0

I have a webapp where I use HttpClient to send GET/POST requests to some webpages and validate the response. The application was working fine for a long time when it was deployed on Tomcat 8.5, but now, due to company guidelines, I need to use WebSphere. So when I deployed this application on WAS 9, my HTTP requests started to fail with SSL exceptions.

While debugging this issue, I noticed that at the place where I build the HTTP client, the Tomcat version of my webapp provides the Sun JSSE implementation of JSSEProvider, but the app which is deployed on WAS gets the IBM JSSE2 provider. I was wondering if this would be the reason for the SSL exceptions, and is there any way I can switch to Sun JSSE? Here is the place where the SSLContext is set -

    HttpClient client = null;
    try {
        HttpClientBuilder builder = HttpClientBuilder
                .create()
                .setRedirectStrategy(new LaxRedirectStrategy());

        // Set up a trust strategy that allows all certificates.
        // Here I get sslContext as IBM Jsse2 vs Sun Jsse
        SSLContext sslContext = new SSLContextBuilder().loadTrustMaterial(null, new TrustStrategy() {
            @Override
            public boolean isTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
                return true;
            }
        }).build();

        builder.setSSLContext(sslContext);

        // Don't check hostnames, either.
        HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
        builder.setSSLHostnameVerifier(hostnameVerifier);

        client = builder.build();
    } catch (GeneralSecurityException e) {
        // SSLContextBuilder throws checked security exceptions if the context cannot be created.
        throw new IllegalStateException("Could not build SSL context", e);
    }

Here is the console log -

[8/30/19 5:51:06:758 CDT] 000000a5 SystemErr     R javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
[8/30/19 5:51:06:759 CDT] 000000a5 SystemErr     R  at com.ibm.jsse2.av.a(av.java:782)
[8/30/19 5:51:06:760 CDT] 000000a5 SystemErr     R  at com.ibm.jsse2.av.i(av.java:574)
[8/30/19 5:51:06:760 CDT] 000000a5 SystemErr     R  at com.ibm.jsse2.av.a(av.java:280)
[8/30/19 5:51:06:761 CDT] 000000a5 SystemErr     R  at com.ibm.jsse2.av.startHandshake(av.java:431)
[8/30/19 5:51:06:762 CDT] 000000a5 SystemErr     R  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
[8/30/19 5:51:06:762 CDT] 000000a5 SystemErr     R  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
[8/30/19 5:51:06:762 CDT] 000000a5 SystemErr     R  at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
[8/30/19 5:51:06:763 CDT] 000000a5 SystemErr     R  at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
[8/30/19 5:51:06:763 CDT] 000000a5 SystemErr     R  at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
[8/30/19 5:51:06:765 CDT] 000000a5 SystemErr     R  at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
[8/30/19 5:51:06:765 CDT] 000000a5 SystemErr     R  at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
[8/30/19 5:51:06:766 CDT] 000000a5 SystemErr     R  at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
[8/30/19 5:51:06:766 CDT] 000000a5 SystemErr     R  at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
[8/30/19 5:51:06:766 CDT] 000000a5 SystemErr     R  at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
[8/30/19 5:51:06:767 CDT] 000000a5 SystemErr     R  at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
[8/30/19 5:51:06:767 CDT] 000000a5 SystemErr     R  at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
[8/30/19 5:51:06:767 CDT] 000000a5 SystemErr     R  at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
[8/30/19 5:51:06:768 CDT] 000000a5 SystemErr     R  at validation.BrowserValidation.getPage(BrowserValidation.java:370)
[8/30/19 5:51:06:768 CDT] 000000a5 SystemErr     R  at validation.BrowserValidation.startValidation(BrowserValidation.java:83)
[8/30/19 5:51:06:768 CDT] 000000a5 SystemErr     R  at validation.ValidationMaster.routeValidation(ValidationMaster.java:119)
[8/30/19 5:51:06:769 CDT] 000000a5 SystemErr     R  at validation.ServerValidation.onMessage(ServerValidation.java:60)
[8/30/19 5:51:06:769 CDT] 000000a5 SystemErr     R  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[8/30/19 5:51:06:769 CDT] 000000a5 SystemErr     R  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
[8/30/19 5:51:06:770 CDT] 000000a5 SystemErr     R  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[8/30/19 5:51:06:770 CDT] 000000a5 SystemErr     R  at java.lang.reflect.Method.invoke(Method.java:508)
[8/30/19 5:51:06:771 CDT] 000000a5 SystemErr     R  at com.ibm.ws.wsoc.LinkRead.callOnMessage(LinkRead.java:1150)
[8/30/19 5:51:06:771 CDT] 000000a5 SystemErr     R  at com.ibm.ws.wsoc.LinkRead.processOnMessageTextAnnotation(LinkRead.java:1003)
[8/30/19 5:51:06:772 CDT] 000000a5 SystemErr     R  at com.ibm.ws.wsoc.LinkRead.processRead(LinkRead.java:319)
[8/30/19 5:51:06:772 CDT] 000000a5 SystemErr     R  at com.ibm.ws.wsoc.WsocConnLink.processRead(WsocConnLink.java:978)
[8/30/19 5:51:06:773 CDT] 000000a5 SystemErr     R  at com.ibm.ws.wsoc.WsocReadCallback.complete(WsocReadCallback.java:29)
[8/30/19 5:51:06:773 CDT] 000000a5 SystemErr     R  at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
[8/30/19 5:51:06:774 CDT] 000000a5 SystemErr     R  at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
[8/30/19 5:51:06:774 CDT] 000000a5 SystemErr     R  at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
[8/30/19 5:51:06:774 CDT] 000000a5 SystemErr     R  at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
[8/30/19 5:51:06:775 CDT] 000000a5 SystemErr     R  at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
[8/30/19 5:51:06:776 CDT] 000000a5 SystemErr     R  at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
[8/30/19 5:51:06:776 CDT] 000000a5 SystemErr     R  at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
[8/30/19 5:51:06:777 CDT] 000000a5 SystemErr     R  at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1909)
[8/30/19 5:51:06:778 CDT] 000000a5 SystemErr     R Caused by: java.io.EOFException: SSL peer shut down incorrectly
[8/30/19 5:51:06:779 CDT] 000000a5 SystemErr     R  at com.ibm.jsse2.b.a(b.java:231)
[8/30/19 5:51:06:780 CDT] 000000a5 SystemErr     R  at com.ibm.jsse2.av.a(av.java:579)
[8/30/19 5:51:06:780 CDT] 000000a5 SystemErr     R  ... 37 more

Can it be any other issue?

Update: I checked the server logs and here is what it says -

[9/3/19 5:04:45:670 CDT] 0000019a SSLHandshakeE E   SSLC0008E: Unable to initialize SSL connection.  Unauthorized access was denied or security settings have expired.  Exception is javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
        at com.ibm.jsse2.D.z(D.java:531)
        at com.ibm.jsse2.aq.b(aq.java:271)
        at com.ibm.jsse2.aq.c(aq.java:236)
        at com.ibm.jsse2.aq.wrap(aq.java:599)
        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:21)
        at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:811)
        at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInbound(SSLConnectionLink.java:617)
        at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.ready(SSLConnectionLink.java:346)
        at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
        at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
        at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
        at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
        at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
        at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
        at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
        at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
        at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
        at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1892)
Caused by: javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
        at com.ibm.jsse2.k.a(k.java:24)
        at com.ibm.jsse2.aq.a(aq.java:604)
        at com.ibm.jsse2.D.a(D.java:564)
        at com.ibm.jsse2.D.a(D.java:522)
        at com.ibm.jsse2.F.a(F.java:673)
        at com.ibm.jsse2.F.a(F.java:782)
        at com.ibm.jsse2.D.r(D.java:176)
        at com.ibm.jsse2.D$b.a(D$b.java:3)
        at com.ibm.jsse2.D$b.run(D$b.java:4)
        at java.security.AccessController.doPrivileged(AccessController.java:730)
        at com.ibm.jsse2.D$c.run(D$c.java:2)
        at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:898)
        ... 12 more
  • Have you debugged the remote side? The exception says the other side abruptly closed the connection. – covener Aug 30 '19 at 11:28
  • The other side is a valid production server, and the same app deployed on Tomcat gets a proper response without any issue. – Ashutosh Khare Aug 30 '19 at 17:32
  • So "no". Seems like a good next step. – covener Aug 30 '19 at 17:37
  • I can certainly look at that, but I was wondering: if the same application on Tomcat is able to get the correct response from the remote site, shouldn't I look at what's wrong with the version of my app which is deployed on WebSphere? – Ashutosh Khare Aug 30 '19 at 17:42
  • Yes, and the errors from the server will inform that investigation. – covener Aug 30 '19 at 17:54
  • I have updated the question with the server log. – Ashutosh Khare Sep 03 '19 at 10:17
  • I read somewhere that I can update the default SSL settings in Security -- SSL Certificate and Key Management -- SSL Configurations -- Protocol = 1.2. I did that and am still getting the error. And now I cannot even change the above setting, as I don't see any default configuration for my node there. – Ashutosh Khare Sep 03 '19 at 11:27
  • @covener Would you be able to help on this? – Ashutosh Khare Sep 04 '19 at 13:21

1 Answer

0

Use the HttpClientBuilder.useSystemProperties().build() method instead to create an instance of HttpClient. IBM implements its own SSLSocketFactory, which eventually gets invoked on WAS with the IBM JDK. More details on the IBM site.

ashishhsihsa
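The server log in the question rejects a handshake because the client asked for TLSv1, so the first thing to compare between the Tomcat and WAS deployments is which protocols each JSSE provider offers by default. The following is an added example, not code from the question or the answer: it reports the provider and protocol lists of the default SSLContext, then builds a client that offers only TLSv1.2 while keeping certificate and hostname validation enabled. It assumes Apache HttpClient 4.5.x on the classpath and a remote server that accepts TLSv1.2; the class and method names are hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.LaxRedirectStrategy;

// Hypothetical helper class for illustration; run it once per container and compare the output.
public class TlsClientCheck {

    /** Reports which JSSE provider backs the default context and which protocols it offers. */
    static String describeDefaultTls() throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        return "provider=" + ctx.getProvider().getName()
                + " enabledByDefault=" + Arrays.toString(enabled.getProtocols())
                + " supported=" + Arrays.toString(supported.getProtocols());
    }

    /** Builds a client that offers only TLSv1.2 and keeps trust and hostname checks on. */
    static CloseableHttpClient buildTls12Client() throws NoSuchAlgorithmException {
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                SSLContext.getDefault(),           // container/JVM trust store, no trust-all strategy
                new String[] {"TLSv1.2"},          // assumption: the remote side accepts TLSv1.2
                null,                              // null keeps the provider's default cipher suites
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClientBuilder.create()
                .setRedirectStrategy(new LaxRedirectStrategy())
                .setSSLSocketFactory(socketFactory)
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Differences in this line between Tomcat and WAS explain a protocol mismatch.
        System.out.println(describeDefaultTls());
        try (CloseableHttpClient client = buildTls12Client()) {
            System.out.println("client built: " + client.getClass().getName());
        }
    }
}
```

With `useSystemProperties()` as the answer suggests, HttpClient instead takes the protocol list from the `https.protocols` system property, but only when no SSL context or socket factory has been set on the builder.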