Hi All,
We are embedding H2 in a Java process. We use H2 version 1.4.192 and
jdk1_8_0_u91. We are using it in SSL mode.
We start H2 like this in the code
svrArgs = new String[] { "-tcpSSL", "-tcpPort", portNum, "-tcpAllowOthers" };
Server.createTcpServer(svrArgs).start();
When we use jdbc:h2:ssl://localhost:<portnum>/mem:LogDB;DB_CLOSE_DELAY=-1;
as the JDBC URL, we can see the data. If we try to use
jdbc:h2:tcp://localhost:<portnum>/mem:LogDB;DB_CLOSE_DELAY=-1;, it does not
get the data. This is expected behavior.
Now my problem is that if I run the following command to see the port status,
it does not find any keystore/certificates. It seems like it is running as a
non-SSL port. Even the QA folks used Wireshark, and they found that the data
between the client and the H2 server is not encrypted even though we use SSL
in the JDBC URL.
openssl s_client -debug -connect localhost:<portnum> -tls1
I get this response
CONNECTED(00000003)
2675740:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure:s3_pkt.c:1256:SSL alert number 40
2675740:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1470355225
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
After this, I added code to set system properties like this to use my own
keystore.
System.setProperty("javax.net.ssl.keyStore", keystoreLocation);
System.setProperty("javax.net.ssl.keyStorePassword", keystorePassword);
System.setProperty("javax.net.ssl.trustStore", truststoreLocation);
System.setProperty("javax.net.ssl.trustStorePassword", truststorePassword);
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
System.setProperty("javax.net.ssl.trustStoreType", "JKS");
System.setProperty("h2.enableAnonymousTLS", "false");
h2Server = Server.createTcpServer(svrArgs).start();
But I still don't see any certificates/keystore if I run the openssl s_client
-debug -connect localhost:<portnum> -tls1 command.
I know the keystore/password is good as I am using it in the same Java process
to enable SSL for other embedded servers.
Any idea if it is a known issue or what I am doing wrong?
Thanks
Subhash Agrawal.
--
Regards,
Subhash Agrawal
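Added check (editor's example, not code from this thread or from H2): a small Python probe that reports what a listener actually negotiates, which is the question the post is really asking. It distinguishes three outcomes: no TLS session at all (a plain TCP port, or a server that rejects every offered suite, which openssl shows as alert 40), a session backed by a server certificate, and an anonymous DH/ECDH suite that encrypts but authenticates nobody (the kind of suite the h2.enableAnonymousTLS property in the post is about). `start_plain_listener` is a constructed local stand-in for a non-TLS port so the probe can be exercised offline; `allow_anonymous` also offers aNULL suites, which s_client and Python leave out by default.

```python
import socket
import ssl
import threading

def probe_tls(host, port, allow_anonymous=False, timeout=5.0):
    """Handshake with host:port and report what the server really negotiates.

    established=False: no TLS session (plain TCP listener, or the server
    rejected every suite we offered, which openssl reports as alert 40).
    anonymous=True: encrypted, but the server proved no identity (anon
    DH/ECDH suite), so an active attacker on the path could impersonate it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # observing the server, not trusting it
    ctx.verify_mode = ssl.CERT_NONE
    result = {"established": False, "protocol": None, "cipher": None,
              "peer_cert": False, "anonymous": False, "reason": None}
    try:
        if allow_anonymous:
            # Also offer aNULL suites; s_client and Python omit them by default,
            # so a server that only has anonymous suites answers with alert 40.
            ctx.set_ciphers("ALL:aNULL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _proto, _bits = tls.cipher()
                result.update(
                    established=True, protocol=tls.version(), cipher=name,
                    peer_cert=tls.getpeercert(binary_form=True) is not None,
                    anonymous=name.startswith(("ADH", "AECDH")) or "anon" in name.lower())
    except OSError as exc:              # ssl.SSLError is an OSError subclass
        result["reason"] = str(exc)
    return result

def start_plain_listener(reply=b"not tls\r\n"):
    """Constructed stand-in for a port that is NOT speaking TLS: accept one
    connection, answer in cleartext, close. Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)             # swallow the ClientHello
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port
```

Against the H2 port, run probe_tls(host, port) and then probe_tls(host, port, allow_anonymous=True): a server that fails the first but succeeds the second with anonymous=True is encrypting without any server identity, which is what "no peer certificate available" plus a handshake failure on the default suites looks like from the client side.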