In my application I have 2 components talking to each other with REST (client-server based).
The application can be configured to use HTTP or HTTPS (self signed certificate).

From time to time when I start my application on HTTPS mode, my client can't talk to the server. I'm getting the following exception:

    09-16-2013 12:28:52 [dispatcher] [http-nio-8143-exec-8] [INFO] - Exception while dispatching request
    java.util.concurrent.ExecutionException: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        ...
    Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        ...
    Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        ...
    Caused by: java.io.EOFException: SSL peer shut down incorrectly
        ...

When I stopped and started the application everything worked as expected.
I tried searching for solutions, but couldn't find anything similar to my problem, where something happens from time to time and is fixed by a restart; all the problems I found were consistent.

Java version: Oracle Corporation, 'Java HotSpot(TM) 64-Bit Server VM', 1.7.0_17-b02
OS: Red Hat

Any idea?

UPDATE
Turns out this can also happen after the application has been working for some time. Meaning, everything works fine, SSL communication is OK, and suddenly this error occurs and won't resolve until I restart the client side.

I was able to reproduce the problem with -Djavax.net.debug=all; obviously the certificate is not being sent from the client, the question is why. As sometimes everything works smoothly, what can cause things to go wrong from time to time?

Client side:

    pool-4-thread-2, WRITE: TLSv1 Handshake, length = 48
    pool-4-thread-2, waiting for close_notify or alert: state 1
    pool-4-thread-2, received EOFException: error
    pool-4-thread-2, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    pool-4-thread-2, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    %% Invalidated:  [Session-7, TLS_RSA_WITH_AES_128_CBC_SHA]
    pool-4-thread-2, SEND TLSv1 ALERT:  fatal, description = handshake_failure
    Padded plaintext before ENCRYPTION:  len = 32
    0000: 02 28 7A 8E 21 1F 09 1A   5F 00 5C 42 6B 12 33 D8  .(z.!..._.\Bk.3.
    0010: 73 F0 58 DD 0D D9 09 09   09 09 09 09 09 09 09 09  s.X.............
    pool-4-thread-2, WRITE: TLSv1 Alert, length = 32
    pool-4-thread-2, Exception sending alert: java.net.SocketException: Broken pipe
    pool-4-thread-2, called closeSocket()
    Keep-Alive-Timer, called close()
    Keep-Alive-Timer, called closeInternal(true)
    Keep-Alive-Timer, SEND TLSv1 ALERT:  warning, description = close_notify
    Padded plaintext before ENCRYPTION:  len = 32
    0000: 01 00 FD 8B FE 50 2A 16   8A FC 10 F7 E0 05 7E D1  .....P*.........
    0010: 0A 78 A0 03 84 26 09 09   09 09 09 09 09 09 09 09  .x...&..........
    Keep-Alive-Timer, WRITE: TLSv1 Alert, length = 32
    [Raw write]: length = 37
    0000: 15 03 01 00 20 24 CC 05   7B DA AA 98 D7 BC 49 07  .... $........I.
    0010: 59 94 A4 42 A1 D9 22 42   34 C2 75 1B 9E 36 F0 23  Y..B.."B4.u..6.#
    0020: 58 9D 80 8D 38                                     X...8
    Keep-Alive-Timer, called closeSocket(selfInitiated)

Server side:

    http-nio-8243-exec-2, READ: TLSv1 Handshake, length = 269
    *** Certificate chain
    ***
    http-nio-8243-exec-2, fatal error: 42: null cert chain
    javax.net.ssl.SSLHandshakeException: null cert chain
    %% Invalidated:  [Session-5, TLS_RSA_WITH_AES_128_CBC_SHA]
    http-nio-8243-exec-2, SEND TLSv1 ALERT:  fatal, description = bad_certificate
    http-nio-8243-exec-2, WRITE: TLSv1 Alert, length = 2
    http-nio-8243-exec-2, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
    http-nio-8243-exec-2, called closeOutbound()
    http-nio-8243-exec-2, closeOutboundInternal()
    http-nio-8243-ClientPoller-1, called closeOutbound()
    http-nio-8243-ClientPoller-1, closeOutboundInternal()
    http-nio-8243-ClientPoller-1, SEND TLSv1 ALERT:  warning, description = close_notify

danieln

2 Answers

    javax.net.ssl.SSLHandshakeException: null cert chain

It looks like the server is requiring a client certificate and you aren't sending one, or sending something invalid. You would have an inbound CertificateRequest further up in the client SSL log that isn't followed by an outbound Certificate message, or is followed by an empty one.

user207421
  • The thing is that running the code works most of the time (sends the certificate), but sometimes not. I'm not sure what can be the cause of sometimes not loading/sending the keystore. – danieln Sep 18 '13 at 07:30
  • As you can see, it's pointless to post things that need formatting as comments where they cannot be formatted, but I see no Certificate message there, which proves my point. – user207421 Sep 18 '13 at 09:48
  • I posted the same comment in the question body, where you can see it formatted. As you said, it's clear that the client doesn't send a certificate. My question is what can cause it to send a certificate sometimes and sometimes not. Meaning, sometimes when starting the client it sends a certificate, sometimes not, and then a restart solves the problem. – danieln Sep 18 '13 at 10:04
  • Downvoting, this answer obviously contradicts the fact that connection happens sometimes. – Laurent Caillette Nov 02 '16 at 10:12
  • @LaurentCaillette Incomprehensible. The OP agrees with this answer. He has added 'obviously, certificate is not being sent from the client'. He has awarded it 50 bonus points. He has changed the title of his question accordingly. He has posted a JSSE debug trace that proves it beyond a shadow of a doubt. He has now provided the piece of code that causes the certificate not to be sent. – user207421 Nov 02 '16 at 20:41
  • Right, it seems that @danieln did find the answer useful. After the edits you mention, the question is now related to the answer so I can remove my downvote. – Laurent Caillette Dec 04 '16 at 09:19
  • @LaurentCaillette Your comments are ***totally and utterly incomprehensible.*** Your initial comment, and presumably your downvote, were issued **three years** after the edits concerned. – user207421 Apr 13 '17 at 10:25

Apparently someone added code that overwrites the certificate:

        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

I deleted this line and everything is working now.

danieln
  • This code doesn't 'overwrite the certificate'. It changes the SSLContext to one that doesn't have access to it. – user207421 Nov 02 '16 at 20:45
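Added example (not code from the question or from either answer) showing the mechanism the second answer and its comment describe: an SSLContext initialised with a null KeyManager array trusts the server but carries no client key, so when the server sends CertificateRequest the client answers with an empty Certificate message and the server fails with "null cert chain". Because HttpsURLConnection.setDefaultSSLSocketFactory replaces the default for every HttpsURLConnection in the JVM, whichever component calls it last decides whether later connections present the client certificate; scoping the socket factory to each connection avoids that. The keystore paths, passwords and the URL (port taken from the server-side log) are placeholders, and hasPrivateKey is an added sanity check, not a JSSE API.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertContext {

    // Placeholder paths and password; not values from the question.
    static final String CLIENT_KEYSTORE = "client-keystore.jks";
    static final String TRUSTSTORE = "truststore.jks";
    static final char[] PASSWORD = "changeit".toCharArray();

    /** Loads a keystore of the platform default type (JKS on the JDK in the question). */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Sanity check (added helper): a keystore with only trusted-certificate entries and no
     *  private-key entry yields a KeyManager that never sends a client certificate either. */
    static boolean hasPrivateKey(KeyStore ks) throws KeyStoreException {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                return true;
            }
        }
        return false;
    }

    /** Trust-only context: validates the self-signed server certificate but holds no client key.
     *  On CertificateRequest, JSSE sends an empty Certificate message and the server rejects the
     *  handshake with "null cert chain" / bad_certificate, as in the question's debug trace. */
    static SSLContext trustOnlyContext() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(TRUSTSTORE, PASSWORD));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null KeyManager[]: no client certificate
        return ctx;
    }

    /** Mutual-TLS context: KeyManager (client certificate + private key) plus TrustManager. */
    static SSLContext mutualTlsContext() throws Exception {
        KeyStore clientKeys = load(CLIENT_KEYSTORE, PASSWORD);
        if (!hasPrivateKey(clientKeys)) {
            throw new IllegalStateException(CLIENT_KEYSTORE + " contains no private-key entry");
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, PASSWORD);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(TRUSTSTORE, PASSWORD));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Scope the factory to this connection. The question's failing line,
        // HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory()), is process-wide:
        // if another component runs it with a trust-only context after this one is configured,
        // every later connection silently loses the client certificate.
        SSLContext mtls = mutualTlsContext();
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://localhost:8243/").openConnection();
        conn.setSSLSocketFactory(mtls.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Running with -Djavax.net.debug=ssl,handshake distinguishes the two contexts in the same way the question's trace does: with mutualTlsContext the client log shows a Certificate message with a chain after the server's CertificateRequest; with trustOnlyContext it shows an empty chain, followed by the server's bad_certificate alert.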