Problem with Bouncy Castle JCE/JSSE provider and JBoss-5.1.0.GA

Problem with Bouncy Castle JCE/JSSE provider and JBoss-5.1.0.GA

RobertoBoni
I have to enable TLS1.2 support in JBoss-5.1.0.GA.
JBoss-5.1.0.GA only supports JDK6 and the last free release of JDK6
(jdk1.6.0_45) doesn't support TLS1.2.
So I tried to use the BC JCE/JSSE provider to support TLS1.2.

My setup is as follows:

1) Added bcprov-jdk15to18-164.jar bctls-jdk15to18-164.jar libraries to
folder
    C:\ProgramFiles\Java\jdk1.6.0_45\jre\lib\ext

2) Added the BouncyCastle providers to file java.security in folder
    C:\ProgramFiles\Java\jdk1.6.0_45\jre\lib\security:

    [...]
    security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
    security.provider.4=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
    [...]

    and also set ssl.KeyManagerFactory.algorithm=PKIX in the same file

3) Configured the SSL/TLS connector in file server.xml in JBoss as:

    <Connector protocol="HTTP/1.1" SSLEnabled="true"
    port="8443" address="${jboss.bind.address}"
    scheme="https" secure="true" clientAuth="false"
    keystoreFile="${jboss.server.home.dir}/conf/keystore.jks"
    keystorePass="kapsch" sslProtocol = "TLSv1.2" maxThreads="170"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
    TLS_ECDHE_RSA_WITH_RC4_128_SHA,
    TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA,
    TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA,
    SSL_RSA_WITH_RC4_128_SHA"/>

All seems to work but I frequently get warnings/exceptions like this:

09:43:36,379 WARNING [bouncycastle.jsse.provider.ProvTlsServer]
(http-0.0.0.0-8443-5:) Server raised fatal(2) internal_error(80) alert:
Failed to read record
java.net.SocketException: Software caused connection abort: recv failed
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.read(SocketInputStream.java:129)
        at org.bouncycastle.tls.RecordStream$Record.fillTo(Unknown Source)
        at org.bouncycastle.tls.RecordStream$Record.readHeader(Unknown Source)
        at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
        at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
        at org.bouncycastle.tls.TlsProtocol.readApplicationData(Unknown Source)
        at org.bouncycastle.jsse.provider.ProvSSLSocketDirect$AppDataInput.read(Unknown Source)
        at org.apache.coyote.http11.InternalInputBuffer.fill(InternalInputBuffer.java:729)
        at org.apache.coyote.http11.InternalInputBuffer.parseRequestLine(InternalInputBuffer.java:366)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:790)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:662)

Could someone help about this issue? Is this a real error? How can I avoid
this problem?




--
Sent from: http://bouncy-castle.1462172.n4.nabble.com/Bouncy-Castle-Dev-f1462173.html
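A standalone check for the provider setup described in the post, added here as an example and not part of the original post or of Bouncy Castle: it verifies that the BC providers from java.security are actually registered in the running JDK, that BCJSSE can create a TLSv1.2 context, and which of the connector's configured cipher suites BCJSSE supports. It assumes the bcprov/bctls jars are on the classpath (or in jre/lib/ext as in step 1) and uses the provider name "BCJSSE" that BouncyCastleJsseProvider registers under; the cipher list is copied from the server.xml above.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class BcTlsCheck {
    // Cipher list copied from the connector configuration in the post.
    static final String[] CONFIGURED_CIPHERS = {
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA"
    };

    public static void main(String[] args) throws Exception {
        // 1. Provider order as the JVM actually loaded it from java.security.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("security.provider." + (i + 1) + " = " + providers[i].getName());
        }
        if (Security.getProvider("BCJSSE") == null) {
            System.out.println("BCJSSE is not registered: check java.security and jre/lib/ext");
            return;
        }

        // 2. Can BCJSSE build a TLSv1.2 context? Null managers select the provider defaults.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2", "BCJSSE");
        ctx.init(null, null, null);
        SSLParameters params = ctx.getSupportedSSLParameters();
        System.out.println("Supported protocols: " + Arrays.toString(params.getProtocols()));

        // 3. Compare the connector's cipher list with what BCJSSE can actually negotiate.
        Set<String> supported = new HashSet<String>(Arrays.asList(params.getCipherSuites()));
        for (String cipher : CONFIGURED_CIPHERS) {
            String status = supported.contains(cipher) ? "supported" : "NOT supported by BCJSSE";
            if (cipher.contains("RC4")) {
                // RC4 suites are prohibited for TLS by RFC 7465; drop them from the connector.
                status += " (RC4, prohibited by RFC 7465)";
            }
            System.out.println(cipher + ": " + status);
        }
    }
}
```

Run it with the same JDK that starts JBoss (java -cp bcprov-jdk15to18-164.jar:bctls-jdk15to18-164.jar:. BcTlsCheck); a clean result here means the "Failed to read record" warnings are not a provider-registration or cipher-configuration problem but come from the peer side of the connection.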