[keycloak-user] keycloak javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Niels Bertram
nielsbne at gmail.com
Tue Jun 7 05:25:32 EDT 2016
Hi Jazz,
did you ever got closure on this issue? The reason I asked, I ran into a
SNI problem with the keycloak adapter client side a while ago and this was
caused by the version of http commons used by keycloak 1.7.0 was dated and
did not support SNI. I can see in your logs that the stack trace
contains org.apache.http
in the exception path. Also sometimes adding -Djavax.net.debug=all JVM arg
gives better information on what actually failed during handshake
negotiation.
Cheers,
Niels
On Thu, Apr 14, 2016 at 3:19 PM, <jazz at sqmail.me> wrote:
> Hi Marko,
>
> Thanks for the feedback. I verified that strong encryption is
> available in the JVM:
>
> 2016-04-13 21:41:33,304 INFO [stdout] (ServerService Thread Pool --
> 83) max allowed keylength = 2147483647
>
> This seems to be the case. Any other ideas?
>
> Thanks in advance, Jazz
>
>
> Marko Strukelj – Wed., 13. April 2016 23:15
> > If you are using Oracle JDK you may need to install strong encryption.
> >
> >
> http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
> >
> > On Apr 13, 2016 10:03 PM, "jazz" <jazz at sqmail.me> wrote:
> > Hi,
> >
> >
> > I have wildfly 10 installed using nginx as https proxy server [1,
> > standalone-full.xml]. Works great when using weak ciphers in nginx.
> > In that case keycloak can connect back to the app after
> > authentication (redirect SSL). When using strong ciphers in nginx
> > [2] is fails the ssl handshake [4]. JCE seems enabled since the
> > deployed app reports 2016-04-13 21:41:33,304 INFO [stdout]
> > (ServerService Thread Pool -- 83) max allowed keylength = 2147483647
> >
> >
> > My question is: does keycloak use a limited set of ciphers? SNI
> > works fine according to the log. I was digging in the code, but
> > could not find something obvious [5]
> >
> >
> > Best regards, Jazz
> >
> >
> >
> >
> >
> >
> >
> >
> > [1] wildfly standalone-full.xml
> >
> >
> > <subsystem
> > xmlns="urn:jboss:domain:undertow:3.0"> <buffer-cache
> > name="default"/> <server
> > name="default-server"> <http-listener name="default"
> > proxy-address-forwarding="true" socket-binding="http"
> > redirect-socket="proxy-https"/>
> > [... snip ...] <socket-binding-group name="standard-sockets"
> > default-interface="public"
> >
> port-offset="${jboss.socket.binding.port-offset:0}"> <socket-binding
> > name="management-http" interface="management"
> > port="${jboss.management.http.port:9990}"/> <socket-binding
> > name="management-https" interface="management"
> > port="${jboss.management.https.port:9993}"/> <socket-binding
> > name="http" port="${jboss.http.port:8080}"/> <socket-binding
> > name="https"
> > port="${jboss.https.port:8444}"/> <socket-binding
> > name="proxy-https" port="443"/>
> > [2] nginx ssl.conf
> > ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
> > ssl_prefer_server_ciphers on;
> > ssl_session_timeout 5m;
> > ssl_ciphers
> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
> >
> >
> >
> > [3] wildfly ssl debug enabled in /etc/systemd/system/wildfly.service
> >
> >
> > [4]
> >
> >
> > 2016-04-13 21:41:46,495 INFO [stdout] (default task-7) default
> > task-7, setSoTimeout(0) called
> > 2016-04-13 21:41:46,498 INFO [stdout] (default task-7) Allow unsafe
> > renegotiation: false
> > 2016-04-13 21:41:46,500 INFO [stdout] (default task-7) Allow legacy
> > hello messages: true
> > 2016-04-13 21:41:46,502 INFO [stdout] (default task-7) Is initial
> > handshake: true
> > 2016-04-13 21:41:46,503 INFO [stdout] (default task-7) Is secure
> > renegotiation: false
> > 2016-04-13 21:41:46,505 INFO [stdout] (default task-7) Ignoring
> > unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
> > 2016-04-13 21:41:46,506 INFO [stdout] (default task-7) Ignoring
> > unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
> > TLSv1
> > 2016-04-13 21:41:46,508 INFO [stdout] (default task-7) Ignoring
> > unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
> > TLSv1
> > 2016-04-13 21:41:46,509 INFO [stdout] (default task-7) Ignoring
> > unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
> > 2016-04-13 21:41:46,511 INFO [stdout] (default task-7) Ignoring
> > unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for
> > TLSv1.1
> > 2016-04-13 21:41:46,512 INFO [stdout] (default task-7) Ignoring
> > unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for
> > TLSv1.1
> > 2016-04-13 21:41:46,514 INFO [stdout] (default task-7) %% No cached
> > client session
> > 2016-04-13 21:41:46,518 INFO [stdout] (default task-7) ***
> > ClientHello, TLSv1.2
> > 2016-04-13 21:41:46,522 INFO [stdout] (default task-7)
> > RandomCookie: GMT: 1460510714 bytes = { 151, 73, 204, 252, 103,
> > 130, 99, 194, 229, 121, 137, 218, 8, 134, 230, 194, 64, 147, 182,
> > 180, 12, 171, 41, 74, 46, 186, 180, 88 }
> > 2016-04-13 21:41:46,523 INFO [stdout] (default task-7) Session ID: {}
> > 2016-04-13 21:41:46,525 INFO [stdout] (default task-7) Cipher
> > Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256,
> > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
> > TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
> > TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
> > TLS_RSA_WITH_AES_128_CBC_SHA256,
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
> > TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
> > TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> > TLS_RSA_WITH_AES_256_GCM_SHA384,
> > TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> > TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
> > TLS_RSA_WITH_AES_128_GCM_SHA256,
> > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> > TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
> > SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
> > SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
> > 2016-04-13 21:41:46,526 INFO [stdout] (default task-7) Compression
> > Methods: { 0 }
> > 2016-04-13 21:41:46,527 INFO [stdout] (default task-7) Extension
> > signature_algorithms, signature_algorithms: SHA512withECDSA,
> > SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,
> > SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA,
> > SHA1withRSA, SHA1withDSA
> > 2016-04-13 21:41:46,529 INFO [stdout] (default task-7) Extension
> > server_name, server_name: [type=host_name (0),
> > value=keycloak.example.com]
> > 2016-04-13 21:41:46,530 INFO [stdout] (default task-7) ***
> > 2016-04-13 21:41:46,531 INFO [stdout] (default task-7) default
> > task-7, WRITE: TLSv1.2 Handshake, length = 138
> > 2016-04-13 21:41:46,533 INFO [stdout] (default task-7) default
> > task-7, READ: TLSv1.2 Alert, length = 2
> > 2016-04-13 21:41:46,534 INFO [stdout] (default task-7) default
> > task-7, RECV TLSv1.2 ALERT: fatal, handshake_failure
> > 2016-04-13 21:41:46,535 INFO [stdout] (default task-7) default
> > task-7, called closeSocket()
> > 2016-04-13 21:41:46,536 INFO [stdout] (default task-7) default
> > task-7, handling exception: javax.net.ssl.SSLHandshakeException:
> > Received fatal alert: handshake_failure
> > 2016-04-13 21:41:46,537 INFO [stdout] (default task-7) default
> > task-7, called close()
> > 2016-04-13 21:41:46,538 INFO [stdout] (default task-7) default
> > task-7, called closeInternal(true)
> > 2016-04-13 21:41:46,539 ERROR
> > [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-7)
> > failed to turn code into token: javax.net.ssl.SSLHandshakeException:
> > Received fatal alert: handshake_failure
> > at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> > at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
> > at
> sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2023)
> > at
> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1125)
> > at
> >
> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
> > at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
> > at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
> > at
> >
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:543)
> > at
> >
> org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
> > at
> >
> org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:409)
> > at
> >
> org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
> > at
> >
> org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
> > at
> >
> org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
> > at
> >
> org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
> > at
> >
> org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
> > at
> >
> org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:882)
> > at
> >
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> > at
> >
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
> > at
> >
> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
> > at
> >
> org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
> > at
> >
> org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:314)
> > at
> >
> org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:260)
> > at
> >
> org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:112)
> > at
> >
> org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
> > at
> >
> org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
> > at
> >
> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
> > at
> >
> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
> > at
> >
> io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
> > at
> >
> io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
> > at
> >
> io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
> > at
> >
> io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
> > at
> >
> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
> > at
> >
> io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
> > at
> >
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at
> >
> io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
> > at
> >
> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> > at
> >
> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> > at
> >
> io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
> > at
> >
> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> > at
> >
> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> > at
> >
> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> > at
> >
> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> > at
> >
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at
> >
> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> > at
> >
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at
> >
> org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
> > at
> >
> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > at
> >
> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> > at
> >
> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> > at
> >
> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> > at
> >
> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> > at
> io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> > at
> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> > at
> >
> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> > at
> >
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> > at java.lang.Thread.run(Thread.java:745)
> >
> >
> > [5]
> >
> https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/SniSSLSocketFactory.java
> >
> >
> >
> >
> >
> >
> >
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-user/attachments/20160607/c4d3c07f/attachment-0001.html
More information about the keycloak-user
mailing list