Archived

This forum has been archived. Please start a new discussion on GitHub.

Help! IceSSL: server did not supply a certificate

I generate a keystore by
[keytool -genkey -alias feidaokey -keyalg RSA -keysize 1024 -keypass feidaoroot -validity 3650 -keystore e:\gen\ssl\feidaoroot\feidaoroot.keystore -storepass feidaoroot]
and set the properties

Ice.Plugin.IceSSL=IceSSL.PluginFactory
IceSSL.DefaultDir=E:\Gen\SSL\feidaoroot
IceSSL.Truststore=feidaoroot.keystore
IceSSL.Keystore=feidaoroot.keystore
IceSSL.Password=feidaoroot
IceSSL.Trace.Security=1


On the client:

MessageEndpointPrx mse = MessageEndpointPrxHelper
.checkedCast(communicator().stringToProxy("onmessage:ssl -h 192.168.2.103 -p 10012 -t 60000"));

!! 15-8-3 15:52:40:322 Client: error: main: Ice.SecurityException
reason = "IceSSL: server did not supply a certificate"
at IceInternal.AsyncResultI.__wait(AsyncResultI.java:270)
at Ice.ObjectPrxHelperBase.end_ice_isA(ObjectPrxHelperBase.java:310)
at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:92)
at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:69)
at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2810)
at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2770)
at com.feidao.platform.core.communication.ice.slice.MessageEndpointPrxHelper.checkedCast(MessageEndpointPrxHelper.java:592)
at SSLtest.run(SSLtest.java:37)
at Ice.Application.doMain(Application.java:214)
at Ice.Application.main(Application.java:194)
at Ice.Application.main(Application.java:118)
at SSLtest.main(SSLtest.java:118)

server:
-- 15-8-3 15:52:40:298 FeidaoBox-22-onmessage: Security: SSL summary for incoming connection
cipher = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
protocol = TLSv1.2
local address = 192.168.2.103:10012
remote address = 192.168.2.103:56928

env: jdk1.8 ice3.6.0

PS: I have used IceSSL in 3.4.1, but now I have no idea about what's wrong with it.

Comments

  • benoit
    benoit Rennes, France
    Hi,

    Can you post the IceSSL configuration of the client? Also try running the client with IceSSL.Trace.Security=1 to see if it provides additional information.

    You need to make sure the client can authenticate the server by configuring the client with a trust store that contains the public certificate of the server. Or if you don't want the client to authenticate the server, you can set IceSSL.VerifyPeer=0. See IceSSL.VerifyPeer documentation for more information.

    Cheers,
    Benoit.
  • Thank you, IceSSL.VerifyPeer=0 works!
    If I need the client to authenticate the server, how do I configure it?

    I used to config both client and server :

    Ice.Plugin.IceSSL=IceSSL.PluginFactory
    IceSSL.DefaultDir=E:\Gen\SSL\feidaoroot
    IceSSL.Truststore=feidaoroot.keystore
    IceSSL.Keystore=feidaoroot.keystore
    IceSSL.Password=feidaoroot
    IceSSL.Trace.Security=1

    full log:

    -- 15-8-3 16:43:16:992 Client: Security: enabling SSL ciphersuites:
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    SSL_RSA_WITH_RC4_128_SHA
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    TLS_ECDH_RSA_WITH_RC4_128_SHA
    SSL_RSA_WITH_RC4_128_MD5
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    -- 15-8-3 16:43:17:895 Client: Security: enabling SSL ciphersuites:
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    TLS_ECDHE_RSA_WITH_RC4_128_SHA
    SSL_RSA_WITH_RC4_128_SHA
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    TLS_ECDH_RSA_WITH_RC4_128_SHA
    SSL_RSA_WITH_RC4_128_MD5
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV
    !! 15-8-3 16:43:18:147 Client: error: main: Ice.SecurityException
    reason = "IceSSL: server did not supply a certificate"
    at IceInternal.AsyncResultI.__wait(AsyncResultI.java:270)
    at Ice.ObjectPrxHelperBase.end_ice_isA(ObjectPrxHelperBase.java:310)
    at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:92)
    at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:69)
    at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2810)
    at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2770)
    at com.feidao.platform.core.communication.ice.slice.MessageEndpointPrxHelper.checkedCast(MessageEndpointPrxHelper.java:592)
    at SSLtest.run(SSLtest.java:37)
    at Ice.Application.doMain(Application.java:214)
    at Ice.Application.main(Application.java:194)
    at Ice.Application.main(Application.java:118)
    at SSLtest.main(SSLtest.java:118)


  • benoit
    benoit Rennes, France
    The client needs to verify the server's certificate for the authentication to succeed. The IceSSL.Truststore property doesn't point to a Java keystore that contains a public certificate for the server's certificate (it only contains the server's self-signed certificate key pair) so the client can't verify the server.

    You either need to create a separate truststore file or import the public certificate part of the self-signed certificate key pair into the feidaoroot.keystore file. This can be achieved with the following commands:
    # Export the public certificate
    $ keytool -keystore feidaoroot.keystore -storepass feidaoroot -alias feidaokey -exportcert -rfc > cacert.pem

    # Option 1: Create a truststore file
    $ keytool -importcert -file cacert.pem -keystore feidaoroot.truststore -storepass feidaoroot

    # Option 2: import the public certificate into the feidaoroot.keystore
    $ keytool -importcert -file cacert.pem -keystore feidaoroot.keystore -storepass feidaoroot


    With the first option you will need to configure IceSSL.Truststore=feidaoroot.truststore and IceSSL.TruststorePassword=feidaoroot. With the second option, you can remove the configuration of the IceSSL.Truststore property; by default IceSSL will look up the trust certificates in the keystore specified with IceSSL.Keystore.

    Note that with your configuration the client and server use the same certificate for authentication. You should either create different certificates for the client and server if you want the client to authenticate the server and the server to authenticate the client or you shouldn't set IceSSL.Keystore in the client configuration if you don't need client authentication (you should still set IceSSL.Truststore in the client configuration to allow the client to verify the server's certificate).
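The check Benoit describes can be run before starting the client at all. The following program is an added example written for this thread; it is not code from the thread, from ZeroC or from the IceSSL plug-in. It loads the server's certificate from the keystore, then scans the truststore for a trusted-certificate entry whose public key verifies that certificate, which is exactly what the client needs in order to authenticate the server. The file names, alias and password from the thread are only command-line defaults; the class name TrustStoreCheck and its helpers are this example's own.

```java
// Added example (not from the thread or from IceSSL): does the truststore
// contain a trusted certificate that verifies the server certificate?
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class TrustStoreCheck {

    static KeyStore load(String path, String password) throws Exception {
        // KeyStore.getDefaultType() is "jks" on JDK 8, which is what the
        // thread's keytool -genkey command produced; newer JDKs default to
        // PKCS12 but still open JKS files in compatibility mode.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** Alias of a trusted-certificate entry whose public key verifies
     *  serverCert, or null when the truststore holds no such entry. */
    static String findVerifier(KeyStore trust, X509Certificate serverCert) throws Exception {
        for (String alias : Collections.list(trust.aliases())) {
            // Only certificate entries are trust anchors. A PrivateKeyEntry
            // with the same key pair (the thread's original setup, where the
            // keystore doubled as truststore) is not one.
            if (!trust.isCertificateEntry(alias)) {
                continue;
            }
            Certificate c = trust.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            PublicKey anchorKey = c.getPublicKey();
            try {
                // Self-signed: the certificate's own key. CA-signed: the CA's key.
                serverCert.verify(anchorKey);
                serverCert.checkValidity();
                return alias;
            } catch (Exception notThisOne) {
                // signature did not verify or certificate outside its validity: keep looking
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        String keystorePath   = args.length > 0 ? args[0] : "feidaoroot.keystore";
        String keystorePass   = args.length > 1 ? args[1] : "feidaoroot";
        String alias          = args.length > 2 ? args[2] : "feidaokey";
        String truststorePath = args.length > 3 ? args[3] : "feidaoroot.truststore";
        String truststorePass = args.length > 4 ? args[4] : "feidaoroot";

        KeyStore ks = load(keystorePath, keystorePass);
        Certificate c = ks.getCertificate(alias);
        if (!(c instanceof X509Certificate)) {
            System.out.println("no certificate under alias " + alias + " in " + keystorePath);
            System.exit(2);
        }
        X509Certificate serverCert = (X509Certificate) c;
        System.out.println("server certificate: " + serverCert.getSubjectX500Principal());

        KeyStore trust = load(truststorePath, truststorePass);
        String verifier = findVerifier(trust, serverCert);
        if (verifier == null) {
            System.out.println("FAIL: " + truststorePath + " has no trusted certificate entry that"
                    + " verifies it; export the public certificate with keytool -exportcert"
                    + " and import it with keytool -importcert");
            System.exit(1);
        }
        System.out.println("OK: verified by trusted entry '" + verifier + "' in " + truststorePath);

        // Option 2 from the post keeps the private key in the same file. That is
        // fine for the server, but a client configured with this file as its
        // IceSSL.Keystore would present the server's identity.
        if (trust.containsAlias(alias) && trust.isKeyEntry(alias)) {
            System.out.println("note: " + truststorePath + " also holds the private key '" + alias
                    + "'; do not set IceSSL.Keystore to it on the client unless you want client authentication");
        }
    }
}
```

Run it once against the original setup (keystore and truststore both feidaoroot.keystore) and it reports FAIL, because the only entry is the PrivateKeyEntry; run it after either keytool option above and it reports the alias of the imported trusted certificate.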
  • Thank you very much, I am going to re-generate the CA certificates.

    Is IceSSL.Truststore=feidaoroot.truststore equivalent to IceSSL.CAs=feidaoroot.pem in Glacier2, after I turn feidaoroot.truststore into feidaoroot.pem with openssl?

    And I tried setting IceSSL.VerifyPeer=0 in the client and Glacier2:

    client:
    -- 15-8-3 17:55:02:635 Client: Security: IceSSL: ignoring certificate validation failure:
    peer certificate does not have `192.168.2.103' as its commonName or in its subjectAltName extension
    Subject DN: cn=feidao,ou=feidao,o=feidao,l=zz,st=hn,c=cn
    -- 15-8-3 17:55:02:636 Client: Security: SSL summary for outgoing connection
    cipher = TLS_RSA_WITH_AES_128_CBC_SHA256
    protocol = TLSv1.2
    local address = 192.168.2.103:59049
    remote address = 192.168.2.103:9528
    !! 15-8-3 17:55:02:678 Client: error: main: Ice.ConnectionLostException
    error = 0
    at IceInternal.AsyncResultI.__wait(AsyncResultI.java:270)
    at Ice.ObjectPrxHelperBase.end_ice_isA(ObjectPrxHelperBase.java:310)
    at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:92)
    at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:69)
    at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2810)
    at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2770)
    at Glacier2.RouterPrxHelper.checkedCast(RouterPrxHelper.java:2655)
    at Glacier2Test.run(Glacier2Test.java:44)
    at Ice.Application.doMain(Application.java:214)
    at Ice.Application.main(Application.java:194)
    at Ice.Application.main(Application.java:118)
    at Glacier2Test.main(Glacier2Test.java:139)

    I want to get it working with a simple self-signed certificate first, or should I build the CA certificates?
  • benoit
    benoit Rennes, France
    Yes, the IceSSL.CAs property in C++/C# is equivalent to IceSSL.Truststore for Java.

    A self-signed certificate should work as long as the client is able to verify it using the public key of the self-signed certificate, so the client needs to be configured with a trust store that contains a certificate with this public key (which is what the commands provided in my previous post are doing). Note that we also provide a PyPI package to help with the creation of certificates. The PyPI package contains a small Python library and an iceca script. You can use either the library or the script to create a minimal CA and certificates signed with this CA. See for example ice-demos/certs/makecerts.py for an example on how we create the client & server certificates for the Ice demos.

    You can ignore the verification failure from the trace, it's just an indication that the check for the certificate common name failed. This verification failure isn't fatal as long as you don't require it by setting IceSSL.CheckCertName=1. See IceSSL.CheckCertName documentation.

    The Ice.ConnectionLostException exception appears to be un-related to the IceSSL configuration since the trace shows that the connection is successful. How do you establish the session to the Glacier2 router? You can enable Glacier2.Client.Trace.Reject=1 and Glacier2.Trace.Session=1 to gather additional information on the reason why the connection got rejected by Glacier2.
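The name check that produced the trace line "peer certificate does not have `192.168.2.103' as its commonName or in its subjectAltName extension" can be reproduced offline. The program below is an added example for this thread, not IceSSL's own implementation: it reads the cacert.pem file written by the keytool -exportcert command earlier in the thread and tests a host name or IP address against the subject CN and the subjectAltName dNSName/iPAddress entries, the two places such a check looks. The class name CertNameCheck, the file name and the host are this example's defaults and assumptions.

```java
// Added example (not from the thread or from IceSSL): does the certificate
// name the host the client connects to?
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CertNameCheck {

    // GeneralName tags as X509Certificate.getSubjectAlternativeNames() numbers them
    private static final int DNS_NAME = 2;
    private static final int IP_ADDRESS = 7;

    static X509Certificate readPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** True if host is a dNSName or iPAddress SAN entry, or the subject CN. */
    static boolean nameMatches(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                Object value = san.get(1);
                // Java returns both dNSName and iPAddress values as strings,
                // so a literal IP such as 192.168.2.103 compares directly.
                if ((type == DNS_NAME || type == IP_ADDRESS)
                        && value instanceof String
                        && ((String) value).equalsIgnoreCase(host)) {
                    return true;
                }
            }
        }
        // Fall back to the commonName of the subject DN (cn=feidao in the thread).
        LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")
                    && String.valueOf(rdn.getValue()).equalsIgnoreCase(host)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        String pemPath = args.length > 0 ? args[0] : "cacert.pem";
        String host = args.length > 1 ? args[1] : "192.168.2.103";
        X509Certificate cert = readPem(pemPath);
        if (nameMatches(cert, host)) {
            System.out.println("OK: " + host + " is named by the certificate");
        } else {
            // Same wording as the IceSSL trace line in the thread.
            System.out.println("peer certificate does not have `" + host
                    + "' as its commonName or in its subjectAltName extension");
            System.out.println("Subject DN: " + cert.getSubjectX500Principal());
            System.exit(1);
        }
    }
}
```

The certificate from the thread fails this check because its CN is "feidao" and keytool -genkey adds no subjectAltName. The fix that keeps IceSSL.CheckCertName=1 enforceable is to regenerate the certificate with the address in its SAN, for example by adding -ext SAN=ip:192.168.2.103 to the keytool -genkey command, rather than relaxing the client's verification.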