Failed to send message - SSL peer shut down incorrectly #100

Open
senikk opened this issue Feb 27, 2020 · 8 comments
@senikk

senikk commented Feb 27, 2020

This just happened some minutes ago, sending to 0192:983219721. What could be the reason for this?

    org.apache.cxf.binding.soap.SoapFault: Problem writing SAAJ model to stream: Remote host closed connection during handshake
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:224)
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:174)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314)
        at org.apache.cxf.endpoint.ClientImpl.invokeWrapped(ClientImpl.java:349)
        at org.apache.cxf.jaxws.DispatchImpl.invoke(DispatchImpl.java:322)
        at org.apache.cxf.jaxws.DispatchImpl.invoke(DispatchImpl.java:241)
        at no.difi.oxalis.as4.outbound.As4MessageSender.invoke(As4MessageSender.java:95)
        at no.difi.oxalis.as4.outbound.As4MessageSender.send(As4MessageSender.java:87)
        at no.difi.oxalis.as4.outbound.As4MessageSenderFacade.send(As4MessageSenderFacade.java:20)
        at no.difi.oxalis.api.outbound.MessageSender.send(MessageSender.java:59)
        at no.difi.oxalis.outbound.transmission.DefaultTransmitter.perform(DefaultTransmitter.java:149)
        at no.difi.oxalis.outbound.transmission.DefaultTransmitter.transmit(DefaultTransmitter.java:106)
        at no.unimicro.ap.outbox.UniSendService.sendFileToReceiver(UniSendService.java:175)
        at no.unimicro.ap.outbox.UniSendService.main(UniSendService.java:111)
    Caused by: com.ctc.wstx.exc.WstxIOException: Remote host closed connection during handshake
        at com.ctc.wstx.sw.BaseStreamWriter.writeCharacters(BaseStreamWriter.java:471)
        at org.apache.cxf.staxutils.StaxUtils.copy(StaxUtils.java:770)
        at org.apache.cxf.staxutils.StaxUtils.copy(StaxUtils.java:716)
        at org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor$SAAJOutEndingInterceptor.handleMessage(SAAJOutInterceptor.java:214)
        ... 17 common frames omitted
    Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:994)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1340)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1315)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:264)
        at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:274)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1343)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1304)
        at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:307)
        at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
        at org.apache.cxf.io.AbstractThresholdOutputStream.unBuffer(AbstractThresholdOutputStream.java:89)
        at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:63)
        at org.apache.cxf.io.CacheAndWriteOutputStream.write(CacheAndWriteOutputStream.java:80)
        at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:51)
        at com.ctc.wstx.io.UTF8Writer.write(UTF8Writer.java:143)
        at com.ctc.wstx.sw.BufferingXmlWriter.writeRaw(BufferingXmlWriter.java:286)
        at com.ctc.wstx.sw.BufferingXmlWriter.writeCharacters(BufferingXmlWriter.java:600)
        at com.ctc.wstx.sw.BaseStreamWriter.writeCharacters(BaseStreamWriter.java:469)
        ... 20 common frames omitted
    Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at sun.security.ssl.InputRecord.read(InputRecord.java:505)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:975)
        ... 41 common frames omitted

@FrodeBjerkholt
Contributor

Hmm - I am just inspecting the Domibus client code and see that they are using the following snippet:

        if (endpoint.startsWith("https://")) {
            final TLSClientParameters params = tlsReader.getTlsClientParameters(domain);
            if (params != null) {
                httpConduit.setTlsClientParameters(params);
            }
        }

It is possible that we have to do something similar in Oxalis?

@FrodeBjerkholt
Contributor

I found the following in the CXF documentation:

"When using an "https" URL, CXF will, by default, use the certs and keystores that are part
of the JDK. For many HTTPs applications, that is enough and no configuration is necessary.
However, when using custom client certificates or self signed server certificates or similar, you
may need to specifically configure in the keystores and trust managers and such to establish
the SSL connection."

As I understand the HTTPS certificate rules of the PEPPOL network, there should be no need to specially configure this.

@senikk
Author

senikk commented Feb 27, 2020

Looking at the receiver address, it's graded B in the SSL Labs test because of both weak Diffie-Hellman and also supporting TLS 1.0 and TLS 1.1. But it also supports TLS 1.2. Looking at other access points which we have sent successfully to, there are also several B-graded, but with just the TLS 1.0/1.1 warning.

Searching for the error message, it's TLS that is the result.

Checking the same receiver, it's been sent successfully to this receiver today.

@FrodeBjerkholt
Contributor

Is the certificate trusted by Oracle as mentioned in the following statement from PEPPOL?

"Your AP must implement HTTPS with certificate chains to Certificate Authorities (CAs) which are trusted by the PEPPOL community. Your certificate must be trusted by both Microsoft and Oracle CAs. Self-signed certificates are considered non-compliant and will not be accepted when onboarding as a PEPPOL service provider. To test your SSL configuration, go to: https://www.ssllabs.com/ssltest/. It must be grade A or above. This will eventually also be controlled by the OpenPEPPOL Operating Office."

@senikk
Author

senikk commented Mar 3, 2020

I checked another one of these errors today, sending to 0192:938587418. It's not the same access point, but it also has grade B. But this doesn't make any sense. It's sent successfully to the same recipient both before and after it failed with "java.io.EOFException: SSL peer shut down incorrectly". If it was because of grade B or not trusted by Microsoft and Oracle, it should have failed every attempt.

@FrodeBjerkholt
Contributor

Could it be something like this?

@FrodeBjerkholt
Contributor

I see that Domibus sets TLSv1.2 - Maybe I should try the same?

@senikk
Author

senikk commented Mar 3, 2020

I haven't tried myself, but I thought Java 1.8 had this as default.
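
Added example (not part of this thread, and not Oxalis or Domibus code): one way to try the TLSv1.2 setting discussed above on a CXF client, together with an offline report of the JVM's own TLS defaults for the "Java 1.8 default" question. The class and method names are assumptions, and Apache CXF must be on the classpath.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.transport.Conduit;
import org.apache.cxf.transport.http.HTTPConduit;

/** Hypothetical helper (name is an assumption); not taken from Oxalis or Domibus. */
public final class Tls12ConduitConfig {

    private Tls12ConduitConfig() {}

    /** Asks CXF to use TLSv1.2 for the client's outbound HTTPS conduit. */
    public static void requestTls12(Client client) {
        Conduit raw = client.getConduit();
        if (!(raw instanceof HTTPConduit)) {
            return; // non-HTTP transport: nothing to configure
        }
        HTTPConduit conduit = (HTTPConduit) raw;
        TLSClientParameters params = conduit.getTlsClientParameters();
        if (params == null) {
            params = new TLSClientParameters(); // no custom key or trust managers are set here
        }
        params.setSecureSocketProtocol("TLSv1.2");
        // Hostname verification is not touched: disableCNCheck keeps its default (false).
        conduit.setTlsClientParameters(params);
    }

    /** Reports what this JVM offers by default, for comparison with the receiver's SSL Labs report. */
    public static String describeJvmTlsDefaults() throws Exception {
        SSLParameters defaults = SSLContext.getDefault().getDefaultSSLParameters();
        return "java.version=" + System.getProperty("java.version")
            + "\nclient protocols=" + Arrays.toString(defaults.getProtocols())
            + "\njdk.tls.disabledAlgorithms=" + Security.getProperty("jdk.tls.disabledAlgorithms");
    }

    public static void main(String[] args) throws Exception {
        // Runs offline: prints the JVM defaults only, no connection is made.
        System.out.println(describeJvmTlsDefaults());
    }
}
```

For an intermittent failure like the one reported, running the sender with `-Djavax.net.debug=ssl:handshake` shows which handshake message was last exchanged before the peer closed the connection.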

@SuperJuell SuperJuell added the Inactive Please respond, or issue will be closed label Feb 2, 2021
@aaron-kumar aaron-kumar added the issue Issue which are under review, can be bug label Dec 6, 2021
@aaron-kumar aaron-kumar added this to the 5.x.x milestone Dec 6, 2021
@aaron-kumar aaron-kumar moved this to Open Issues- Review Required in Oxalis Public Roadmap Dec 6, 2021
@aaron-kumar aaron-kumar removed the Inactive Please respond, or issue will be closed label Jul 29, 2022
@aaron-kumar aaron-kumar modified the milestones: 5.x.x, Future Jan 16, 2023
@aaron-kumar aaron-kumar moved this from Open Issues- Review Required to Q1 2023 –Jan-March in Oxalis Public Roadmap Jan 16, 2023
@aaron-kumar aaron-kumar modified the milestones: Future, 6.x.x Jan 16, 2023
@aaron-kumar aaron-kumar moved this from Q2 2023 – April-June to Q4 2023 – October-December in Oxalis Public Roadmap Sep 25, 2023
@aaron-kumar aaron-kumar moved this from Q4 2023 – October-December to Future in Oxalis Public Roadmap Dec 9, 2023
@aaron-kumar aaron-kumar modified the milestones: 6.x.x, 7.x.x Dec 9, 2023