I have a problem with SSL in JBoss 6.1.0. I use CLIENT-CERT to restrict certain security constraints with a client certificate. I configured all the needed places (web.xml, jboss-web.xml, jboss-loggin, server.xml, jboss-service). When I start the server with JDK6 everything works fine, but when I start the server with JDK7 and try to access the security constraint I get the error "Exception getting SSL attributes: java.net.SocketException: SSL Cert handshake timeout". Here is the stacktrace:
2014-10-16 17:39:10,184 WARN [org.apache.coyote.http11.Http11Processor] (http-0.0.0.0-8443-2) Exception getting SSL attributes: java.net.SocketException: SSL Cert handshake timeout
at org.apache.tomcat.util.net.jsse.JSSESupport.handShake(JSSESupport.java:178) [:6.1.0.Final]
at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:138) [:6.1.0.Final]
at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1144) [:6.1.0.Final]
at org.apache.coyote.Request.action(Request.java:352) [:6.1.0.Final]
at org.apache.catalina.connector.Request.getCertificateChain(Request.java:1112) [:6.1.0.Final]
at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:132) [:6.1.0.Final]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:559) [:6.1.0.Final]
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:88) [:6.1.0.Final]
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:100) [:6.1.0.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:159) [:6.1.0.Final]
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158) [:6.1.0.Final]
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:567) [:6.1.0.Final]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [:6.1.0.Final]
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:631) [:6.1.0.Final]
at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:273) [:6.1.0.Final]
at org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.invoke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:362) [:6.1.0.Final]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [:6.1.0.Final]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:654) [:6.1.0.Final]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951) [:6.1.0.Final]
at java.lang.Thread.run(Thread.java:745) [:1.7.0_71]
When I switch to clientAuth="true" or "want" it works, but with "false" and accessing the security constraint with CLIENT-CERT it doesn't work with JDK7.
I tried to debug JSSESupport.java and saw that there is a for loop in the handshake method. With JDK6, when it enters that loop for the first time and reads bytes from the InputStream, a browser window is opened and requests my client certificate, but with JDK7 this doesn't happen: the error is thrown at the end of the method because the client didn't send his certificate. Actually this browser window is opened later, and when I submit my certificate nothing happens, because the handshake has already completed with a false result. I tried with Firefox, IE and Chrome and the result is the same. If someone can help me or give me some advice, I would be grateful.
So, I debugged more and found that with Java 7, in JSSESupport.java:178, when it tries to read the AppInputStream from the SSLSocket nothing happens. It tries to read 60 times and finally, if the client does not confirm his choice of certificate, this "Handshake timeout" error is thrown. After that Tomcat checks for the certificate and, if it is not present, I get the log "No certificates included with this request", the response sends me an error with code 401 SC_UNAUTHORIZED, the process stops and my filters aren't invoked. In contrast, with Java 6, the first time it tries to read from the AppInputStream I'm asked to choose my client certificate. I think the problem may be connected with the changes in Java 7 in the security area and the implementation of SSL (TLS), or with some synchronization problem when reading from this AppInputStream, because the request for the certificate comes later, after the error is thrown, but by then the error code is already set in the response.