javax.net.ssl.SSLException: Unsupported record version Unknown-47.115
Description
Environment
Activity
Daryl Herzmann December 13, 2016 at 8:33 PM(edited)
This "issue" is back again; a current master build WARN log entry:
2016.12.13 20:13:40 WARN [Server SR - 877268634]: org.jivesoftware.openfire.net.SocketReadingMode - An exception occurred while performing STARTTLS negotiation (with: org.jivesoftware.openfire.net.SocketConnection@6c91411d socket: Socket[addr=/45.79.172.72,port=58148,localport=5269] session: org.jivesoftware.openfire.session.LocalIncomingServerSession@7d992572 status: 1 address: igniterealtime.org/a0f97r5rie id: a0f97r5rie)
javax.net.ssl.SSLException: Unsupported record version Unknown-47.115
at sun.security.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:116)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:849)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:762)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:241)
at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:178)
at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:195)
at org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode.java:87)
at org.jivesoftware.openfire.net.BlockingReadingMode.readStream(BlockingReadingMode.java:138)
at org.jivesoftware.openfire.net.BlockingReadingMode.run(BlockingReadingMode.java:76)
at org.jivesoftware.openfire.net.SocketReader.run(SocketReader.java:145)
at java.lang.Thread.run(Thread.java:745)
Guus der Kinderen December 17, 2015 at 12:14 AM
The change in this PR should make the exception message more descriptive: https://github.com/igniterealtime/Openfire/pull/461
Guus der Kinderen December 8, 2015 at 8:53 PM
What the RFC is not clear on is what the initiating party should do in both instances. Where the receiving party is closing the socket without sending data, it's probably best to not send data as the initiating party either?
Guus der Kinderen December 8, 2015 at 7:51 PM
I am experimenting with a fix in this pull request: https://github.com/igniterealtime/Openfire/pull/439/
Guus der Kinderen December 8, 2015 at 6:29 PM
So, according to RFC6120, there is a significant difference between:
section 5.4.2.2 Failure Case, such as malformed commands and internal server errors.
section 5.4.3.2 STARTTLS Failure, which includes TLS errors such as bad_certificate or handshake_failure.
There is an important difference in how the receiving entity should respond. section 5.4.2.2 Failure Case states:
MUST return a <failure/> element (...) close the XML stream, and terminate the underlying TCP connection.
On the other hand, section 5.4.3.2 STARTTLS Failure reads:
MUST terminate the TCP connection (...) MUST NOT send a closing </stream> tag before terminating the TCP connection
I don't believe that Openfire makes a distinction between Failure Case and STARTTLS Failure: STARTTLS is assumed successful, unless an exception is thrown. Handling of both cases is probably similar in each implementation (S2S and C2S have different implementations) - from what I gather (in SocketReadingMode.java), Openfire always sends a <failure/> element.
Is the root cause of this issue the lack of distinct handling of both cases?
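Added illustration, not Openfire's code and not part of this thread: the two RFC 6120 paths the comment above distinguishes, plus a helper that reads JSSE's "Unknown-A.B" text as the two raw bytes it took for the record version. The class name, and using SSLException as the trigger for the STARTTLS-failure path, are assumptions.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLException;

/** Hypothetical helper, not Openfire code. */
public final class StartTlsFailure {

    private static final Pattern UNKNOWN_VERSION = Pattern.compile("Unknown-(\\d+)\\.(\\d+)");

    /** RFC 6120 section 5.4.2.2 (Failure Case): the stream is still plaintext XML. */
    static void failBeforeTls(Socket socket) throws IOException {
        OutputStream out = socket.getOutputStream();
        out.write(("<failure xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
                 + "</stream:stream>").getBytes(StandardCharsets.UTF_8));
        out.flush();
        socket.close();
    }

    /** RFC 6120 section 5.4.3.2 (STARTTLS Failure): the handshake itself broke. */
    static void failDuringTls(Socket socket) throws IOException {
        // MUST NOT send </stream:stream>: the peer's TLS engine would read the
        // plaintext tag as a malformed record rather than as an XMPP close.
        socket.close();
    }

    /** Pick the path by what failed, instead of always sending <failure/>. */
    static void handleFailure(Socket socket, Exception cause) throws IOException {
        if (cause instanceof SSLException) {
            failDuringTls(socket);
        } else {
            failBeforeTls(socket);
        }
    }

    /** A and B in "Unknown-A.B" are the decimal values of the record's two version bytes. */
    static String decodeUnknownVersion(String message) {
        Matcher m = UNKNOWN_VERSION.matcher(message);
        if (!m.find()) {
            return "no Unknown-A.B marker in message";
        }
        int a = Integer.parseInt(m.group(1));
        int b = Integer.parseInt(m.group(2));
        return String.format("version bytes 0x%02x 0x%02x = ASCII \"%c%c\" (a TLS record carries 0x03 here)",
                a, b, (char) a, (char) b);
    }

    public static void main(String[] args) {
        // Constructed input: the message from this issue's title.
        System.out.println(decodeUnknownVersion("Unsupported record version Unknown-47.115"));
    }
}
```

For the title's message this prints the bytes 0x2f 0x73, i.e. ASCII "/s", so the first record JSSE saw was plaintext rather than a TLS handshake.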
A commonly logged error from Openfire:
2014.05.06 13:28:13 org.jivesoftware.openfire.net.SocketReadingMode - Error while negotiating TLS: org.jivesoftware.openfire.net.SocketConnection@2491601c socket: Socket[addr=/204.93.66.11,port=50320,localport=5269] session: org.jivesoftware.openfire.session.LocalIncomingServerSession@2615416b status: 1 address: igniterealtime.org/e371022 id: e371022
javax.net.ssl.SSLException: Unsupported record version Unknown-47.115
at sun.security.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:116)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:845)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:222)
at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:168)
at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:182)
at org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode.java:85)
at org.jivesoftware.openfire.net.BlockingReadingMode.readStream(BlockingReadingMode.java:138)
at org.jivesoftware.openfire.net.BlockingReadingMode.run(BlockingReadingMode.java:76)
at org.jivesoftware.openfire.net.SocketReader.run(SocketReader.java:137)
at java.lang.Thread.run(Thread.java:745)