PartnerIssue #177

"Login Test" on https://eid.services.ageto.net/eid/ fails due to TLSv1 Handshake Failure

Added by Andreas Kuckartz almost 8 years ago. Updated almost 8 years ago.

Status: Closed
Priority: High
Assignee:
Target version:
Start date: 03/09/2013
Due date:
% Done: 100%
Estimated time:

Description

The "Login Test" on this page seems to access a URL starting with "http://localhost:24727/eID-Client?tcTokenURL=https....":
https://eid.services.ageto.net/eid/

But it does not activate the Open eCard client. Instead I see this error in Chromium after clicking on "Start eID":

"Keine Daten empfangen
Die Webseite kann nicht geladen werden, da der Server keine Daten gesendet hat.
Vorschläge:
Laden Sie diese Webseite später erneut.
Fehler 324 (net::ERR_EMPTY_RESPONSE): Server hat die Verbindung geschlossen. Es wurden keine Daten gesendet."

Who is responsible for this problem, server or client?


Files

ageto.pcap (6.97 KB) Tobias Wich, 03/09/2013 12:09 PM

Related issues

Has duplicate Bug #172: Error "Bad TLS Request - This could be an attac!" (Rejected, 02/17/2013)

Associated revisions

Revision 0f905ce5 (diff)
Added by Dirk Petrautzki almost 8 years ago

Fallback to TLS 1.0 when server implementations are erroneous (fixes #177)

If grabbing the TCToken using TLSv1.1 results in an error in the TLSProtocolHandler we now try
again using TLSv1.0. This also applies to PAOS connections.

The rationale behind this is that most production eID servers are not capable of handling TLS 1.1
connections as required by TR-03130 (Version 1.1.2) Section 2. We are currently speaking with the
eID Server producers to address this problem, so that we can remove the fallback.

Revision d0e1b685 (diff)
Added by Dirk Petrautzki almost 8 years ago

Fallback to TLS 1.0 when server implementations are erroneous (fixes #177)

If grabbing the TCToken using TLSv1.1 results in an error in the TLSProtocolHandler we now try
again using TLSv1.0. This also applies to PAOS connections.

The rationale behind this is that most production eID servers are not capable of handling TLS 1.1
connections as required by TR-03130 (Version 1.1.2) Section 2. We are currently speaking with the
eID Server producers to address this problem, so that we can remove the fallback.

History

#1

Updated by Tobias Wich almost 8 years ago

There is a problem with the TLS channel when fetching the TCToken. The attached wireshark dump shows that.

What do our TLS experts say?

#2

Updated by Tobias Wich almost 8 years ago

  • Target version changed from 1.x to 1.0.1

#3

Updated by Detlef Hühnlein almost 8 years ago

  • Tracker changed from Bug to PartnerIssue

#4

Updated by Andreas Kuckartz almost 8 years ago

  • Subject changed from Problem with "Login Test" on https://eid.services.ageto.net/eid/ to "Login Test" on https://eid.services.ageto.net/eid/ fails due to TLSv1 Handshake Failure

#5

Updated by Andreas Kuckartz almost 8 years ago

A few observations from someone who is not a TLS expert:

1. BSI TR-03130-1, Version 2.0, October 24, 2012 ("Technical Guideline eID-Server") refers to RFC 5246, The Transport Layer Security (TLS)
Protocol, Version 1.2, and not older TLS versions.

On the other hand the previous version of BSI TR-03130-1 (1.6) uses the TLA "TLS" without referring to an RFC or mentioning a version.

2. eid.services.ageto.net seems to only support TLS 1.0.

3. There are not many causes of Handshake Failures specified in RFC2246 (TLS 1.0). One of them is contained in this paragraph:
"The CipherSuite list, passed from the client to the server in the
client hello message, contains the combinations of cryptographic
algorithms supported by the client in order of the client's
preference (favorite choice first). Each CipherSuite defines a key
exchange algorithm, a bulk encryption algorithm (including secret key
length) and a MAC algorithm. The server will select a cipher suite
or, if no acceptable choices are presented, return a handshake
failure alert and close the connection."
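
What the handshake failure named in the subject looks like on the wire, as an added example that is not part of the original thread or of the Open eCard code: it decodes the server's first reply and tells a fatal alert apart from a ServerHello that negotiates down to TLS 1.0. Both byte strings are constructed for illustration and are not taken from ageto.pcap; the function names are assumptions.

```python
import struct

VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions defined by RFC 2246 (TLS 1.0), section 7.2.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 60: "export_restriction",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation",
}


def iter_records(stream):
    """Yield (content_type, (major, minor), payload) for each TLS record."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        payload = stream[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload")
        yield ctype, (major, minor), payload
        offset += 5 + length


def describe_server_reply(stream):
    """Return one tuple per record the server sent in reply to the ClientHello."""
    findings = []
    for ctype, version, payload in iter_records(stream):
        record_version = VERSIONS.get(version, "unknown")
        if ctype == 21 and len(payload) == 2:  # unencrypted alert record
            level, description = payload
            findings.append(("alert", ALERT_LEVELS.get(level, "unknown"),
                             ALERT_DESCRIPTIONS.get(description, "unknown"),
                             record_version))
        elif ctype == 22 and len(payload) >= 6 and payload[0] == 2:  # ServerHello
            # Handshake header is 4 bytes; server_version follows directly.
            chosen = VERSIONS.get((payload[4], payload[5]), "unknown")
            findings.append(("server_hello", chosen))
        else:
            findings.append(("other", ctype))
    return findings


# Constructed sample 1: the server answers with a fatal handshake_failure
# alert (level 2, description 40) in a TLS 1.0 record and closes.
ALERT_REPLY = bytes.fromhex("15030100020228")


def build_server_hello(major, minor):
    """Constructed sample 2: a minimal ServerHello selecting the given version."""
    body = (bytes([major, minor]) + bytes(32)  # version + zeroed random
            + b"\x00"                          # empty session id
            + b"\x00\x2f" + b"\x00")           # cipher suite, null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", 22, major, minor, len(handshake)) + handshake


if __name__ == "__main__":
    print(describe_server_reply(ALERT_REPLY))
    print(describe_server_reply(build_server_hello(3, 1)))
```

A client that surfaces the decoded alert level and description gives the user more to act on than a generic "Internal TLS error" message.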

#6

Updated by Andreas Kuckartz almost 8 years ago

This Wiki page contains some further information:
https://dev.openecard.org/projects/open-ecard/wiki/EID-Server-Issues

#7

Updated by Tobias Wich almost 8 years ago

Andreas Kuckartz wrote:

A few observations from someone who is not a TLS expert:

1. BSI TR-03130-1, Version 2.0, October 24, 2012 ("Technical Guideline eID-Server") refers to RFC 5246, The Transport Layer Security (TLS)
Protocol, Version 1.2, and not older TLS versions.

BSI TR-03112 Version 1.1.2 states that TLS 1.1 (RFC 4346) must be used. Has this requirement changed in the current draft?

#8

Updated by Andreas Kuckartz almost 8 years ago

I see this in ~/openecard/logs/richclient_info.log

2013-03-11 09:08:34,753 [Thread-4] WARN o.o.crypto.tls.TlsNoAuthentication:90 - No certificate verifier available, skipping certificate verification.
2013-03-11 09:08:34,934 [Thread-4] ERROR o.o.c.b.h.h.HttpTCTokenHandler:154 - Internal TLS error, this could be an attack
org.openecard.control.module.tctoken.TCTokenException: Internal TLS error, this could be an attack
at org.openecard.control.module.tctoken.TCTokenGrabber.getResource(TCTokenGrabber.java:172) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.TCTokenFactory.generateTCToken(TCTokenFactory.java:41) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.GenericTCTokenHandler.parseTCTokenRequestURI(GenericTCTokenHandler.java:130) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.handler.HttpTCTokenHandler.handle(HttpTCTokenHandler.java:136) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.doService(HttpService.java:375) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.handleRequest(HttpService.java:290) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.HTTPService$1.run(HTTPService.java:125) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
Caused by: java.io.IOException: Internal TLS error, this could be an attack
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.processAlert(TlsProtocolHandler.java:821) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.processData(TlsProtocolHandler.java:144) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.RecordStream.readData(RecordStream.java:68) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.safeReadData(TlsProtocolHandler.java:1138) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.connect(TlsProtocolHandler.java:1082) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.TCTokenGrabber.getStream(TCTokenGrabber.java:104) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.TCTokenGrabber.getResource(TCTokenGrabber.java:158) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
... 6 common frames omitted
2013-03-11 09:08:34,941 [Thread-4] ERROR o.o.c.binding.http.HTTPService$1:128 - null
java.lang.NullPointerException: null
at org.openecard.control.binding.http.common.Http11Response.copyHttpResponse(Http11Response.java:66) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.handler.HttpTCTokenHandler.handle(HttpTCTokenHandler.java:156) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.doService(HttpService.java:375) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.handleRequest(HttpService.java:290) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.HTTPService$1.run(HTTPService.java:125) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]

#9

Updated by Dirk Petrautzki almost 8 years ago

  • Status changed from New to Solved
  • % Done changed from 0 to 100

Applied in changeset github-main|commit:0f905ce5a9053d8111b025bdb8c2cc60db42b33a.

#10

Updated by Andreas Kuckartz almost 8 years ago

I still see errors, including "Internal TLS error, this could be an attack".

It then continues with other errors but I have no card reader installed so that this is expected. But I expect that such error messages are not just visible in the logs.

2013-03-11 16:18:10,292 [Thread-6] ERROR o.o.c.binding.http.HTTPService$1:128 - null
java.lang.NullPointerException: null
at org.openecard.control.binding.http.common.Http11Response.copyHttpResponse(Http11Response.java:66) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.handler.HttpTCTokenHandler.handle(HttpTCTokenHandler.java:156) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.doService(HttpService.java:375) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.handleRequest(HttpService.java:290) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.HTTPService$1.run(HTTPService.java:125) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
2013-03-11 16:18:15,776 [Thread-8] WARN o.o.crypto.tls.TlsNoAuthentication:90 - No certificate verifier available, skipping certificate verification.
2013-03-11 16:18:15,875 [Thread-8] ERROR o.o.c.b.h.h.HttpTCTokenHandler:154 - Internal TLS error, this could be an attack
org.openecard.control.module.tctoken.TCTokenException: Internal TLS error, this could be an attack
at org.openecard.control.module.tctoken.TCTokenGrabber.getResource(TCTokenGrabber.java:172) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.TCTokenFactory.generateTCToken(TCTokenFactory.java:39) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.GenericTCTokenHandler.parseTCTokenRequestURI(GenericTCTokenHandler.java:130) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.handler.HttpTCTokenHandler.handle(HttpTCTokenHandler.java:136) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.doService(HttpService.java:375) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.handleRequest(HttpService.java:290) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.HTTPService$1.run(HTTPService.java:125) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
Caused by: java.io.IOException: Internal TLS error, this could be an attack
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.processAlert(TlsProtocolHandler.java:821) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.processData(TlsProtocolHandler.java:144) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.RecordStream.readData(RecordStream.java:68) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.safeReadData(TlsProtocolHandler.java:1138) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.connect(TlsProtocolHandler.java:1082) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.TCTokenGrabber.getStream(TCTokenGrabber.java:104) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.TCTokenGrabber.getResource(TCTokenGrabber.java:158) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
... 6 common frames omitted
2013-03-11 16:18:15,876 [Thread-8] ERROR o.o.c.binding.http.HTTPService$1:128 - null
java.lang.NullPointerException: null
at org.openecard.control.binding.http.common.Http11Response.copyHttpResponse(Http11Response.java:66) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.handler.HttpTCTokenHandler.handle(HttpTCTokenHandler.java:156) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.doService(HttpService.java:375) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.handleRequest(HttpService.java:290) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.HTTPService$1.run(HTTPService.java:125) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
2013-03-11 16:18:34,596 [Open-eCard Localhost-Binding] ERROR o.o.c.binding.http.HTTPService:139 - Socket closed
java.net.SocketException: Socket closed
at java.net.PlainSocketImpl.socketAccept(Native Method) ~[na:1.7.0_15]
at java.net.AbstractPlainSocketImpl.accept(AbstractPlainSocketImpl.java:398) ~[na:1.7.0_15]
at java.net.ServerSocket.implAccept(ServerSocket.java:522) ~[na:1.7.0_15]
at java.net.ServerSocket.accept(ServerSocket.java:490) ~[na:1.7.0_15]
at org.openecard.control.binding.http.HTTPService.run(HTTPService.java:118) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at java.lang.Thread.run(Thread.java:722) [na:1.7.0_15]
2013-03-11 16:18:34,601 [pool-3-thread-2] WARN org.openecard.ifd.scio.IFD:478 - null
java.lang.InterruptedException: null
at java.util.concurrent.locks.AbstractQueuedSynchronizer.doAcquireSharedInterruptibly(AbstractQueuedSynchronizer.java:996) ~[na:1.7.0_15]
at java.util.concurrent.locks.AbstractQueuedSynchronizer.acquireSharedInterruptibly(AbstractQueuedSynchronizer.java:1303) ~[na:1.7.0_15]
at java.util.concurrent.FutureTask$Sync.innerGet(FutureTask.java:248) [na:1.7.0_15]
at java.util.concurrent.FutureTask.get(FutureTask.java:111) [na:1.7.0_15]
at org.openecard.ifd.scio.IFD.wait(IFD.java:463) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.event.WaitFuture.call(WaitFuture.java:53) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.event.WaitFuture.call(WaitFuture.java:38) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) [na:1.7.0_15]
at java.util.concurrent.FutureTask.run(FutureTask.java:166) [na:1.7.0_15]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_15]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_15]
at java.lang.Thread.run(Thread.java:722) [na:1.7.0_15]
2013-03-11 16:18:34,605 [pool-3-thread-2] WARN org.openecard.event.WaitFuture:58 - http://www.bsi.bund.de/ecard/api/1.1/resultminor/al/common#unknownError > Unknown eCard exception occurred.
org.openecard.common.WSHelper$WSException: http://www.bsi.bund.de/ecard/api/1.1/resultminor/al/common#unknownError > Unknown eCard exception occurred.
at org.openecard.common.ECardException.makeException(ECardException.java:64) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.common.WSHelper$WSException.<init>(WSHelper.java:43) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.common.WSHelper.checkResult(WSHelper.java:65) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.event.WaitFuture.call(WaitFuture.java:55) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.event.WaitFuture.call(WaitFuture.java:38) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) [na:1.7.0_15]
at java.util.concurrent.FutureTask.run(FutureTask.java:166) [na:1.7.0_15]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [na:1.7.0_15]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [na:1.7.0_15]
at java.lang.Thread.run(Thread.java:722) [na:1.7.0_15]

#11

Updated by Tobias Wich almost 8 years ago

Have you tried the latest master branch, because this one works for me.

#12

Updated by Andreas Kuckartz almost 8 years ago

To ensure that nothing went wrong with git or mvn I deleted the whole directory and downloaded and built the client again according to the README.md.

Accessing the Ageto "Start Login" does not work. I see this in the log:

2013-03-12 09:31:54,637 [Thread-4] WARN o.o.crypto.tls.TlsNoAuthentication:90 - No certificate verifier available, skipping certificate verification.
2013-03-12 09:31:54,859 [Thread-4] ERROR o.o.c.b.h.h.HttpTCTokenHandler:154 - Internal TLS error, this could be an attack
org.openecard.control.module.tctoken.TCTokenException: Internal TLS error, this could be an attack
at org.openecard.control.module.tctoken.TCTokenGrabber.getResource(TCTokenGrabber.java:172) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.TCTokenFactory.generateTCToken(TCTokenFactory.java:39) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.GenericTCTokenHandler.parseTCTokenRequestURI(GenericTCTokenHandler.java:130) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.handler.HttpTCTokenHandler.handle(HttpTCTokenHandler.java:136) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.doService(HttpService.java:375) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.handleRequest(HttpService.java:290) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.HTTPService$1.run(HTTPService.java:125) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
Caused by: java.io.IOException: Internal TLS error, this could be an attack
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.processAlert(TlsProtocolHandler.java:821) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.processData(TlsProtocolHandler.java:144) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.RecordStream.readData(RecordStream.java:68) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.safeReadData(TlsProtocolHandler.java:1138) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.connect(TlsProtocolHandler.java:1082) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.TCTokenGrabber.getStream(TCTokenGrabber.java:104) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.TCTokenGrabber.getResource(TCTokenGrabber.java:158) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
... 6 common frames omitted
2013-03-12 09:31:54,863 [Thread-4] ERROR o.o.c.binding.http.HTTPService$1:128 - null
java.lang.NullPointerException: null
at org.openecard.control.binding.http.common.Http11Response.copyHttpResponse(Http11Response.java:66) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.handler.HttpTCTokenHandler.handle(HttpTCTokenHandler.java:156) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.doService(HttpService.java:375) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.handleRequest(HttpService.java:290) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.HTTPService$1.run(HTTPService.java:125) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
2013-03-12 09:31:54,967 [Thread-6] WARN o.o.crypto.tls.TlsNoAuthentication:90 - No certificate verifier available, skipping certificate verification.
2013-03-12 09:31:55,062 [Thread-6] ERROR o.o.c.b.h.h.HttpTCTokenHandler:154 - Internal TLS error, this could be an attack
org.openecard.control.module.tctoken.TCTokenException: Internal TLS error, this could be an attack
at org.openecard.control.module.tctoken.TCTokenGrabber.getResource(TCTokenGrabber.java:172) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.TCTokenFactory.generateTCToken(TCTokenFactory.java:39) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.GenericTCTokenHandler.parseTCTokenRequestURI(GenericTCTokenHandler.java:130) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.handler.HttpTCTokenHandler.handle(HttpTCTokenHandler.java:136) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.doService(HttpService.java:375) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.handleRequest(HttpService.java:290) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.HTTPService$1.run(HTTPService.java:125) [richclient-1.1.0-SNAPSHOT-bundle.jar:na]
Caused by: java.io.IOException: Internal TLS error, this could be an attack
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.processAlert(TlsProtocolHandler.java:821) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.processData(TlsProtocolHandler.java:144) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.RecordStream.readData(RecordStream.java:68) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.safeReadData(TlsProtocolHandler.java:1138) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.bouncycastle.crypto.tls.TlsProtocolHandler.connect(TlsProtocolHandler.java:1082) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.TCTokenGrabber.getStream(TCTokenGrabber.java:104) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.module.tctoken.TCTokenGrabber.getResource(TCTokenGrabber.java:158) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
... 6 common frames omitted
2013-03-12 09:31:55,064 [Thread-6] ERROR o.o.c.binding.http.HTTPService$1:128 - null
java.lang.NullPointerException: null
at org.openecard.control.binding.http.common.Http11Response.copyHttpResponse(Http11Response.java:66) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.handler.HttpTCTokenHandler.handle(HttpTCTokenHandler.java:156) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.doService(HttpService.java:375) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.apache.http.protocol.HttpService.handleRequest(HttpService.java:290) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]
at org.openecard.control.binding.http.HTTPService$1.run(HTTPService.java:125) ~[richclient-1.1.0-SNAPSHOT-bundle.jar:na]

#13

Updated by Andreas Kuckartz almost 8 years ago

Please reopen.

#14

Updated by Tobias Wich almost 8 years ago

You are still running the wrong code. It seems that github serves stage as the main branch instead of master. Normally this one would be atop of the master, but we are currently creating a hotfix release and thus they don't correlate at the moment.

To fix your problem change the branch with
$ git checkout -b master origin/master

In the meantime I will be looking into the problem at github.

#15

Updated by Andreas Kuckartz almost 8 years ago

That helped. Now the client gets activated and I only see these lines in the log. Are the warnings a result of the TLS problem or is that a separate issue?

2013-03-12 10:33:12,882 [Thread-4] WARN o.o.crypto.tls.TlsNoAuthentication:90 - No certificate verifier available, skipping certificate verification.
2013-03-12 10:33:13,013 [Thread-4] ERROR o.o.c.module.tctoken.TCTokenGrabber:109 - Connecting to the TCToken-URL with TLSv1.1 failed. Falling back to TLSv1.0.
2013-03-12 10:33:13,078 [Thread-4] WARN o.o.crypto.tls.TlsNoAuthentication:90 - No certificate verifier available, skipping certificate verification.
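
The log lines quoted in this thread can be checked mechanically. The following added example (not part of the Open eCard code base) groups them into connection attempts and flags any attempt that ran after a fallback to TLSv1.0 while certificate verification was skipped, which is the combination an operator would want surfaced because any handshake error triggers the fallback. The sample log is assembled from lines posted above; the function names and the per-thread grouping are assumptions.

```python
import re

# timestamp [thread] LEVEL logger:line - message  (format used in richclient_info.log)
LINE = re.compile(r"^(\S+ \S+) \[([^\]]+)\] (\w+)\s+(\S+) - (.*)$")

# Sample assembled from log lines posted in this thread (stack frames shortened).
SAMPLE_LOG = """\
2013-03-12 09:31:54,637 [Thread-4] WARN o.o.crypto.tls.TlsNoAuthentication:90 - No certificate verifier available, skipping certificate verification.
2013-03-12 09:31:54,859 [Thread-4] ERROR o.o.c.b.h.h.HttpTCTokenHandler:154 - Internal TLS error, this could be an attack
org.openecard.control.module.tctoken.TCTokenException: Internal TLS error, this could be an attack
... 6 common frames omitted
2013-03-12 10:33:12,882 [Thread-4] WARN o.o.crypto.tls.TlsNoAuthentication:90 - No certificate verifier available, skipping certificate verification.
2013-03-12 10:33:13,013 [Thread-4] ERROR o.o.c.module.tctoken.TCTokenGrabber:109 - Connecting to the TCToken-URL with TLSv1.1 failed. Falling back to TLSv1.0.
2013-03-12 10:33:13,078 [Thread-4] WARN o.o.crypto.tls.TlsNoAuthentication:90 - No certificate verifier available, skipping certificate verification.
"""


def connection_attempts(log_text):
    """Group log events into TLS connection attempts, one dict per attempt."""
    attempts = []
    latest = {}       # thread name -> most recent attempt on that thread
    pending = set()   # threads whose next attempt is a TLSv1.0 retry
    for line in log_text.splitlines():
        match = LINE.match(line)
        if not match:
            continue  # stack-trace frames and exception lines carry no timestamp
        time, thread, _level, _logger, message = match.groups()
        if "skipping certificate verification" in message:
            attempt = {"time": time, "thread": thread, "unverified": True,
                       "fallback": thread in pending, "outcome": "no error logged"}
            pending.discard(thread)
            attempts.append(attempt)
            latest[thread] = attempt
        elif "Falling back to TLSv1.0" in message:
            if thread in latest:
                latest[thread]["outcome"] = "failed, retried with TLSv1.0"
            pending.add(thread)
        elif "Internal TLS error" in message and thread in latest:
            latest[thread]["outcome"] = "tls-error"
    return attempts


def downgrade_alerts(attempts):
    """Return a message for every attempt that was both downgraded and unverified."""
    return ["%s [%s] TLSv1.0 fallback used without certificate verification"
            % (a["time"], a["thread"])
            for a in attempts if a["fallback"] and a["unverified"]]


if __name__ == "__main__":
    found = connection_attempts(SAMPLE_LOG)
    for attempt in found:
        print(attempt)
    for alert in downgrade_alerts(found):
        print("ALERT:", alert)
```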

#16

Updated by Tobias Wich almost 8 years ago

  • Status changed from Solved to Closed
  • Assignee set to Tobias Wich

#17

Updated by Andreas Kuckartz almost 8 years ago

Is it also solved in the 1.1 version?

#18

Updated by Tobias Wich almost 8 years ago

Patch is ported since now ;-)
