
I am using weblogic server which has keystores in use like :


Now when my application running on this server tries to download images from another server, it throws javax.net.ssl.SSLHandshakeException: General SSLEngine problem

I have added the server certificates to both DemoTrust.jks and the JDK CACERTS using this link : after adding the certificates, it looks like :


And java certs has


As suggested by different posts, I have also added to startWeblogic.cmd

```
set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.security.SSL.verbose=true
set JAVA_OPTIONS=%JAVA_OPTIONS% -Dweblogic.security.SSL.enable.renegotiation=true
set JAVA_OPTIONS=%JAVA_OPTIONS% -Dsun.security.ssl.allowUnsafeRenegotiation=true
```

Am I missing something ? Any Suggestions ?

Edit 1 : Adding exception stacktrace

```
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1529)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
    at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
    at weblogic.security.SSL.jsseadapter.JaSSLEngine$1.run(JaSSLEngine.java:69)
    at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:743)
    at weblogic.security.SSL.jsseadapter.JaSSLEngine.wrap(JaSSLEngine.java:67)
    at weblogic.socket.JSSEFilterImpl.wrapAndWrite(JSSEFilterImpl.java:771)
    at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:119)
    at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:87)
    at weblogic.socket.JSSESocket.startHandshake(JSSESocket.java:250)
    at weblogic.net.http.HttpsClient.New(HttpsClient.java:577)
    at weblogic.net.http.HttpsClient.New(HttpsClient.java:557)
    at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:265)
    at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:651)
    at org.jsoup.helper.HttpConnection$Response.execute(HttpConnection.java:628)
    at org.jsoup.helper.HttpConnection.execute(HttpConnection.java:260)
    at org.jsoup.helper.HttpConnection.get(HttpConnection.java:249)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at com.oracle.pitchfork.intercept.MethodInvocationInvocationContext.proceed(MethodInvocationInvocationContext.java:101)
    at com.oracle.pitchfork.intercept.JeeInterceptorInterceptor.invoke(JeeInterceptorInterceptor.java:101)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at com.oracle.pitchfork.intercept.MethodInvocationInvocationContext.proceed(MethodInvocationInvocationContext.java:101)
    at org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:73)
    at org.jboss.weld.ejb.SessionBeanInterceptor.aroundInvoke(SessionBeanInterceptor.java:52)
    at sun.reflect.GeneratedMethodAccessor235.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at com.oracle.pitchfork.intercept.JeeInterceptorInterceptor.invoke(JeeInterceptorInterceptor.java:94)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.doProceed(DelegatingIntroductionInterceptor.java:133)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:121)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
    at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
    at com.sun.proxy.$Proxy254.execute(Unknown Source)
    at weblogic.ejb.container.internal.SessionLocalMethodInvoker.invoke(SessionLocalMethodInvoker.java:33)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:330)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:992)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:989)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1467)
    at weblogic.socket.JSSEFilterImpl.doTasks(JSSEFilterImpl.java:223)
    at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:123)
    ... 44 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:105)
    at weblogic.security.SSL.jsseadapter.JaTrustManager.checkServerTrusted(JaTrustManager.java:128)
    at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:999)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1601)
    ... 52 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 60 more
```

kAmol
  • SHA-1 keys are different, maybe because they were exported and added on different dates. But when I tried to add them again, it gave me an error that it already exists. – kAmol Dec 13 '20 at 09:57
  • To add: it worked up to yesterday after importing the certificates, but after restarting the laptop and the WebLogic server, I am facing this issue – kAmol Dec 13 '20 at 10:05
  • Let's try to understand what is actually happening during the handshake process. For that we need the logs of it. Could you start your server with the following parameters: `-Djavax.net.debug=SSL,keymanager,trustmanager,ssl:handshake` and share the full logs including the part when the request has been executed to the other server? – Hakan54 Dec 13 '20 at 10:27
  • @Hakan54 added stacktrace – kAmol Dec 13 '20 at 13:54
  • A bit late from my side. I have the feeling that the ssl configuration you have provided is only being used for the server. However the server is executing a https request to another server with a http client. I don't think that http client within the server has a ssl configuration present. Can you maybe share how the external request is being constructed and executed? – Hakan54 Dec 18 '20 at 14:49
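
Added example, not part of the original thread: a small Java diagnostic that runs the same JDK PKIX path building named at the bottom of the stack trace against one trust store file, so you can see whether the chain the remote server presents anchors in DemoTrust.jks or in cacerts. The class name `TrustPathCheck` and its three command-line arguments (trust store path, store password, a PEM file holding the server's chain with the leaf first) are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;

// Added diagnostic, not code from the thread. Arguments are placeholders:
//   java TrustPathCheck <truststore.jks> <storepass> <server-chain.pem>
public class TrustPathCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustPathCheck <truststore> <storepass> <chain.pem>");
            System.exit(2);
        }
        // Trust store a default JSSE client in this JVM would use; null means the JDK default (cacerts).
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));

        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            trust.load(in, args[1].toCharArray());
        }
        // Chain as presented by the server, leaf first (one or more PEM certificates).
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[2])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(trust, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false); // path building only, no CRL/OCSP lookups
        try {
            PKIXCertPathBuilderResult r =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("OK, anchored at: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("FAILED: " + e.getMessage());
            for (X509Certificate c : chain) { // what the server sent
                System.out.println("  presented: " + c.getSubjectX500Principal() + " <- issued by " + c.getIssuerX500Principal());
            }
            for (String alias : Collections.list(trust.aliases())) { // what this store trusts
                if (trust.isCertificateEntry(alias)) {
                    System.out.println("  trusted:   " + alias + " = "
                        + ((X509Certificate) trust.getCertificate(alias)).getSubjectX500Principal());
                }
            }
        }
    }
}
```

Running it once per trust store shows which store, if any, can anchor the chain; on failure, compare the last "issued by" name with the listed trusted subjects to find the missing CA certificate.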

1 Answer


Hello to whoever is still looking for an answer,

Hope this helps you.

I also had a similar issue running my application in JDeveloper 12.2.1.4.0.

Let me explain my situation and solution.

My application in JDeveloper calls a REST API running on a remote server. I downloaded the cert from the browser by loading the remote server URL. I uploaded it to the DemoTrust.jks file in the Oracle middleware folder. While running the application, I can see the remote server cert appearing in the JDev logs (after turning on SSL debugging), but the application was still facing javax.net.ssl.SSLHandshakeException: General SSLEngine error while calling the remote server REST API. I verified that the certificate is not expired.

In Weblogic admin console, I turned off Use KSS demo flag (Under Domain -> Security -> Advanced).

I have also set Hostname verification to None in SSL because it's a wildcard certificate (Servers -> DefaultServer -> SSL -> Advanced). Still getting the SSLEngine problem. I found one more thing that needs to be set correctly.

The remote server is running within the corp network. I found that the proxy in JDeveloper preferences is set to automatic. I set it to None (of course the test connection will fail and it's OK) and restarted the server. With all of this configuration in place, the application is able to connect to the REST API.