Java applet giving Cert error on upload to S3

Options

Previous Topic Next Topic

mmount User Profile View All Posts by User View Thanks		#1 Posted : Thursday, July 16, 2015 11:14:29 AM(UTC)
Rank: Advanced Member Groups: Member Joined: 11/30/2012(UTC) Posts: 61 Thanks: 6 times		Some of our users are reporting an error today while trying to upload images to our Amazon S3 account. The error says that the certificate is not trusted because we are going to https://54.231.18.248:443 and the certificate is for *.s3.amazonaws.com I don't see the place where I tell the AmazonS3Extender what address to use. How do I make it connect to the DNS instead of the IP? Note: I am using v8.0.98 of the upload suite Also, I can't seem to post into the Java Uploader forum. Thanks, Mike

Dmitri User Profile View All Posts by User View Thanks		#2 Posted : Friday, July 17, 2015 4:20:39 AM(UTC)
Rank: Advanced Member Groups: Joined: 6/10/2013(UTC) Posts: 34 Was thanked: 1 time(s) in 1 post(s)		AmazonS3Extender always sends a request to http://<bucket name>.s3.amazonaws.com. The bucket name is specified among its properties. I am not sure why it tries to send files to the IP address. Maybe you have actionUrl in the uploader? Please send a Java console log. BTW, I would recommend updating the uploader to the latest version. There is an improvement of S3 support in the recent releases of Java uploader. Also, in the nearest time there will be the Amazon S3 support in HTML5 uploader.
		Best regards, Dmitri Vorobyov

mmount User Profile View All Posts by User View Thanks		#3 Posted : Friday, July 17, 2015 5:45:03 AM(UTC)
Rank: Advanced Member Groups: Member Joined: 11/30/2012(UTC) Posts: 61 Thanks: 6 times		Thanks. Maybe I'm reading the message wrong: Here is the Java Console text: Quote: Java Plug-in 11.51.2.16 Using JRE version 1.8.0_51-b16 Java HotSpot(TM) 64-Bit Server VM User home directory = /Users/michaelmount ---------------------------------------------------- c: clear console window f: finalize objects on finalization queue g: garbage collect h: display this help message l: dump classloader list m: print memory usage o: trigger logging q: hide console r: reload policy configuration s: dump system and deployment properties t: dump thread list v: dump thread stack x: clear classloader cache 0-5: set trace level to <n> ---------------------------------------------------- Aurigma Upload Suite: version: 8.0.98.0 Aurigma Upload Suite: build date: 2014/07/04 Aurigma Upload Suite: current document URL: https://portal.nfronline...le=W&tableID=1889655 Aurigma Upload Suite: reading cookies... Aurigma Upload Suite: read document cookies: _ga=GA1.2.2045677477.1407592781; __utma=128752595.2045677477.1407592781.1435263959.1435692144.61; __utmz=128752595.1407592781.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none); SnapABugRef=https%3A%2F%2Fportal.nfronline.com%2F%20; SnapABugHistory=71#; __utmt=1; nfrid=NFR; nfrtype=employee; __utma=268533616.2087686980.1399025863.1437071715.1437139150.67; __utmb=268533616.23.10.1437139150; __utmc=268533616; __utmz=268533616.1399025863.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none); SnapABugVisit=23#1437139149 Aurigma Upload Suite: chunk upload: off Aurigma Upload Suite: uploading to https://nfr.photos.s3.amazonaws.com Aurigma Upload Suite: using proxy: null Aurigma Upload Suite: request cookies: [_ga=GA1.2.2045677477.1407592781;__utma=128752595.2045677477.1407592781.1435263959.1435692144.61;__utmz=128752595.1407592781.1.1.utmcsr=(direct)\|utmccn=(direct)\|utmcmd=(none);SnapABugRef=https%3A%2F%2Fportal.nfronline.com%2F%20;SnapABugHistory=71#;__utmt=1;ASP.NET_SessionId=jjugv0o3tx1ctpf2dzgpknuv;nfrid=NFR;nfrtype=employee;.ASPXAUTH=CEDE123199DB929FA53375177DA0475603D3B91BA6F98BF30A40839E22087EC4E8AA124AA1F443CCDCD25331F4F5CE0211E3342DB7232C15989B29FA9E28BA6FFFAC41A51AA104EE9C6F1A4D9B834CE1E836A2A4;__utmb=268533616.23.10.1437139150;__utmc=268533616;SnapABugVisit=23#1437139149] Aurigma Upload Suite: error: PackageUploader.upload() faced with unexpected exception. exception javax.net.ssl.SSLPeerUnverifiedException thrown. <<<<<<<<<<<<<<<< javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:431) at org.apache.http.conn.d.a.a(Unknown Source) at org.apache.http.conn.d.d.a(Unknown Source) at org.apache.http.impl.a.e.a(Unknown Source) at org.apache.http.impl.a.b.a(Unknown Source) at org.apache.http.impl.a.c.a(Unknown Source) at org.apache.http.impl.client.i.a(Unknown Source) at org.apache.http.impl.client.b.a(Unknown Source) at org.apache.http.impl.client.b.a(Unknown Source) at com.aurigma.uploader.upload.x.a(Unknown Source) at com.aurigma.uploader.upload.m.a(Unknown Source) at com.aurigma.uploader.upload.n.run(Unknown Source) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) >>>>>>>>>>>>>>>> Aurigma Upload Suite: error: exception com.aurigma.uploader.upload.UploadException thrown. <<<<<<<<<<<<<<<< com.aurigma.uploader.upload.UploadException at com.aurigma.uploader.upload.m.a(Unknown Source) at com.aurigma.uploader.upload.n.run(Unknown Source) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) >>>>>>>>>>>>>>>> Aurigma Upload Suite: upload failed! Error code = 0, responsePage: peer not authenticated I had been looking at the change logs and had not noticed any changes to the Java uploader. Every time I update it takes hours so I try to only do it when there is a benefit. I will look again. Thanks, Mike

Dmitri User Profile View All Posts by User View Thanks		#4 Posted : Monday, July 20, 2015 4:27:24 AM(UTC)
Rank: Advanced Member Groups: Joined: 6/10/2013(UTC) Posts: 34 Was thanked: 1 time(s) in 1 post(s)		What is specified in the Java applet's codebase? It does not look like it loads the .jar file from portal.nfronline.com.
		Best regards, Dmitri Vorobyov

mmount User Profile View All Posts by User View Thanks		#5 Posted : Friday, August 7, 2015 7:52:31 AM(UTC)
Rank: Advanced Member Groups: Member Joined: 11/30/2012(UTC) Posts: 61 Thanks: 6 times		Originally Posted by: Dmitri What is specified in the Java applet's codebase? It does not look like it loads the .jar file from portal.nfronline.com. Sorry, I don't know. I wanted to try updating to the current version. Which I have and there is no change. The problem, I think is that our bucket name has a dot in it. Is there a way to tell Aurigma to use the s3.amazonaws.com/bucket.name format instead of the bucket.name.s3.amazonaws.com format? I'm not sure what is involved in changing our bucket name now. Thanks, Mike

Andrew User Profile View All Posts by User View Thanks		#6 Posted : Sunday, August 9, 2015 8:59:42 PM(UTC)
Rank: Advanced Member Groups: Member, Administration Joined: 8/2/2003(UTC) Posts: 876 Thanks: 2 times Was thanked: 27 time(s) in 27 post(s)		Hi Mike, Recently we had a similar issue with another website using Java uploader through SSL caused by the recent Java update 8u51. Two changes may be relevant. 1. Reverse DNS lookup issue (IP instead of domain) https://www.java.com/en/download/faq/release_changes.xml wrote: Bug Fix: Improved certification checking With this fix, JSSE endpoint identification does not perform reverse name lookup for IP addresses by default in JDK. If an application does need to perform reverse name lookup for raw IP addresses in SSL/TLS connections, and encounter endpoint identification compatibility issue, System property "jdk.tls.trustNameService" can be used to switch on reverse name lookup. Note that if the name service is not trustworthy, enabling reverse name lookup may be susceptible to MITM attacks. See JDK-8067695 (not public). Perhaps it is a reason why you see the IP address instead of the domain name on the error message. I am still not sure why Java replaces the domain name by IP, but one of the ideas was to check the revese DNS lookup settings on a DNS server (it was not configured in this customer's case). However the customer decided to switch to HTML5 uploader, so we did not have an opportunity to check this idea. To make sure whether this "improvement" is related to your problem, you can try the "jdk.tls.trustNameService" solution. Since you have to do it on a client machine, it is not a solution (or you have to instruct to do it for each of your users), but at least you will make sure that this update is a culprit. Follow these instructions: 1. Go to C:\Program Files (x86)\Java\jre1.8.0_51\lib\security folder (if you have other Java installation location, modify this path accordingly) 2. Run any text editor, e.g. Notepad, as administrator (right click an appropriate icon and choose Run As Administrator) 3. Open java.security file in this editor. 4. Add the following line to the end of the file and save it: Code: `jdk.tls.trustNameService=true` 5. Restart the browser. You may also need to clear Java applet cache in Java control panel (or by turning caching off in the uploader settings). 2. RC4 algorithm is banned (Peer Not Authenticated exception) There is another "security improvement" which causes Peer Not Authenticated exception: https://www.java.com/en/download/faq/release_changes.xml wrote: Bug Fix: Deprecate RC4 in SunJSSE provider RC4 is now considered as a weak cipher. Servers should not select RC4 unless there is no other stronger candidate in the client requested cipher suites. A new security property, jdk.tls.legacyAlgorithms, is added to define the legacy algorithms in Oracle JSSE implementation. RC4 related algorithms are added to the legacy algorithms list. See JDK-8074006 (not public). Bug Fix: Prohibit RC4 cipher suites RC4 is now considered as a compromised cipher. RC4 cipher suites have been removed from both client and server default enabled cipher suite list in Oracle JSSE implementation. These cipher suites can still be enabled by SSLEngine.setEnabledCipherSuites() and SSLSocket.setEnabledCipherSuites() methods. See JDK-8077109 (not public). In other words, now if your server is configured to use RC4 cipher algorithm when establishing SSL connection, Java considers it as being unsafe (i.e. the same as wrong certificate). Although it is possible to turn off this behavior, the more correct way would be to fix your server settings to make it more secure. There is a great website https://www.ssllabs.com/ which can help to troubleshoot the problem. You can go there, specify your website address and it will generate a report saying what you should fix in your SSL settings to make the website secure. If you notice something related to RC4, you may be sure that new Java runtime won't work with it. Hope this helps.

mmount User Profile View All Posts by User View Thanks		#7 Posted : Monday, August 10, 2015 6:26:51 AM(UTC)
Rank: Advanced Member Groups: Member Joined: 11/30/2012(UTC) Posts: 61 Thanks: 6 times		With fix #1 I still get a message with a continue button but it allows upload without the Peer not Authenticated error. I will have my support team test with an actual client having the issue. It is not a feasible solution in practice (too many clients). Thanks, Mike

Andrew User Profile View All Posts by User View Thanks		#8 Posted : Tuesday, August 11, 2015 5:36:29 AM(UTC)
Rank: Advanced Member Groups: Member, Administration Joined: 8/2/2003(UTC) Posts: 876 Thanks: 2 times Was thanked: 27 time(s) in 27 post(s)		Michael, We are working on a new release which will include Amazon S3 upload in HTML5 uploader. So hopefully you will be able to get rid of Java uploader soon.

Users browsing this topic
Guest

Forum Jump

You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.