[keycloak-user] keycloak javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

jazz jazz at sqmail.me
Wed Apr 13 16:03:20 EDT 2016


Hi,

I have wildfly 10 installed using nginx as https proxy server [1, standalone-full.xml]. Works great when using weak ciphers in nginx. In that case keycloak can connect back to the app after authentication (redirect SSL). When using strong ciphers in nginx [2] it fails the ssl handshake [4]. JCE seems enabled since the deployed app reports "2016-04-13 21:41:33,304 INFO  [stdout] (ServerService Thread Pool -- 83) max allowed keylength = 2147483647".

My question is: does keycloak use a limited set of ciphers? SNI works fine according to the log. I was digging in the code, but could not find anything obvious [5].

Best regards, Jazz




[1] wildfly standalone-full.xml

<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <http-listener name="default" proxy-address-forwarding="true" socket-binding="http" redirect-socket="proxy-https"/>
[... snip ...]
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
        <socket-binding name="http" port="${jboss.http.port:8080}"/>
        <socket-binding name="https" port="${jboss.https.port:8444}"/>
        <socket-binding name="proxy-https" port="443"/>
[2] nginx ssl.conf

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;


[3] wildfly ssl debug enabled in /etc/systemd/system/wildfly.service

[4]

2016-04-13 21:41:46,495 INFO  [stdout] (default task-7) default task-7, setSoTimeout(0) called
2016-04-13 21:41:46,498 INFO  [stdout] (default task-7) Allow unsafe renegotiation: false
2016-04-13 21:41:46,500 INFO  [stdout] (default task-7) Allow legacy hello messages: true
2016-04-13 21:41:46,502 INFO  [stdout] (default task-7) Is initial handshake: true
2016-04-13 21:41:46,503 INFO  [stdout] (default task-7) Is secure renegotiation: false
2016-04-13 21:41:46,505 INFO  [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,506 INFO  [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,508 INFO  [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 21:41:46,509 INFO  [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 21:41:46,511 INFO  [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 21:41:46,512 INFO  [stdout] (default task-7) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 21:41:46,514 INFO  [stdout] (default task-7) %% No cached client session
2016-04-13 21:41:46,518 INFO  [stdout] (default task-7) *** ClientHello, TLSv1.2
2016-04-13 21:41:46,522 INFO  [stdout] (default task-7) RandomCookie:  GMT: 1460510714 bytes = { 151, 73, 204, 252, 103, 130, 99, 194, 229, 121, 137, 218, 8, 134, 230, 194, 64, 147, 182, 180, 12, 171, 41, 74, 46, 186, 180, 88 }
2016-04-13 21:41:46,523 INFO  [stdout] (default task-7) Session ID:  {}
2016-04-13 21:41:46,525 INFO  [stdout] (default task-7) Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2016-04-13 21:41:46,526 INFO  [stdout] (default task-7) Compression Methods:  { 0 }
2016-04-13 21:41:46,527 INFO  [stdout] (default task-7) Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
2016-04-13 21:41:46,529 INFO  [stdout] (default task-7) Extension server_name, server_name: [type=host_name (0), value=keycloak.example.com]
2016-04-13 21:41:46,530 INFO  [stdout] (default task-7) ***
2016-04-13 21:41:46,531 INFO  [stdout] (default task-7) default task-7, WRITE: TLSv1.2 Handshake, length = 138
2016-04-13 21:41:46,533 INFO  [stdout] (default task-7) default task-7, READ: TLSv1.2 Alert, length = 2
2016-04-13 21:41:46,534 INFO  [stdout] (default task-7) default task-7, RECV TLSv1.2 ALERT:  fatal, handshake_failure
2016-04-13 21:41:46,535 INFO  [stdout] (default task-7) default task-7, called closeSocket()
2016-04-13 21:41:46,536 INFO  [stdout] (default task-7) default task-7, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2016-04-13 21:41:46,537 INFO  [stdout] (default task-7) default task-7, called close()
2016-04-13 21:41:46,538 INFO  [stdout] (default task-7) default task-7, called closeInternal(true)
2016-04-13 21:41:46,539 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7) failed to turn code into token: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
	at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
	at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
	at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
	at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
	at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
	at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
	at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
	at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
	at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
	at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
	at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
	at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
	at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
	at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
	at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
	at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
	at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
	at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
	at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
	at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
	at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
	at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
	at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
	at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
	at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
	at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
	at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
	at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
	at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
	at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
	at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
	at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
	at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
	at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

[5] https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/SniSSLSocketFactory.java
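An added check, not from the post or from Keycloak: it translates the nginx ssl_ciphers value in [2] from OpenSSL names to the IANA/JSSE names the Java debug log uses, intersects it with the Cipher Suites list from the ClientHello in [4], and reports the key-exchange families each side offers. The OpenSSL-to-IANA table is constructed here and covers only the eight suites in that config; `diagnose` accepts any other ssl_ciphers value built from those names.

```python
# OpenSSL name -> IANA/JSSE name for the eight suites in the nginx config [2].
OPENSSL_TO_IANA = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384":   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-AES256-SHA384":     "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-RSA-AES256-SHA384":       "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256":   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES128-SHA256":     "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-RSA-AES128-SHA256":       "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}

NGINX_SSL_CIPHERS = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                     "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
                     "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                     "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256")

# "Cipher Suites:" line of the Java ClientHello in the debug log [4].
CLIENT_HELLO_SUITES = """
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_EMPTY_RENEGOTIATION_INFO_SCSV
""".split()

def server_suites(ssl_ciphers):
    # nginx ssl_ciphers value -> IANA names, kept in server preference order.
    return [OPENSSL_TO_IANA.get(n, n) for n in ssl_ciphers.split(":")]

def key_exchanges(suites):
    # Key-exchange/authentication family of each suite, e.g. "ECDHE_RSA".
    # The SCSV is a signalling value, not a suite, and has no "_WITH_" part.
    return {s.split("_WITH_")[0][4:] for s in suites if "_WITH_" in s}

def diagnose(ssl_ciphers=NGINX_SSL_CIPHERS, client=CLIENT_HELLO_SUITES):
    server = server_suites(ssl_ciphers)
    # ssl_prefer_server_ciphers on: the first server-preferred suite the client offers wins.
    common = [s for s in server if s in set(client)]
    return {
        "common_suites": common,
        "client_key_exchange": sorted(key_exchanges(client)),
        "server_only_key_exchange": sorted(key_exchanges(server) - key_exchanges(client)),
        "handshake_failure_expected": not common,
    }

print(diagnose())
```

With the two lists from the post the overlap is empty: the server offers only ECDHE suites and the client offers only RSA and DHE key exchange, which is exactly the condition under which a server sends a fatal handshake_failure alert after the ClientHello.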