For looking at possible causes of SSL handshake failures, start your H2 server with

    java -Djavax.net.debug=ssl:handshake:verbose [other needed arguments]

and capture the output. There is going to be a lot about trust store certificates in the beginning; the details of the SSL negotiation exchange are going to be much later. Look at https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https to get some idea of what to expect. You can try to connect to the server with your normal H2 client, or with openssl as you tried before (but the reasons for failure may not be the same).

Regards,
Tomas

On Friday, August 5, 2016 at 1:22:25 PM UTC-4, Subhash Agrawal wrote:
> Hi All,
>
> We are embedding H2 in a Java process. We use H2 version 1.4.192. We use jdk1_8_0_u91. We are using it in SSL mode.
>
> We start H2 like this in the code:
>
>     svrArgs = new String[] { "-tcpSSL", "-tcpPort", portNum, "-tcpAllowOthers" };
>     Server.createTcpServer(svrArgs).start();
>
> When we use jdbc:h2:ssl://localhost:<portnum>/mem:LogDB;DB_CLOSE_DELAY=-1; as the JDBC URL, we can see the data. If we try to use jdbc:h2:tcp://localhost:<portnum>/mem:LogDB;DB_CLOSE_DELAY=-1; it does not get the data. This is expected behavior.
>
> Now my problem is that if I run the following command to see the port status, it does not find any keystore/certificates. It seems like it is running as a non-SSL port. Even QA folks used Wireshark and they found that data between the client and the H2 server is not encrypted even though we use SSL in the JDBC URL.
>
>     openssl s_client -debug -connect localhost:<portnum> -tls1
>
> I get this response:
>
> CONNECTED(00000003)
> write to -0x7ffa64c0 [-0x7ff895d5] (226 bytes => 226 (0xE2))
> 0000 - 16 03 01 00 dd 01 00 00-d9 03 01 57 a3 d7 19 74   ...........W...t
> 0010 - bb ff 0d a2 e5 42 cb 17-69 f1 c2 b3 b9 77 0a 3c   .....B..i....w.<
> 0020 - e4 5a dd c6 88 9b 4f 83-9c b5 0e 00 00 66 c0 14   .Z....O......f..
> 0030 - c0 0a c0 22 c0 21 00 39-00 38 00 88 00 87 c0 0f   ...".!.9.8......
> 0040 - c0 05 00 35 00 84 c0 12-c0 08 c0 1c c0 1b 00 16   ...5............
> 0050 - 00 13 c0 0d c0 03 00 0a-c0 13 c0 09 c0 1f c0 1e   ................
> 0060 - 00 33 00 32 00 9a 00 99-00 45 00 44 c0 0e c0 04   .3.2.....E.D....
> 0070 - 00 2f 00 96 00 41 c0 11-c0 07 c0 0c c0 02 00 05   ./...A..........
> 0080 - 00 04 00 15 00 12 00 09-00 14 00 11 00 08 00 06   ................
> 0090 - 00 03 00 ff 02 01 00 00-49 00 0b 00 04 03 00 01   ........I.......
> 00a0 - 02 00 0a 00 34 00 32 00-0e 00 0d 00 19 00 0b 00   ....4.2.........
> 00b0 - 0c 00 18 00 09 00 0a 00-16 00 17 00 08 00 06 00   ................
> 00c0 - 07 00 14 00 15 00 04 00-05 00 12 00 13 00 01 00   ................
> 00d0 - 02 00 03 00 0f 00 10 00-11 00 23 00 00 00 0f 00   ..........#.....
> 00e0 - 01 01                                             ..
> read from -0x7ffa64c0 [-0x7ffa6465] (5 bytes => 5 (0x5))
> 0000 - 15 03 01 00 02                                    .....
> read from -0x7ffa64c0 [-0x7ffa6460] (2 bytes => 2 (0x2))
> 0000 - 02 28                                             .(
> 2675740:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
> 2675740:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1470355225
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---
>
> After this, I added code to set system properties like this to use my own keystore:
>     System.setProperty("javax.net.ssl.keyStore", keystoreLocation);
>     System.setProperty("javax.net.ssl.keyStorePassword", keystorePassword);
>     System.setProperty("javax.net.ssl.trustStore", truststoreLocation);
>     System.setProperty("javax.net.ssl.trustStorePassword", truststorePassword);
>     System.setProperty("javax.net.ssl.keyStoreType", "JKS");
>     System.setProperty("javax.net.ssl.trustStoreType", "JKS");
>     System.setProperty("h2.enableAnonymousTLS", "false");
>     h2Server = Server.createTcpServer(svrArgs).start();
>
> But I still don't see any certificates/keystore if I run the openssl s_client -debug -connect localhost:<portnum> -tls1 command.
>
> I know the keystore/password is good as I am using it in the same Java process to enable SSL for other embedded servers.
>
> Any idea if it is a known issue or what am I doing wrong?
>
> Thanks
> Subhash Agrawal.
>
> --
> Regards,
> Subhash Agrawal
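As an added example (not code from H2, and not from either poster), the Python below decodes the two records quoted in the message above: the ClientHello that openssl sent and the seven-byte reply the server gave. It lists the cipher suites openssl offered, checks whether any of them are anonymous (unauthenticated DH/ECDH) suites, which is the family H2's h2.enableAnonymousTLS mode relies on, and decodes the reply as a fatal alert 40, handshake_failure. The set of anonymous suite IDs is taken from the IANA TLS cipher suite registry; the ServerHello at the end is constructed here, not captured, to show what a successful reply decodes to.

```python
"""Decode the openssl s_client exchange quoted in the thread above.

Added illustration, not code from H2 or from anyone in the thread. The
ClientHello and the 7-byte reply are copied from the openssl -debug dump in
the quoted message; the ServerHello at the bottom is constructed.
"""
import struct

CT_ALERT, CT_HANDSHAKE = 0x15, 0x16            # record content types, RFC 5246 6.2.1
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02  # handshake message types, RFC 5246 7.4

# Alert descriptions that typically end a failed handshake, RFC 5246 7.2
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
          70: "protocol_version", 71: "insufficient_security", 80: "internal_error"}

# Unauthenticated suites (TLS_DH_anon_*, TLS_ECDH_anon_*) per the IANA registry.
# openssl's DEFAULT cipher list excludes them (aNULL), so s_client never offers them.
ANONYMOUS_SUITES = {0x0017, 0x0018, 0x0019, 0x001A, 0x001B, 0x0034, 0x003A, 0x006C,
                    0x006D, 0x00A6, 0x00A7, 0xC015, 0xC016, 0xC017, 0xC018, 0xC019}

# ClientHello exactly as dumped by "openssl s_client -debug ... -tls1" in the post
CLIENT_HELLO_HEX = """
16 03 01 00 dd 01 00 00 d9 03 01 57 a3 d7 19 74 bb ff 0d a2 e5 42 cb 17 69 f1 c2 b3 b9 77 0a 3c
e4 5a dd c6 88 9b 4f 83 9c b5 0e 00 00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f
c0 05 00 35 00 84 c0 12 c0 08 c0 1c c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e
00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05
00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 00 ff 02 01 00 00 49 00 0b 00 04 03 00 01
02 00 0a 00 34 00 32 00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00
07 00 14 00 15 00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00 00 0f 00
01 01
"""
# The server's entire reply from the post: one alert record, level 2, description 0x28
SERVER_REPLY_HEX = "15 03 01 00 02 02 28"
# Constructed (not captured): a ServerHello choosing TLS_DH_anon_WITH_AES_128_CBC_SHA
CONSTRUCTED_SERVER_HELLO_HEX = "16 03 01 00 2a 02 00 00 26 03 01" + " 00" * 32 + " 00 00 34 00"


def unhex(text):
    return bytes.fromhex("".join(text.split()))


def tls_record(data):
    """Split off the first TLS record -> (content_type, (major, minor), payload)."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record payload")
    return ctype, (major, minor), payload


def handshake_body(payload, expected_type):
    """Strip the 4-byte handshake header, checking the message type and length."""
    msg_type, length = payload[0], int.from_bytes(payload[1:4], "big")
    if msg_type != expected_type or len(payload) < 4 + length:
        raise ValueError("unexpected or truncated handshake message")
    return payload[4:4 + length]


def parse_client_hello(payload):
    body = handshake_body(payload, HS_CLIENT_HELLO)
    pos = 2 + 32                                   # client_version, random
    pos += 1 + body[pos]                           # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression_methods
    extensions = []
    if pos < len(body):                            # the extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            extensions.append(ext_type)
            pos += 4 + ext_len
    return {"version": (body[0], body[1]), "cipher_suites": suites, "extensions": extensions}


def parse_server_hello(payload):
    body = handshake_body(payload, HS_SERVER_HELLO)
    pos = 2 + 32                                   # server_version, random
    pos += 1 + body[pos]                           # session_id
    return {"version": (body[0], body[1]), "cipher_suite": struct.unpack("!H", body[pos:pos + 2])[0]}


def diagnose(client_bytes, server_bytes):
    """Summarise what the server's first record says about the ClientHello it received."""
    _, _, hello_payload = tls_record(client_bytes)
    hello = parse_client_hello(hello_payload)
    ctype, version, payload = tls_record(server_bytes)
    result = {"offered": hello["cipher_suites"], "server_version": version,
              "anonymous_offered": sorted(s for s in hello["cipher_suites"] if s in ANONYMOUS_SUITES)}
    if ctype == CT_ALERT:                          # rejected before any ServerHello
        level, code = payload[0], payload[1]
        result["alert"] = ("fatal" if level == 2 else "warning", code, ALERTS.get(code, "unknown"))
        result["chosen"] = None
    elif ctype == CT_HANDSHAKE:                    # negotiation continued
        result["alert"] = None
        result["chosen"] = parse_server_hello(payload)["cipher_suite"]
    else:
        raise ValueError("unexpected content type 0x%02x" % ctype)
    return result


if __name__ == "__main__":
    for label, reply in (("captured", SERVER_REPLY_HEX), ("constructed", CONSTRUCTED_SERVER_HELLO_HEX)):
        r = diagnose(unhex(CLIENT_HELLO_HEX), unhex(reply))
        print(label, "offered %d suites, anonymous offered: %s, alert: %s, chosen: %s"
              % (len(r["offered"]), r["anonymous_offered"], r["alert"], r["chosen"]))
```

A fatal handshake_failure arriving before any ServerHello means the server found nothing in the ClientHello it could use, so the things to compare on the server side are the cipher suites it has enabled and the protocol version (here forced to TLS 1.0 by -tls1). The 51 suites openssl offered contain no anonymous suite, so an H2 server that only has anonymous suites to offer cannot complete this handshake; rerunning with `-cipher aNULL` is the quick way to test that, and the -Djavax.net.debug=ssl:handshake:verbose output suggested above shows the server's side of the same decision.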
