mmount  
#1 Posted : Thursday, July 16, 2015 11:14:29 AM(UTC)
mmount

Rank: Advanced Member

Groups: Member
Joined: 11/30/2012(UTC)
Posts: 61

Thanks: 6 times
Some of our users are reporting an error today while trying to upload images to our Amazon S3 account. The error says that the certificate is not trusted because we are going to https://54.231.18.248:443 and the certificate is for *.s3.amazonaws.com

I don't see the place where I tell the AmazonS3Extender what address to use. How do I make it connect to the DNS instead of the IP?

Note: I am using v8.0.98 of the upload suite

Also, I can't seem to post into the Java Uploader forum.

Thanks,

Mike
Dmitri  
#2 Posted : Friday, July 17, 2015 4:20:39 AM(UTC)
Dmitri

Rank: Advanced Member

Groups: Member
Joined: 6/10/2013(UTC)
Posts: 34

Was thanked: 1 time(s) in 1 post(s)
AmazonS3Extender always sends a request to http://<bucket name>.s3.amazonaws.com. The bucket name is specified among its properties. I am not sure why it tries to send files to the IP address. Maybe you have actionUrl in the uploader?

Please send a Java console log.

BTW, I would recommend updating the uploader to the latest version. There is an improvement of S3 support in the recent releases of the Java uploader. Also, in the near future there will be Amazon S3 support in the HTML5 uploader.
Best regards,
Dmitri Vorobyov
mmount  
#3 Posted : Friday, July 17, 2015 5:45:03 AM(UTC)
Thanks. Maybe I'm reading the message wrong:

screenshot of error

Here is the Java Console text:
Quote:
Java Plug-in 11.51.2.16
Using JRE version 1.8.0_51-b16 Java HotSpot(TM) 64-Bit Server VM
User home directory = /Users/michaelmount

c: clear console window
f: finalize objects on finalization queue
g: garbage collect
h: display this help message
l: dump classloader list
m: print memory usage
o: trigger logging
q: hide console
r: reload policy configuration
s: dump system and deployment properties
t: dump thread list
v: dump thread stack
x: clear classloader cache
0-5: set trace level to <n>

Aurigma Upload Suite: version: 8.0.98.0
Aurigma Upload Suite: build date: 2014/07/04
Aurigma Upload Suite: current document URL: https://portal.nfronline...le=W&tableID=1889655
Aurigma Upload Suite: reading cookies...
Aurigma Upload Suite: read document cookies: _ga=GA1.2.2045677477.1407592781; __utma=128752595.2045677477.1407592781.1435263959.1435692144.61; __utmz=128752595.1407592781.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SnapABugRef=https%3A%2F%2Fportal.nfronline.com%2F%20; SnapABugHistory=71#; __utmt=1; nfrid=NFR; nfrtype=employee; __utma=268533616.2087686980.1399025863.1437071715.1437139150.67; __utmb=268533616.23.10.1437139150; __utmc=268533616; __utmz=268533616.1399025863.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); SnapABugVisit=23#1437139149
Aurigma Upload Suite: chunk upload: off
Aurigma Upload Suite: uploading to https://nfr.photos.s3.amazonaws.com
Aurigma Upload Suite: using proxy: null
Aurigma Upload Suite: request cookies: [_ga=GA1.2.2045677477.1407592781;__utma=128752595.2045677477.1407592781.1435263959.1435692144.61;__utmz=128752595.1407592781.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);SnapABugRef=https%3A%2F%2Fportal.nfronline.com%2F%20;SnapABugHistory=71#;__utmt=1;ASP.NET_SessionId=jjugv0o3tx1ctpf2dzgpknuv;nfrid=NFR;nfrtype=employee;.ASPXAUTH=CEDE123199DB929FA53375177DA0475603D3B91BA6F98BF30A40839E22087EC4E8AA124AA1F443CCDCD25331F4F5CE0211E3342DB7232C15989B29FA9E28BA6FFFAC41A51AA104EE9C6F1A4D9B834CE1E836A2A4;__utmb=268533616.23.10.1437139150;__utmc=268533616;SnapABugVisit=23#1437139149]
Aurigma Upload Suite: error: PackageUploader.upload() faced with unexpected exception.
exception javax.net.ssl.SSLPeerUnverifiedException thrown.
<<<<<<<<<<<<<<<<
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431)
at org.apache.http.conn.d.a.a(Unknown Source)
at org.apache.http.conn.d.d.a(Unknown Source)
at org.apache.http.impl.a.e.a(Unknown Source)
at org.apache.http.impl.a.b.a(Unknown Source)
at org.apache.http.impl.a.c.a(Unknown Source)
at org.apache.http.impl.client.i.a(Unknown Source)
at org.apache.http.impl.client.b.a(Unknown Source)
at org.apache.http.impl.client.b.a(Unknown Source)
at com.aurigma.uploader.upload.x.a(Unknown Source)
at com.aurigma.uploader.upload.m.a(Unknown Source)
at com.aurigma.uploader.upload.n.run(Unknown Source)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
>>>>>>>>>>>>>>>>

Aurigma Upload Suite: error: exception com.aurigma.uploader.upload.UploadException thrown.
<<<<<<<<<<<<<<<<
com.aurigma.uploader.upload.UploadException
at com.aurigma.uploader.upload.m.a(Unknown Source)
at com.aurigma.uploader.upload.n.run(Unknown Source)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
>>>>>>>>>>>>>>>>

Aurigma Upload Suite: upload failed! Error code = 0, responsePage:
peer not authenticated


I had been looking at the change logs and had not noticed any changes to the Java uploader. Every time I update it takes hours so I try to only do it when there is a benefit. I will look again. Thanks,

Mike
Dmitri  
#4 Posted : Monday, July 20, 2015 4:27:24 AM(UTC)
What is specified in the Java applet's codebase? It does not look like it loads the .jar file from portal.nfronline.com.
Best regards,
Dmitri Vorobyov
mmount  
#5 Posted : Friday, August 7, 2015 7:52:31 AM(UTC)
Originally Posted by: Dmitri
What is specified in the Java applet's codebase? It does not look like it loads the .jar file from portal.nfronline.com.


Sorry, I don't know. I wanted to try updating to the current version. Which I have and there is no change.

The problem, I think, is that our bucket name has a dot in it. Is there a way to tell Aurigma to use the s3.amazonaws.com/bucket.name format instead of the bucket.name.s3.amazonaws.com format?

I'm not sure what is involved in changing our bucket name now.

Thanks,

Mike
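
How single-label wildcard matching (RFC 6125) treats the hostnames in this thread, as an added example that is not part of any post and is not Aurigma's code. The `*.s3.amazonaws.com` pattern, the `nfr.photos` bucket and the IP address come from the thread; the bare `s3.amazonaws.com` certificate name, the `nfr-photos` bucket and all function names are assumptions made for illustration.

```python
import ipaddress

def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate DNS name pattern covers hostname."""
    if is_ip(hostname):
        return False  # IP literals are never matched against DNS name patterns
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # "*" never spans a dot, so label counts must agree
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h

def cert_covers(cert_names, hostname):
    return any(name_matches(n, hostname) for n in cert_names)

def s3_hosts(bucket, endpoint="s3.amazonaws.com"):
    """TLS hostname that each S3 addressing style connects to."""
    return {"virtual_hosted": f"{bucket}.{endpoint}", "path_style": endpoint}

def check_bucket(bucket, cert_names):
    return {style: cert_covers(cert_names, host)
            for style, host in s3_hosts(bucket).items()}

# First name is from the thread; the second is assumed for the path-style case.
CERT_NAMES = ["*.s3.amazonaws.com", "s3.amazonaws.com"]

if __name__ == "__main__":
    for bucket in ("nfr.photos", "nfr-photos"):  # second bucket is constructed
        print(bucket, check_bucket(bucket, CERT_NAMES))
    print("54.231.18.248", cert_covers(CERT_NAMES, "54.231.18.248"))
```
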
Andrew  
#6 Posted : Sunday, August 9, 2015 8:59:42 PM(UTC)
Andrew

Rank: Advanced Member

Groups: Member, Administration
Joined: 8/2/2003(UTC)
Posts: 870

Thanks: 2 times
Was thanked: 26 time(s) in 26 post(s)
Hi Mike,

Recently we had a similar issue with another website using Java uploader through SSL caused by the recent Java update 8u51. Two changes may be relevant.

1. Reverse DNS lookup issue (IP instead of domain)

https://www.java.com/en/download/faq/release_changes.xml wrote:
Bug Fix: Improved certification checking

With this fix, JSSE endpoint identification does not perform reverse name lookup for IP addresses by default in JDK. If an application does need to perform reverse name lookup for raw IP addresses in SSL/TLS connections, and encounter endpoint identification compatibility issue, System property "jdk.tls.trustNameService" can be used to switch on reverse name lookup. Note that if the name service is not trustworthy, enabling reverse name lookup may be susceptible to MITM attacks. See JDK-8067695 (not public).


Perhaps it is a reason why you see the IP address instead of the domain name in the error message. I am still not sure why Java replaces the domain name with the IP, but one of the ideas was to check the reverse DNS lookup settings on a DNS server (it was not configured in this customer's case). However, the customer decided to switch to HTML5 uploader, so we did not have an opportunity to check this idea.

To check whether this "improvement" is related to your problem, you can try the "jdk.tls.trustNameService" solution. Since you have to do it on a client machine, it is not a solution (or you would have to instruct each of your users to do it), but at least you will make sure that this update is the culprit. Follow these instructions:

1. Go to C:\Program Files (x86)\Java\jre1.8.0_51\lib\security folder (if you have other Java installation location, modify this path accordingly)
2. Run any text editor, e.g. Notepad, as administrator (right click an appropriate icon and choose Run As Administrator)
3. Open java.security file in this editor.
4. Add the following line to the end of the file and save it:

Code:
jdk.tls.trustNameService=true


5. Restart the browser. You may also need to clear Java applet cache in Java control panel (or by turning caching off in the uploader settings).

2. RC4 algorithm is banned (Peer Not Authenticated exception)

There is another "security improvement" which causes Peer Not Authenticated exception:

https://www.java.com/en/download/faq/release_changes.xml wrote:
Bug Fix: Deprecate RC4 in SunJSSE provider

RC4 is now considered as a weak cipher. Servers should not select RC4 unless there is no other stronger candidate in the client requested cipher suites. A new security property, jdk.tls.legacyAlgorithms, is added to define the legacy algorithms in Oracle JSSE implementation. RC4 related algorithms are added to the legacy algorithms list. See JDK-8074006 (not public).

Bug Fix: Prohibit RC4 cipher suites

RC4 is now considered as a compromised cipher. RC4 cipher suites have been removed from both client and server default enabled cipher suite list in Oracle JSSE implementation. These cipher suites can still be enabled by SSLEngine.setEnabledCipherSuites() and SSLSocket.setEnabledCipherSuites() methods. See JDK-8077109 (not public).


In other words, now if your server is configured to use RC4 cipher algorithm when establishing SSL connection, Java considers it as being unsafe (i.e. the same as wrong certificate). Although it is possible to turn off this behavior, the more correct way would be to fix your server settings to make it more secure.

There is a great website https://www.ssllabs.com/ which can help to troubleshoot the problem. You can go there, specify your website address and it will generate a report saying what you should fix in your SSL settings to make the website secure. If you notice something related to RC4, you may be sure that new Java runtime won't work with it.

Hope this helps.
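
Because the quoted release note warns that enabling reverse name lookup may be susceptible to MITM attacks, a check like the following can find java.security files where the diagnostic override from step 4 was left in place. This is an added example, not part of the post and not Aurigma's or Oracle's code; the sample file text is constructed and the function names are hypothetical.

```python
import re

# Constructed excerpt in java.security syntax (not a real JRE file).
# The last line is the override from step 4 above.
SAMPLE = r"""
# constructed sample
jdk.tls.legacyAlgorithms= \
    K_NULL, C_NULL, RC4_128, RC4_40, \
    DES_CBC
! diagnostic override appended at the end of the file
jdk.tls.trustNameService=true
"""

def parse_properties(text):
    """Parse Java .properties text; a later definition of a key wins."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:             # odd backslash count: continuation
            logical += line[:-1]
            continue
        logical += line
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
        logical = ""
    return props

def audit(text):
    """Report the two settings named in the quoted release notes."""
    props = parse_properties(text)
    legacy = [a.strip() for a in props.get("jdk.tls.legacyAlgorithms", "").split(",")]
    return {
        "trust_name_service": props.get("jdk.tls.trustNameService", "").lower() == "true",
        "rc4_legacy": [a for a in legacy if a.upper().startswith("RC4")],
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```
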
mmount  
#7 Posted : Monday, August 10, 2015 6:26:51 AM(UTC)
With fix #1 I still get a message with a continue button but it allows upload without the Peer not Authenticated error. I will have my support team test with an actual client having the issue.

It is not a feasible solution in practice (too many clients).

Thanks,

Mike
Andrew  
#8 Posted : Tuesday, August 11, 2015 5:36:29 AM(UTC)
Michael,

We are working on a new release which will include Amazon S3 upload in HTML5 uploader. So hopefully you will be able to get rid of Java uploader soon.