Develop Reference

Springboot 1.5 to springboot 2.0.9 migration failed for rabbitmq ssl

We have spring-boot 1.5 & spring-boot-starter-amqp:1.5.22 application in aws cloud and working fine with rabbitmq ssl enabled. After spring-boot 2.0.9 migration, rabbitmq ssl failed with following error.
ERROR o.s.a.r.l.SimpleMessageListenerContainer - Failed to check/redeclare auto-delete queue(s).
org.springframework.amqp.AmqpIOException: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at org.springframework.amqp.rabbit.support.RabbitExceptionTranslator.convertRabbitAccessException(RabbitExceptionTranslator.java:71)
at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.createBareConnection(AbstractConnectionFactory.java:407)
at org.springframework.amqp.rabbit.connection.CachingConnectionFactory.createConnection(CachingConnectionFactory.java:588)
at org.springframework.amqp.rabbit.core.RabbitTemplate.doExecute(RabbitTemplate.java:1445)
at org.springframework.amqp.rabbit.core.RabbitTemplate.execute(RabbitTemplate.java:1426)
at org.springframework.amqp.rabbit.core.RabbitTemplate.execute(RabbitTemplate.java:1402)
at org.springframework.amqp.rabbit.core.RabbitAdmin.getQueueProperties(RabbitAdmin.java:368)
at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer.redeclareElementsIfNecessary(SimpleMessageListenerContainer.java:1241)
at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer$AsyncMessageProcessingConsumer.run(SimpleMessageListenerContainer.java:1502)
Migration from Springboot 1.5 with rabbitmq to 2.0.9
Expected to connect rabbitmq with ssl enabled property.

Springboot2 we can skip the ssl certificate validation using setSkipServerCertificateValidation flag to true in rabbitmqconnectionfactory.

What is the default TLS version in Spring boot?

In the documentation the default value for server.ssl.protocol is TLS, but it does not specify which version will be used.
I read that TLS 1.3 is available since java 11 but is it used by default in Sprint boot when available?
Is there any configuration that can tell me which version is used in my project?
Or any documentation depending on the Spring boot version that could tell the TLS version used by the framework?

I am using Spring Boot 2.7.3 and JDK 17 and by default, it supports TLSv1.3
You can check that by running the below command. My application is running locally on port 8080 so I passed 127.0.01:8080 after -connect
openssl s_client -connect 127.0.01:8080
Output
CONNECTED(00000003)
140704377439424:error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/810eba08-405a-11ed-86e9-6af958a02716/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/tls13_lib.c:151:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 294 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1668006818
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
You can change the TLS version by this property.
server.ssl.enabled-protocols=TLSv1.2
Want to read more about this? refer below links
https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto.webserver.configure-ssl
https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#application-properties.server.server.ssl.enabled-protocols

Problem with SSL handshake after upgrade spring boot and java 17

My spring boot application could not work with old SSL certificate after upgrading to spring boot 2.6 and Java 17.
After debuging, seems there was problem with TLS version or ciphers suite. I don't have experience with this. But, I tried generate the new self signed SSL certificate, and it works fine.
Debugging with javax.net.debug, and got unclear message. It's different btw using Firefox and Chrome. Here is debug log with Firefox:
2022-09-20 15:26:33.448 [WARN] o.a.t.u.n.TLSClientHelloExtractor - The ClientHello was not presented in a single TLS record so no SNI information could be extracted
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA for TLSv1.3
2022-09-21 09:46:48.214 [WARN] o.a.t.u.n.TLSClientHelloExtractor - The ClientHello was not presented in a single TLS record so no SNI information could be extracted
javax.net.ssl|ERROR|F6|https-jsse-nio-5151-exec-1|2022-09-21 09:46:48.215 BST|TransportContext.java:363|Fatal (INTERNAL_ERROR): problem unwrapping net record (
"throwable" : {
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:145)
at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:612)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:483)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:215)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1764)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:833)}
)
Does anyone have experience with this?

Caused by: java.io.IOException: Invalid keystore format

I have a JBoss 7.4.0 installation running in domain mode on a RHEL 7 platform. The JDK version is java version "15.0.2" 2021-01-19
Java(TM) SE Runtime Environment (build 15.0.2+7-27)
I am using the Jboss documentation How to Configure Server Security, specifically section 2.5: Configuring SSL/TLS for the legacy core management authentication mechanism. I am setting up Two-Way SSL/TLS.
I create a keystore, generate key pairs, export and import certificates. The storetype is JCEKS. (I have also tried using PCKS12 and JKS, same issue)
When I try to start the JBoss server I see the following error:
06:47:41,216 INFO [org.jboss.modules] (main) JBoss Modules version 1.11.0.Final-redhat-00001
06:47:41,498 INFO [org.jboss.threads] (main) JBoss Threads version 2.4.0.Final-redhat-00001
06:47:41,514 INFO [org.jboss.as.process.Host Controller.status] (main) WFLYPC0018: Starting process 'Host Controller'
[Host Controller] 06:47:41,982 INFO [org.jboss.modules] (main) JBoss Modules version 1.11.0.Final-redhat-00001
...
[Host Controller] 06:47:43,848 WARN [org.jboss.as.domain.management.security] (MSC service thread 1-1) WFLYDM0111: Keystore /u01/redhat/jboss/domain_74/domain/configuration/application.keystore not found, it will be auto generated on first use with a self signed certificate for host localhost
[Host Controller] 06:47:43,851 INFO [org.jboss.remoting] (MSC service thread 1-3) JBoss Remoting version 5.0.20.SP1-redhat-00001
[Host Controller] 06:47:43,852 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.core.management.security.realm.CertificateRealm.key-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.CertificateRealm.key-manager: Failed to start service
[Host Controller] at org.jboss.msc#1.4.12.Final-redhat-00001//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1731)
...
[Host Controller] Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0018: Unable to start service
...
[Host Controller] Caused by: java.io.IOException: Invalid keystore format
So my understanding is the issue is with the keystore format, yet if I use another keystore format I get the same issue.
And, when I run the following command I get success:
./keytool -list -keystore $EAP_HOME/vault/h1vault.jceks
Enter keystore password:
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 3 entries
h1server_alias, Sep 20, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 58:58:36:82:EE:B5:88:BB:AF:59:F6:17:F2:9B:D3:29:D6:CC:DD:02:04:E5:3B:50:8A:70:AB:5C:85:59:DD:25
h1vault, Sep 20, 2022, SecretKeyEntry,
host2_alias, Sep 20, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 62:07:76:CB:B7:B8:9C:89:6D:36:82:8B:5B:8A:E9:7E:8E:6A:23:8E:51:56:03:B9:F9:98:D3:DA:D4:53:B5:57
I would expect this command to fail if the keystore format was incorrect.
I have read all sorts of threads and so on about this but cannot find an answer.
Appreciate if anyone can suggest possible solutions.
Thanks

FileNet Configuration Manager fails to connect to WebSphere Application Server

I have an issue with FileNet configuration manager connecting to WAS when configuring CPE. Details are below
OS : Windows 10 Enterprise (This is where CPE 5.5 is installed)
WAS : 8.5.5.13
WAS Java : 1.8_64_bundled
FN Config Details
I'm able to login to WAS console and the SOAP port is also correct.
Things that I tried,
adding -Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2" in configmgr.ini of FileNet configuration manager
Verified SSL configuration on WAS
But noting seems to work. I see below error message on the FileNet configuration manager logs
!ENTRY com.ibm.ecm.configmgr.engine 4 0 2018-06-27 15:45:09.289
!MESSAGE An invalid profile path was specified. C:\IBM\FileNet\ContentEngine\tools\configure\profiles\dotnetclient does not contain any configuration information.
!SESSION 2018-06-27 16:05:40.995 -----------------------------------------------
eclipse.buildId=unknown
java.fullversion=JRE 1.7.0 IBM J9 2.6 Windows 8 x86-32 20170718_357001 (JIT disabled, AOT disabled)
J9VM - R26_Java726_SR10_20170718_1208_B357001
GC - R26_Java726_SR10_20170718_1208_B357001
J9CL - 20170718_357001
BootLoader constants: OS=win32, ARCH=x86, WS=win32, NL=en_US
Framework arguments: gui
Command-line arguments: -os win32 -ws win32 -arch x86 gui
!ENTRY com.ibm.ecm.configmgr.app.ce 4 0 2018-06-27 16:13:56.518
!MESSAGE Connection error: The connection to the application server cannot be established. Ensure the application server is running and that the SOAP connector port and host name are correct.
!STACK 0
com.ibm.ecm.configmgr.engine.ConfigurationManagerException: Connection error: The connection to the application server cannot be established. Ensure the application server is running and that the SOAP connector port and host name are correct.
at com.ibm.ecm.configmgr.engine.jmx.JMXInvoker.invokeConnectMethodAndMethods(JMXInvoker.java:243)
at com.ibm.ecm.configmgr.engine.jmx.JMXInvoker.invokeConnectMethodAndMethod(JMXInvoker.java:142)
at com.ibm.ecm.configmgr.engine.jmx.WebSphereJMXInvoker.connect(WebSphereJMXInvoker.java:86)
at com.ibm.ecm.configmgr.app.ce.applicationserver.WebsphereApplicationServer$TestActivity.testWork(WebsphereApplicationServer.java:371)
at com.ibm.ecm.configmgr.engine.profile.EnvironmentTestActivity.test(EnvironmentTestActivity.java:64)
at com.ibm.ecm.configmgr.ui.wizards.NewProfileWizardPageGetProfileEnvironmentProps$7.widgetSelected(NewProfileWizardPageGetProfileEnvironmentProps.java:604)
at org.eclipse.swt.widgets.TypedListener.handleEvent(TypedListener.java:240)
at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:84)
at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1053)
at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:4165)
at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3754)
at org.eclipse.jface.window.Window.runEventLoop(Window.java:825)
at org.eclipse.jface.window.Window.open(Window.java:801)
at com.ibm.ecm.configmgr.app.ce.handlers.ProfileNewHandler.execute(ProfileNewHandler.java:67)
at org.eclipse.ui.internal.handlers.HandlerProxy.execute(HandlerProxy.java:293)
at org.eclipse.core.commands.Command.executeWithChecks(Command.java:476)
at org.eclipse.core.commands.ParameterizedCommand.executeWithChecks(ParameterizedCommand.java:508)
at org.eclipse.ui.internal.handlers.HandlerService.executeCommand(HandlerService.java:169)
at org.eclipse.ui.internal.handlers.SlaveHandlerService.executeCommand(SlaveHandlerService.java:241)
at org.eclipse.ui.menus.CommandContributionItem.handleWidgetSelection(CommandContributionItem.java:829)
at org.eclipse.ui.menus.CommandContributionItem.access$19(CommandContributionItem.java:815)
at org.eclipse.ui.menus.CommandContributionItem$5.handleEvent(CommandContributionItem.java:805)
at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:84)
at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1053)
at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:4165)
at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:3754)
at org.eclipse.ui.internal.Workbench.runEventLoop(Workbench.java:2701)
at org.eclipse.ui.internal.Workbench.runUI(Workbench.java:2665)
at org.eclipse.ui.internal.Workbench.access$4(Workbench.java:2499)
at org.eclipse.ui.internal.Workbench$7.run(Workbench.java:679)
at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:332)
at org.eclipse.ui.internal.Workbench.createAndRunWorkbench(Workbench.java:668)
at org.eclipse.ui.PlatformUI.createAndRunWorkbench(PlatformUI.java:149)
at com.ibm.ecm.configmgr.app.ce.rcp.Application.start(Application.java:86)
at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:196)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:110)
at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:79)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:344)
at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:179)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
at java.lang.reflect.Method.invoke(Method.java:620)
at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:622)
at org.eclipse.equinox.launcher.Main.basicRun(Main.java:577)
at org.eclipse.equinox.launcher.Main.run(Main.java:1410)
Caused by: java.lang.Exception: The connection to the application server cannot be established. Ensure the application server is running and that the SOAP connector port and host name are correct.
at com.ibm.ecm.configmgr.utils.websphere.WebSphereJMXUtil.connect(WebSphereJMXUtil.java:227)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
at java.lang.reflect.Method.invoke(Method.java:620)
at com.ibm.ecm.configmgr.engine.jmx.JMXInvoker.invokeConnectMethodAndMethods(JMXInvoker.java:191)
... 45 more
*************************telenet response**************************
When did telenet and after a few seconds, I see the below error
HTTP/1.1 408 Request Timeout Content-Type: text/html Content-Length: 117 Connection: close <HTML><TITLE>408 - Request Timeout</TITLE><BODY><h1>408 Connection timed out while reading request</h1></BODY></HTML> Connection to host lost. C:\Windows\system32>
*****************************workaround*****************************
Ok once the profile is created and ran first steps, I disabled global security and restarted websphere. Configuration manager is able to connect to WAS now (looks like issue with security. I verified Quality of protection (QoP) settings
with ssl.client.properties and it was selected as TLSv2. Then I changed it to TSLv1.2 and modified ssl.client.properties also. Still it did not work) I will updated this topic later.

Check default path Webshere.
C:\Program Files\IBM\WebSphere\AppServer
C:\Program Files\IBM\WebSphere\AppServer\profiles\your_profile
VS
C:\Program Files (x86)\IBM\WebSphere\AppServer
C:\Program Files (x86)\IBM\WebSphere\AppServer\profiles\your_profile

The Configuration Manager right now seems to support only older protocols. If you specify TLSv1 in WebSphere console, as opposed to TLSv1.2 for example, Test Connection will work. That will create you another problem though. Newer browsers don't support older protocols and you will not be able to open your WebSphere console in say, Firefox. On Windows, you can use your old but still included IE configured to use these older protocols - Tools -> Internet Options -> Advanced -> Security -> Use * . You'll get your console back that way.