sslyumjavasslexception

Java SSL: Invalid service principal name


On my game's Java server I ran 'sudo yum update' and now I am getting the following error when trying to connect via my game client:

[2015-07-26 01:58:12] [Thread-2] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
[2015-07-26 01:58:12] [Thread-2] INFO -    Remote address = /54.165.60.189
[2015-07-26 01:58:12] [Thread-2] INFO -    Remote port = 34215
[2015-07-26 01:58:12] [Thread-2] INFO -    Local socket address = /192.168.1.4:59805
[2015-07-26 01:58:12] [Thread-2] INFO -    Local address = /192.168.1.4
[2015-07-26 01:58:12] [Thread-2] INFO -    Local port = 59805
[2015-07-26 01:58:12] [Thread-2] INFO -    Need client authentication = false
[2015-07-26 01:58:17] [Thread-2] INFO -    Cipher suite = SSL_NULL_WITH_NULL_NULL
[2015-07-26 01:58:17] [Thread-2] INFO -    Protocol = NONE
[2015-07-26 01:58:17] [Thread-2] FATAL - (SSLSocket) factory.createSocket
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.SSLSocketImpl.checkEOF(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.checkWrite(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.jayavon.game.client.an.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source)
    at com.jayavon.game.client.KisnardOnline.a(Unknown Source)
    ... 2 more
Caused by: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.getServiceTicket(Unknown Source)
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.<init>(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    ... 5 more
Caused by: KrbException: KrbException: Cannot locate default realm
    at sun.security.krb5.Realm.getDefault(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    ... 15 more
Caused by: KrbException: Cannot locate default realm
    at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
    ... 18 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
    at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)
    ... 19 more

5 days ago this is what I saw when connecting to my game server from my client:

[2015-07-21 00:07:34] [Thread-2] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
[2015-07-21 00:07:34] [Thread-2] INFO -    Remote address = /54.165.60.189
[2015-07-21 00:07:34] [Thread-2] INFO -    Remote port = 34215
[2015-07-21 00:07:34] [Thread-2] INFO -    Local socket address = /192.168.1.4:61480
[2015-07-21 00:07:34] [Thread-2] INFO -    Local address = /192.168.1.4
[2015-07-21 00:07:34] [Thread-2] INFO -    Local port = 61480
[2015-07-21 00:07:34] [Thread-2] INFO -    Need client authentication = false
[2015-07-21 00:07:34] [Thread-2] INFO -    Cipher suite = TLS_DH_anon_WITH_AES_128_CBC_SHA256
[2015-07-21 00:07:34] [Thread-2] INFO -    Protocol = TLSv1.2

I thought it was that my keystore.jks file's certificate had expired, but I even tried to update with the certificate I just updated with startssl to no avail. Any help would be so appreciated.

Ideally I would like to fix this (so I can continue to update my EC2 server).

EDIT

I found the following java update in the list of my last updates with the following command: rpm -qa --last

java-1.7.0-openjdk-1.7.0.85-2.6.1.3.61.amzn1.x86_64 Sun 26 Jul 2015 12:23:17 AM EDT

EDIT2

Client:

[2015-08-04 08:32:16] 15 [main] INFO - java.version: 1.8.0_20
[2015-08-04 08:32:17] 1028 [AWT-EventQueue-0] DEBUG - conf/
[2015-08-04 08:32:17] 1185 [main] INFO - Contacting Download Server...
...
[2015-08-04 08:32:57] 40786 [main] INFO - Finished updating game files!
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DH_anon_WITH_AES_128_GCM_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_RSA_WITH_NULL_SHA256
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDHE_RSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_RSA_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: TLS_ECDH_anon_WITH_NULL_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_NULL_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
[2015-08-04 08:33:06] 50087 [Thread-2] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
[2015-08-04 08:33:06] 50102 [Thread-2] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Remote address = /54.165.60.189
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Remote port = 34215
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Local socket address = /192.168.1.8:56729
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Local address = /192.168.1.8
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Local port = 56729
[2015-08-04 08:33:06] 50102 [Thread-2] INFO -    Need client authentication = false
[2015-08-04 08:33:12] 55873 [Thread-2] INFO -    Cipher suite = SSL_NULL_WITH_NULL_NULL
[2015-08-04 08:33:12] 55873 [Thread-2] INFO -    Protocol = NONE
[2015-08-04 08:33:12] 55889 [Thread-2] FATAL - (SSLSocket) factory.createSocket
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.SSLSocketImpl.checkEOF(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.checkWrite(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at com.jayavon.game.client.an.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLException: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.getSession(Unknown Source)
    at com.jayavon.game.client.KisnardOnline.a(Unknown Source)
    ... 2 more
Caused by: java.io.IOException: Invalid service principal name: host/54.165.60.189
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.getServiceTicket(Unknown Source)
    at sun.security.ssl.krb5.KerberosClientKeyExchangeImpl.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.init(Unknown Source)
    at sun.security.ssl.KerberosClientKeyExchange.<init>(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverHelloDone(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    ... 5 more
Caused by: KrbException: KrbException: Cannot locate default realm
    at sun.security.krb5.Realm.getDefault(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    at sun.security.krb5.PrincipalName.<init>(Unknown Source)
    ... 15 more
Caused by: KrbException: Cannot locate default realm
    at sun.security.krb5.Config.getDefaultRealm(Unknown Source)
    ... 18 more
Caused by: KrbException: Generic error (description in e-text) (60) - Unable to locate Kerberos realm
    at sun.security.krb5.Config.getRealmFromDNS(Unknown Source)
    ... 19 more

Server:

65795 [main] DEBUG - handleConnections thread started
65795 [main] DEBUG - Server is running on port 34215
124540 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
124541 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
124541 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
124542 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
124542 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
124542 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
124542 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
124543 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
124543 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
124543 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
124544 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
124544 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
124544 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
124544 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
124545 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
124545 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_NULL_SHA256
124545 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_SHA
124545 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_MD5
124545 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
124545 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
124545 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
124548 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
124548 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
124548 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
124549 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
125142 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA256
125152 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
125153 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
125153 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
125154 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
125154 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
125155 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
125155 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_NULL_SHA256
125156 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_SHA
125156 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_MD5
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
125156 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
125157 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
126102 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_256_CBC_SHA
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
126103 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
126103 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
126104 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_AES_128_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV
126104 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA256
126104 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_256_CBC_SHA
126104 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA256
126105 [connectionHandlerThread] INFO - suite: TLS_DH_anon_WITH_AES_128_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_RC4_128_MD5
126105 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_RC4_128_MD5
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_DH_anon_WITH_DES_CBC_SHA
126105 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
126106 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
126106 [connectionHandlerThread] INFO - suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: TLS_RSA_WITH_NULL_SHA256
126106 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_SHA
126106 [connectionHandlerThread] INFO - suite: SSL_RSA_WITH_NULL_MD5
126106 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_SHA
126106 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_3DES_EDE_CBC_MD5
126106 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_RC4_128_MD5
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_WITH_DES_CBC_MD5
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_SHA
126107 [connectionHandlerThread] INFO - suite: TLS_KRB5_EXPORT_WITH_RC4_40_MD5
126107 [connectionHandlerThread] INFO - Server socket class: class sun.security.ssl.SSLServerSocketImpl
126107 [connectionHandlerThread] INFO -    Socket address = 0.0.0.0/0.0.0.0
126107 [connectionHandlerThread] INFO -    Socket port = 34215
126108 [connectionHandlerThread] INFO -    Need client authentication = false
126108 [connectionHandlerThread] INFO -    Want client authentication = false
126108 [connectionHandlerThread] INFO -    Use client mode = false
126108 [connectionHandlerThread] INFO - Socket class: class sun.security.ssl.SSLSocketImpl
126108 [connectionHandlerThread] INFO -    Remote address = /173.54.54.76
126108 [connectionHandlerThread] INFO -    Remote port = 56729
126108 [connectionHandlerThread] INFO -    Local socket address = /172.31.25.254:34215
126108 [connectionHandlerThread] INFO -    Local address = /172.31.25.254
126108 [connectionHandlerThread] INFO -    Local port = 34215
126109 [connectionHandlerThread] INFO -    Need client authentication = false
131889 [connectionHandlerThread] INFO -    Cipher suite = SSL_NULL_WITH_NULL_NULL
131889 [connectionHandlerThread] INFO -    Protocol = NONE
131890 [connectionHandlerThread] FATAL - Socket connection could not be made!!
131890 [connectionHandlerThread] ERROR - client bad connection
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
        at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1508)
        at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1520)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1367)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
        at com.jayavon.game.server.MyServer.handleConnections(MyServer.java:4770)
        at com.jayavon.game.server.MyServer.access$0(MyServer.java:4739)
        at com.jayavon.game.server.MyServer$1.run(MyServer.java:435)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1991)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1098)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
        at sun.security.ssl.SSLSocketImpl.getSession(SSLSocketImpl.java:2233)
        at com.jayavon.game.server.MyServer.printSocketInfo(MyServer.java:4725)
        at com.jayavon.game.server.MyServer.handleConnections(MyServer.java:4758)
        ... 3 more

Solution

  • Originally (i.e. before you updated your system via rpm), you used the Cipher suite TLS_DH_anon_WITH_AES_128_CBC_SHA256 which has no Diffie-Hellman Key-Exchange authentication in place. (Note: A protocol that is susceptible to Man-in-the-Middle attacks)

    According to the Red Hat Customer Portal and to Amazon Linux AMI Security Center) a critical java-1.7.0-openjdk security update was released recently. You most certainly are experiencing the above problems due to this issue, described here:

    A flaw was found in the way the TLS protocol composed the Diffie-Hellman (DH) key exchange. A man-in-the-middle attacker could use this flaw to force the use of weak 512 bit export-grade keys during the key exchange, allowing them do decrypt all traffic. (CVE-2015-4000)

    Note: This update forces the TLS/SSL client implementation in OpenJDK to reject DH key sizes below 768 bits, which prevents sessions to be downgraded to export-grade keys. Refer to Red Hat Bugzilla bug 1223211, linked to in the References section, for additional details about this change.

    This explains - at least to some extent - why you're now getting Cipher suite = SSL_NULL_WITH_NULL_NULL since it seems that the original cipher suite is no longer available on your system (or it has been disabled now). This is also supported by: Protocol = NONE in the output you provided.

    The 'Java Cryptography Architecture Oracle Providers Documentation for Java Platform Standard Edition 7' overview document has your original cipher suite also in the Default Disabled Cipher Suites list. So I think that the OpenJDK implementation did fix this security issue accordingly (see above URL references).

    In general, this security fix for Java relates to the so called Logjam attack and the recommendation is:

    Make sure any TLS libraries you use are up-to-date, that servers you maintain use 2048-bit or larger primes, and that clients you maintain reject Diffie-Hellman primes smaller than 1024-bit

    As a solution idea, maybe you could just change the SSL/Encryption settings of your Game-application (client and/or server) to use a non-DH-anon cipher suite?

    Have a look at the Default Enabled Cipher Suites in the documentation provided by Oracle or have a look at the simple yet effective tool to detect Enabled ciphers on Ubuntu OpenJDK 7 provided by @dolmen.

    Edit 1:

    Have a look at this StackOverflow post and the answer by @EJP It looks very similar to your StackTrace (*hooray!). It seems that you better...

    Don't mess with the enabled cipher suites. Take that code out and retest. You've enabled the anonymous suites, via which there is no authentication at all in either direction.

    So you might change your code to not use setEnabledCipherSuites(..) explicitly as it enables cipher-suites not enabled by default ("DH-anon"...). Try to check what is the result if you take out these lines of code, as described.

    Maybe go for TLS_ECDH_anon_WITH_AES_128_CBC_SHA as cipher suite (no classic DH parameters here). But, therefore you should update to OpenJDK 8 or Oracle JRE/JDK 8 on your server side, as this is not available in OpenJDK 7 (see your server debug log output).

    Hope, it helps.