Bug 1355658 - SSL handshake failure
Summary: SSL handshake failure
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Candlepin
Classification: Community
Component: candlepin
Version: 2.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
Assignee: Kevin Howell
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-07-12 07:38 UTC by Filip Nguyen
Modified: 2016-10-18 21:54 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-18 21:54:14 UTC



Description Filip Nguyen 2016-07-12 07:38:45 UTC
Description of problem:
With some versions of Java it is not possible to run spec tests because of SSL failures such as [1]. A workaround is to remove 'ciphers' from [2] or to add appropriate ciphers that both the Ruby client and the Java version provide.

My theory is that our deploy script modifies the 'ciphers' attribute of [2] in such a way that:
 1) The specific Java doesn't support most of the ciphers
 2) The Ruby client doesn't support the few ciphers that 1) does provide

[1] 
  237) Environments can be created by owner admin
     Failure/Error: Unable to find matching line from backtrace
     OpenSSL::SSL::SSLError:
       SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure

[2] 
/etc/tomcat/server.xml element Connector[@port=8443] 

Version-Release number of selected component (if applicable):
Either of these:
 - Java(TM) SE Runtime Environment (build 1.8.0_91-b14)
 - OpenJDK java that is in Fedora 24

How reproducible:
Always

Steps to Reproduce:
1. Install one of the above mentioned Java versions and set it as JAVA_HOME for your Tomcat
2. Run spec tests


Actual results:
Exceptions: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert handshake failure

Expected results:
No Exceptions
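An added Ruby reproduction of the theory above (not code from this report or from the Candlepin project): an in-process TLS 1.2 server stands in for the Tomcat connector, with a constructed self-signed certificate and hypothetical cipher lists, and the client raises the same class of OpenSSL::SSL::SSLError as in [1] when the two lists share no cipher, but connects once they overlap.

```ruby
require "openssl"
require "socket"
# Constructed self-signed certificate for the in-process test server.
def make_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# One TLS 1.2 handshake on loopback with the given server and client cipher lists
# (OpenSSL syntax, ':'-separated). Returns :ok, or the client's SSLError message.
def try_handshake(server_ciphers, client_ciphers)
  key, cert = make_cert
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.key, sctx.cert = key, cert
  sctx.max_version = OpenSSL::SSL::TLS1_2_VERSION  # TLS 1.3 suites are configured separately
  sctx.ciphers = server_ciphers
  tcp = TCPServer.new("127.0.0.1", 0)
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(tcp.accept, sctx)
    ssl.sync_close = true
    begin
      ssl.accept          # fails with "no shared cipher" when the lists are disjoint
    rescue OpenSSL::SSL::SSLError
      nil
    ensure
      ssl.close
    end
  end
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = OpenSSL::SSL::VERIFY_NONE     # test cert is self-signed
  cctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  cctx.ciphers = client_ciphers
  client = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", tcp.addr[1]), cctx)
  client.sync_close = true
  begin
    client.connect
    :ok
  rescue OpenSSL::SSL::SSLError => e
    e.message             # the client sees the server's handshake_failure alert
  ensure
    client.close
    server.join
    tcp.close
  end
end
```

Pass the server-side list from Connector[@port=8443]'s 'ciphers' attribute (in OpenSSL syntax) as the first argument to see which client lists it admits.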

Comment 1 Kevin Howell 2016-10-18 21:54:14 UTC
In a fresh Fedora 24 VM with the latest java, nss, ruby and openssl packages:

[vagrant@localhost server]$ rpm -qa ruby java-* nss openssl-* | sort
java-1.8.0-openjdk-1.8.0.102-1.b14.fc24.x86_64
java-1.8.0-openjdk-devel-1.8.0.102-1.b14.fc24.x86_64
java-1.8.0-openjdk-headless-1.8.0.102-1.b14.fc24.x86_64
nss-3.27.0-1.1.fc24.x86_64
openssl-libs-1.0.2j-1.fc24.x86_64
ruby-2.3.1-56.fc24.x86_64

and gems installed by bundler:

[vagrant@localhost candlepin]$ gem list

*** LOCAL GEMS ***

activesupport (4.2.6)
ast (2.2.0)
atoulme-Antwrap (0.7.5)
bigdecimal (1.2.8)
binding_of_caller (0.7.2)
builder (3.2.2)
buildr (1.4.24)
buildr-findBugs (0.1.1)
bundler (1.10.6)
byebug (8.2.4)
coderay (1.1.1)
debug_inspector (0.0.2)
did_you_mean (1.0.0)
diff-lcs (1.2.4)
digest-murmurhash (1.1.1)
hoe (3.7.1)
httpclient (2.7.1)
i18n (0.7.0)
io-console (0.4.5)
json (1.8.3)
json_pure (1.8.0)
method_source (0.8.2)
mime-types (1.25.1)
minitar (0.5.4)
minitest (5.8.4)
net-sftp (2.1.2)
net-ssh (2.7.0)
oauth (0.5.1)
orderedhash (0.0.6)
parallel (1.8.0)
parallel_tests (2.5.0)
parser (2.3.0.7)
pmd (1.0.1)
powerpack (0.1.1)
pry (0.10.3)
pry-byebug (3.3.0)
pry-stack_explorer (0.4.9.2)
psych (2.0.17)
rainbow (2.1.0)
rake (0.9.2.2)
rdoc (4.2.2)
rest-client (1.6.9)
rjb (1.5.1)
rspec (3.4.0)
rspec-core (3.4.4)
rspec-expectations (3.4.0)
rspec-mocks (3.4.1)
rspec-support (3.4.1)
rubocop (0.36.0)
ruby-progressbar (1.7.5)
rubyzip (0.9.9)
slop (3.6.0)
stringex (2.6.0)
thread_safe (0.3.5)
tzinfo (1.2.2)
webrick (1.3.1)
xml-simple (1.1.2)

Cannot reproduce (i.e. tested successfully), so closing for now. We can reopen if we rediscover it with another combination that we want to support.

I also discovered that if you *don't* install the tomcat-native RPM (or remove it if installed), then the implementation chosen for connectors at runtime will be NIO, and APR doesn't have to be disabled (i.e. no manual changes to server.xml are necessary).
