Connection Reset Exception - CloseableHttpClient

I need to be able to post via an ssl connection.  The code below gives a "connection reset" exception.  Beneath the code is the stack trace, and the substance of the javax.net.debug output.  Does anyone recognize what's wrong here?


 // Imports assumed for the fragment below (Apache HttpClient 4.3-era API, which is
 // what the X509HostnameVerifier constant used further down belongs to).
 import java.io.File;
 import java.io.FileInputStream;
 import java.security.KeyStore;
 import javax.net.ssl.SSLContext;
 import org.apache.http.HttpEntity;
 import org.apache.http.client.config.RequestConfig;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.client.methods.HttpPost;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.conn.ssl.SSLContexts;
 import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
 import org.apache.http.entity.StringEntity;
 import org.apache.http.impl.client.CloseableHttpClient;
 import org.apache.http.impl.client.HttpClients;

 // sCertificate, sMauiUrl, sRequest, CmsUtilities and Defs are the poster's own
 // application classes and variables; they are not defined on this page.
 // Load the JKS trust store (server CA / self-signed certs) from disk.
 KeyStore trustStore  = KeyStore.getInstance("JKS");
 FileInputStream instream = new FileInputStream(new File(sCertificate));
 String sJksPwd = CmsUtilities.getDecryptedPassword(Defs.JKS_PWD_ENCRYPTED);
 trustStore.load(instream, sJksPwd.toCharArray());
 instream.close();

 // Only trust material is loaded here: no loadKeyMaterial(), so the client has no
 // certificate of its own to present if the server asks for one.
 SSLContext sslcontext = SSLContexts.custom()
              .loadTrustMaterial(trustStore, new TrustSelfSignedStrategy())
              .build();
 // Pins the protocol to TLSv1 and disables hostname verification
 // (ALLOW_ALL_HOSTNAME_VERIFIER accepts any name in the server certificate).
 SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
              sslcontext,
              new String[] {"TLSv1"},
              null,
              SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
 CloseableHttpClient httpclient = HttpClients.custom()
              .setSSLSocketFactory(sslsf)
              .build();

 HttpPost post = new HttpPost(sMauiUrl);
 HttpEntity reqEntity = new StringEntity(sRequest);
 post.setEntity(reqEntity);

 // 30 s for obtaining a pooled connection, connecting, and waiting for data.
 RequestConfig requestConfig = RequestConfig.custom()
                                 .setConnectionRequestTimeout(30000)
                                 .setConnectTimeout(30000)
                                 .setSocketTimeout(30000)
                                 .build();
 post.setConfig(requestConfig);

 // The handshake runs inside execute(); this is where the reset is thrown.
 CloseableHttpResponse response = httpclient.execute(post);
 

 Stack trace:
 java.net.SocketException: Connection reset
         at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:107)
         at java.net.SocketOutputStream.write(SocketOutputStream.java:147)
         at com.ibm.jsse2.d.a(d.java:119)
         at com.ibm.jsse2.d.a(d.java:100)
         at com.ibm.jsse2.SSLSocketImpl.b(SSLSocketImpl.java:45)
         at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:180)
         at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:350)
         at com.ibm.jsse2.kb.a(kb.java:32)
         at com.ibm.jsse2.lb.b(lb.java:369)
         at com.ibm.jsse2.lb.a(lb.java:471)
         at com.ibm.jsse2.lb.a(lb.java:29)
         at com.ibm.jsse2.kb.s(kb.java:391)
         at com.ibm.jsse2.kb.a(kb.java:165)
         at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:8)
         at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:554)
         at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:806)
         at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:97)
         at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:261)
         at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:118)
         at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:314)
         at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:357)
         at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:218)
         at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:194)
         at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:85)
         at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
         at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186)
         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
         at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
 

 java.net.debug
 [6/2/15 16:05:12:924 EDT] 00000098 SystemOut     O *** ClientHello, TLSv1
 [6/2/15 16:05:12:924 EDT] 00000098 SystemOut     O RandomCookie:  GMT: 1433275512 bytes = { 41, 25, 18, 7, 102, 87, 235, 108, 93, 213, 1, 176, 198, 116, 167, 100, 95, 83, 19, 9, 88, 111, 203, 224, 49, 238, 12, 1 }
 [6/2/15 16:05:12:924 EDT] 00000098 SystemOut     O Session ID:  {}
 [6/2/15 16:05:12:924 EDT] 00000098 SystemOut     O Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST]
 [6/2/15 16:05:12:925 EDT] 00000098 SystemOut     O Compression Methods:  { 0 }
 [6/2/15 16:05:12:925 EDT] 00000098 SystemOut     O ***
 [6/2/15 16:05:12:925 EDT] 00000098 SystemOut     O [write] MD5 and SHA1 hashes:  len = 81
 [6/2/15 16:05:12:925 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:925 EDT] 00000098 SystemOut     O WebContainer : 0, WRITE: TLSv1 Handshake, length = 81
 [6/2/15 16:05:12:925 EDT] 00000098 SystemOut     O [Raw write]: length = 86
 [6/2/15 16:05:12:925 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:925 EDT] 00000098 SystemOut     O [Raw read]: length = 5
 [6/2/15 16:05:12:925 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:925 EDT] 00000098 SystemOut     O [Raw read]: length = 81
 [6/2/15 16:05:12:925 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:925 EDT] 00000098 SystemOut     O WebContainer : 0, READ: TLSv1 Handshake, length = 81
 [6/2/15 16:05:12:925 EDT] 00000098 SystemOut     O *** ServerHello, TLSv1
 [6/2/15 16:05:12:925 EDT] 00000098 SystemOut     O RandomCookie:  GMT: -1399930972 bytes = { 24, 212, 214, 15, 25, 239, 48, 200, 156, 104, 252, 221, 9, 2, 137, 169, 17, 251, 107, 213, 41, 255, 223, 115, 26, 94, 120, 142 }
 [6/2/15 16:05:12:926 EDT] 00000098 SystemOut     O Session ID:  {24, 100, 130, 154, 116, 121, 212, 140, 99, 102, 232, 40, 86, 137, 157, 125, 38, 168, 253, 144, 193, 233, 230, 31, 209, 229, 218, 79, 55, 133, 251, 211}
 [6/2/15 16:05:12:926 EDT] 00000098 SystemOut     O Cipher Suite: SSL_RSA_WITH_RC4_128_SHA
 [6/2/15 16:05:12:926 EDT] 00000098 SystemOut     O Compression Method: 0
 [6/2/15 16:05:12:926 EDT] 00000098 SystemOut     O Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
 [6/2/15 16:05:12:926 EDT] 00000098 SystemOut     O ***
 [6/2/15 16:05:12:926 EDT] 00000098 SystemOut     O JsseJCE:  Using MessageDigest MD5 from provider IBMJCE version 1.2
 [6/2/15 16:05:12:926 EDT] 00000098 SystemOut     O JsseJCE:  Using MessageDigest SHA from provider IBMJCE version 1.2
 [6/2/15 16:05:12:926 EDT] 00000098 SystemOut     O %% Initialized:  [Session-24, SSL_RSA_WITH_RC4_128_SHA]
 [6/2/15 16:05:12:926 EDT] 00000098 SystemOut     O ** SSL_RSA_WITH_RC4_128_SHA
 [6/2/15 16:05:12:926 EDT] 00000098 SystemOut     O [read] MD5 and SHA1 hashes:  len = 81
 [6/2/15 16:05:12:926 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:926 EDT] 00000098 SystemOut     O [Raw read]: length = 5
 [6/2/15 16:05:12:926 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:927 EDT] 00000098 SystemOut     O [Raw read]: length = 1134
 [6/2/15 16:05:12:927 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:927 EDT] 00000098 SystemOut     O WebContainer : 0, READ: TLSv1 Handshake, length = 1134
 [6/2/15 16:05:12:927 EDT] 00000098 SystemOut     O *** Certificate chain
 [6/2/15 16:05:12:928 EDT] 00000098 SystemOut     O chain [0] = [output]
 [6/2/15 16:05:12:928 EDT] 00000098 SystemOut     O [read] MD5 and SHA1 hashes:  len = 1134
 [6/2/15 16:05:12:929 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:929 EDT] 00000098 SystemOut     O [Raw read]: length = 111
 [6/2/15 16:05:12:929 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:929 EDT] 00000098 SystemOut     O WebContainer : 0, READ: TLSv1 Handshake, length = 111
 [6/2/15 16:05:12:929 EDT] 00000098 SystemOut     O *** CertificateRequest
 [6/2/15 16:05:12:929 EDT] 00000098 SystemOut     O Cert Types: RSA
 [6/2/15 16:05:12:929 EDT] 00000098 SystemOut     O Cert Authorities:[output]
 [6/2/15 16:05:12:929 EDT] 00000098 SystemOut     O [Raw read]: length = 5
 [6/2/15 16:05:12:929 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:930 EDT] 00000098 SystemOut     O [Raw read]: length = 4
 [6/2/15 16:05:12:930 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:930 EDT] 00000098 SystemOut     O WebContainer : 0, READ: TLSv1 Handshake, length = 4
 [6/2/15 16:05:12:930 EDT] 00000098 SystemOut     O *** ServerHelloDone
 [6/2/15 16:05:12:930 EDT] 00000098 SystemOut     O [read] MD5 and SHA1 hashes:  len = 4
 [6/2/15 16:05:12:930 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:930 EDT] 00000098 SystemOut     O ClientHandshaker: KeyManager com.ibm.jsse2.hd
 [6/2/15 16:05:12:930 EDT] 00000098 SystemOut     O *** Certificate chain
 [6/2/15 16:05:12:930 EDT] 00000098 SystemOut     O PreMasterSecret:  Using cipher for wrap RSA/SSL/PKCS1Padding from provider from init IBMJCE version 1.2
 [6/2/15 16:05:12:931 EDT] 00000098 SystemOut     O *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
 [6/2/15 16:05:12:931 EDT] 00000098 SystemOut     O [write] MD5 and SHA1 hashes:  len = 141
 [6/2/15 16:05:12:931 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:931 EDT] 00000098 SystemOut     O WebContainer : 0, WRITE: TLSv1 Handshake, length = 141
 [6/2/15 16:05:12:931 EDT] 00000098 SystemOut     O [Raw write]: length = 146
 [6/2/15 16:05:12:931 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:931 EDT] 00000098 SystemOut     O SESSION KEYGEN:
 [6/2/15 16:05:12:931 EDT] 00000098 SystemOut     O PreMaster Secret:
 [6/2/15 16:05:12:931 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:931 EDT] 00000098 SystemOut     O javax.crypto.spec.SecretKeySpec@13e7648
 [6/2/15 16:05:12:931 EDT] 00000098 SystemOut     O JsseJCE:  Using KeyGenerator IbmTlsMasterSecret from provider TBD via init
 [6/2/15 16:05:12:931 EDT] 00000098 SystemOut     O JsseJCE:  Using KeyGenerator IbmTlsKeyMaterial from provider TBD via init
 [6/2/15 16:05:12:932 EDT] 00000098 SystemOut     O CONNECTION KEYGEN:
 [6/2/15 16:05:12:932 EDT] 00000098 SystemOut     O 0000: [output]
 [6/2/15 16:05:12:932 EDT] 00000098 SystemOut     O ... no IV used for this cipher
 [6/2/15 16:05:12:932 EDT] 00000098 SystemOut     O JsseJCE:  Using KeyGenerator IbmTlsPrf from provider TBD via init
 [6/2/15 16:05:12:932 EDT] 00000098 SystemOut     O HandshakeMessage:  TLS Keygenerator IbmTlsPrf  from provider from init IBMJCE version 1.2
 [6/2/15 16:05:12:933 EDT] 00000098 SystemOut     O WebContainer : 0, WRITE: TLSv1 Change Cipher Spec, length = 1
 [6/2/15 16:05:12:933 EDT] 00000098 SystemOut     O WebContainer : 0, handling exception: java.net.SocketException: Connection reset
 [6/2/15 16:05:12:933 EDT] 00000098 SystemOut     O WebContainer : 0, called close()
 [6/2/15 16:05:12:933 EDT] 00000098 SystemOut     O WebContainer : 0, called closeInternal(true)
 [6/2/15 16:05:12:933 EDT] 00000098 SystemOut     O WebContainer : 0, SEND TLSv1 ALERT:  warning, description = close_notify
 [6/2/15 16:05:12:933 EDT] 00000098 SystemOut     O WebContainer : 0, WRITE: TLSv1 Alert, length = 2
 [6/2/15 16:05:12:933 EDT] 00000098 SystemOut     O WebContainer : 0, Exception sending alert: java.net.SocketException: Broken pipe
 [6/2/15 16:05:12:933 EDT] 00000098 SystemOut     O WebContainer : 0, called closeSocket(selfInitiated)
jkavxAsked:
gheistCommented:
RC4 is weak encryption and is gradually being wiped out by software upgrades.
Since you give no versions it is hard to tell if you need to upgrade whole JDK, or just add unrestricted policy jar, or both.
jkavxAuthor Commented:
This is a large corporate environment.  We're migrating a .Net web application to Java and Websphere 8.5.  There's an internal service call involved which needs to post via ssl.  Testing locally I have Java 1.7.  On the Linux machines, we have 1.6.  Unfortunately, a JDK upgrade is not an option.  Also, the internal support is very weak.  The keystore has been generated following standard procedures, and the engineer has reviewed its contents and says that it's valid.  Beyond that we're on our own, more or less.

I don't know how to interpret the javax.net.debug output.
gheistCommented:
Unfortunately Java 6 is EOL already and Java 7 follows in a couple of months, and it does not support any kind of reasonable encryption.
I have Linux systems that run Java 7, Java 8 and Java 9, so that requirement is moot and technically unfounded.
The only thing you need to get WebSphere on Java 7 is to install Java 7 before WebSphere.
Instead of using weak encryption you can go in the clear - security is equivalent and compatibility universal.
jkavxAuthor Commented:
Thx.  I don't understand what clear-security is.  Is this something I can control in Java code?
gheistCommented:
Something like unencrypted http, with no outdated SSL toolkits involved.
jkavxAuthor Commented:
Do you have an example of the Java code involved?
gheistCommented:
Just take out the sslsf line from the http connection?

Your Linux admins should make sure that at least one cipher from https://www.rfc-editor.org/bcp/bcp195.txt is supported and working over TLS 1.0 or better ("better" is not part of Java 6, and ciphers are enabled using the unlimited strength policy JARs).
jkavxAuthor Commented:
Well I don't think I'll be able to get any help on either end of this - either from those who maintain the web service or from the SA who maintains the WebSphere environment.  Testing locally, when I remove the sslsf line, I get this:
http-bio-8080-exec-3, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

I have very limited understanding of this - can you explain what the javax.net.debug output explains about the connection reset error?  All of the handshakes seem to have succeeded.
gheistCommented:
This line:
CloseableHttpClient httpclient = HttpClients.custom()
             .setSSLSocketFactory(sslsf)
             .build();

No, really - you know that Java 6 is available only under paid support and 1.6.0_45 has a few hundred serious security holes?
jkavxAuthor Commented:
It's beyond my control.  The WebSphere environment is set.  The web service is set.  There's a minor piece of functionality that needs to be able to make this internal web service call.  I've generated the certificate.  I just need Java code that can do the ssl post.
gheistCommented:
The encryption has critical flaws that must be addressed. What you do currently is a waste of CPU time for fake encryption and a false sense of security. Read through the BCP. At least you are not in an embargoed nation and can use full crypto.
jkavxAuthor Commented:
I would just like to know what the javax.net.debug output above indicates.
gheistCommented:
The server disconnected the socket on attempting to set up PFS, i.e. one of the sides was vulnerable to Logjam and the other had all defences in place.
jkavxAuthor Commented:
Thx.  Upgrading is not an alternative.  The unrestricted policy jars are already in place.  Conceding that this may not be an optimal approach, is there anything that can be done in the Java code, any property that can be set, to get this to work?
gheistCommented:
Both sides need to talk the same encryption; for now the weakest available is TLSv1 and 3DES.
E.g. RC4, MD5, simple DES, SSLv3, 1k-long SSL keys and 512-long DH templates have all been removed by updates during the last year; you need to keep up with the speed of the internet to keep SSL secure, and indeed working.
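The javax.net.debug output in the question shows the server sending a CertificateRequest and the client answering with an empty Certificate chain (the posted code loads trust material only, never key material), with the reset arriving right after the client's Change Cipher Spec. As an added example, not code from the thread, the same HttpClient 4.4 setup with a client certificate supplied from a second keystore and hostname verification left on; the store paths, passwords and URL are placeholders, and "TLSv1.2" assumes a JSSE that offers it (Java 6 may only have TLSv1).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public class MutualTlsPost {
    // Placeholder paths and passwords (assumptions, not values from the thread).
    static final String TRUST_STORE = "/path/to/truststore.jks";    // CA of the service cert
    static final String KEY_STORE = "/path/to/client-keystore.jks"; // client cert + private key
    static final char[] TRUST_PWD = "changeit".toCharArray();
    static final char[] KEY_PWD = "changeit".toCharArray();

    static KeyStore load(String path, char[] pwd) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try { ks.load(in, pwd); } finally { in.close(); } // Java 6 syntax, no try-with-resources
        return ks;
    }

    static CloseableHttpClient client() throws Exception {
        SSLContext ctx = SSLContexts.custom()
            // trust only the CAs in the trust store; no TrustSelfSignedStrategy
            .loadTrustMaterial(load(TRUST_STORE, TRUST_PWD), null)
            // key material lets the client answer a CertificateRequest with a real chain
            .loadKeyMaterial(load(KEY_STORE, KEY_PWD), KEY_PWD)
            .build();
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
            ctx,
            new String[] {"TLSv1.2"},  // assumption: the JSSE in use supports it
            null,                      // JSSE default cipher suites
            SSLConnectionSocketFactory.getDefaultHostnameVerifier()); // keep hostname checks
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    public static void main(String[] args) throws Exception {
        CloseableHttpClient http = client();
        try {
            HttpPost post = new HttpPost("https://service.example.internal/endpoint"); // placeholder
            post.setEntity(new StringEntity("<request/>")); // constructed sample body
            CloseableHttpResponse resp = http.execute(post);
            try { System.out.println(resp.getStatusLine()); } finally { resp.close(); }
        } finally { http.close(); }
    }
}
```

Whether the service actually requires a client certificate, and which CA must have issued it, is something only the service owner can confirm; the empty chain in the log is the observation that makes it worth asking.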