Win a copy of Design for the Mind this week in the Design forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

JavaEE - EJB over SSL works only if client and server are at the same host

 
Pasha Turok
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Please help me. I can't do nothing with it. I have gf 4.0.1 and swing client. I want to get EJB over SSL. I've set all certificates. However, I can get it work only when client and server are at the same host. What I see in tcpdump when they are at the same host:

........
10.0.17.2.48524 > 10.0.17.2.3820: Flags [P.], cksum 0x378f (incorrect -> 0xf2b6), seq 399:756, ack 1085, win 273, options [nop,nop,TS val 347297976 ecr 347297966], length 357
13:01:26.334898 IP (tos 0x0, ttl 64, id 51559, offset 0, flags [DF], proto TCP (6), length 665)
10.0.17.2.3820 > 10.0.17.2.48524: Flags [P.], cksum 0x388f (incorrect -> 0x626d), seq 1085:1698, ack 756, win 273, options [nop,nop,TS val 347297977 ecr 347297976], length 613
13:01:26.374075 IP (tos 0x0, ttl 64, id 39617, offset 0, flags [DF], proto TCP (6), length 52)
10.0.17.2.48524 > 10.0.17.2.3820: Flags [.], cksum 0x9282 (correct), seq 756, ack 1698, win 289, options [nop,nop,TS val 347298017 ecr 347297977], length 0
13:01:26.375662 IP (tos 0x0, ttl 64, id 15848, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.42403 > 127.0.0.1.3820: Flags [S], cksum 0x7255 (correct), seq 2517132554, win 32792, options [mss 16396,sackOK,TS val 347298018 ecr 0,nop,wscale 7], length 0
13:01:26.375678 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
127.0.0.1.3820 > 127.0.0.1.42403: Flags [S.], cksum 0x21e9 (correct), seq 2013817557, ack 2517132555, win 32768, options [mss 16396,sackOK,TS val 347298018 ecr 347298018,nop,wscale 7], length 0
........
That is it starts working from one port but at some places it changes to 127.0.0.1 and a new connection is established.

When client and server at different host I don't get any exception but the client hangs. On server in log I have:

[2014-06-09T13:09:07.367+0400] [glassfish 4.0] [INFO] [] [] [tid: _ThreadID=139 _ThreadName=Thread-8] [timeMillis: 1402304947367] [levelValue: 800] [[
p: thread-pool-1; w: 1, WRITE: TLSv1 Handshake, length = 48]]
[2014-06-09T13:09:07.367+0400] [glassfish 4.0] [INFO] [] [] [tid: _ThreadID=139 _ThreadName=Thread-8] [timeMillis: 1402304947367] [levelValue: 800] [[
%% Cached server session: [Session-15, TLS_RSA_WITH_AES_256_CBC_SHA]]]
[2014-06-09T13:09:07.404+0400] [glassfish 4.0] [INFO] [] [] [tid: _ThreadID=139 _ThreadName=Thread-8] [timeMillis: 1402304947404] [levelValue: 800] [[
p: thread-pool-1; w: 1, READ: TLSv1 Application Data, length = 352]]
[2014-06-09T13:09:07.408+0400] [glassfish 4.0] [INFO] [] [] [tid: _ThreadID=139 _ThreadName=Thread-8] [timeMillis: 1402304947408] [levelValue: 800] [[
p: thread-pool-1; w: 1, WRITE: TLSv1 Application Data, length = 608]]

And on client I get endlessly the following message (with different cipher suite):
.......
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
.......

How can it be fixed?
 
Michael Remijan
Author
Ranch Hand
Posts: 130
7
Java
  • Likes 1
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
EJB SSL communication is tricky. It took me a couple weeks and I was working with a GlassFish security developer on it. I have a HOW-TO blogger article on it. http://mjremijan.blogspot.com/2011/06/secure-ssl-ejb-communication-with.html. This was written before GlassFish 4 but hopefully it is still applicable.
 
Pasha Turok
Greenhorn
Posts: 5
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Michael Remijan wrote:EJB SSL communication is tricky. It took me a couple weeks and I was working with a GlassFish security developer on it. I have a HOW-TO blogger article on it. http://mjremijan.blogspot.com/2011/06/secure-ssl-ejb-communication-with.html. This was written before GlassFish 4 but hopefully it is still applicable.

Thank you for your time and post. I totally agree that is REALLY TRICKY! I've done it. The problem was in my settings of /etc/hosts The full topic is http://stackoverflow.com/questions/24117040/javaee-ejb-over-ssl-works-only-if-client-and-server-are-at-the-same-host
 
Michael Remijan
Author
Ranch Hand
Posts: 130
7
Java
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
And this solved the issue having the client and server on different hosts?
 
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic