Client can't connect

I’ve created a Python client using the Twisted framework. When I started I used ejabberd and had no problem. But to test performance I wanted to test Openfire also. But I can’t get my client to log in.

If I use Pidgin there is no problem logging in, so Openfire obviously works. But when I use my client I get the following in the Debug log:

2008.07.16 14:12:57 NIOConnection: startTLS: using c2s
2008.07.16 14:12:57 ConnectionHandler:
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
    at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:416)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
    at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
    at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:499)
    at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
    at org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:293)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:228)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:198)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$400(SocketIoProcessor.java:45)
    at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:485)
    at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
    at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLException: Unexpected end of handshake data
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:954)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:465)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:701)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:669)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
    at org.apache.mina.filter.support.SSLHandler.unwrap0(SSLHandler.java:658)
    at org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:614)
    at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:493)
    at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:306)
    at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:392)
    … 14 more
Caused by: javax.net.ssl.SSLException: Unexpected end of handshake data
    at com.sun.net.ssl.internal.ssl.HandshakeInStream.read(HandshakeInStream.java:81)
    at java.io.InputStream.read(InputStream.java:85)
    at com.sun.net.ssl.internal.ssl.UnknownExtension.<init>(HelloExtensions.java:204)
    at com.sun.net.ssl.internal.ssl.HelloExtensions.<init>(HelloExtensions.java:69)
    at com.sun.net.ssl.internal.ssl.HandshakeMessage$ClientHello.<init>(HandshakeMessage.java:252)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:135)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:458)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:875)
    at org.apache.mina.filter.support.SSLHandler.doTasks(SSLHandler.java:686)
    at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:486)
    … 16 more

And I get the same error when I try the Twisted example client.

Is there any setting that I need to change or is it just that the Twisted client is doing something wrong?

I finally found out what was happening. The problem is a bug in Java’s SSL implementation.

When a client sends a Client Hello message to the server the last part of the packet is extensions. Twisted uses OpenSSL for their SSL implementation. And it uses an extension called Session Ticket (RFC 4507) (at least on my computer that happens by default). According to the RFC the client should add an empty Session Ticket to tell the server that it supports the Session Ticket extension.

When Java then tries to parse the packet and comes to the extension part it doesn’t know about Session Ticket so it uses the UnknownExtension to parse it (http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-sun/security/sun/security/ssl/HelloExtensions.java.htm line 225). What it does is to read the content which in this case is 0 bytes. And it does that by calling HandshakeInStream::read which calls another method and so on until ByteArrayInputStream::read is called (http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Core/io-nio/java/io/ByteArrayInputStream.java.htm line 176). And on line 182 it is checked if we are last in the buffer which we are so it returns -1. Which makes HandshakeInStream (http://www.java2s.com/Open-Source/Java-Document/6.0-JDK-Modules-sun/security/sun/security/ssl/HandshakeInStream.java.htm line 99) throw an error. Because it tried to read 0 bytes and got -1 back.

There is a workaround in Twisted. You can deactivate Session Ticket but it is a pretty big job to do it and at the same time use the classes that exist to create an XMPP client.

I haven’t reported this to Sun yet because I’m not really sure where to do that. But I hope this is something Ignite Realtime wants to fix because it is a real blocker if someone wants to use Twisted to talk to Openfire. And it is really really simple to create an XMPP client using Twisted. And the fix for the bug is really simple.

I have tcpdumps and stuff like that if someone wants more information.
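The failure described in the post above, reproduced as an added example (not part of the original post, and not JDK or Twisted code): a small ClientHello extensions parser whose stream returns -1 at end of buffer even for a zero-length read, run over constructed blocks containing an empty Session Ticket extension. All names, including the `guard_empty` flag, are assumptions made for illustration.

```python
import struct

SESSION_TICKET = 35  # extension type assigned to SessionTicket (RFC 4507)

class JavaLikeStream:
    """Stream with the behaviour the post describes: at end of buffer,
    read() reports -1 even when 0 bytes were requested."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def read(self, n):
        if self.pos >= len(self.data):   # end-of-buffer check comes first
            return -1, b""
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return len(chunk), chunk

def parse_extensions(block, guard_empty=False):
    """Parse u16 total length + (u16 type, u16 length, body) entries.
    guard_empty (hypothetical flag) skips the read for empty bodies."""
    (total,) = struct.unpack_from("!H", block, 0)
    if total != len(block) - 2:
        raise ValueError("extensions length mismatch")
    stream, found = JavaLikeStream(block[2:]), []
    while stream.pos < total:
        got, header = stream.read(4)
        if got != 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", header)
        if ext_len == 0 and guard_empty:
            body = b""                   # nothing to read, leave the stream alone
        else:
            got, body = stream.read(ext_len)
            if got != ext_len:           # 0 requested, -1 returned
                raise ValueError("Unexpected end of handshake data")
        found.append((ext_type, body))
    return found

def ext(ext_type, body=b""):
    return struct.pack("!HH", ext_type, len(body)) + body

def block(*exts):
    payload = b"".join(exts)
    return struct.pack("!H", len(payload)) + payload

# Constructed sample: server_name (type 0) plus an empty Session Ticket.
SNI_BODY = b"\x00\x0e\x00\x00\x0bexample.org"
TICKET_LAST = block(ext(0, SNI_BODY), ext(SESSION_TICKET))
TICKET_FIRST = block(ext(SESSION_TICKET), ext(0, SNI_BODY))
```

Without the guard only `TICKET_LAST` raises; when the empty extension sits earlier in the block, the zero-length read is not at end of buffer and returns 0 as expected.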

Hi everybody,

I was just installing and configuring karaka with openfire 3.6.4 according to the “General Complete Setup Guide.pdf” posted in this community and I get completely the same exception. All is installed on the same machine. Configuration is done as provided in the document. I got the master client showing up connected but slave and register will show up all the time as connecting and showing in openfire log the exception of this thread.

Is there now a solution available?

Thanks