CatalogueOfLife / checklistbank

UI for checklistbank.org
https://www.checklistbank.org/

javax.net.ssl.SSLHandshakeException error while SSL certificate is valid #1295

Closed marijn-naturalis closed 9 months ago

marijn-naturalis commented 9 months ago

The dataset page of Dutch Species Register mentions an error:

Last Import Job of this dataset failed. DownloadException: Download of https://api.biodiversitydata.nl/v2/taxon/dwca/getDataSet/nsr failed. javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version; SSLHandshakeException: Received fatal alert: protocol_version

The error suggests an SSL certificate issue, but the certificate we (at Naturalis Biodiversity Center) use is valid and in order. It can be checked at https://www.ssllabs.com/ssltest/analyze.html?d=api.biodiversitydata.nl.

So we presume this error is caused by a bug in ChecklistBank.

mdoering commented 9 months ago

Looks like some TLS protocol version mismatch for some reason.

% openssl s_client -connect api.biodiversitydata.nl:443 

CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api.biodiversitydata.nl
verify return:1
---
Certificate chain
 0 s:CN = api.biodiversitydata.nl
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 10 07:28:51 2023 GMT; NotAfter: Jan  8 07:28:50 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=CN = api.biodiversitydata.nl
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5025 bytes and written 389 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 4096 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: EAB5713BD7908CDC2DFCBE4F47178EDACA42EBE0261F8DD3D95B3AFD2E889397
    Session-ID-ctx: 
    Resumption PSK: EFAA09BB37221E0292B28CA87115301CA292B571B0211BD91A8404941999FF20
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - a0 63 54 01 6d 61 89 09-69 1c e2 73 42 aa a6 8e   .cT.ma..i..sB...
    0010 - 9e ae 50 7c 2a 8c bd cb-b3 f3 95 b5 37 98 61 ef   ..P|*.......7.a.
    0020 - da b5 60 39 3f cf 32 c3-ee 0a 8c 97 40 b6 d0 98   ..`9?.2.....@...
    0030 - 6a 79 db 1a c8 ed b2 1a-f6 84 ed 96 32 15 6c 3a   jy..........2.l:
    0040 - 2c 02 cf 23 a5 cc 5f 98-b1 da d0 94 de a6 95 0e   ,..#.._.........
    0050 - d3 17 b9 58 62 98 f5 0a-8c 3e b3 d7 00 30 d0 88   ...Xb....>...0..
    0060 - 04 bd 87 2c 5a b7 ea 0f-31 e4 70 3e e2 0e 33 b6   ...,Z...1.p>..3.
    0070 - 46                                                F

    Start Time: 1696928346
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0

Looks like TLSv1.3 is expected

mdoering commented 9 months ago

I think I found the problem. Dropwizard defaults to TLSv1.2 when you apply some SSL configs like allowing self-signed certificates, which we want to do. That default causes v1.3 not to work. I have removed it in code now, a bit hacky, but impossible to fix with configs only.
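To make the protocol-version point above concrete, here is an added example (not code from ChecklistBank or from Dropwizard) written against plain JSSE and `java.net.http.HttpClient`. It shows that an `SSLContext` created with the name `"TLSv1.2"` does not enable TLSv1.3 in its default parameters, whereas a context named `"TLS"` does, which is the kind of mismatch that produces a `protocol_version` alert from a server that only speaks TLS 1.3. It also shows the alternative to switching certificate verification off for a self-signed endpoint: trusting that one certificate explicitly while keeping hostname verification on. The PEM path, the class name and the test URL are assumptions; the `TlsVersionCheck` class is hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (hypothetical class, not project code): compare which TLS
 * versions JSSE enables for differently named SSLContexts, and probe a server
 * with TLS 1.2 only and TLS 1.3 only to see which one it accepts.
 */
public class TlsVersionCheck {

    /** Protocols JSSE enables by default for a context of the given name. */
    static String[] defaultProtocols(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // JDK default key and trust managers
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    /**
     * Builds a context named "TLS" (TLS 1.3 enabled). With pemPath == null it
     * trusts the platform CA store; otherwise it trusts only the one
     * certificate in that PEM file, e.g. a known self-signed server cert.
     * Either way verification stays on: no trust-all TrustManager.
     */
    static SSLContext contextTrusting(String pemPath) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (pemPath == null) {
            tmf.init((KeyStore) null);
        } else {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null); // empty in-memory trust store
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (InputStream in = new FileInputStream(pemPath)) { // assumed path
                X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
                ks.setCertificateEntry("pinned-self-signed", cert);
            }
            tmf.init(ks);
        }
        SSLContext ctx = SSLContext.getInstance("TLS"); // not "TLSv1.2"
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Client restricted to exactly the given protocol versions. */
    static HttpClient client(SSLContext ctx, String... protocols) {
        SSLParameters params = new SSLParameters();
        params.setProtocols(protocols);
        // Keep hostname verification explicit when supplying custom parameters.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        return HttpClient.newBuilder()
                .sslContext(ctx)
                .sslParameters(params)
                .connectTimeout(Duration.ofSeconds(10))
                .build();
    }

    public static void main(String[] args) throws Exception {
        // TLSv1.3 appears in the second list but not the first.
        System.out.println("\"TLSv1.2\" context enables: "
                + Arrays.toString(defaultProtocols("TLSv1.2")));
        System.out.println("\"TLS\"     context enables: "
                + Arrays.toString(defaultProtocols("TLS")));
        if (args.length == 0) {
            return;
        }
        String url = args[0];                          // e.g. an https:// URL to probe
        String pem = args.length > 1 ? args[1] : null; // optional self-signed cert PEM
        HttpRequest head = HttpRequest.newBuilder(URI.create(url))
                .method("HEAD", HttpRequest.BodyPublishers.noBody())
                .build();
        for (String proto : new String[] {"TLSv1.2", "TLSv1.3"}) {
            try {
                HttpResponse<Void> resp = client(contextTrusting(pem), proto)
                        .send(head, HttpResponse.BodyHandlers.discarding());
                System.out.println(proto + " only: HTTP " + resp.statusCode());
            } catch (SSLHandshakeException e) {
                // A TLS 1.3-only server answers the TLSv1.2-only probe with
                // "Received fatal alert: protocol_version".
                System.out.println(proto + " only: handshake failed: " + e.getMessage());
            }
        }
    }
}
```

Run it without arguments to see the two protocol lists, or with a URL (and optionally a PEM file) to probe a server the same way `openssl s_client -tls1_2` / `-tls1_3` would. The practitioner check here is twofold: pick the context name or explicit protocol list that includes TLSv1.3 rather than pinning the client to 1.2, and when a self-signed endpoint must be accepted, add that specific certificate to the trust store instead of installing a TrustManager that accepts everything.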

mdoering commented 9 months ago

It is working on dev now, prod deployment coming soon

mdoering commented 9 months ago

imports succeeded on dev: https://www.dev.checklistbank.org/dataset/2014/about

marijn-naturalis commented 8 months ago

I see that import has now also succeeded on production. Thanks for addressing this issue so quickly!