
Task #12339 (closed)

Opened 9 years ago

Closed 9 years ago

BUG: Insight with Java 8 fails to connect to some servers

Reported by: spli
Owned by: jburel
Priority: blocker
Milestone: 5.0.4
Component: Insight
Version: 5.0.2
Keywords: java8
Cc: java@…, ux@…
Resources: n.a.
Referenced By: n.a.
References: n.a.
Remaining Time: n.a.
Sprint: n.a.

Description

Running Insight Ice35 on OS X with Java 1.8.0_05 I can't connect to:
OMERO.server-5.0.2-ice35-b26 running with Linux OpenJDK 1.7.0_55

!! 29/05/14 11:50:11:442 error: Ice.ThreadPool.Client-0: exception in `Ice.ThreadPool.Client':
   java.lang.RuntimeException: Algorithm NONE not available
   	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)
   	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:529)
   	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:807)
   	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:775)
   	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
   	at IceSSL.TransceiverI.handshakeNonBlocking(TransceiverI.java:543)
   	at IceSSL.TransceiverI.initialize(TransceiverI.java:109)
   	at Ice.ConnectionI.initialize(ConnectionI.java:1933)
   	at Ice.ConnectionI.message(ConnectionI.java:1084)
   	at IceInternal.ThreadPool.run(ThreadPool.java:321)
   	at IceInternal.ThreadPool.access$300(ThreadPool.java:12)
   	at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:693)
   	at java.lang.Thread.run(Thread.java:745)
   Caused by: java.lang.RuntimeException: Algorithm NONE not available
   	at sun.security.ssl.JsseJce.getMessageDigest(JsseJce.java:354)
   	at sun.security.ssl.CloneableDigest.getDigest(HandshakeHash.java:310)
   	at sun.security.ssl.HandshakeHash.setFinishedAlg(HandshakeHash.java:229)
   	at sun.security.ssl.ClientHandshaker.serverHello(ClientHandshaker.java:473)
   	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:146)
   	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:925)
   	at sun.security.ssl.Handshaker$1.run(Handshaker.java:865)
   	at sun.security.ssl.Handshaker$1.run(Handshaker.java:862)
   	at java.security.AccessController.doPrivileged(Native Method)
   	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1302)
   	at IceSSL.TransceiverI.handshakeNonBlocking(TransceiverI.java:530)
   	... 7 more
   Caused by: java.security.NoSuchAlgorithmException: NONE MessageDigest not available
   	at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
   	at java.security.Security.getImpl(Security.java:695)
   	at java.security.MessageDigest.getInstance(MessageDigest.java:159)
   	at sun.security.ssl.JsseJce.getMessageDigest(JsseJce.java:349)
   	... 17 more
   
   event handler: local address = <not available>
   remote address = 127.0.0.1:4064
!! 29/05/14 11:50:16:448 error: Ice.ThreadPool.Client-1: exception in `Ice.ThreadPool.Client':
   java.lang.RuntimeException: Algorithm NONE not available
   	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)
   	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:529)
   	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:807)
   	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:775)
   	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
   	at IceSSL.TransceiverI.handshakeNonBlocking(TransceiverI.java:543)
   	at IceSSL.TransceiverI.initialize(TransceiverI.java:109)
   	at Ice.ConnectionI.initialize(ConnectionI.java:1933)
   	at Ice.ConnectionI.message(ConnectionI.java:1084)
   	at IceInternal.ThreadPool.run(ThreadPool.java:321)
   	at IceInternal.ThreadPool.access$300(ThreadPool.java:12)
   	at IceInternal.ThreadPool$EventHandlerThread.run(ThreadPool.java:693)
   	at java.lang.Thread.run(Thread.java:745)
   Caused by: java.lang.RuntimeException: Algorithm NONE not available
   	at sun.security.ssl.JsseJce.getMessageDigest(JsseJce.java:354)
   	at sun.security.ssl.CloneableDigest.getDigest(HandshakeHash.java:310)
   	at sun.security.ssl.HandshakeHash.setFinishedAlg(HandshakeHash.java:229)
   	at sun.security.ssl.ClientHandshaker.serverHello(ClientHandshaker.java:473)
   	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:146)
   	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:925)
   	at sun.security.ssl.Handshaker$1.run(Handshaker.java:865)
   	at sun.security.ssl.Handshaker$1.run(Handshaker.java:862)
   	at java.security.AccessController.doPrivileged(Native Method)
   	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1302)
   	at IceSSL.TransceiverI.handshakeNonBlocking(TransceiverI.java:530)
   	... 7 more
   Caused by: java.security.NoSuchAlgorithmException: NONE MessageDigest not available
   	at sun.security.jca.GetInstance.getInstance(GetInstance.java:159)
   	at java.security.Security.getImpl(Security.java:695)
   	at java.security.MessageDigest.getInstance(MessageDigest.java:159)
   	at sun.security.ssl.JsseJce.getMessageDigest(JsseJce.java:349)
   	... 17 more
   
   event handler: local address = <not available>
   remote address = 0:0:0:0:0:0:0:1:4064

Mark Woodbridge reports being unable to connect to a 1.8.0_05 ice35 server from Linux/Windows running 1.8.0_05: http://lists.openmicroscopy.org.uk/pipermail/ome-users/2014-May/004464.html

Note: if testing this on a Mac, opening the Insight client from the Desktop uses the default system Java even if you've installed a more recent Java, so to test this you should download the Linux client package and use the scripts from the command line.

I can successfully connect to gretzky (1.6.0_20, ice33), ome-ci-c6-07 (1.7.0_05-icedtea, ice34), and also a local ice35 server running under 1.8.0_05.

Change History (19)

comment:1 Changed 9 years ago by jamoore

  • Milestone changed from Unscheduled to 5.0.3

comment:2 Changed 9 years ago by cblackburn

  • Priority changed from major to blocker

Using the 64-bit Ice-35 5.0.2 clients on Windows 8 with Java 8 installed I can't connect to local or remote servers. The exception I get is:

OMERO address: nightshade.openmicroscopy.org
User Name: cblackburn -- Password: ************
org.openmicroscopy.shoola.env.data.DSOutOfServiceException: Can't connect to OMERO. OMERO info not valid.

Ice.ConnectionLostException
    error = 0
	at IceInternal.ConnectRequestHandler.getConnection(ConnectRequestHandler.java:244)
	at IceInternal.ConnectRequestHandler.sendRequest(ConnectRequestHandler.java:141)
	at IceInternal.Outgoing.invoke(Outgoing.java:77)
	at Ice._ObjectDelM.ice_isA(_ObjectDelM.java:33)
	at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:98)
	at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:61)
	at Glacier2.RouterPrxHelper.checkedCast(RouterPrxHelper.java:2262)
	at omero.client.getRouter(client.java:770)
	at omero.client.createSession(client.java:693)
	at org.openmicroscopy.shoola.env.data.OMEROGateway.createSession(OMEROGateway.java:1853)
	at org.openmicroscopy.shoola.env.data.DataServicesFactory.connect(DataServicesFactory.java:590)
	at org.openmicroscopy.shoola.env.data.login.LoginServiceImpl.attempt(LoginServiceImpl.java:136)
	at org.openmicroscopy.shoola.env.data.login.LoginServiceImpl.login(LoginServiceImpl.java:265)
	at org.openmicroscopy.shoola.env.data.login.LoginManager.login(LoginManager.java:98)
	at org.openmicroscopy.shoola.env.init.SplashScreenInit.onEnd(SplashScreenInit.java:169)
	at org.openmicroscopy.shoola.env.init.Initializer.notifyEnd(Initializer.java:189)
	at org.openmicroscopy.shoola.env.Container.runStartupProcedure(Container.java:129)
	at org.openmicroscopy.shoola.env.Container.access$000(Container.java:78)
	at org.openmicroscopy.shoola.env.Container$1.run(Container.java:174)
	at java.lang.Thread.run(Unknown Source)

	at org.openmicroscopy.shoola.env.data.OMEROGateway.createSession(OMEROGateway.java:1872)
	at org.openmicroscopy.shoola.env.data.DataServicesFactory.connect(DataServicesFactory.java:590)
	at org.openmicroscopy.shoola.env.data.login.LoginServiceImpl.attempt(LoginServiceImpl.java:136)
	at org.openmicroscopy.shoola.env.data.login.LoginServiceImpl.login(LoginServiceImpl.java:265)
	at org.openmicroscopy.shoola.env.data.login.LoginManager.login(LoginManager.java:98)
	at org.openmicroscopy.shoola.env.init.SplashScreenInit.onEnd(SplashScreenInit.java:169)
	at org.openmicroscopy.shoola.env.init.Initializer.notifyEnd(Initializer.java:189)
	at org.openmicroscopy.shoola.env.Container.runStartupProcedure(Container.java:129)
	at org.openmicroscopy.shoola.env.Container.access$000(Container.java:78)
	at org.openmicroscopy.shoola.env.Container$1.run(Container.java:174)
	at java.lang.Thread.run(Unknown Source)
Caused by: Ice.ConnectionLostException
    error = 0
	at IceInternal.ConnectRequestHandler.getConnection(ConnectRequestHandler.java:244)
	at IceInternal.ConnectRequestHandler.sendRequest(ConnectRequestHandler.java:141)
	at IceInternal.Outgoing.invoke(Outgoing.java:77)
	at Ice._ObjectDelM.ice_isA(_ObjectDelM.java:33)
	at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:98)
	at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:61)
	at Glacier2.RouterPrxHelper.checkedCast(RouterPrxHelper.java:2262)
	at omero.client.getRouter(client.java:770)
	at omero.client.createSession(client.java:693)
	at org.openmicroscopy.shoola.env.data.OMEROGateway.createSession(OMEROGateway.java:1853)
	... 10 more
Exception in thread "Initializer"

comment:3 Changed 9 years ago by pwalczysko

  • Component changed from Client to Insight
  • Owner set to jburel

comment:4 Changed 9 years ago by spli

This isn't specific to insight, it also occurs with bin/omero import ....

...
2014-06-24 10:21:14,525 2669       [      main] INFO       ome.formats.OMEROMetadataStoreClient - Attempting initial SSL connection to ome-ci-c6-07.openmicroscopy.org:4064
!! 24/06/14 10:21:14:983 error: Ice.ThreadPool.Client-0: exception in `Ice.ThreadPool.Client':
   java.lang.RuntimeException: Algorithm NONE not available
...

Maybe this affects all java clients? I can connect using python without any problems. If I switch back to Java 7 the import works.


comment:5 Changed 9 years ago by pwalczysko

@spli yes, the suspicion is that it is concerning all clients. Nevertheless, I have put this as Insight bug, because like that, it goes straight to jburel, and so will get hopefully more attention than when it would be filed as "Clients".

comment:6 Changed 9 years ago by jburel

  • Milestone changed from 5.0.3 to 5.1.0-m1

Moving to 5.1.0 as discussed on Tuesday; this bug will have to be backported if we release a 5.0.4.

comment:7 Changed 9 years ago by spli

bin/omero import is still failing with Java 1.8.0_11 on OS X 10.9.4

comment:8 Changed 9 years ago by jburel

OSX 10.8.5
java version "1.8.0_11"
is not working against octopus but I can connect to localhost


comment:9 Changed 9 years ago by jburel

bin/omero import is working with Java 1.8.0.11 on OS X 10.8.5 (localhost)


comment:10 Changed 9 years ago by jburel

OSX 10.8.5 java version 1.8.0.11, clients (ice34/35) work against Hake (Windows server).


comment:11 Changed 9 years ago by jburel

You can also test using the latest Eclipse (Luna) and add Java 1.8 to the list of installed JREs and select java 1.8 in compiler list.


comment:12 Changed 9 years ago by jburel

Problem is due to id.properties.setProperty("IceSSL.Ciphers", "NONE (DH_anon)"); in omero. Currently testing other configurations.

comment:14 Changed 9 years ago by jburel

from ZeroC website (http://www.zeroc.com/doc/Ice-3.4.0/manual/IceSSL.42.4.html)

`
ADH is not a good choice in most cases because, as its name implies, there is no authentication of the communicating parties, and it is vulnerable to man-in-the-middle attacks. However, it still provides encryption of the session traffic and requires very little administration and therefore may be useful in certain situations.
`


comment:15 Changed 9 years ago by jburel

Something like

id.properties.setProperty("IceSSL.Ciphers", "ALL !(ADH) !(LOW) !(EXPORT) !(MD5) (@STRENGTH)");

works again localhost/hake/octopus

comment:17 Changed 9 years ago by jburel

Reference https://www.openssl.org/docs/apps/ciphers.html

ALL
all cipher suites except the eNULL ciphers which must be explicitly enabled; as of OpenSSL, the ALL cipher suites are reasonably ordered by default

Setting the following in omero.client, should be ok since it also includes aNull i.e.

id.properties.setProperty("IceSSL.Ciphers", "ALL (@STRENGTH)");

aNULL
the cipher suites offering no authentication. This is currently the anonymous DH algorithms and anonymous ECDH algorithms. These cipher suites are vulnerable to a man in the middle attack and so their use is normally discouraged.

comment:18 Changed 9 years ago by jamoore

  • Milestone changed from 5.1.0-m1 to 5.0.4

Moving all Java8 issues to the clean 5.0.4 milestone

comment:19 Changed 9 years ago by jburel

  • Resolution set to fixed
  • Status changed from new to closed

PR now open, see https://github.com/openmicroscopy/openmicroscopy/pull/2912. The problem is not related to the cipher but to the SSL protocol not being enabled.
Closing
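
A diagnostic for the two things this ticket turns on, the protocols a JVM enables by default and which of its cipher suites each `IceSSL.Ciphers` value from the comments would select, with anonymous (unauthenticated) suites counted separately. This is an added example, not OMERO or Ice code: `CipherAudit`, `select` and `isAnonymous` are hypothetical names, and the token handling is a simplified model that assumes the NONE/ALL/NAME/!NAME/(regex)/!(regex) filter form, matched against JSSE suite names.

```java
import java.util.*;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Added example: simplified model of an IceSSL.Ciphers filter, run against this JVM's JSSE suites. */
public class CipherAudit {

    /** JSSE names anonymous DH/ECDH suites (no peer authentication) with "_anon_". */
    static boolean isAnonymous(String suite) {
        return suite.contains("_anon_");
    }

    /** Applies the tokens left to right; this ordering is an assumption of the model. */
    static Set<String> select(String spec, String[] supported) {
        Set<String> enabled = new LinkedHashSet<>();
        for (String token : spec.trim().split("\\s+")) {
            if (token.equals("ALL")) { enabled.addAll(Arrays.asList(supported)); continue; }
            if (token.equals("NONE")) { enabled.clear(); continue; }
            boolean disable = token.startsWith("!");
            String body = disable ? token.substring(1) : token;
            boolean regex = body.startsWith("(") && body.endsWith(")");
            Pattern p = regex ? Pattern.compile(body.substring(1, body.length() - 1)) : null;
            for (String suite : supported) {
                boolean hit = regex ? p.matcher(suite).find() : suite.equals(body);
                if (!hit) continue;
                if (disable) enabled.remove(suite); else enabled.add(suite);
            }
        }
        return enabled;
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        System.out.println("Java " + System.getProperty("java.version"));
        System.out.println("Enabled protocols: " + Arrays.toString(engine.getEnabledProtocols()));
        String[] supported = engine.getSupportedCipherSuites();
        // The three IceSSL.Ciphers values that appear in this ticket.
        String[] specs = {
            "NONE (DH_anon)",
            "ALL !(ADH) !(LOW) !(EXPORT) !(MD5) (@STRENGTH)",
            "ALL (@STRENGTH)"
        };
        for (String spec : specs) {
            Set<String> chosen = select(spec, supported);
            long anon = chosen.stream().filter(CipherAudit::isAnonymous).count();
            System.out.printf("%-50s -> %d suites, %d anonymous%n", spec, chosen.size(), anon);
        }
    }
}
```

Running it under each Java version involved (client and server side) shows whether the two ends share a protocol and how many unauthenticated suites a given filter leaves enabled.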
