Home Help Center

IceSSL handshake error

SergeySergey Member Siarhei SasinouskiOrganization: Epam SystemsProject: Trading system
Hello,

I am trying to use IceISS to verify the identities of the communicating parties - iceregister and server (without IceNode).
I followed this guide to generate keystores.
# Create CA
python iceca init --no-password
keytool -import -trustcacerts -file ca_cert.pem -keystore truststore.jks

# Create server keystore
python iceca request --no-password --overwrite server "Server"
python iceca sign --in server_req.pem --out server_cert.pem
python iceca import --java servercert server_cert.pem server_key.pem server_keystore.jks

# Create register keystore
python iceca request --no-password --overwrite registry "IceGrid Registry"
python iceca sign --in registry_req.pem --out registry_cert.pem
python iceca import --java registrycert registry_cert.pem registry_key.pem registry_keystore.jks

As a result I have:
- truststore.jks with the root CA's certificate;
- registry_keystore.jks with signed certificate and private key generated for register;
- server_keystore.jks with signed certificate and private key generated for server.

Register configuration:
IceGrid.InstanceName=IceGridLocal
IceGrid.Registry.Client.Endpoints=tcp -p 4061:ssl -p 4062
IceGrid.Registry.Server.Endpoints=ssl
IceGrid.Registry.Internal.Endpoints=tcp
IceGrid.Registry.Data=db/registry
IceGrid.Registry.DynamicRegistration=1
IceGrid.Registry.AdminPermissionsVerifier=IceGridLocal/NullPermissionsVerifier
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.DefaultDir=cert
IceSSL.Keystore=registry_keystore.jks
IceSSL.Truststore=truststore.jks
IceSSL.TruststorePassword=password
IceSSL.KeystorePassword=password
IceSSL.Password=password
IceSSL.Alias=registrycert
IceSSL.Trace.Security=1

Server configuration:
Ice.Default.Locator=IceGridLocal/Locator:ssl -h localhost -p 4062
Ice.Admin.Endpoints=tcp -h 127.0.0.1

Ice.Plugin.IceSSL=IceSSL.PluginFactory
IceSSL.DefaultDir=cert
IceSSL.Keystore=server_keystore.jks
IceSSL.Truststore=truststore.jks
IceSSL.TruststorePassword=password
IceSSL.KeystorePassword=password
IceSSL.Password=password

As a result I get the error on server start:
Ice.SecurityException
reason = "IceSSL: handshake error"
at IceSSL.TransceiverI.handshakeNonBlocking(TransceiverI.java:454)
at IceSSL.TransceiverI.initialize(TransceiverI.java:43)
at Ice.ConnectionI.initialize(ConnectionI.java:1536)
at Ice.ConnectionI.socketReady(ConnectionI.java:1116)
at Ice.ConnectionI$SocketReadyCallback.socketReady(ConnectionI.java:2299)
at IceInternal.SelectorThread.run(SelectorThread.java:203)
at IceInternal.SelectorThread$HelperThread.run(SelectorThread.java:273)
Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure

The same error when I try to connect from IceGredAdmin to the registry using SSL.

Could you please advice what can be wrong.

Thank you

Comments

  • benoitbenoit Rennes, FranceAdministrators, ZeroC Staff Benoit FoucherOrganization: ZeroC, Inc.Project: Ice ZeroC Staff
    Hi,

    The IceGrid registry uses the C++ implementation of IceSSL which doesn't support JKS files. JKS files are only supported by the Java implementation of IceSSL. You need to configure the IceSSL.CertAuthFile, IceSSL.CertFile and IceSSL.KeyFile properties for the IceGrid registry. See the IceSSL property reference for which properties are supported by the various IceSSL implementations.

    We provide a demo that demonstrates how to configure the various IceGrid components to use IceSSL, I recommend to check out this demo. You can find it in the demo/IceGrid/secure directory of your Ice 3.5.1 demo distribution.

    You can also check out the 3.6.0 version of the IceGrid secure demo. The makecerts.py script from the demo has been improved to create the certificates using the new PyPi package.

    Cheers,
    Benoit.
  • SergeySergey Member Siarhei SasinouskiOrganization: Epam SystemsProject: Trading system
    Hi Benoit,

    Thanks for your reply.

    I've changed register config like this:
    Ice.Plugin.IceSSL=IceSSL:createIceSSL
    IceSSL.DefaultDir=cert
    IceSSL.CertAuthFile=ca_cert.pem
    IceSSL.CertFile=registry_cert.pem
    IceSSL.KeyFile=registry_key.pem
    IceSSL.Alias=registrycert
    

    It works now.


    I've got another question connected to this.
    Basically I want to protect my register and don't allow any servers register their adaptors without permission. But at the same time clients and server should use a regular TCP endpoint to communicate.

    I defined both tcp and ssl endpoint like this:
    IceGrid.Registry.Client.Endpoints=tcp -p 4061 : ssl -p 4062
    
    tcp for clients, ssl for server.

    But any server still can use tcp endpoint for adaptors registration as it's defined in register config.

    Can I forbid it?

    Probably setting this property can help:
    IceGrid.Registry.Server.Endpoints=ssl
    

    Thank you
  • benoitbenoit Rennes, FranceAdministrators, ZeroC Staff Benoit FoucherOrganization: ZeroC, Inc.Project: Ice ZeroC Staff
    Hi,

    Servers don't register their endpoints through the IceGrid registry client endpoints but with the IceGrid registry server endpoints (defined with IceGrid.Registry.Server.Endpoints). So you can continue using tcp for the client endpoints but indeed need to use ssl for the registry server endpoints.

    See Securing IceGrid for more information on the registry endpoints and how to secure them.

    Cheers,
    Benoit.
Sign In or Register to comment.