLSPolicy.required) {
            log.debug("I have no StartTLS yet I must TLS");
            connection.close();
            return null;
        }
        connection.close();
    } catch (SSLHandshakeException e) {
        // This is a failure as described in RFC3620, section 5.4.3.2 "STARTTLS Failure".
        log.info("STARTTLS negotiation failed. Closing connection (without sending any data such as <failure/> or </stream>).", e);
        // It is probably (see OF-794) best if we, as the initiating entity, therefor don't send any data either.
        if (connection != null) {
            connection.forceClose();
        }
    } catch (Exception e) {
        // This might be RFC3620, section 5.4.2.2 "Failure Case" or even an unrelated problem. Handle 'normally'.
        log.warn("An exception occurred while creating an encrypted session. Closing connection.", e);
        if (connection != null) {
            connection.close();
        }
    }
    if (ServerDialback.isEnabled()) {
        log.debug("Unable to create a new session. Going to try connecting using server dialback as a fallback.");
        // Use server dialback (pre XMPP 1.0) over a plain connection
        final LocalOutgoingServerSession outgoingSession = new ServerDialback().createOutgoingSession(localDomain, remoteDomain, port);
        if (outgoingSession != null) {
            // TODO this success handler behaves differently from a similar success handler above. Shouldn't those be the same?
            log.debug("Successfully created new session (using dialback as a fallback)!");
            return outgoingSession;
        } else {
            log.warn("Unable to create a new session: Dialback (as a fallback) failed.");
            return null;
        }
    } else {
        log.warn("Unable to create a new session: exhausted all options (not trying dialback as a fallback, as server dialback is disabled by configuration.");
        return null;
    }
}