SSL error trying to connect to updated server

Hi,

i’m trying to set up omero server 5.6.3 but i’m getting an error:

WARNING:omero.client:…Ignoring error in client.del:<class ‘Ice.ProtocolException’>
InternalException: Failed to connect: exception ::Ice::ProtocolException
{
reason = SSL error occurred for new outgoing connection:
remote address = ::1:4064
sslv3 alert handshake failure
}

This is using the command line on the same VM as the server is running on. I tried installing omero-certificates and running ‘omero certificates’ and now I get a slightly different error:

WARNING:omero.client:…Ignoring error in client.del:<class ‘Ice.ProtocolException’>
InternalException: Failed to connect: exception ::Ice::ProtocolException
{
reason = SSL error occurred for new outgoing connection:
remote address =
sslv3 alert handshake failure: SSL alert number 40
}

Running ‘omero diagnostics’ gives:

================================================================================ OMERO Diagnostics (admin) 5.9.1 ================================================================================ Commands: java -version 11.0.10 (/bin/java) Commands: python -V 3.6.8 (/opt/omero/env/bin/python – 2 others) Commands: icegridnode --version 3.6.5 (/bin/icegridnode) Commands: icegridadmin --version 3.6.5 (/bin/icegridadmin) Commands: psql --version 11.11 (/bin/psql) Commands: openssl version 1.0.2 (/bin/openssl) Server: icegridnode running Server: Blitz-0 active (pid = 21122, enabled) Server: DropBox inactive (disabled) Server: FileServer inactive (disabled) Server: Indexer-0 active (pid = 21136, enabled) Server: MonitorServer inactive (disabled) Server: OMERO.Glacier2 active (pid = 21139, enabled) Server: OMERO.IceStorm active (pid = 21154, enabled) Server: PixelData-0 active (pid = 21156, enabled) Server: Processor-0 active (pid = 21148, enabled) Server: Tables-0 active (pid = 21172, enabled) Server: TestDropBox inactive (enabled) Log dir: /opt/omero/OMERO.server/var/log exists Log files: Blitz-0.log 842.9 KB errors=38 warnings=11 Log files: DropBox.log n/a Log files: FileServer.log n/a Log files: Indexer-0.log 31.4 KB errors=1 warnings=8 Log files: MonitorServer.log n/a Log files: PixelData-0.log 31.4 KB errors=1 warnings=6 Log files: Processor-0.log 40.9 KB errors=0 warnings=38 Log files: Tables-0.log 3.0 KB errors=0 warnings=2 Log files: TestDropBox.log n/a Log files: master.err 10.6 KB errors=0 warnings=6 Log files: master.out empty Log files: Total size 0.96 MB Environment:OMERO_HOME=(unset) Environment:OMERODIR=/opt/omero/OMERO.server Environment:OMERO_NODE=(unset) Environment:OMERO_MASTER=(unset) Environment:OMERO_USERDIR=(unset)
Environment:OMERO_TMPDIR=(unset)
Environment:PATH=/opt/omero/env/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/lib/jvm/jre/bin:/usr/share/Ice-3.6.5:/usr/bin:/opt/omero/OMERO.server/bin
Environment:PYTHONPATH=(unset)
Environment:ICE_HOME=/usr/share/Ice-3.6.5
Environment:LD_LIBRARY_PATH=/usr/share/java:/usr/lib:/usr/local/lib
Environment:DYLD_LIBRARY_PATH=(unset)

OMERO SSL port:4064
OMERO TCP port:4063
OMERO data dir:’/omero_data/localhost/OMERO’ Exists? True Is writable? True
OMERO temp dir:’/home/omero/omero/tmp’ Exists? True Is writable? True (Size: 0)

JVM settings: Blitz-{index} -Xmx512m -XX:MaxPermSize=256m -XX:+IgnoreUnrecognizedVMOptions JVM settings: Indexer-{index} -Xmx341m -XX:MaxPermSize=256m -XX:+IgnoreUnrecognizedVMOptions
JVM settings: PixelData-{index} -Xmx512m -XX:MaxPermSize=256m -XX:+IgnoreUnrecognizedVMOptions JVM settings: Repository-{index} -Xmx341m -XX:MaxPermSize=256m -XX:+IgnoreUnrecognizedVMOptions

Jar: lib/server/formats-api.jar Bio-Formats API 6.5.1 7 July 2020 6f50e4d52c9d96112635fd8b2dde737f31041cf0
Jar: lib/server/formats-bsd.jar BSD Bio-Formats readers and writers 6.5.1 7 July 2020 6f50e4d52c9d96112635fd8b2dde737f31041cf0
Jar: lib/server/formats-gpl.jar Bio-Formats library 6.5.1 7 July 2020 6f50e4d52c9d96112635fd8b2dde737f31041cf0
Jar: lib/server/ome-codecs.jar OME Codecs 0.3.0 3 March 2020 8287f33d3bff3d08a9925fa45e0b225e27d71fe0
Jar: lib/server/ome-common.jar OME Common Java 6.0.4 21 October 2019 650939cfa026e33d2f38c1f56c74715dfb44b974
Jar: lib/server/ome-jai.jar OME JAI 0.1.0 28 June 2017 96ed34bf59f5ba3b51e3d60e342f30962a46c292
Jar: lib/server/ome-mdbtools.jar MDB Tools (Java port) 5.3.2 7 August 2018 68ffca2a95750cbb96f0d11785851aa4a554c0a4
Jar: lib/server/ome-poi.jar OME POI 5.3.3 6 August 2018 3887f4b2b21e195fa76ec4378858f6278aed5dcd
Jar: lib/server/ome-xml.jar OME XML library 6.1.0 7 April 2020 8f490f5987062978fafe77a3e35f7bd24d211281
Jar: lib/server/omero-blitz.jar jar 5.5.8
Jar: lib/server/omero-common.jar jar 5.5.7
Jar: lib/server/omero-gateway.jar jar 5.6.5
Jar: lib/server/omero-model.jar jar 5.6.2
Jar: lib/server/omero-renderer.jar jar 5.5.7
Jar: lib/server/omero-romio.jar jar 5.6.2
Jar: lib/server/omero-server.jar jar 5.6.1

/var/log/master.err includes this:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by javassist.util.proxy.SecurityActions (file:/opt/omero/OMERO.server-5.6.3-ice36-b228/lib/server/javassist.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte,int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of javassist.util.proxy.SecurityActions
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
-! 03/30/21 17:05:35.218 OMERO.Glacier2: warning: unable to contact permissions verifier BlitzVerifier@BlitzAdapters' Reference.cpp:1637: Ice::NoEndpointException: no suitable endpoint available for proxy BlitzVerifier -t -e 1.1 @ BlitzAdapters’
-! 03/30/21 17:05:35.220 OMERO.Glacier2: warning: unable to contact session manager BlitzManager@BlitzAdapters' Reference.cpp:1637: Ice::NoEndpointException: no suitable endpoint available for proxy BlitzManager -t -e 1.1 @ BlitzAdapters’
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by javassist.util.proxy.SecurityActions (file:/opt/omero/OMERO.server-5.6.3-ice36-b228/lib/server/javassist.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte,int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of javassist.util.proxy.SecurityActions
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by javassist.util.proxy.SecurityActions (file:/opt/omero/OMERO.server-5.6.3-ice36-b228/lib/server/javassist.jar) to method java.lang.ClassLoader.defineClass(java.lang.String,byte,int,int,java.security.ProtectionDomain)
WARNING: Please consider reporting this to the maintainers of javassist.util.proxy.SecurityActions
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
-! 03/30/21 17:10:15.504 icegridnode: warning: exception occurred while deactivating OMERO.Glacier2' using process proxy: Network.cpp:2357: Ice::ConnectionRefusedException: connection refused: Connection refused -! 03/30/21 17:10:15.504 icegridnode: warning: exception occurred while deactivating OMERO.IceStorm’
using process proxy:
Network.cpp:2357: Ice::ConnectionRefusedException:
connection refused: Connection refused

Could someone advise what the illegal reflective access operation is please? Should I turn myself in to the police?

Thanks,

Matt.

Hi Matt.
What OS are you using? And what’s the openssl version?
Kind Regards,
Dominik

Hi Dominik,

we’re using Centos 7 and openssl 1.0.2k-fips.

All the best,

Matt.

Unfortunately I can’t replicate this issue. Tried with a fresh Centos 7 installation in a VirtualBox machine (CentOS Linux release 7.9.2009 (Core)), which had the same OpenSSL (OpenSSL 1.0.2k-fips 26 Jan 2017) version. For a quick default installation I just ran the script from omero-install.
omero admin diagnostics doesn’t report any errors and I can connect with Insight without problems.

Note: In order to run omero commands I su’d to the omero-server user, although this shouldn’t be strictly necessary and activated the virtualenv source /opt/omero/server/venv3/bin/activate. And for some reason I had to export OMERODIR=/opt/omero/server/OMERO.server before being able to run omero admin ... .

If it’s possible can you just start from scratch again and use the omero-install scripts as guidance, or the installation documentation (which is generated from these scripts)? It’s easy to miss a step or make a typo when copy/pasting from the installation docs, so I often rather use the scripts directly.

Kind Regards,
Dominik