Java SSL: Invalid service principal name

Question

On my game's Java server I ran 'sudo yum update' and now I am getting the following error when trying to connect via my game client:

[2015-07-26 01:58:12] [Thread-2] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
[2015-07-26 01:58:12] [Thread-2] INFO -    Remote address = /54.165.60.189
[2015-07-26 01:58:12] [Thread-2] INFO -    Remote port = 34215
[2015-07-26 01:58:12] [Thread-2] INFO -    Local socket address = /192.168.1.4:59805
[2015-07-26 01:58:12] [Thread-2] INFO -    Local address = /192.168.1.4
[2015-07-26 01:58:12] [Thread-2] INFO -    Local port = 59805
[2015-07-26 01:58:12] [Thread-2] INFO -    Need client authentication = false
[2015-07-26 01:58:17] [Thread-2] INFO -    Cipher suite = SSL_NULL_WITH_NULL_NULL
[2015-07-26 01:58:17] [Thread-2] INFO -    Protocol = NONE
[2015-07-26 01:58:17] [Thread-2] FATAL - (SSLSocket) factory.createSocket
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.SSLSocketImpl.checkEOF(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.checkWrite(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.jayavon.game.client.an.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source)
    at com.jayavon.game.client.KisnardOnline.a(Unknown Source)
    ... 2 more
Caused by: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.getServiceTicket(Unknown Source)
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.<init>(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    ... 5 more
Caused by: KrbException: KrbException: Cannot locate default realm
    at sun.security.krb5.Realm.getDefault(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    ... 15 more
Caused by: KrbException: Cannot locate default realm
    at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
    ... 18 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
    at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)
    ... 19 more

5 days ago this is what I saw when connecting to my game server from my client:

[2015-07-21 00:07:34] [Thread-2] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
[2015-07-21 00:07:34] [Thread-2] INFO -    Remote address = /54.165.60.189
[2015-07-21 00:07:34] [Thread-2] INFO -    Remote port = 34215
[2015-07-21 00:07:34] [Thread-2] INFO -    Local socket address = /192.168.1.4:61480
[2015-07-21 00:07:34] [Thread-2] INFO -    Local address = /192.168.1.4
[2015-07-21 00:07:34] [Thread-2] INFO -    Local port = 61480
[2015-07-21 00:07:34] [Thread-2] INFO -    Need client authentication = false
[2015-07-21 00:07:34] [Thread-2] INFO -    Cipher suite = TLS_DH_anon_WITH_AES_128_CBC_SHA256
[2015-07-21 00:07:34] [Thread-2] INFO -    Protocol = TLSv1.2

I thought it was that my keystore.jks file's certificate had expired, but I even tried to update with the certificate I just updated with startssl to no avail. Any help would be so appreciated.

Ideally I would like to fix this (so I can continue to update my EC2 server).

EDIT

I found the following java update in the list of my last updates with the following command: rpm -qa --last

java-1.7.0-openjdk-1.7.0.85-2.6.1.3.61.amzn1.x86_64 Sun 26 Jul 2015 12:23:17 AM EDT

EDIT2

Client:

[2015-08-04 08:32:16] 15 [main] INFO - java.version: 1.8.0_20
[2015-08-04 08:32:17] 1028 [AWT-EventQueue-0] DEBUG - conf/
[2015-08-04 08:32:17] 1185 [main] INFO - Contacting Download Server...
...
[2015-08-04 08:32:57] 40786 [main] INFO - Finished updating game files!
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DH_anon_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_NULL_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_NULL_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Remote address = /54.165.60.189
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Remote port = 34215
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Local socket address = /192.168.1.8:56729
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Local address = /192.168.1.8
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Local port = 56729
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Need client authentication = false
[2015-08-04 08:33:12] 55873 [Thread-2] INFO -    Cipher suite = SSL_NULL_WITH_NULL_NULL
[2015-08-04 08:33:12] 55873 [Thread-2] INFO -    Protocol = NONE
[2015-08-04 08:33:12] 55889 [Thread-2] FATAL - (SSLSocket) factory.createSocket
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.SSLSocketImpl.checkEOF(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.checkWrite(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.jayavon.game.client.an.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source)
    at com.jayavon.game.client.KisnardOnline.a(Unknown Source)
    ... 2 more
Caused by: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.getServiceTicket(Unknown Source)
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.<init>(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    ... 5 more
Caused by: KrbException: KrbException: Cannot locate default realm
    at sun.security.krb5.Realm.getDefault(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    ... 15 more
Caused by: KrbException: Cannot locate default realm
    at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
    ... 18 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
    at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)
    ... 19 more

Server:

65795 [main] DEBUG - handleConnections thread started
65795 [main] DEBUG - Server is running on port 34215
124540 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
124541 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
124542 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
124542 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
124542 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
124543 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
124543 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
124544 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
124544 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
124544 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
124544 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
124545 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
124545 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_NULL_SHA256
124545 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_SHA
124545 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_MD5
124545 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
124545 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
124545 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
124548 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
124548 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
124548 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
125142 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA256
125152 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_NULL_SHA256
125156 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_SHA
125156 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_MD5
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
126102 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
126103 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
126104 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
126104 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
126104 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
126105 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
126105 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
126106 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
126106 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_NULL_SHA256
126106 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_MD5
126106 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
126106 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
126107 [connectionHandlerThread] INFO - Server socket class: class sun.security.ssl.SSLServerSocketImpl
126107 [connectionHandlerThread] INFO -    Socket address = 0.0.0.0/0.0.0.0
126107 [connectionHandlerThread] INFO -    Socket port = 34215
126108 [connectionHandlerThread] INFO -    Need client authentication = false
126108 [connectionHandlerThread] INFO -    Want client authentication = false
126108 [connectionHandlerThread] INFO -    Use client mode = false
126108 [connectionHandlerThread] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
126108 [connectionHandlerThread] INFO -    Remote address = /173.54.54.76
126108 [connectionHandlerThread] INFO -    Remote port = 56729
126108 [connectionHandlerThread] INFO -    Local socket address = /172.31.25.254:34215
126108 [connectionHandlerThread] INFO -    Local address = /172.31.25.254
126108 [connectionHandlerThread] INFO -    Local port = 34215
126109 [connectionHandlerThread] INFO -    Need client authentication = false
131889 [connectionHandlerThread] INFO -    Cipher suite = SSL_NULL_WITH_NULL_NULL
131889 [connectionHandlerThread] INFO -    Protocol = NONE
131890 [connectionHandlerThread] FATAL - Socket connection could not be made!!
131890 [connectionHandlerThread] ERROR - client bad connection
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
        at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1508)
        at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1520)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
        at com.jayavon.game.server.MyServer.handleConnections(MyServer.java:4770)
        at com.jayavon.game.server.MyServer.access$0(MyServer.java:4739)
        at com.jayavon.game.server.MyServer$1.run(MyServer.java:435)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1991)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1098)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
        at sun.security.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:2233)
        at com.jayavon.game.server.MyServer.printSocketInfo(MyServer.java:4725)
        at com.jayavon.game.server.MyServer.handleConnections(MyServer.java:4758)
        ... 3 more

Maybe the keyUsage on your cert is bad? Try following http://stackoverflow.com/a/12150604/2646526 — heenenee, Jul 29 '15 at 02:58
Which java version are you using? Did java get updated? Note that the Cipher suite is not listed properly in the error. — Grasshopper, Jul 29 '15 at 11:34
Java version 1.7.0_85... i found that same post, but dont use openssl. I am trying to remember how I created my key :X. My goal is to protect my mmorpg (Java Client/Java Server) so when someone logs into their account using my java fat client there is no snooping, etc. — KisnardOnline, Jul 29 '15 at 17:20

score 7 · Accepted Answer · edited May 23 '17 at 12:32

Originally (i.e. before you updated your system via rpm), you used the Cipher suite TLS_DH_anon_WITH_AES_128_CBC_SHA256 which has no Diffie-Hellman Key-Exchange authentication in place. (Note: A protocol that is susceptible to Man-in-the-Middle attacks)

According to the Red Hat Customer Portal and to Amazon Linux AMI Security Center) a critical java-1.7.0-openjdk security update was released recently. You most certainly are experiencing the above problems due to this issue, described here:

A flaw was found in the way the TLS protocol composed the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them do decrypt all traffic. (CVE-2015-4000)

Note: This update forces the TLS/SSL client implementation in OpenJDK to reject DH key sizes below 768 bits, which prevents sessions to be downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211, linked to in the References section, for additional details about this change.

This explains - at least to some extent - why you're now getting Cipher suite = SSL_NULL_WITH_NULL_NULL since it seems that the original cipher suite is no longer available on your system (or it has been disabled now). This is also supported by: Protocol = NONE in the output you provided.

The 'Java Cryptography Architecture Oracle Providers Documentation for Java Platform Standard Edition 7' overview document has your original cipher suite also in the Default Disabled Cipher Suites list. So I think that the OpenJDK implementation did fix this security issue accordingly (see above URL references).

In general, this security fix for Java relates to the so called Logjam attack and the recommendation is:

Make sure any TLS libraries you use are up-to-date, that servers you maintain use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit

As a solution idea, maybe you could just change the SSL/Encryption settings of your Game-application (client and/or server) to use a non-DH-anon cipher suite?

Have a look at the Default Enabled Cipher Suites in the documentation provided by Oracle or have a look at the simple yet effective tool to detect Enabled ciphers on Ubuntu OpenJDK 7 provided by @dolmen.

Edit 1:

Have a look at this StackOverflow post and the answer by @EJP It looks very similar to your StackTrace (*hooray!). It seems that you better...

Don't mess with the enabled cipher suites. Take that code out and retest. You've enabled the anonymous suites, via which there is no authentication at all in either direction.

So you might change your code to not use setEnabledCipherSuites(..) explicitly as it enables cipher-suites not enabled by default ("DH-anon"...). Try to check what is the result if you take out these lines of code, as described.

Maybe go for TLS_ECDH_anon_WITH_AES_128_CBC_SHA as cipher suite (no classic DH parameters here). But, therefore you should update to OpenJDK 8 or Oracle JRE/JDK 8 on your server side, as this is not available in OpenJDK 7 (see your server debug log output).

Hope, it helps.

Thank you so much for the information!!! Here is my issue: I am already enabling all of the supported cipher suites. Is there anything else I can do to enable more? String[] suites = sC.getSupportedCipherSuites(); sC.setEnabledCipherSuites(suites); — KisnardOnline, Aug 03 '15 at 13:23
What is the output of "getSupportedCipherSuites()"? Which suites are in that array? Could you verify that your client side can use a CipherSuite that your server application supports as well? — MWiesner, Aug 03 '15 at 18:08
I will need to check later when I get home. If I am using both java 1.7 on client and server shouldn't there be something in common? Do I need to download additional cipher suites or something? — KisnardOnline, Aug 03 '15 at 18:25
you need to verify the "vendor", the "version" and the "ciphersuites" of both. there is a mismatch somewhere since the update, see links that I gave in my answer. — MWiesner, Aug 03 '15 at 19:04
I understand what you are saying - and I will look further into it when I get home. My question is, what do you do if there is nothing in common? What would cause that when using the same exact version of java? — KisnardOnline, Aug 03 '15 at 19:37
I have provided EDIT2 which contains the cipher suites used for both the client and the server. Running a compare in Notepad++ I found there are 34 suites in common. Let me know if you need more detail :D and thank you soooooo much for all of the help so far!!! — KisnardOnline, Aug 04 '15 at 15:32
Edited my answer. Take a look, it looks rather similar to your stacktrace and the solution might be quite simple? — MWiesner, Aug 04 '15 at 15:49
If i recall I had issues without those lines of code and that is why they were added. I will give it a shot tonight and go from there. I will update here as necessary. I am awarding you my bounty even though my issue is not resolved, as a thanks for all of your help. I think I am pointed in the correct direction to be able to figure this out. Swing by my game sometime - hopefully the server will be up :D — KisnardOnline, Aug 04 '15 at 18:46

Java SSL: Invalid service principal name

1 Answers1