Archived
This forum has been archived. Please start a new discussion on GitHub.
IceSSL handshake error
Hello,
I am trying to use IceSSL to verify the identities of the communicating parties, icegridregistry and the server (without icegridnode).
I followed this guide to generate keystores.
# Create CA
python iceca init --no-password
keytool -import -trustcacerts -file ca_cert.pem -keystore truststore.jks

# Create server keystore
python iceca request --no-password --overwrite server "Server"
python iceca sign --in server_req.pem --out server_cert.pem
python iceca import --java servercert server_cert.pem server_key.pem server_keystore.jks

# Create registry keystore
python iceca request --no-password --overwrite registry "IceGrid Registry"
python iceca sign --in registry_req.pem --out registry_cert.pem
python iceca import --java registrycert registry_cert.pem registry_key.pem registry_keystore.jks
As a result I have:
- truststore.jks with the root CA's certificate;
- registry_keystore.jks with the signed certificate and private key generated for the registry;
- server_keystore.jks with the signed certificate and private key generated for the server.
Registry configuration:
IceGrid.InstanceName=IceGridLocal
IceGrid.Registry.Client.Endpoints=tcp -p 4061:ssl -p 4062
IceGrid.Registry.Server.Endpoints=ssl
IceGrid.Registry.Internal.Endpoints=tcp
IceGrid.Registry.Data=db/registry
IceGrid.Registry.DynamicRegistration=1
IceGrid.Registry.AdminPermissionsVerifier=IceGridLocal/NullPermissionsVerifier
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.DefaultDir=cert
IceSSL.Keystore=registry_keystore.jks
IceSSL.Truststore=truststore.jks
IceSSL.TruststorePassword=password
IceSSL.KeystorePassword=password
IceSSL.Password=password
IceSSL.Alias=registrycert
IceSSL.Trace.Security=1
Server configuration:
Ice.Default.Locator=IceGridLocal/Locator:ssl -h localhost -p 4062
Ice.Admin.Endpoints=tcp -h 127.0.0.1
Ice.Plugin.IceSSL=IceSSL.PluginFactory
IceSSL.DefaultDir=cert
IceSSL.Keystore=server_keystore.jks
IceSSL.Truststore=truststore.jks
IceSSL.TruststorePassword=password
IceSSL.KeystorePassword=password
IceSSL.Password=password
As a result I get this error on server start:
Ice.SecurityException
reason = "IceSSL: handshake error"
at IceSSL.TransceiverI.handshakeNonBlocking(TransceiverI.java:454)
at IceSSL.TransceiverI.initialize(TransceiverI.java:43)
at Ice.ConnectionI.initialize(ConnectionI.java:1536)
at Ice.ConnectionI.socketReady(ConnectionI.java:1116)
at Ice.ConnectionI$SocketReadyCallback.socketReady(ConnectionI.java:2299)
at IceInternal.SelectorThread.run(SelectorThread.java:203)
at IceInternal.SelectorThread$HelperThread.run(SelectorThread.java:273)
Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
I get the same error when I try to connect from IceGridAdmin to the registry using SSL.
Could you please advise what could be wrong?
Thank you
Comments
Hi,
The IceGrid registry uses the C++ implementation of IceSSL which doesn't support JKS files. JKS files are only supported by the Java implementation of IceSSL. You need to configure the IceSSL.CertAuthFile, IceSSL.CertFile and IceSSL.KeyFile properties for the IceGrid registry. See the IceSSL property reference for which properties are supported by the various IceSSL implementations.
We provide a demo that demonstrates how to configure the various IceGrid components to use IceSSL; I recommend checking out this demo. You can find it in the demo/IceGrid/secure directory of your Ice 3.5.1 demo distribution.
You can also check out the 3.6.0 version of the IceGrid secure demo. The makecerts.py script from the demo has been improved to create the certificates using the new PyPi package.
Cheers,
Benoit.
Hi Benoit,
Thanks for your reply.
I've changed the registry config like this:
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.DefaultDir=cert
IceSSL.CertAuthFile=ca_cert.pem
IceSSL.CertFile=registry_cert.pem
IceSSL.KeyFile=registry_key.pem
IceSSL.Alias=registrycert
It works now.
I've got another question connected to this.
Basically I want to protect my registry and not allow any server to register its adapters without permission. But at the same time clients and servers should use a regular TCP endpoint to communicate.
I defined both tcp and ssl endpoints like this:
IceGrid.Registry.Client.Endpoints=tcp -p 4061 : ssl -p 4062
tcp for clients, ssl for server.
But any server can still use the tcp endpoint for adapter registration, as it's defined in the registry config.
Can I forbid it?
Probably setting this property can help:
IceGrid.Registry.Server.Endpoints=ssl
Thank you
Hi,
Servers don't register their endpoints through the IceGrid registry client endpoints but with the IceGrid registry server endpoints (defined with IceGrid.Registry.Server.Endpoints). So you can continue using tcp for the client endpoints but indeed need to use ssl for the registry server endpoints.
See Securing IceGrid for more information on the registry endpoints and how to secure them.
Cheers,
Benoit.
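The two answers above come down to two checks a practitioner can run before starting any component: the IceSSL properties must match the implementation the component actually loads (the C++ registry reads PEM files via IceSSL.CertAuthFile/CertFile/KeyFile and silently ignores the JKS properties, which is why the Java peer saw a bare handshake_failure), and adapter registration must only be reachable through ssl server endpoints that demand a client certificate. The following preflight linter is an added example, not code from the thread or from the Ice distribution. It assumes the documented property names, infers the implementation from the Ice.Plugin.IceSSL entry point ("IceSSL:createIceSSL" for C++, "IceSSL.PluginFactory" for Java), and relies on IceSSL.VerifyPeer defaulting to 2; the embedded property files are constructed from the configurations posted in the thread.

```python
# Added example: preflight linter for IceSSL / IceGrid registry property files.
# Not part of the thread or of the Ice distribution. Assumptions: documented
# IceSSL/IceGrid property names; implementation inferred from the
# Ice.Plugin.IceSSL entry point; IceSSL.VerifyPeer defaults to 2.

# Honoured only by the C++ IceSSL plugin (PEM files).
PEM_PROPS = {"IceSSL.CertAuthFile", "IceSSL.CertFile", "IceSSL.KeyFile"}
# Honoured only by the Java IceSSL plugin (JKS keystores).
JKS_PROPS = {"IceSSL.Keystore", "IceSSL.KeystorePassword", "IceSSL.Truststore",
             "IceSSL.TruststorePassword", "IceSSL.Alias"}


def parse_properties(text):
    """Parse Ice config-file syntax: one name=value per line, '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        if sep:
            props[name.strip()] = value.strip()
    return props


def ssl_implementation(props):
    """Which IceSSL implementation the plugin entry point selects, or None."""
    entry = props.get("Ice.Plugin.IceSSL", "")
    if entry == "IceSSL:createIceSSL":
        return "cpp"
    if entry == "IceSSL.PluginFactory":
        return "java"
    return None


def endpoint_protocols(spec):
    """'tcp -p 4061:ssl -p 4062' -> ['tcp', 'ssl'].

    Ice separates endpoints with ':'; unquoted IPv6 literals are not handled.
    """
    return [part.split()[0] for part in spec.split(":") if part.strip()]


def lint(text):
    """Return the list of findings for one component's property file."""
    props = parse_properties(text)
    present = set(props)
    findings = []
    impl = ssl_implementation(props)
    if impl is None:
        findings.append("Ice.Plugin.IceSSL missing or unrecognised: no SSL plugin will be loaded")
    elif impl == "cpp":
        # The C++ plugin ignores JKS properties and then has no certificate to
        # present; the Java peer only sees a fatal handshake_failure alert.
        for p in sorted(JKS_PROPS & present):
            findings.append(f"{p} is ignored by the C++ IceSSL plugin")
        for p in sorted(PEM_PROPS - present):
            findings.append(f"{p} is required by the C++ IceSSL plugin")
    else:
        for p in sorted(PEM_PROPS & present):
            findings.append(f"{p} is ignored by the Java IceSSL plugin")
        for p in sorted({"IceSSL.Keystore", "IceSSL.Truststore"} - present):
            findings.append(f"{p} is required by the Java IceSSL plugin")

    # Registry-only checks: servers register adapters through the *server*
    # endpoints, so that is where a client certificate must be demanded.
    server_eps = props.get("IceGrid.Registry.Server.Endpoints")
    if server_eps is not None:
        plain = [p for p in endpoint_protocols(server_eps) if p != "ssl"]
        if plain:
            findings.append(f"IceGrid.Registry.Server.Endpoints accepts {plain}: "
                            "any server can register adapters without a certificate")
        if props.get("IceSSL.VerifyPeer", "2") != "2":
            findings.append("IceSSL.VerifyPeer is not 2: ssl endpoints will not require a client certificate")
    return findings


# Constructed samples, built from the configurations posted in the thread.
REGISTRY_AS_POSTED = """
IceGrid.Registry.Client.Endpoints=tcp -p 4061:ssl -p 4062
IceGrid.Registry.Server.Endpoints=ssl
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.DefaultDir=cert
IceSSL.Keystore=registry_keystore.jks
IceSSL.Truststore=truststore.jks
IceSSL.TruststorePassword=password
IceSSL.KeystorePassword=password
IceSSL.Password=password
IceSSL.Alias=registrycert
"""

REGISTRY_FIXED = """
IceGrid.Registry.Client.Endpoints=tcp -p 4061:ssl -p 4062
IceGrid.Registry.Server.Endpoints=ssl
Ice.Plugin.IceSSL=IceSSL:createIceSSL
IceSSL.DefaultDir=cert
IceSSL.CertAuthFile=ca_cert.pem
IceSSL.CertFile=registry_cert.pem
IceSSL.KeyFile=registry_key.pem
IceSSL.VerifyPeer=2
"""

# Variant that leaves a plain tcp server endpoint open (hypothetical ports).
REGISTRY_OPEN = REGISTRY_FIXED.replace("Server.Endpoints=ssl",
                                       "Server.Endpoints=tcp -p 4063:ssl -p 4064")

SERVER_JAVA = """
Ice.Default.Locator=IceGridLocal/Locator:ssl -h localhost -p 4062
Ice.Plugin.IceSSL=IceSSL.PluginFactory
IceSSL.DefaultDir=cert
IceSSL.Keystore=server_keystore.jks
IceSSL.Truststore=truststore.jks
IceSSL.TruststorePassword=password
IceSSL.KeystorePassword=password
"""

if __name__ == "__main__":
    for name, cfg in [("registry as posted", REGISTRY_AS_POSTED),
                      ("registry fixed", REGISTRY_FIXED),
                      ("registry with tcp server endpoint", REGISTRY_OPEN),
                      ("java server", SERVER_JAVA)]:
        print(name)
        for finding in lint(cfg) or ["ok"]:
            print("  -", finding)
```

Running it against the posted registry config lists the five JKS properties the C++ plugin ignores and the three PEM properties it needs; the corrected registry config and the Java server config pass clean, and the tcp variant is flagged because adapter registration would then be possible without any certificate. The IceSSL.Alias line the poster kept in the fixed config is harmless but is also Java-only, which this linter would point out.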