Task #12339 (closed)
Opened 10 years ago
Closed 10 years ago
BUG: Insight with Java 8 fails to connect to some servers
Reported by: | spli | Owned by: | jburel |
---|---|---|---|
Priority: | blocker | Milestone: | 5.0.4 |
Component: | Insight | Version: | 5.0.2 |
Keywords: | java8 | Cc: | java@…, ux@… |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | n.a. |
Sprint: | n.a. |
Description
Running Insight Ice35 on OS X with Java 1.8.0_05 I can't connect to:
OMERO.server-5.0.2-ice35-b26 running with Linux OpenJDK 1.7.0_55
```
!! 29/05/14 11:50:11:442 error: Ice.ThreadPool.Client-0: exception in `Ice.ThreadPool.Client':
java.lang.RuntimeException: Algorithm NONE not available
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:529)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:807)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:775)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at IceSSL.TransceiverI.handshakeNonBlocking(TransceiverI.java:543)
    at IceSSL.TransceiverI.initialize(TransceiverI.java:109)
    at Ice.ConnectionI.initialize(ConnectionI.java:1933)
    at Ice.ConnectionI.message(ConnectionI.java:1084)
    at IceInternal.ThreadPool.run(ThreadPool.java:321)
    at IceInternal.ThreadPool.access$300(ThreadPool.java:12)
    at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:693)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: Algorithm NONE not available
    at sun.security.ssl.JsseJce.getMessageDigest(JsseJce.java:354)
    at sun.security.ssl.CloneableDigest.getDigest(HandshakeHash.java:310)
    at sun.security.ssl.HandshakeHash.setFinishedAlg(HandshakeHash.java:229)
    at sun.security.ssl.ClientHandshaker.serverHello(ClientHandshaker.java:473)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:146)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:925)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:865)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:862)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1302)
    at IceSSL.TransceiverI.handshakeNonBlocking(TransceiverI.java:530)
    ... 7 more
Caused by: java.security.NoSuchAlgorithmException: NONE MessageDigest not available
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
    at java.security.Security.getImpl(Security.java:695)
    at java.security.MessageDigest.getInstance(MessageDigest.java:159)
    at sun.security.ssl.JsseJce.getMessageDigest(JsseJce.java:349)
    ... 17 more
event handler: local address = <not available>
remote address = 127.0.0.1:4064
!! 29/05/14 11:50:16:448 error: Ice.ThreadPool.Client-1: exception in `Ice.ThreadPool.Client':
java.lang.RuntimeException: Algorithm NONE not available
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:529)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:807)
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:775)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
    at IceSSL.TransceiverI.handshakeNonBlocking(TransceiverI.java:543)
    at IceSSL.TransceiverI.initialize(TransceiverI.java:109)
    at Ice.ConnectionI.initialize(ConnectionI.java:1933)
    at Ice.ConnectionI.message(ConnectionI.java:1084)
    at IceInternal.ThreadPool.run(ThreadPool.java:321)
    at IceInternal.ThreadPool.access$300(ThreadPool.java:12)
    at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:693)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: Algorithm NONE not available
    at sun.security.ssl.JsseJce.getMessageDigest(JsseJce.java:354)
    at sun.security.ssl.CloneableDigest.getDigest(HandshakeHash.java:310)
    at sun.security.ssl.HandshakeHash.setFinishedAlg(HandshakeHash.java:229)
    at sun.security.ssl.ClientHandshaker.serverHello(ClientHandshaker.java:473)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:146)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:925)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:865)
    at sun.security.ssl.Handshaker$1.run(Handshaker.java:862)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1302)
    at IceSSL.TransceiverI.handshakeNonBlocking(TransceiverI.java:530)
    ... 7 more
Caused by: java.security.NoSuchAlgorithmException: NONE MessageDigest not available
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
    at java.security.Security.getImpl(Security.java:695)
    at java.security.MessageDigest.getInstance(MessageDigest.java:159)
    at sun.security.ssl.JsseJce.getMessageDigest(JsseJce.java:349)
    ... 17 more
event handler: local address = <not available>
remote address = 0:0:0:0:0:0:0:1:4064
```
Mark Woodbridge reports being unable to connect to a 1.8.0_05 ice35 server from Linux/Windows? running 1.8.0_05: http://lists.openmicroscopy.org.uk/pipermail/ome-users/2014-May/004464.html
Note: if testing this on a Mac, opening the Insight client from the Desktop uses the default system Java even if you've installed a more recent Java, so to test this you should download the Linux client package and use the scripts from the command line.
I can successfully connect to gretzky (1.6.0_20, ice33), ome-ci-c6-07 (1.7.0_05-icedtea, ice34), and also a local ice35 server running under 1.8.0_05.
Change History (19)
comment:1 Changed 10 years ago by jamoore
- Milestone changed from Unscheduled to 5.0.3
comment:2 Changed 10 years ago by cblackburn
- Priority changed from major to blocker
comment:3 Changed 10 years ago by pwalczysko
- Component changed from Client to Insight
- Owner set to jburel
comment:4 Changed 10 years ago by spli
This isn't specific to insight, it also occurs with bin/omero import ....
```
...
2014-06-24 10:21:14,525 2669 [ main] INFO ome.formats.OMEROMetadataStoreClient - Attempting initial SSL connection to ome-ci-c6-07.openmicroscopy.org:4064
!! 24/06/14 10:21:14:983 error: Ice.ThreadPool.Client-0: exception in `Ice.ThreadPool.Client': java.lang.RuntimeException: Algorithm NONE not available
...
```
Maybe this affects all java clients? I can connect using python without any problems. If I switch back to Java 7 the import works.
comment:5 Changed 10 years ago by pwalczysko
@spli yes, the suspicion is that it concerns all clients. Nevertheless, I have filed this as an Insight bug, because that way it goes straight to jburel and so will hopefully get more attention than if it were filed as "Clients".
comment:6 Changed 10 years ago by jburel
- Milestone changed from 5.0.3 to 5.1.0-m1
Moving to 5.1.0 as discussed on Tuesday; this bug will have to be backported if we release a 5.0.4.
comment:7 Changed 10 years ago by spli
bin/omero import is still failing with Java 1.8.0_11 on OS X 10.9.4
comment:8 Changed 10 years ago by jburel
OSX 10.8.5
java version "1.8.0_11"
is not working against octopus but I can connect to localhost
comment:9 Changed 10 years ago by jburel
bin/omero import is working with Java 1.8.0.11 on OS X 10.8.5 (localhost)
comment:10 Changed 10 years ago by jburel
OSX 10.8.5 java version 1.8.0.11, clients (ice34/35) work against Hake (Windows server).
comment:11 Changed 10 years ago by jburel
You can also test using the latest Eclipse (Luna) and add Java 1.8 to the list of compilers.
comment:12 Changed 10 years ago by jburel
Problem is due to id.properties.setProperty("IceSSL.Ciphers", "NONE (DH_anon)"); in omero. Currently testing other configurations.
comment:13 Changed 10 years ago by mtbcarroll
Interesting. It's given in an example at http://doc.zeroc.com/display/Ice/Configuring+IceSSL#ConfiguringIceSSL-ADHExampleforJava
comment:14 Changed 10 years ago by jburel
from ZeroC website (http://www.zeroc.com/doc/Ice-3.4.0/manual/IceSSL.42.4.html)
```
ADH is not a good choice in most cases because, as its name implies, there is no authentication of the communicating parties, and it is vulnerable to man-in-the-middle attacks. However, it still provides encryption of the session traffic and requires very little administration and therefore may be useful in certain situations.
```
comment:15 Changed 10 years ago by jburel
Something like
id.properties.setProperty("IceSSL.Ciphers", "ALL !(ADH) !(LOW) !(EXPORT) !(MD5) (@STRENGTH)");
works against localhost/hake/octopus
comment:16 Changed 10 years ago by jburel
comment:17 Changed 10 years ago by jburel
Reference https://www.openssl.org/docs/apps/ciphers.html
ALL
all cipher suites except the eNULL ciphers which must be explicitly enabled; as of OpenSSL, the ALL cipher suites are reasonably ordered by default
Setting the following in omero.client, should be ok since it also includes aNull i.e.
id.properties.setProperty("IceSSL.Ciphers", "ALL (@STRENGTH)");
aNULL
the cipher suites offering no authentication. This is currently the anonymous DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable to a man in the middle attack and so their use is normally discouraged.
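A diagnostic for the cipher strings quoted in comments 12, 15 and 17, added here as an example (not OMERO or IceSSL code): it applies each string to the running JVM's suite names and reports how many of the resulting suites are anonymous, alongside the protocols the JVM supports and enables by default. It assumes the IceSSL.Ciphers tokens for Java are `NONE`, `ALL`, `NAME`, `!NAME`, `(regex)` and `!(regex)`, applied left to right; the class and helper names are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class CipherFilterCheck {
    // Assumed token semantics (see lead-in): NONE clears, ALL enables everything,
    // NAME / (regex) enable matches, !NAME / !(regex) disable matches.
    static List<String> select(String spec, String[] supported) {
        List<String> enabled = new ArrayList<>();
        for (String tok : spec.trim().split("\\s+")) {
            if (tok.equals("NONE")) { enabled.clear(); continue; }
            if (tok.equals("ALL")) { enabled = new ArrayList<>(Arrays.asList(supported)); continue; }
            boolean remove = tok.startsWith("!");
            String body = remove ? tok.substring(1) : tok;
            boolean regex = body.startsWith("(") && body.endsWith(")");
            Pattern p = regex ? Pattern.compile(body.substring(1, body.length() - 1)) : null;
            for (String suite : supported) {
                boolean hit = regex ? p.matcher(suite).find() : suite.equals(body);
                if (!hit) continue;
                if (remove) enabled.remove(suite);
                else if (!enabled.contains(suite)) enabled.add(suite);
            }
        }
        return enabled;
    }

    // JSSE suite names mark anonymous key exchange with "_anon_" (no peer authentication).
    static boolean isAnonymous(String suite) { return suite.contains("_anon_"); }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters sup = ctx.getSupportedSSLParameters();
        System.out.println("Supported protocols: " + Arrays.toString(sup.getProtocols()));
        System.out.println("Enabled by default:  " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        // The three IceSSL.Ciphers values quoted in the ticket.
        String[] specs = { "NONE (DH_anon)", "ALL !(ADH) !(LOW) !(EXPORT) !(MD5) (@STRENGTH)", "ALL (@STRENGTH)" };
        for (String spec : specs) {
            List<String> on = select(spec, sup.getCipherSuites());
            long anon = on.stream().filter(CipherFilterCheck::isAnonymous).count();
            System.out.printf("%s -> %d enabled, %d anonymous%n", spec, on.size(), anon);
            if (on.isEmpty()) System.out.println("  nothing enabled: no handshake is possible");
            else if (anon == on.size()) System.out.println("  every enabled suite is unauthenticated");
        }
    }
}
```

Under this reading a token only takes effect when it matches a JSSE suite name, and JSSE marks anonymous suites with `_anon_` rather than the OpenSSL name ADH. The counts depend on the JVM version and its `jdk.tls.disabledAlgorithms` setting.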
comment:18 Changed 10 years ago by jamoore
- Milestone changed from 5.1.0-m1 to 5.0.4
Moving all Java8 issues to the clean 5.0.4 milestone
comment:19 Changed 10 years ago by jburel
- Resolution set to fixed
- Status changed from new to closed
PR now open; see https://github.com/openmicroscopy/openmicroscopy/pull/2912. Problem is not related to the Cipher but to the ssl protocol not being enabled.
Closing
Using the 64-bit Ice-35 5.0.2 clients on Windows 8 with Java 8 installed I can't connect to local or remote servers. The exception I get is: