I´m doing some curl request on my web application (also on bash) and recogonized the following behaviour:
Sometimes i´m doing a
curl --header "ApiKey: an1ceke3y" https://test.host.com/api/endpoint
i get the following:
curl: (60) SSL certificate problem: unable to get local issuer certificate
But sometimes, even a second after the fail request i made an successful request.
I made a little test with 6 requests:
1) Success
2) Error
3) Success
4) Success
5) Success
6) Error
Shouldn´t the
unable to get local issuer certificate
Happens all the time?
Is there a way i could better debug the issue?
Additional informations:
API Endpoint is behind a microsoft azure load balancer
Success Request ( with -v )
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
Error Request ( with -v )
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
Thanks!
Related
In the documentation the default value for server.ssl.protocol is TLS, but it does not specify which version will be used.
I read that TLS 1.3 is available since java 11 but is it used by default in Sprint boot when available?
Is there any configuration that can tell me which version is used in my project?
Or any documentation depending on the Spring boot version that could tell the TLS version used by the framework?
I am using Spring Boot 2.7.3 and JDK 17 and by default, it supports TLSv1.3
You can check that by running the below command. My application is running locally on port 8080 so I passed 127.0.01:8080 after -connect
openssl s_client -connect 127.0.01:8080
Output
CONNECTED(00000003)
140704377439424:error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version:/AppleInternal/Library/BuildRoots/810eba08-405a-11ed-86e9-6af958a02716/Library/Caches/com.apple.xbs/Sources/libressl/libressl-3.3/ssl/tls13_lib.c:151:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 294 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1668006818
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
You can change the TLS version by this property.
server.ssl.enabled-protocols=TLSv1.2
Want to read more about this? refer below links
https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#howto.webserver.configure-ssl
https://docs.spring.io/spring-boot/docs/current/reference/htmlsingle/#application-properties.server.server.ssl.enabled-protocols
My spring boot application could not work with old SSL certificate after upgrading to spring boot 2.6 and Java 17.
After debuging, seems there was problem with TLS version or ciphers suite. I don't have experience with this. But, I tried generate the new self signed SSL certificate, and it works fine.
Debugging with javax.net.debug, and got unclear message. It's different btw using Firefox and Chrome. Here is debug log with Firefox:
2022-09-20 15:26:33.448 [WARN] o.a.t.u.n.TLSClientHelloExtractor - The ClientHello was not presented in a single TLS record so no SNI information could be extracted
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|67|https-jsse-nio-5151-exec-10|2022-09-20 15:26:33.449 BST|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA for TLSv1.3
2022-09-21 09:46:48.214 [WARN] o.a.t.u.n.TLSClientHelloExtractor - The ClientHello was not presented in a single TLS record so no SNI information could be extracted
javax.net.ssl|ERROR|F6|https-jsse-nio-5151-exec-1|2022-09-21 09:46:48.215 BST|TransportContext.java:363|Fatal (INTERNAL_ERROR): problem unwrapping net record (
"throwable" : {
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:145)
at java.base/sun.security.ssl.SSLEngineInputRecord.bytesInCompletePacket(SSLEngineInputRecord.java:64)
at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:612)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506)
at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482)
at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:483)
at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:215)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1764)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:833)}
)
Does anyone have experience with this?
I have met a VERY peculiar problem on my MAC recently.
All SSL-connections fail. Well, browsers work fine, but for instance, curl and wget (and a bunch of other apps) fail.
curl -vk https://s3.osl1.safedc.net
* Trying 193.156.25.230...
* TCP_NODELAY set
* Connected to s3.osl1.safedc.net (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to s3.osl1.safedc.net:443
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to s3.osl1.safedc.net:443
I have even installed Openssl, but it fails the same way :
curl -vk https://s3.osl1.safedc.net
* Trying 193.156.25.230:443...
* Connected to s3.osl1.safedc.net (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /usr/local/etc/openssl#1.1/cert.pem
CApath: /usr/local/etc/openssl#1.1/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to s3.osl1.safedc.net:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to s3.osl1.safedc.net:443
The strangest, is that when I reinstall MacOS, it is fixed, until the next day ???!!!!
Can anybody think of what can be the problem here? I am out of options and pretty desperate.
I have a Hudson CI job setup for deployment to Apache Tomcat. If Tomcat server is restricted to accept only TLSv1.2 protocol, I get a protocol mismatch type of error.
If I put JVM into debug for SSL on my Hudson job I can see that TLSv1 is still being attempted:
main, WRITE: TLSv1 Handshake, length = 163
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, protocol_version
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLException: Received fatal alert: protocol_version
main, called close()
main, called closeInternal(true)
I have tried to use https.protocols=TLSv1.2 with my mvn parameters but still TLSv1 is given during client hello. At this point I am not sure where else I could look to force TLSv1.2.
I have just been setting up my first app that requires ssl.
It's RoR app, hosted on Heroku.
I have added the SSL Endpoint add-on to my app.
I purchased a SSL certificate from DNSimple.
Then followed these instructions - https://devcenter.heroku.com/articles/ssl-certificate
to concatenate the necessary files. Then uploaded them to my server.
So far so good.
Following these instructions - https://devcenter.heroku.com/articles/ssl-endpoint#testing-your-certificate
for testing my certificat seems fine.
I have updated my DNS records with a CNAME that points to my Heroku generated Endpoint.
heroku certs
gives:
Endpoint Common Name(s) Expires Trusted
---------------------------- -------------------------------------- -------------------- -------
<generated_id>.herokussl.com www.mydomain.com, mydomain.com 2014-04-29 23:25 UTC True
But when I try:
curl -v https://www.mydomain.com
I get:
* About to connect() to www.mydomain.com port 443 (#0)
* Trying 107.20.162.205... connected
* Connected to www.mydomain.com (107.20.162.205) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Heroku, Inc.; CN=*.herokuapp.com
* start date: 2011-04-11 00:00:00 GMT
* expire date: 2014-04-15 12:00:00 GMT
* subjectAltName does not match www.mydomain.com
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
* SSL peer certificate or SSH remote key was not OK
curl: (51) SSL peer certificate or SSH remote key was not OK
Any help appreciated.
There was nothing wrong with the setup/config - There was a delay of about 24hrs, then everything worked as expected.