Remote host closed connection during handshake

[Paul Csiki]

EDIT: This problem is cause if you install java to that machine. Just run yum remove java* and restart your services and the error will go away.

Hello,

I just installed ZCS open source 7.2.0 to a phisical machine, problem is that after I enabled ssl on it mailbox.log is being spammed with java ssl exceptions.

Is there anything I did wrong, and is there anything I can do to fix them?

Code:

2012-04-27 11:38:39,818 ERROR [ImapSSLServer-4] [ip=censored;] ProtocolHandler - Exception occurred while handling connection
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:849)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)
        at com.zimbra.cs.tcpserver.ProtocolHandler.startHandshake(ProtocolHandler.java:187)
        at com.zimbra.cs.tcpserver.ProtocolHandler.run(ProtocolHandler.java:135)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:830)
        ... 8 more
2012-04-27 11:38:39,819 INFO  [ImapSSLServer-1] [] ProtocolHandler - Handler exiting normally

Code:

2012-04-27 11:38:39,825 ERROR [Pop3SSLServer-1] [ip=censored;] ProtocolHandler - Exception occurred while handling connection
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:849)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1197)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1181)
        at com.zimbra.cs.tcpserver.ProtocolHandler.startHandshake(ProtocolHandler.java:187)
        at com.zimbra.cs.tcpserver.ProtocolHandler.run(ProtocolHandler.java:135)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
        at java.lang.Thread.run(Thread.java:662)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:333)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:830)
        ... 8 more
2012-04-27 11:38:39,825 INFO  [ImapSSLServer-3] [] ProtocolHandler - Handler exiting normally

These keep going on forever. I have a comericial ssl certificate installed and I can load the web ui using https with no certificate errors.

I tried disabling the firewall, fixing permissions, rebooting.

Any help please?

Thank You,
Paul Csiki.

[liverpoolfcfan]

You could try to verify your certificate chain is complete using openssl

on the zimbra box, as root

Code:

 openssl s_client -showcerts  -connect your.server.name:25 -starttls smtp

It should list out your complete certificate chain, and tell you what encryption levels you have.

If it errors out - then there is likely a problem with your certificate trust chain.

Note that when you connect from a browser - the Windows stored Root Certificates are used to validate the security chain. Quite often on linux distributions the pre-installed set of Root certificates is out of date. So your Certificate Authority root might be missing. When you try to validate from the linux command line - it has to use the locally available certificates to do the validation.

[Paul Csiki]

Hello,

Thank you for your reply. I executed the command and it printed out my certificate, the intermediary CA and the root CA certificates, the certificate chain is correct and the server certificate details match the ones I installed. No errors at all.

I also tried checking if the ca-certificate package is installed and it already has the newest version.

Also the date and time of the computer are correct so there shoudn't be any certificate problem at all. As I said I can browse to https://myserver.name with no certificate errors at all.

Do you want me to copy and paste here the output of that command?

Any other ideas?

Thanks so much,
Paul Csiki.

EDIT: I can confirm that this happens with a self-signed certificate too. What am I doing wrong?

[Paul Csiki]

As much as I hate bumping threads I really feel that this information changes the context of the question and may raise ideas.

I disabled the ssl for both pop and imap and now I'm getting these errors:

2012-04-30 11:07:26,555 INFO [ImapServer-1] [ip=censored;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Connection reset
2012-04-30 11:07:26,555 INFO [ImapServer-1] [] ProtocolHandler - Handler exiting normally
2012-04-30 11:07:26,569 INFO [LmtpServer-1] [ip=censored;] lmtp - disconnected without quit
2012-04-30 11:07:26,569 INFO [LmtpServer-1] [] ProtocolHandler - Handler exiting normally
2012-04-30 11:07:31,555 INFO [Pop3Server-1] [ip=censored;] pop - connected
2012-04-30 11:07:31,555 INFO [Pop3Server-1] [ip=censored;] pop - disconnected without quit
2012-04-30 11:07:31,556 INFO [Pop3Server-1] [] ProtocolHandler - Handler exiting normally
2012-04-30 11:07:31,557 INFO [ImapServer-1] [] imap - [censored] connected
2012-04-30 11:07:31,560 INFO [ImapServer-1] [] ProtocolHandler - Handler exiting normally
2012-04-30 11:07:31,573 INFO [LmtpServer-1] [ip=censored;] lmtp - disconnected without quit
2012-04-30 11:07:31,573 INFO [LmtpServer-1] [] ProtocolHandler - Handler exiting normally
2012-04-30 11:07:36,552 INFO [Pop3Server-1] [ip=censored;] pop - connected
2012-04-30 11:07:36,554 INFO [ImapServer-1] [] imap - [censored] connected
2012-04-30 11:07:36,555 INFO [Pop3Server-1] [ip=censored;] ProtocolHandler - I/O error while processing connection: java.net.SocketException: Connection reset

Edit: problem got fixed after a complete os reinstall. weird.

Edit2: Problem keeps coming back and crashes ldap too. This is annoying.