Topic: wolfSSL ssl library in https server applet issue from old forums.

1.
      lychen214

      2007-05-21 11:21:28 UTC
      Hi

      I use wolfssl as the SSL lib to develop an https server, but I have encountered some problems. In general all functions work normally except opening an applet web page. Some error messages are shown below:

      Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
      at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
      at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
      at java.net.HttpURLConnection.getResponseCode(Unknown Source)
      at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)
      at sun.applet.AppletClassLoader.getBytes(Unknown Source)
      at sun.applet.AppletClassLoader.access$100(Unknown Source)
      at sun.applet.AppletClassLoader$1.run(Unknown Source)
      at java.security.AccessController.doPrivileged(Native Method)
      ... 10 more
      Caused by: java.io.EOFException: SSL peer shut down incorrectly
      at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
      ... 23 more

      Could anybody help me figure out this problem? Thanks a lot~
   2.
      touska (Project Admin)

      2007-05-21 19:45:34 UTC
      Hi Eric,

      Are you getting an error on the wolfSSL side? If so, what is it? Do you get the same error/problem when you use the sample server (after changing the address and port, of course)?

      Thanks for the input,
      Todd
   3.
      lychen214

      2007-05-22 13:04:33 UTC
      Hi Todd

      Thanks for your quick reply.

      I don't get any error messages on the wolfssl side. All those error messages are copied from the java console. It seems that it can't finish the handshake procedure when using java to connect to the wolfssl side. The reason seems to be that java fails to get the jar or class files because the ssl handshake fails. But I can't point out exactly where the problem is. I tried adding some code to print something to the console on the wolfssl side.

      Success case:
      If I succeed in getting a web page, it prints
      ACCEPT_BEGIN
      ACCEPT_FIRST_REPLY_DONE
      SERVER_HELLO_DONE
      ACCEPT_SECOND_REPLY_DONE
      ACCEPT_FINISHED_DONE
      ACCEPT_THIRD_REPLY_DONE

      Fail case:
      If I try to get an applet web page, it only prints
      ACCEPT_BEGIN
      ACCEPT_FIRST_REPLY_DONE
      SERVER_HELLO_DONE

      Ordinarily the general web page could be displayed successfully.

      I will try more and post later. If you need any information from me, please let me know. Thanks a lot~
   4.
      touska (Project Admin)

      2007-05-23 19:52:22 UTC
      Hi Eric,

      One thing I can think of is that the applet web page is slow to respond with the client key exchange message and that your https server is using a non-blocking socket. In that case, SSL_accept() will return != SSL_SUCCESS and SSL_get_error() will return SSL_ERROR_WANT_READ and you'll need to restart SSL_accept() when the data is ready. If that's not the case, what is SSL_accept() returning and what does SSL_get_error() return?

      Thanks again for the info,
      Todd
   5.
      lychen214

      2007-05-24 09:35:06 UTC
      Hi Todd

      After a few tests, I found that SSL_get_error always returns PMS_VERSION_ERROR rather than SSL_ERROR_WANT_READ. It only happens when java starts the handshake with the wolfssl side. There seems to be a problem using java as the client. I don't know if the information is enough for you. If you need any other information from me, please feel free to let me know.

      ps. wolfssl version is 0.6.2

      Thanks a lot~
   6.
      touska (Project Admin)

      2007-05-24 18:07:57 UTC
      Hi Eric,

      Try using the newest version, although that's not going to help this problem. If you look at the code in wolfssl_int.c, the error is being set on the line:

      ret = PMS_VERSION_ERROR;

      because the first two elements of the Pre Master Secret don't match the major and minor version numbers of the Client Hello. The standard mandates this. I don't know why the java client is disobeying this. Which SSL/TLS version are you setting up the server with? Do you know which version the client is sending in the Client Hello and which version is being encoded in the Pre Master Secret that isn't matching?

      You can get these answers by breaking on the if statement above the ret = PMS_VERSION_ERROR line and checking chVersion (Client Hello Version) and preMasterSecret[0] and [1].

      You can work around this by commenting out the if statement and error set and always just doing a

      ret = MakeMasterSecret(ssl);

      but I don't know why that should be necessary.

      Regards,
      Todd
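
The version check described in the post above, as an added example that is not part of the original thread and not wolfSSL's own code: the first two bytes of the decrypted Pre Master Secret are compared with the version from the Client Hello. All names and byte values here are constructed for illustration (the thread does not report the actual bytes), and the Client Hello is assumed to be in SSLv3/TLS format, where the body starts with client_version.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PMS_LEN 48                 /* RSA pre-master secret: 2 version bytes + 46 random */
#define PMS_OK 0
#define PMS_BAD_INPUT (-1)
#define PMS_VERSION_MISMATCH (-2)  /* hypothetical stand-in for PMS_VERSION_ERROR */

typedef struct { uint8_t major, minor; } proto_version;

/* Read client_version from the first two bytes of a Client Hello body. */
static int client_hello_version(const uint8_t *body, size_t len, proto_version *out)
{
    if (body == NULL || out == NULL || len < 2) return PMS_BAD_INPUT;
    out->major = body[0];
    out->minor = body[1];
    return PMS_OK;
}

/* Compare the version the client offered with the one inside the decrypted PMS. */
static int check_pms_version(proto_version ch, const uint8_t *pms, size_t pms_len)
{
    if (pms == NULL || pms_len != PMS_LEN) return PMS_BAD_INPUT;
    /* OR the XOR of each byte pair so both bytes are always examined. */
    uint8_t diff = (uint8_t)((pms[0] ^ ch.major) | (pms[1] ^ ch.minor));
    return diff == 0 ? PMS_OK : PMS_VERSION_MISMATCH;
}

/* Constructed scenario: the hello offers 3.1, the PMS carries the given version. */
static int run_case(uint8_t pms_major, uint8_t pms_minor)
{
    uint8_t hello[34] = { 0x03, 0x01 };  /* client_version 3.1, then 32 random bytes (zeroed) */
    uint8_t pms[PMS_LEN] = { 0 };        /* constructed, not a real secret */
    proto_version ch;
    pms[0] = pms_major;
    pms[1] = pms_minor;
    if (client_hello_version(hello, sizeof hello, &ch) != PMS_OK) return PMS_BAD_INPUT;
    return check_pms_version(ch, pms, sizeof pms);
}

int main(void)
{
    printf("PMS 3.1 vs hello 3.1 -> %d\n", run_case(3, 1));
    printf("PMS 3.0 vs hello 3.1 -> %d\n", run_case(3, 0));
    return 0;
}
```

This comparison is what lets a server detect a version rollback, so skipping it removes that detection.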
   7.
      lychen214

      2007-05-25 06:03:11 UTC
      Hi Todd

      Many thanks for your suggestions. The problem is as you said. But it's entirely my fault for using the wrong initial function. After changing the server initial method from SSLv3_server_method to TLSv1_server_method, the applet page works. Anyway, it's been a very good experience using this library, and thanks again for your help.

      BR
      Eric
