Remote host closed connection during handshake

Submitted by rdill17 on Mon, 05/15/2017 - 13:53

Hi,

I'm in the process of writing a CPIP Connector to perform SSO with AcademicWorks, so I will probably create a number of threads here. For some reason, the SSL handshake is failing. I have set the logging level to TRACE. Here are the luminis.log messages.

2017-05-15 10:26:22,893 ERROR [http-bio-8443-exec-2] com.sghe.luminis.gcf.sso.authenticator.SSOOperationsImpl:227 authentication failed with exception:
com.sghe.luminis.gcf.exception.GCFException: java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at com.sghe.luminis.gcf.web.GCFConnectionManager.execute(GCFConnectionManager.java:88)
at com.sghe.luminis.gcf.sso.authenticator.HttpSteps.opGet(HttpSteps.java:535)
at com.sghe.luminis.gcf.sso.authenticator.HttpSteps.opExecuteSession(HttpSteps.java:1368)
at com.sghe.luminis.gcf.sso.authenticator.HttpSteps.opSession(HttpSteps.java:1477)
...

After the SSL connection fails, Luminis appears to enter an infinite loop. More from the luminis.log file.

2017-05-15 10:50:34,235 DEBUG [http-bio-8443-exec-4] com.sghe.luminis.gcf.sso.authenticator.SSOOperationsImpl:234 failed login to external system academicworks
2017-05-15 10:50:34,236 TRACE [http-bio-8443-exec-4] com.sghe.luminis.gcf.sso.authenticator.SSOOperationsImpl:238 }}}} authenticateUser
2017-05-15 10:50:35,410 DEBUG [http-bio-8443-exec-9] com.sghe.luminis.gcf.servlet.GCFActionHandler:99 perform active on academicworks
2017-05-15 10:50:35,412 DEBUG [http-bio-8443-exec-9] com.sghe.luminis.gcf.servlet.GCFActionHandler:885 JSON: {"gcfLogout":{"fail":"Fail","done":"Done","appToLogout":[],"success":"Success","header":"Logging out of any external applications accessed through Luminis"}}
2017-05-15 10:50:35,982 DEBUG [http-bio-8443-exec-7] com.sghe.luminis.gcf.servlet.GCFActionHandler:99 perform active on academicworks
2017-05-15 10:50:35,985 DEBUG [http-bio-8443-exec-7] com.sghe.luminis.gcf.servlet.GCFActionHandler:885 JSON: {"gcfLogout":{"fail":"Fail","done":"Done","appToLogout":[],"success":"Success","header":"Logging out of any external applications accessed through Luminis"}}
2017-05-15 10:50:36,542 DEBUG [http-bio-8443-exec-1] com.sghe.luminis.gcf.servlet.GCFActionHandler:99 perform active on academicworks
2017-05-15 10:50:36,545 DEBUG [http-bio-8443-exec-1] com.sghe.luminis.gcf.servlet.GCFActionHandler:885 JSON: {"gcfLogout":{"fail":"Fail","done":"Done","appToLogout":[],"success":"Success","header":"Logging out of any external applications accessed through Luminis"}}
2017-05-15 10:50:37,111 DEBUG [http-bio-8443-exec-15] com.sghe.luminis.gcf.servlet.GCFActionHandler:99 perform active on academicworks
2017-05-15 10:50:37,113 DEBUG [http-bio-8443-exec-15] com.sghe.luminis.gcf.servlet.GCFActionHandler:885 JSON: {"gcfLogout":{"fail":"Fail","done":"Done","appToLogout":[],"success":"Success","header":"Logging out of any external applications accessed through Luminis"}}
2017-05-15 10:50:37,665 DEBUG [http-bio-8443-exec-12] com.sghe.luminis.gcf.servlet.GCFActionHandler:99 perform active on academicworks
2017-05-15 10:50:37,668 DEBUG [http-bio-8443-exec-12] com.sghe.luminis.gcf.servlet.GCFActionHandler:885 JSON: {"gcfLogout":{"fail":"Fail","done":"Done","appToLogout":[],"success":"Success","header":"Logging out of any external applications accessed through Luminis"}}
2017-05-15 10:50:38,230 DEBUG [http-bio-8443-exec-14] com.sghe.luminis.gcf.servlet.GCFActionHandler:99 perform active on academicworks
2017-05-15 10:50:38,232 DEBUG [http-bio-8443-exec-14] com.sghe.luminis.gcf.servlet.GCFActionHandler:885 JSON: {"gcfLogout":{"fail":"Fail","done":"Done","appToLogout":[],"success":"Success","header":"Logging out of any external applications accessed through Luminis"}}
2017-05-15 10:50:38,885 DEBUG [http-bio-8443-exec-20] com.sghe.luminis.gcf.servlet.GCFActionHandler:99 perform active on academicworks
2017-05-15 10:50:38,887 DEBUG [http-bio-8443-exec-20] com.sghe.luminis.gcf.servlet.GCFActionHandler:885 JSON: {"gcfLogout":{"fail":"Fail","done":"Done","appToLogout":[],"success":"Success","header":"Logging out of any external applications accessed through Luminis"}}

Finally, here's the code for the .xml file.

<operations>
  <authenticate>
    <CLIENT>
      <SESSION a:server="${properties.externalSystemURL}" >
        <GET a:url="https://cameron.academicworks.com/users/shibboleth/init" a:query="" a:redirects="yes" />
        <!-- Grab the URL to post to. This is accomplished by grabbing the get url from the
             header of the HTML page. -->
        <SEARCH a:symbol="post_url" a:source="${_RESPONSE}" a:value="${_VALUE}" >
          <GRABFROMHEADER a:name="Referer" a:start="camcas.cameron.edu:8443" a:end="" />
        </SEARCH>
        <!-- Consider the first form the login form -->
        <LOADFORM a:symbol="LoginForm" a:tagname="" />
        <SET a:symbol="LoginForm.j_username" a:value="${_USERNAME}" />
        <SET a:symbol="LoginForm.j_password" a:value="${_PASSWORD}" />
        <!-- Post the login form -->
        <POST a:url="${post_url}" a:query="" a:redirects="yes">
          <PARAM a:list="LoginForm" />
        </POST>
        <RESULT a:value="FALSE" />
      </SESSION>
    </CLIENT>
  </authenticate>
  <!-- Logout URL is https://cameron.academicworks.com/sign_out -->
  <deauthenticate>
    <CLIENT>
      <SESSION a:server="${properties.externalSystemURL}" >
        <RESULT a:value="TRUE" />
      </SESSION>
    </CLIENT>
  </deauthenticate>
  <lastActive>
    <CLIENT>
      <SESSION a:server="${properties.externalSystemURL}" >
        <RESULT a:value="FALSE" />
      </SESSION>
    </CLIENT>
  </lastActive>
  <checkstate>
    <CLIENT>
      <SESSION a:server="${properties.externalSystemURL}" >
        <RESULT a:value="FALSE" />
      </SESSION>
    </CLIENT>
  </checkstate>
</operations>

And the code for the .properties file.

###########################################################################################
# External System Properties
###########################################################################################

academicworks.externalSystemName = academicworks
academicworks.systemdescription = AcademicWorks
academicworks.hostname = https://cameron.academicworks.com

# By default, following a successful GCF authenticate and pickup operation,
# the system will redirect the user's browser to the URL specified in the
# academicworks.externalSystemURL property.
academicworks.externalSystemURL = https://cameron.academicworks.com
# academicworks.convertSiteCookies = false
academicworks.requesttimeout.seconds = 30

academicworks.sso.operations.class = com.sghe.luminis.gcf.sso.authenticator.SSOOperationsImpl
academicworks.urlBase = ${cpipconnector.urlBase}/${academicworks.externalSystemName}

# academicworks.cpipconnector.getconfig.sessionPlaceHolder = sessionPlaceHolder
academicworks.cpipconnector.getconfig.useSISCredentials = false
academicworks.cpipconnector.getconfig.usePDSCredentials = false
academicworks.cpipconnector.getconfig.shortcircuitlogin = true

# Makes the authenticate URL look like
# /luminis/gcf/sakai/authenticate?url=http://sakaihost.edu:8080/portal/site/mercury
academicworks.pickup.destURLParameter = url

Does anyone here know why the SSL handshake is failing? Is there anything wrong with the authenticate portion of the code that I provided?

Luminis Version:

After talking with Ellucian, I discovered that the SSL handshake fails because Academic Works (AW) has disabled TLS 1.0. AW uses TLS 1.1 and 1.2. These protocols are not supported by the current CPIP Connector, and there's no option to enable support for them. If you need SSO with a server using TLS 1.1 or higher, you're out of luck.

That is correct - you would need an updated JDK to support the updated SSL protocols and cipher lengths.

Tom

I'm fighting a similar issue. Java 8 will not be supported with LP5.3 until Oct/Dec according to the roadmap released a few days ago. But we have vendors already trying to force TLS 1.2 only, and our code running under the Luminis webapp is breaking.

Has anyone figured out a way to enable TLS 1.2 for Java 7? I'm seeing lots of articles about it, but nothing I've tried has worked so far.

Tried this:

tomcat_liferay.sh:CATALINA_OPTS="$CATALINA_OPTS -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Ddeployment.security.TLSv1.2=true"

No luck.