Hello,

Can anyone explain what is going wrong with the following scenario?
Using NSPR 4.8, NSS 3.12.6, JSS 4.3.1 with JDK 1.6_21 on Windows XP Professional SP 3. FIPS mode is enabled.

I'm trying to open an LDAP connection to an LDAP server (Apache Directory Server) running locally on the same system. Both SSL contexts (server and client) are configured to use the KeyManager (PKCS11 KeyStore), TrustManager and SecureRandom obtained from the SunPKCS11-NSS provider.

I have enabled the debug logging for the TLS handshake and I can see that both sides are using the same certificate for identification and that this certificate as well as the appropriate CA certificates are being found in the NSS database.

When executing the code with FIPS mode disabled, the handshake is successful. However, with FIPS mode enabled, the following stacktrace is produced:

2010-07-27 08:51:02,154;48156;ERROR;ds.DsServiceImplLiveTest; (main);Client: javax.net.ssl.SSLException: java.security.ProviderException: Could not generate premaster secret
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1623)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1586)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1569)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1154)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1131)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.startHandshake(StartTlsResponseImpl.java:344)
    at com.sun.jndi.ldap.ext.StartTlsResponseImpl.negotiate(StartTlsResponseImpl.java:208)
    at com.polycom.rm.ds.DsServiceImplLiveTest.testMutualCertificateExchange(DsServiceImplLiveTest.java:765)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.junit.internal.runners.TestMethodRunner.executeMethodBody(TestMethodRunner.java:99)
    at org.junit.internal.runners.TestMethodRunner.runUnprotected(TestMethodRunner.java:81)
    at org.junit.internal.runners.BeforeAndAfterRunner.runProtected(BeforeAndAfterRunner.java:34)
    at org.junit.internal.runners.TestMethodRunner.runMethod(TestMethodRunner.java:75)
    at org.junit.internal.runners.TestMethodRunner.run(TestMethodRunner.java:45)
    at org.junit.internal.runners.TestClassMethodsRunner.invokeTestMethod(TestClassMethodsRunner.java:71)
    at org.junit.internal.runners.TestClassMethodsRunner.run(TestClassMethodsRunner.java:35)
    at org.junit.internal.runners.TestClassRunner$1.runUnprotected(TestClassRunner.java:42)
    at org.junit.internal.runners.BeforeAndAfterRunner.runProtected(BeforeAndAfterRunner.java:34)
    at org.junit.internal.runners.TestClassRunner.run(TestClassRunner.java:52)
    at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:46)
    at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
    at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
Caused by: java.security.ProviderException: Could not generate premaster secret
    at sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator.engineGenerateKey(P11TlsRsaPremasterSecretGenerator.java:87)
    at javax.crypto.KeyGenerator.generateKey(DashoA13*..)
    at com.sun.net.ssl.internal.ssl.RSAClientKeyExchange.<init>(RSAClientKeyExchange.java:91)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:673)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:230)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:529)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1147)
    ... 24 more
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_ATTRIBUTE_VALUE_INVALID
    at sun.security.pkcs11.wrapper.PKCS11.C_GenerateKey(Native Method)
    at sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator.engineGenerateKey(P11TlsRsaPremasterSecretGenerator.java:81)
    ... 33 more

2010-07-27 08:51:02,154;48156;WARN;ldap.LdapServer$LdapProtocolHandler; (pool-2-thread-3);[/10.33.40.39:1437] Unexpected exception forcing session to close: sending disconnect notice to client.
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
    at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:416)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:499)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:293)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:228)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:198)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$400(SocketIoProcessor.java:45)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:485)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLException: Received fatal alert: internal_error
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1401)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1369)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1535)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:995)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:815)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:691)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
    at org.apache.mina.filter.support.SSLHandler.unwrap0(SSLHandler.java:657)
    at org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:613)
    at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:493)
    at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:306)
    at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:392)
    ... 14 more

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto