Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

server certificate change is restricted during renegotiation for TLS_1.2 with Java 8

I am pretty new to SSL and have been hit by what seems like known issue. My application is the SSL client and invokes another component which is enabled for two way SSL. The certificates in both the components are proper and connection works fine sometimes. Each server has its own server certificate and private key , but same root and intermediate certificate.

The SSL check in Server is done in Apache SW LB.

                                                                            |-------------|
                                                                          / |   Tomcat1   |
                                                         |-------------| /  |-------------| 
                                             |---------->|Apache SW LB |/ 
                                             |           |-------------|\       
                                             |                           \
                                             |                            \  |-------------|
|-----------|            |------------|      |                               |  Tomcat 2   |
|SSL Client |---HTTPS--->|Hardware LB |------|                               |-------------|    
|-----------|            |------------|      |                              |-------------| 
                                             |                            / |   Tomcat3   |
                                             |           |-------------| /  |-------------|
                                             |---------->|Apache SW LB |/   
                                                         |-------------|\
                                                                         \
                                                                          \|-------------|  
                                                                           |    Tomcat4  |
                                                                           |-------------|

Sometimes I am getting an error as below:-

***
%% Invalidated:  [Session-10, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
http-nio-8443-exec-10, SEND TLSv1.2 ALERT:  fatal, description = bad_certificate
http-nio-8443-exec-10, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 2A                               ......*
http-nio-8443-exec-10, called closeSocket()
http-nio-8443-exec-10, handling exception: javax.net.ssl.SSLHandshakeException: server certificate change is restricted during renegotiation

I am using Spring REST template to invoke the REST call and using only TLS_V1.2, but still getting the above error.

TrustStrategy ts = new TrustStrategy() {
      @Override
      public boolean isTrusted(
          X509Certificate[] x509Certificates, String s)
          throws CertificateException {
        return true; // TODO : revisit
      }
    };
    SSLContext sslcontext = org.apache.http.ssl.SSLContexts.custom()
        .loadKeyMaterial(keyStore, keypass.toCharArray())
        .loadTrustMaterial(trustStore, ts) 
        .build();

 SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(

            sslcontext, new String[] {
                "TLSv1.2" }, null,
            SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);   
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();

      }

ON googling i find like that this issue will not be happeneing for TLSv1.2 and Java 8(java version "1.8.0_60"). I am using Spring 4 RestTemplete for invoking rest calls.

And I am using the below version of httpclinet :-

 <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.4.1</version>
    </dependency>

Since I am new to SSL , i have few questions to start with:-

1). Is this a SSL clinet or SSL server issue?

2). Any real reason why the connection is working sometimes and breaking sometime?The technical reason for the failure.

3). Is this to do with any caching at client side

Also it be great if someone can point to the real slotion for this issue.

like image 778
Manu Avatar asked Jun 14 '16 20:06

Manu


1 Answers

Java SSL stack rejects re-negotiation probably after hardware loadbalancer has switched your connexion from one node to the other.

For such a deployment to work, both "Apache SW LB" instances have to use the very same virtual host URL and SSL configurations. And there is no obvious reason not do to so, as it does not conflict with any system configurations.

So your issue is a mixed between a client behaviour that rejects your cluster deployment for which each node use a different private key / server certificate, even if virtual host URL is the same.

like image 110
Yves Martin Avatar answered Oct 15 '22 09:10

Yves Martin