SSL WebSocket exception - Received fatal alert: certificate_unknown

[supertick]

Hello !
Many thanks for nettosphere and its support !

I'm trying to get a self signed certificate with ssl to nettosphere working.
I checked in the unit tests of nettosphere for something appropriate and ended up with this :

        SelfSignedCertificate ssc = new SelfSignedCertificate();
        SslContext sslServer = SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()).build();
        configBuilder.sslContext(sslServer);// .sslContext(sslCtx);
        configBuilder.enabledCipherSuites(sslServer.cipherSuites().toArray(new String[]{}));
        configBuilder.maxWebSocketFrameAggregatorContentLength(maxMsgSize);
        configBuilder.initParam("org.atmosphere.cpr.asyncSupport", "org.atmosphere.container.NettyCometSupport");
        configBuilder.initParam(ApplicationConfig.SCAN_CLASSPATH, "false");
        configBuilder.initParam(ApplicationConfig.PROPERTY_SESSION_SUPPORT, "true").port(port).host(address); // all
        configBuilder.maxChunkContentLength(maxMsgSize);
        configBuilder.maxWebSocketFrameSize(maxMsgSize);
        nettosphere = new Nettosphere.Builder().config(configBuilder.build()).build();        
        nettosphere.start();        

The results are mixed.
This exception is constantly being thrown

ERROR o.a.n.BridgeRuntime [BridgeRuntime.java:784] Unexpected and unhandled I/O Exception
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:477) ~[netty-all-4.1.66.Final.jar:4.1.66.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[netty-all-4.1.66.Final.jar:4.1.66.Final]

Strangely it does not appear to affect the resource handlers I have written, however it does kill the
org.atmosphere.nettosphere.HttpStaticFileServerHandler

09:52:15.366 [nioEventLoopGroup-3-1] DEBUG i.n.c.AbstractChannelHandlerContext [AbstractChannelHandlerContext.java:305] An exception java.lang.NullPointerException
	at org.atmosphere.nettosphere.HttpStaticFileServerHandler.exceptionCaught(HttpStaticFileServerHandler.java:285)
	at org.atmosphere.nettosphere.BridgeRuntime.exceptionCaught(BridgeRuntime.java:785)
	at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:302)
	at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:281)
	at io.netty.channel.AbstractChannelHandlerContext.fireExceptionCaught(AbstractChannelHandlerContext.java:273)
	at io.netty.handler.ssl.SslHandler.exceptionCaught(SslHandler.java:1106)
	at io.netty.channel.AbstractChannelHandlerContext.invokeExceptionCaught(AbstractChannelHandlerContext.java:302)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:381)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.base/java.lang.Thread.run(Thread.java:829)

So in the end the browser won't load the site.

Any ideas, examples, or suggestions on how to remove this exception, but still have a "valid" self signed certificate ?
Thanks !

[thabach]

Hi there, you might want to give https://github.com/FiloSottile/mkcert a try, as an alternative to a self-signed certificate for local development.

[supertick]

I installed gvm
which allowed me to install go1.5
which allowed me to install mkcert
which I installed and ran the example.com example ..
which only produces pem files, which I had to convert to pkcs12 format
then convert that to a jks store :P

After all that - I don't get the trace stack anymore on the server Yay !
But it doesn't send back the static file (same end result as before) Booo !

It does send back a header - with a file size .. but no actual file

[supertick]

Here is the debug logging I currently get :

17:47:27.305 [nioEventLoopGroup-3-1] DEBUG i.n.u.Recycler [Recycler.java:103] -Dio.netty.recycler.maxCapacityPerThread: 4096
17:47:27.305 [nioEventLoopGroup-3-1] DEBUG i.n.u.Recycler [Recycler.java:104] -Dio.netty.recycler.maxSharedCapacityFactor: 2
17:47:27.305 [nioEventLoopGroup-3-1] DEBUG i.n.u.Recycler [Recycler.java:105] -Dio.netty.recycler.linkCapacity: 16
17:47:27.306 [nioEventLoopGroup-3-1] DEBUG i.n.u.Recycler [Recycler.java:106] -Dio.netty.recycler.ratio: 8
17:47:27.306 [nioEventLoopGroup-3-1] DEBUG i.n.u.Recycler [Recycler.java:107] -Dio.netty.recycler.delayedQueue.ratio: 8
17:47:27.322 [nioEventLoopGroup-3-1] DEBUG i.n.b.AbstractByteBuf [AbstractByteBuf.java:63] -Dio.netty.buffer.checkAccessible: true
17:47:27.322 [nioEventLoopGroup-3-1] DEBUG i.n.b.AbstractByteBuf [AbstractByteBuf.java:64] -Dio.netty.buffer.checkBounds: true
17:47:27.324 [nioEventLoopGroup-3-1] DEBUG i.n.u.ResourceLeakDetectorFactory [ResourceLeakDetectorFactory.java:196] Loaded default ResourceLeakDetector: io.netty.util.ResourceLeakDetector@555197f7
17:47:27.544 [nioEventLoopGroup-3-2] DEBUG i.n.h.s.SslHandler [SslHandler.java:1831] [id: 0x7d77ab04, L:/127.0.0.1:8888 - R:/127.0.0.1:45118] HANDSHAKEN: protocol:TLSv1.3 cipher suite:TLS_AES_128_GCM_SHA256
17:47:27.544 [nioEventLoopGroup-3-1] DEBUG i.n.h.s.SslHandler [SslHandler.java:1831] [id: 0x9d6f107c, L:/127.0.0.1:8888 - R:/127.0.0.1:45116] HANDSHAKEN: protocol:TLSv1.3 cipher suite:TLS_AES_128_GCM_SHA256
17:48:18.812 [nioEventLoopGroup-3-3] DEBUG i.n.h.s.SslHandler [SslHandler.java:1831] [id: 0x80572d11, L:/127.0.0.1:8888 - R:/127.0.0.1:45528] HANDSHAKEN: protocol:TLSv1.3 cipher suite:TLS_AES_128_GCM_SHA256

[supertick]

Thanks for the suggestion ...

[supertick]

curl is a little more informative ...

curl -vvv https://example.com:8888/index.html
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to example.com (127.0.0.1) port 8888 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: O=mkcert development certificate; OU=greg@t14-gperry (Greg Perry)
*  start date: Aug  8 00:30:11 2021 GMT
*  expire date: Nov  8 01:30:11 2023 GMT
*  subjectAltName: host "example.com" matched cert's "example.com"
*  issuer: O=mkcert development CA; OU=greg@t14-gperry (Greg Perry); CN=mkcert greg@t14-gperry (Greg Perry)
*  SSL certificate verify ok.
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET /index.html HTTP/1.1
> Host: example.com:8888
> User-Agent: curl/7.58.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/1.1 200 OK
< content-length: 7512
< Content-Type: text/html
< date: Sun, 08 Aug 2021 01:06:52 GMT
< expires: Sun, 08 Aug 2021 01:07:52 GMT
< cache-control: private, max-age=60
< last-modified: Thu, 05 Aug 2021 02:29:04 GMT
< 
* TLSv1.3 (IN), TLS Unknown, Unknown (21):
* TLSv1.3 (IN), TLS alert, Client hello (1):
* transfer closed with 7512 bytes remaining to read
* stopped the pause stream!
* Closing connection 0
* TLSv1.3 (OUT), TLS Unknown, Unknown (21):
* TLSv1.3 (OUT), TLS alert, Client hello (1):
curl: (18) transfer closed with 7512 bytes remaining to read
greg@t14-gperry:~/github/mkcert$

so the 7512 bytes never come .....
The headers are exchanged so it seems that TLS over HTTP1.1 is worky
No exceptions, no errors, but no data

[supertick]

Any thoughts for this ?
TLS works headers are exchanged, but exceptions are coming from netty + no static file returned ?

[thabach]

I don’t quite get why this is configured as a web socket, or is it? The title has it declared as such. U try to serve a simple GET request right?

[supertick]

The js of the client initially is served from static pages .. I'm using the Atmosphere javascript client - https://github.com/Atmosphere/atmosphere-javascript

So, yes - a handler is set to serve the static page, the page loads in the browser, executes the js client which opens the websocket. It works without SSL, but not with SSL ...

[thabach]

Gotya, could you run your curl -v with --ignore-content-length and paste the output? Does a similar curl request against the working version reply with the same content-length for your index.html?

[supertick]

heh, sorry about the extremely long pause ... apparently some pandemic got loose ...
@thabach - ya ... works fine under http

curl -k -vvv --ignore-content-length http://example.com:8888/index.html
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to example.com (127.0.0.1) port 8888 (#0)
> GET /index.html HTTP/1.1
> Host: example.com:8888
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< content-length: 7560
< Content-Type: text/html
< date: Thu, 28 Apr 2022 06:13:47 GMT
< expires: Thu, 28 Apr 2022 06:14:47 GMT
< cache-control: private, max-age=60
< last-modified: Sat, 05 Mar 2022 17:24:32 GMT
* no chunk, no close, no size. Assume close to signal end
< 
<!doctype html>
<html lang="en" ng-app="mrlapp">
    <head>
        <meta charset="utf-8">
    ( full html page )

All bytes are returned specifically 7560 of them ...
but switching to use ssl - I get this ..

curl -k -vvv --ignore-content-length https://example.com:8888/index.html
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to example.com (127.0.0.1) port 8888 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=localhost
*  start date: Apr 28 06:17:43 2021 GMT
*  expire date: Dec 31 23:59:59 9999 GMT
*  issuer: CN=localhost
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET /index.html HTTP/1.1
> Host: example.com:8888
> User-Agent: curl/7.58.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/1.1 200 OK
< content-length: 7560
< Content-Type: text/html
< date: Thu, 28 Apr 2022 06:18:02 GMT
< expires: Thu, 28 Apr 2022 06:19:02 GMT
< cache-control: private, max-age=60
< last-modified: Sat, 05 Mar 2022 17:24:32 GMT
* no chunk, no close, no size. Assume close to signal end
< 
* TLSv1.3 (IN), TLS Unknown, Unknown (21):
* TLSv1.3 (IN), TLS alert, Client hello (1):
* Closing connection 0
* TLSv1.3 (OUT), TLS Unknown, Unknown (21):
* TLSv1.3 (OUT), TLS alert, Client hello (1):

It returns the correct byte count ... but no data

[supertick]

can we re-open this ?

[supertick]

interestingly, my custom resource works fine in https
configBuilder.resource("/api", this);

curl -k -vvv --ignore-content-length https://example.com:8888/api/service/runtime/getUptime
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to example.com (127.0.0.1) port 8888 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=localhost
*  start date: Apr 28 06:17:43 2021 GMT
*  expire date: Dec 31 23:59:59 9999 GMT
*  issuer: CN=localhost
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET /api/service/runtime/getUptime HTTP/1.1
> Host: example.com:8888
> User-Agent: curl/7.58.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
< HTTP/1.1 200 OK
< Content-Type:application/json
< Transfer-Encoding:chunked
< Server:Nettosphere/3.2.5
< Cache-Control:no-store, no-cache, must-revalidate
< X-Atmosphere-first-request:true
< Connection:Keep-Alive
< Expires:-1
< Pragma:no-cache
< X-Atmosphere-tracking-id:68ae2672-b974-47df-b7fc-773b81bd2b69
< 
* TLSv1.3 (IN), TLS Unknown, Unknown (23):
* Connection #0 to host example.com left intact
"0 days 0 hours 10 minutes 5 seconds"

but any static file with the default file path resource - does not work
e.g. index.html inside this path
configBuilder.resource("./src/main/resources/resource/WebGui/app");

[jfarcand]

@supertick If you can share a github's repo with a test case I will take a look