I am pretty new to SSL and have been hit by what seems like a known issue. My application is the SSL client and invokes another component which is enabled for two-way SSL. The certificates in both components are proper and the connection works fine sometimes. Each server has its own server certificate and private key, but the same root and intermediate certificate.
The SSL check on the server side is done in the Apache SW LB.
                                                                   |-------------|
                                            |--------------|   /-->|   Tomcat1   |
                                        /-->| Apache SW LB |--<    |-------------|
|------------|           |-------------|    |--------------|   \-->|   Tomcat2   |
| SSL Client |--HTTPS--->| Hardware LB |--<                        |-------------|
|------------|           |-------------|    |--------------|   /-->|   Tomcat3   |
                                        \-->| Apache SW LB |--<    |-------------|
                                            |--------------|   \-->|   Tomcat4   |
                                                                   |-------------|
Sometimes I am getting an error as below:-
***
%% Invalidated: [Session-10, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
http-nio-8443-exec-10, SEND TLSv1.2 ALERT: fatal, description = bad_certificate
http-nio-8443-exec-10, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 2A ......*
http-nio-8443-exec-10, called closeSocket()
http-nio-8443-exec-10, handling exception: javax.net.ssl.SSLHandshakeException: server certificate change is restricted during renegotiation
I am using Spring RestTemplate to invoke the REST call and using only TLSv1.2, but I am still getting the above error.
    import java.security.GeneralSecurityException;
    import java.security.KeyStore;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
    import org.apache.http.conn.ssl.SSLSocketFactory;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;
    import org.apache.http.ssl.SSLContexts;
    import org.apache.http.ssl.TrustStrategy;

    // Method name and parameters are assumed; the post shows only the body.
    // keyStore: this client's certificate and private key (two-way SSL);
    // trustStore: the CA certificates used to validate the server's chain.
    public CloseableHttpClient createHttpClient(KeyStore keyStore, String keypass,
            KeyStore trustStore) throws GeneralSecurityException {
        // Accepts every server chain unchecked, so server authentication is
        // effectively disabled until the TODO below is addressed
        TrustStrategy ts = new TrustStrategy() {
            @Override
            public boolean isTrusted(X509Certificate[] x509Certificates, String s)
                    throws CertificateException {
                return true; // TODO : revisit
            }
        };
        SSLContext sslcontext = SSLContexts.custom()
                .loadKeyMaterial(keyStore, keypass.toCharArray())
                .loadTrustMaterial(trustStore, ts)
                .build();
        // Only TLSv1.2 is offered; ALLOW_ALL_HOSTNAME_VERIFIER (deprecated in 4.4)
        // also skips the hostname check against the server certificate
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
                sslcontext, new String[] { "TLSv1.2" }, null,
                SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }
On googling I find that this issue should not be happening for TLSv1.2 and Java 8 (java version "1.8.0_60"). I am using Spring 4 RestTemplate for invoking REST calls.
And I am using the below version of httpclient:-
    <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.4.1</version>
    </dependency>
Since I am new to SSL, I have a few questions to start with:-
1) Is this an SSL client or SSL server issue?
2) Is there any real reason why the connection works sometimes and breaks sometimes? I.e. the technical reason for the failure.
3) Is this to do with any caching on the client side?
Also it would be great if someone could point to the real solution for this issue.
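Questions 2 and 3 come down to what the JSSE client does when a later handshake on the same session presents a server certificate that differs from the one it accepted first. The following is an added example, not code from the question, from JSSE or from Apache HttpClient: it models that check in Python on constructed certificate records. The equivalence rule is my assumption, based on my reading of JDK 8's ClientHandshaker (identical certificate, or both certificates carry a SAN extension with a shared IP or DNS entry, or identical non-empty subject plus identical issuer); the certificate fields, host names and the routing order are all constructed. It walks the question's topology twice: once with one certificate per Apache node that share only the issuer, and once where every node's certificate also carries the shared service name clients connect through.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class CertRecord:
    """Constructed stand-in for the fields of a server leaf certificate that
    the check looks at (assumption: a real client reads them from the parsed
    X.509 certificate)."""
    subject: str
    issuer: str
    public_key: str                          # stand-in for the encoded key
    san_dns: FrozenSet[str] = frozenset()
    san_ip: FrozenSet[str] = frozenset()


def identity_equivalent(prev: CertRecord, this: CertRecord) -> bool:
    """May `this` replace `prev` on a later handshake of the same session?
    Modelled on the rule JSSE applies before raising "server certificate
    change is restricted during renegotiation" (assumption, from my reading
    of JDK 8's ClientHandshaker): identical certificate, or both carry a SAN
    extension with a shared IP or DNS entry, or identical non-empty subject
    plus identical issuer. Any other change is rejected."""
    if this == prev:
        return True
    if (this.san_dns or this.san_ip) and (prev.san_dns or prev.san_ip):
        if this.san_ip and prev.san_ip and (this.san_ip & prev.san_ip):
            return True
        this_dns = {n.lower() for n in this.san_dns}
        prev_dns = {n.lower() for n in prev.san_dns}
        if this_dns and prev_dns and (this_dns & prev_dns):
            return True
    return bool(this.subject and prev.subject
                and this.subject == prev.subject and this.issuer == prev.issuer)


class ClientSession:
    """Client-side session state: the server certificate accepted on the first
    handshake is remembered and every later handshake is checked against it."""

    def __init__(self) -> None:
        self.pinned: Optional[CertRecord] = None

    def handshake(self, presented: CertRecord) -> str:
        if self.pinned is None:              # full handshake, nothing to compare
            self.pinned = presented
            return "ok"
        if identity_equivalent(self.pinned, presented):
            return "ok"
        self.pinned = None                   # session invalidated, socket closed
        return "bad_certificate"


def simulate(route: List[CertRecord]) -> List[str]:
    """`route` is the backend each successive handshake lands on, as chosen by
    the hardware LB; returns the outcome of each handshake in order."""
    session = ClientSession()
    return [session.handshake(cert) for cert in route]


# Constructed certificates: one per Apache SW LB, each with its own key and
# subject, both issued by the same intermediate (the setup in the question).
INTERMEDIATE = "CN=Corp Intermediate CA"
LB1 = CertRecord("CN=apache-lb1", INTERMEDIATE, "key-lb1",
                 frozenset({"apache-lb1.example.internal"}))
LB2 = CertRecord("CN=apache-lb2", INTERMEDIATE, "key-lb2",
                 frozenset({"apache-lb2.example.internal"}))

# Same two nodes, but each certificate also carries the shared service name
# that clients connect through, so the SAN check can match across nodes.
SERVICE = "api.example.internal"
LB1_SHARED = CertRecord("CN=apache-lb1", INTERMEDIATE, "key-lb1",
                        frozenset({"apache-lb1.example.internal", SERVICE}))
LB2_SHARED = CertRecord("CN=apache-lb2", INTERMEDIATE, "key-lb2",
                        frozenset({"apache-lb2.example.internal", SERVICE}))

if __name__ == "__main__":
    print("per-node certs :", simulate([LB1, LB1, LB2, LB1]))
    print("shared SAN     :", simulate([LB1_SHARED, LB2_SHARED, LB1_SHARED]))
```

Under this model the failure is a client-side check, it fires only when the hardware LB sends a later handshake of a remembered session to a node whose certificate has nothing in common with the first one, and the very next handshake succeeds because the invalidated session starts afresh, which is the intermittent pattern described above. Deployments that satisfy the check without loosening it either present the same certificate (or at least a shared SAN name) on every node behind one address, or keep a client's connections on one node.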