Broken SSL

Ok… I got bored and thought I'd play with SSL, so I followed the instructions in the docs for a self-signed cert and now I can't load the ssl-settings.jsp page, and I get the following errors on the console:

root@EARS:/opt/jive_messenger/bin# ./messenger.sh
Error starting SSL XMPP listener on port 5223: null
Jive Messenger 2.3.0 Alpha 1
Error starting admin console: Multiple exceptions
Sep 5, 2005 10:19:01 PM org.jivesoftware.phone.asterisk.AsteriskPlugin init
INFO: Initializing Asterisk-IM Plugin
Sep 5, 2005 10:19:01 PM org.jivesoftware.phone.asterisk.AsteriskPlugin init
INFO: Initializing Hibernate for Asterisk-IM
Sep 5, 2005 10:19:11 PM org.jivesoftware.phone.asterisk.AsteriskPlugin init
INFO: Checking to see if Asterisk-IM database schema is present
Sep 5, 2005 10:19:11 PM org.jivesoftware.phone.asterisk.AsteriskPlugin init
INFO: Ensuring Asterisk-IM schema is up to date
Sep 5, 2005 10:19:11 PM org.jivesoftware.phone.asterisk.AsteriskPlugin init
INFO: Initializing Asterisk-IM thread Pool
java.io.IOException
    at org.jivesoftware.messenger.net.SSLConfig.getKeyStore(SSLConfig.java:120)
    at org.jivesoftware.messenger.admin.ssl_002dsettings_jsp._jspService(ssl_002dsettings_jsp.java:87)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:94)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:688)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:427)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:822)
    at org.jivesoftware.util.LocaleFilter.doFilter(LocaleFilter.java:43)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
    at org.jivesoftware.util.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:41)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
    at org.jivesoftware.admin.AuthCheckFilter.doFilter(AuthCheckFilter.java:98)
    at org.mortbay.jetty.servlet.WebApplicationHandler$CachedChain.doFilter(WebApplicationHandler.java:813)
    at org.mortbay.jetty.servlet.WebApplicationHandler.dispatch(WebApplicationHandler.java:494)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:569)
    at org.mortbay.http.HttpContext.handle(HttpContext.java:1482)
    at org.mortbay.jetty.servlet.WebApplicationContext.handle(WebApplicationContext.java:624)
    at org.mortbay.http.HttpContext.handle(HttpContext.java:1434)
    at org.mortbay.http.HttpServer.service(HttpServer.java:896)
    at org.mortbay.http.HttpConnection.service(HttpConnection.java:814)
    at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:981)
    at org.mortbay.http.HttpConnection.handle(HttpConnection.java:831)
    at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:244)
    at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:366)
    at org.mortbay.util.ThreadPool$PoolThread.run(ThreadPool.java:534)

There is more in the error logs but I didn't want to make this post a mile long, so if there is anything in particular let me know…

Oh… almost forgot, the build is the nightly of Sept 5 2005 on a Slackware box, and everything worked fine before I made the self-signed cert…

Peter

Hey Peter,

The exception that you pasted is related to the error when trying to open the SSL page in the admin console. Could you post the exception regarding SSL when the server is started? BTW, have you changed the password of the keystore? Is JM using the same password for the keystore? Is the key password of the certificate the same as the keystore's?

Regards,

– Gato

Alright… problem one… the instructions on SSL say you "can" list the path to the keystore, but the default will be assumed. I chose to specify it and entered "resources/security" but neglected to put keystore as the file. I removed it and got a little further…

Problem two…

I recreated the keystore file just to make sure passwords and domains were all correct. The following is the 104 lines from the error log after a fresh start. I have followed all instructions from SSL setup points 2 and 6.

2005.09.06 19:11:59 org.jivesoftware.messenger.net.SSLJiveServerSocketFactory.getInstance(SSLJiveServerSocketFactory.java:53)
java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(Unknown Source)
    at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source)
    at java.security.KeyStore.getKey(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.(SSLConfig.java:76)] SSLConfig startup problem.
storeType:
keyStoreLocation: /opt/jive_messenger/resources/security/keystore
keypass:
trustStoreLocation: /opt/jive_messenger/resources/security/truststore
trustpass:
java.io.IOException: Cannot recover key
    at org.jivesoftware.messenger.net.SSLJiveServerSocketFactory.getInstance(SSLJiveServerSocketFactory.java:54)
    at org.jivesoftware.messenger.net.SSLConfig.(XMPPServer.java:133)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at java.lang.Class.newInstance0(Unknown Source)
    at java.lang.Class.newInstance(Unknown Source)
    at org.jivesoftware.messenger.starter.ServerStarter.start(ServerStarter.java:82)
    at org.jivesoftware.messenger.starter.ServerStarter.main(ServerStarter.java:46)
2005.09.06 19:12:00 org.jivesoftware.messenger.spi.ConnectionManagerImpl.startClientSSLListeners(ConnectionManagerImpl.java:205) Could not setup SSL socket
java.io.IOException
    at org.jivesoftware.messenger.net.SSLConfig.createServerSocket(SSLConfig.java:148)
    at org.jivesoftware.messenger.net.SSLSocketAcceptThread.(XMPPServer.java:133)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
    at java.lang.reflect.Constructor.newInstance(Unknown Source)
    at java.lang.Class.newInstance0(Unknown Source)
    at java.lang.Class.newInstance(Unknown Source)
    at org.jivesoftware.messenger.starter.ServerStarter.start(ServerStarter.java:82)
    at org.jivesoftware.messenger.starter.ServerStarter.main(ServerStarter.java:46)
2005.09.06 19:12:12 org.jivesoftware.messenger.container.AdminConsolePlugin.initializePlugin(AdminConsolePlugin.java:184) Trouble initializing admin console
org.mortbay.util.MultiException[java.io.IOException: Could not create JsseListener: java.security.UnrecoverableKeyException: Cannot recover key]
    at org.mortbay.http.HttpServer.doStart(HttpServer.java:673)
    at org.mortbay.util.Container.start(Container.java:72)
    at org.jivesoftware.messenger.container.AdminConsolePlugin.initializePlugin(AdminConsolePlugin.java:151)
    at org.jivesoftware.messenger.container.PluginManager.loadPlugin(PluginManager.java:273)
    at org.jivesoftware.messenger.container.PluginManager.access$200(PluginManager.java:49)
    at org.jivesoftware.messenger.container.PluginManager$PluginMonitor.run(PluginManager.java:636)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
    at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
java.io.IOException: Could not create JsseListener: java.security.UnrecoverableKeyException: Cannot recover key
    at org.mortbay.http.JsseListener.newServerSocket(JsseListener.java:218)
    at org.mortbay.util.ThreadedServer.open(ThreadedServer.java:466)
    at org.mortbay.util.ThreadedServer.start(ThreadedServer.java:495)
    at org.mortbay.http.SocketListener.start(SocketListener.java:203)
    at org.mortbay.http.HttpServer.doStart(HttpServer.java:703)
    at org.mortbay.util.Container.start(Container.java:72)
    at org.jivesoftware.messenger.container.AdminConsolePlugin.initializePlugin(AdminConsolePlugin.java:151)
    at org.jivesoftware.messenger.container.PluginManager.loadPlugin(PluginManager.java:273)
    at org.jivesoftware.messenger.container.PluginManager.access$200(PluginManager.java:49)
    at org.jivesoftware.messenger.container.PluginManager$PluginMonitor.run(PluginManager.java:636)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
    at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Hope this makes more sense…

The same conditions still apply and the ssl-settings.jsp page still does not load.

Thanks

Peter

Also… I've tried running it as user jive and as root (ownership modified as necessary) with the same results both ways…

I'm using MySQL if it makes a difference…

It's on a whitebox built on a Wednesday with a full moon :stuck_out_tongue:

PA

Hey Peter,

After doing a quick Google search I found this link http://search.thawte.com/thawte/solution.jsp?id=vs17011. Basically, the problem is that the keystore password and the keyEntry password are different.

Regards,

– Gato

Sorry Gato… not that simple.

I reset the password just to make sure and did a copy/paste from the admin console, so the old password and new password definitely matched.

So I Googled the error and found a link back to the Jive forums… It seems that there is already a known issue with the instructions… noted in JM-171.

So I've restored the default keys… learned my lesson about meaningless tinkering when I'm bored, and voted for JM-171.

Please… anyone else vote for this so we can get the self-signed cert issue fixed up… no point in having all this SSL/TLS if we can't use self-signed certs as well.

Thanks for the time Gato…

Peter

I encountered the same type of issues after following the document ssl-guide.html, which were:

  • SSL works fine with the default install certs

  • installing a self-signed cert caused:

    • "UnrecoverableKeyException" errors

    • the SSL settings page in the Admin console not to render

    • being unable to connect over https:// to the Admin console on port 9091

I followed the suggestions on the forum regarding password for self signed cert, no joy. I finally got it to work by manually deleting the two default self signed certs (rsa and dsa) from the keystore. Not sure if that particular step is documented anywhere, but someone may want to add this information for review as a possible fix for the documentation regarding this issue (JM-171).

Thanks

Don
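Both fixes in this thread come down to the same condition: the server opens every key entry with the keystore password, so any entry (including the default rsa/dsa ones Don deleted) whose key password differs throws "Cannot recover key" and the listener fails. The added example below is not from the thread or from Jive Messenger; it builds an in-memory JCEKS with a secret key as a stand-in for the certificate entry (the JDK's public API cannot generate a self-signed certificate), lists the aliases that fail with the store password, and re-stores one under the store password, the programmatic equivalent of the keytool -keypasswd fix. The aliases and passwords are constructed sample values.

```java
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeystorePasswordCheck {

    // Try every key entry with the keystore password, which is what the server
    // does at startup. Returns the aliases whose key password differs from the
    // store password (the ones that raise UnrecoverableKeyException).
    static List<String> unrecoverableAliases(KeyStore ks, char[] storePass) throws Exception {
        List<String> bad = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;   // trusted-cert entries have no key password
            try {
                ks.getKey(alias, storePass);
            } catch (UnrecoverableKeyException ex) {
                bad.add(alias);
            }
        }
        return bad;
    }

    // Re-store an entry under the store password. Reading it still needs the
    // key password it was created with; the chain is null for a secret key and
    // the certificate chain for a private key entry.
    static void alignKeyPassword(KeyStore ks, String alias, char[] keyPass, char[] storePass)
            throws Exception {
        ks.setKeyEntry(alias, ks.getKey(alias, keyPass), storePass, ks.getCertificateChain(alias));
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "changeit".toCharArray();    // constructed sample passwords
        char[] keyPass = "different".toCharArray();

        KeyStore ks = KeyStore.getInstance("JCEKS");    // in-memory stand-in keystore
        ks.load(null, null);
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setKeyEntry("mismatched", key, keyPass, null);   // key password != store password
        ks.setKeyEntry("aligned", key, storePass, null);

        System.out.println("fail with store password: " + unrecoverableAliases(ks, storePass));
        alignKeyPassword(ks, "mismatched", keyPass, storePass);
        System.out.println("after re-storing: " + unrecoverableAliases(ks, storePass));
    }
}
```

Pointing the same check at a real JKS file loaded with the store password shows at a glance which entry (a newly imported cert or a leftover default) is the one the server cannot open.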