private void maybeProcessHandshakeFailure(SSLException sslException, boolean flush, IOException ioException) throws IOException { if (sslException instanceof SSLHandshakeException || sslException instanceof SSLProtocolException || sslException instanceof SSLPeerUnverifiedException || sslException instanceof SSLKeyException || sslException.getMessage().contains("Unrecognized SSL message")) handshakeFailure(sslException, flush); else if (ioException == null) throw sslException; else { log.debug("SSLException while unwrapping data after IOException, original IOException will be propagated", sslException); throw ioException; } }
@Override public boolean verify(final String host, final SSLSession session) { try { final Certificate[] certs = session.getPeerCertificates(); final X509Certificate x509 = (X509Certificate) certs[0]; verify(host, x509); return true; } catch (final SSLException ex) { if (log.isDebugEnabled()) { log.debug(ex.getMessage(), ex); } return false; } }
/** * @param sslEx * SSLException thrown during connect * @return True is the SSL session cache should be cleared, false otherwise. */ @Override public boolean test(SSLException sslEx) { return isExceptionAffected(sslEx.getMessage()) && isJvmAffected(); }
private void handleSslException(SSLException e) throws CertificateValidationException, SSLException { if (e.getCause() instanceof CertificateException) { throw new CertificateValidationException(e.getMessage(), e); } else { throw e; } }
/** * Shuts down the handler. */ void shutdown() { try { sslEngine.closeInbound(); } catch (SSLException e) { // According to javadoc, the only case when exception is thrown is when no close_notify // message was received before TCP connection get closed. if (log.isDebugEnabled()) log.debug("Unable to correctly close inbound data stream (will ignore) [msg=" + e.getMessage() + ", ses=" + ses + ']'); } }
LOG.debug( "Cert is NOT trusted: {}", e.getMessage() );
tlsEngineResult = tlsEngine.unwrap( net, out ); } catch ( SSLException e ) { if ( e.getMessage().startsWith( "Unsupported record version Unknown-" ) ) { throw new SSLException( "We appear to have received plain text data where we expected encrypted data. A common cause for this is a peer sending us a plain-text error message when it shouldn't send a message, but close the socket instead).", e );
protected AppClient(String host, int port, Random msgIdGenerator, ServerProperties properties) { super(host, port, msgIdGenerator, properties); log.info("Creating app client. Host {}, sslPort : {}", host, port); File serverCert = makeCertificateFile("server.ssl.cert"); File clientCert = makeCertificateFile("client.ssl.cert"); File clientKey = makeCertificateFile("client.ssl.key"); try { if (!serverCert.exists() || !clientCert.exists() || !clientKey.exists()) { log.info("Enabling one-way auth with no certs checks."); this.sslCtx = SslContextBuilder.forClient().sslProvider(SslProvider.JDK) .trustManager(InsecureTrustManagerFactory.INSTANCE) .build(); } else { log.info("Enabling mutual auth."); String clientPass = props.getProperty("client.ssl.key.pass"); this.sslCtx = SslContextBuilder.forClient() .sslProvider(SslProvider.JDK) .trustManager(serverCert) .keyManager(clientCert, clientKey, clientPass) .build(); } } catch (SSLException e) { log.error("Error initializing SSL context. Reason : {}", e.getMessage()); log.debug(e); throw new RuntimeException(e); } }
String msg = e.getMessage(); if (msg == null || !(msg.contains("possible truncation attack") || msg.contains("closing inbound before receiving peer's close_notify"))) {
} catch (javax.net.ssl.SSLException ex) { if ("Inbound closed before receiving peer's close_notify: possible truncation attack?".equals( ex.getMessage() ) ) { throw new SSLHandshakeException( "The peer closed the connection while performing a TLS handshake." );
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { String message; X509Certificate certificate = chain[0]; Throwable cause; try { defaultTrustManager.checkServerTrusted(chain, authType); new StrictHostnameVerifier().verify(mHost, certificate); return; } catch (CertificateException e) { // cert. chain can't be validated message = e.getMessage(); cause = e; } catch (SSLException e) { // host name doesn't match certificate message = e.getMessage(); cause = e; } // Check the local key store if we couldn't verify the certificate using the global // key store or if the host name doesn't match the certificate name if (!keyStore.isValidCertificate(certificate, mHost, mPort)) { throw new CertificateChainException(message, chain, cause); } }
throw new CertificateValidationException(e.getMessage(), e); } catch (IOException ioe) { Timber.e(ioe, "IOException during initial connection");
Response resp = Response.newFixedLengthResponse(Status.INTERNAL_ERROR, NanoHTTPD.MIME_PLAINTEXT, "SSL PROTOCOL FAILURE: " + ssle.getMessage()); resp.send(this.outputStream); NanoHTTPD.safeClose(this.outputStream);
String msg = e.getMessage(); if (msg == null || !msg.contains("possible truncation attack")) { logger.debug("{} SSLEngine.closeInbound() raised an exception.", ctx.channel(), e);
} catch (SSLException e) { close(); throw new CertificateValidationException(e.getMessage(), e); } catch (GeneralSecurityException gse) { close();
} catch (SSLException e) { if (e.getCause() instanceof CertificateException) { throw new CertificateValidationException(e.getMessage(), e); } else { throw new MessagingException("Unable to connect", e);
"check ssl context factory configuration): " + e.getMessage(), e);
} catch (SSLException ignore) { getGfsh().logToFile(ignore.getMessage(), ignore); responseFailureMessage = "Check your SSL configuration and try again."; } catch (Exception ignore) {
"is properly configured: " + e.getMessage());
/** * @param sslEx * SSLException thrown during connect * @return True is the SSL session cache should be cleared, false otherwise. */ @Override public boolean test(SSLException sslEx) { return isExceptionAffected(sslEx.getMessage()) && isJvmAffected(); }