Thanks Thomas. I found the issue in my code. It works for me now.

On Fri, Aug 12, 2016 at 12:09 PM, Tomas Pospichal <[email protected]> wrote:

> For looking at possible causes of SSL handshake failures, start your H2
> server with
>
>   java -Djavax.net.debug=ssl:handshake:verbose [other needed arguments]
>
> and capture the output. There is going to be a lot about trust store
> certificates in the beginning; the details of the SSL negotiation exchange
> are going to be much later. Look at
> https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https
> to get some idea of what to expect.
>
> You can try to connect to the server with your normal H2 client, or with
> openssl as you tried before (but the reasons for failure may not be the
> same).
>
> Regards,
> Tomas
>
> On Friday, August 5, 2016 at 1:22:25 PM UTC-4, Subhash Agrawal wrote:
>>
>> Hi All,
>>
>> We are embedding H2 in a Java process. We use H2 version 1.4.192. We use
>> jdk1_8_0_u91. We are using it in SSL mode.
>>
>> We start H2 like this in the code:
>>
>>   svrArgs = new String[] { "-tcpSSL", "-tcpPort", portNum, "-tcpAllowOthers" };
>>   Server.createTcpServer(svrArgs).start();
>>
>> When we use jdbc:h2:ssl://localhost:<portnum>/mem:LogDB;DB_CLOSE_DELAY=-1;
>> as the JDBC URL, we can see the data. If we try to use
>> jdbc:h2:tcp://localhost:<portnum>/mem:LogDB;DB_CLOSE_DELAY=-1; it does
>> not get the data. This is expected behavior.
>>
>> Now my problem is that if I run the following command to see the port
>> status, it does not find any keystore/certificates. It seems like it is
>> running as a non-SSL port. Even QA folks used Wireshark and they found
>> that data between client and H2 server is not encrypted even though we
>> use SSL in the JDBC URL.
>>
>>   openssl s_client -debug -connect localhost:<portnum> -tls1
>>
>> I get this response:
>>
>> CONNECTED(00000003)
>> write to -0x7ffa64c0 [-0x7ff895d5] (226 bytes => 226 (0xE2))
>> 0000 - 16 03 01 00 dd 01 00 00-d9 03 01 57 a3 d7 19 74 ...........W...t
>> 0010 - bb ff 0d a2 e5 42 cb 17-69 f1 c2 b3 b9 77 0a 3c .....B..i....w.<
>> 0020 - e4 5a dd c6 88 9b 4f 83-9c b5 0e 00 00 66 c0 14 .Z....O......f..
>> 0030 - c0 0a c0 22 c0 21 00 39-00 38 00 88 00 87 c0 0f ...".!.9.8......
>> 0040 - c0 05 00 35 00 84 c0 12-c0 08 c0 1c c0 1b 00 16 ...5............
>> 0050 - 00 13 c0 0d c0 03 00 0a-c0 13 c0 09 c0 1f c0 1e ................
>> 0060 - 00 33 00 32 00 9a 00 99-00 45 00 44 c0 0e c0 04 .3.2.....E.D....
>> 0070 - 00 2f 00 96 00 41 c0 11-c0 07 c0 0c c0 02 00 05 ./...A..........
>> 0080 - 00 04 00 15 00 12 00 09-00 14 00 11 00 08 00 06 ................
>> 0090 - 00 03 00 ff 02 01 00 00-49 00 0b 00 04 03 00 01 ........I.......
>> 00a0 - 02 00 0a 00 34 00 32 00-0e 00 0d 00 19 00 0b 00 ....4.2.........
>> 00b0 - 0c 00 18 00 09 00 0a 00-16 00 17 00 08 00 06 00 ................
>> 00c0 - 07 00 14 00 15 00 04 00-05 00 12 00 13 00 01 00 ................
>> 00d0 - 02 00 03 00 0f 00 10 00-11 00 23 00 00 00 0f 00 ..........#.....
>> 00e0 - 01 01 ..
>> read from -0x7ffa64c0 [-0x7ffa6465] (5 bytes => 5 (0x5))
>> 0000 - 15 03 01 00 02 .....
>> read from -0x7ffa64c0 [-0x7ffa6460] (2 bytes => 2 (0x2))
>> 0000 - 02 28 .(
>> 2675740:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1256:SSL alert number 40
>> 2675740:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 7 bytes and written 0 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : 0000
>>     Session-ID:
>>     Session-ID-ctx:
>>     Master-Key:
>>     Key-Arg   : None
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     Start Time: 1470355225
>>     Timeout   : 7200 (sec)
>>     Verify return code: 0 (ok)
>> ---
>>
>> After this, I added code to set system properties like this to use my
>> own keystore:
>>
>>   System.setProperty("javax.net.ssl.keyStore", keystoreLocation);
>>   System.setProperty("javax.net.ssl.keyStorePassword", keystorePassword);
>>   System.setProperty("javax.net.ssl.trustStore", truststoreLocation);
>>   System.setProperty("javax.net.ssl.trustStorePassword", truststorePassword);
>>   System.setProperty("javax.net.ssl.keyStoreType", "JKS");
>>   System.setProperty("javax.net.ssl.trustStoreType", "JKS");
>>   System.setProperty("h2.enableAnonymousTLS", "false");
>>   h2Server = Server.createTcpServer(svrArgs).start();
>>
>> But I still don't see any certificates/keystore if I run the
>> openssl s_client -debug -connect localhost:<portnum> -tls1 command.
>>
>> I know the keystore/password is good as I am using it in the same Java
>> process to enable SSL for other embedded servers.
>>
>> Any idea if it is a known issue or what am I doing wrong?
>>
>> Thanks
>> Subhash Agrawal.
>>
>> --
>> Regards,
>> Subhash Agrawal
>
> --
> You received this message because you are subscribed to the Google Groups
> "H2 Database" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at https://groups.google.com/group/h2-database.
> For more options, visit https://groups.google.com/d/optout.

--
Regards,
Subhash Agrawal
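The openssl s_client transcript quoted above already contains the answer to "why is there no peer certificate": the server replied to the ClientHello with a single TLS alert before sending any handshake message at all. The following decoder is an added example, not code from the thread or from the H2 project. The two byte strings are transcribed from the hex dump in the quoted message (the 226-byte ClientHello openssl wrote, and the 7 bytes the H2 port sent back); everything else is plain TLS record and handshake parsing per RFC 5246 and can be run over any captured exchange. Besides decoding the alert (level 2 = fatal, description 40 = handshake_failure), it reports whether the client offered any anonymous (aNULL) suites, which is the relevant question when toggling the h2.enableAnonymousTLS property mentioned in the thread: anonymous suites never present a certificate, and OpenSSL's default cipher list does not offer them.

```python
"""Decode a captured TLS exchange: what the client offered, what the server answered.

Added example; the byte strings below are transcribed from the openssl
s_client hex dump quoted in this thread. The parser itself is generic.
"""
import struct

RECORD_ALERT = 0x15
RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_CERTIFICATE = 0x0B

ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate",
                      46: "certificate_unknown", 48: "unknown_ca",
                      70: "protocol_version", 80: "internal_error"}

# IANA ids of the DH_anon / ECDH_anon suites: unauthenticated, no Certificate message is sent.
ANONYMOUS_SUITES = {0x0018, 0x001B, 0x0034, 0x003A, 0x006C, 0x006D,
                    0xC015, 0xC016, 0xC017, 0xC018, 0xC019}

# Transcribed from the thread: the ClientHello record openssl s_client -tls1 wrote (226 bytes).
CLIENT_HELLO_RECORD = bytes.fromhex("".join([
    "16030100dd010000d9030157a3d71974", "bbff0da2e542cb1769f1c2b3b9770a3c",
    "e45addc6889b4f839cb50e000066c014", "c00ac022c0210039003800880087c00f",
    "c00500350084c012c008c01cc01b0016", "0013c00dc003000ac013c009c01fc01e",
    "00330032009a009900450044c00ec004", "002f00960041c011c007c00cc0020005",
    "00040015001200090014001100080006", "000300ff0201000049000b0004030001",
    "02000a00340032000e000d0019000b00", "0c00180009000a001600170008000600",
    "07001400150004000500120013000100", "020003000f0010001100230000000f00",
    "0101"]))
# Transcribed from the thread: the 7 bytes the H2 port sent back (two reads of 5 and 2 bytes).
SERVER_REPLY = bytes.fromhex("1503010002" "0228")


def parse_records(data):
    """Split a byte stream into TLS records as (content_type, (major, minor), payload)."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record body")
        records.append((ctype, (major, minor), payload))
        off += 5 + length
    return records


def handshake_message_types(payload):
    """List the handshake message types packed into one Handshake record."""
    types, off = [], 0
    while off + 4 <= len(payload):
        types.append(payload[off])
        off += 4 + int.from_bytes(payload[off + 1:off + 4], "big")
    return types


def parse_client_hello(payload):
    """Parse a Handshake record payload that holds exactly one ClientHello."""
    if payload[0] != HANDSHAKE_CLIENT_HELLO or int.from_bytes(payload[1:4], "big") != len(payload) - 4:
        raise ValueError("not a complete ClientHello")
    body = payload[4:]
    version, off = (body[0], body[1]), 34          # 2 bytes version + 32 bytes random
    sid_len = body[off]; off += 1 + sid_len        # session id (empty in the capture)
    cs_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    suites = [struct.unpack("!H", body[off + i:off + i + 2])[0] for i in range(0, cs_len, 2)]
    off += cs_len
    comp_len = body[off]; off += 1
    compression = list(body[off:off + comp_len]); off += comp_len
    extensions = []
    if off < len(body):                            # extensions block is optional
        ext_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
        end = off + ext_len
        while off < end:
            etype, elen = struct.unpack("!HH", body[off:off + 4]); off += 4
            extensions.append((etype, body[off:off + elen])); off += elen
    return {"version": version, "cipher_suites": suites,
            "compression": compression, "extensions": extensions}


def anonymous_suites_offered(suites):
    """Ids of anonymous suites in the client's offer (empty for OpenSSL's default list)."""
    return [s for s in suites if s in ANONYMOUS_SUITES]


def parse_alert(payload):
    """Decode a 2-byte Alert payload into (level, description) names."""
    return (ALERT_LEVELS.get(payload[0], str(payload[0])),
            ALERT_DESCRIPTIONS.get(payload[1], str(payload[1])))


def summarize_exchange(client_bytes, server_bytes):
    """Did the server answer with a Certificate or with an alert, and what did the client offer?"""
    hello, alert, sent_cert = None, None, False
    for ctype, _, payload in parse_records(client_bytes):
        if ctype == RECORD_HANDSHAKE and payload[0] == HANDSHAKE_CLIENT_HELLO:
            hello = parse_client_hello(payload)
    for ctype, _, payload in parse_records(server_bytes):
        if ctype == RECORD_ALERT:
            alert = parse_alert(payload)
        elif ctype == RECORD_HANDSHAKE and HANDSHAKE_CERTIFICATE in handshake_message_types(payload):
            sent_cert = True
    return {"client_version": hello["version"] if hello else None,
            "suites_offered": len(hello["cipher_suites"]) if hello else 0,
            "anonymous_suites_offered": anonymous_suites_offered(hello["cipher_suites"]) if hello else [],
            "server_sent_certificate": sent_cert,
            "alert": alert}


if __name__ == "__main__":
    for key, value in summarize_exchange(CLIENT_HELLO_RECORD, SERVER_REPLY).items():
        print(f"{key}: {value}")
```

Run as-is, the summary shows a TLS 1.0 ClientHello offering 51 suites, none of them anonymous, answered by a fatal handshake_failure alert with no Certificate message in between. That is a negotiation failure (no protocol version or suite both sides accept), not a certificate problem, which is why the same transcript says "no peer certificate available" and "Cipher is (NONE)". The javax.net.debug=ssl:handshake:verbose output Tomas suggests is the server-side view of the same decision.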
