
Re: [jetty-users] SSLHandshakeException: no cipher suites in common for all connections

On 16 August 2013 18:22, Lothar Kimmeringer <job@xxxxxxxxxxxxxx> wrote:
> How do you try to connect to the server? What Java version do you use
> (JDK or JRE) and have you installed the unlimited strength cryptography
> extension on server- and - if you access the server with java code -
> client-side?
On the server-side, the JDK. I didn't have the unlimited strength jurisdiction
policy files installed initially, but after installing them, no improvement is
observed.

On the client side, I've tried Firefox 23, Chrome canary 31, IE 9,
(all on Windows) and openssl s_client 0.9.8e-fips-rhel5 (on Linux).
Given such a variety of clients have the same problem, I don't
think it is the client's fault.

> Can you have a look at a Wireshark-trace what SSL-packets are
> actually exchanged and what cipher-suites are offered and supported?
Here is what OpenSSL sends to the server per Wireshark:
Secure Sockets Layer
    SSLv2 Record Layer: Client Hello
        [Version: SSL 2.0 (0x0002)]
        Length: 119
        Handshake Message Type: Client Hello (1)
        Version: TLS 1.0 (0x0301)
        Cipher Spec Length: 78
        Session ID Length: 0
        Challenge Length: 32
        Cipher Specs (26 specs)
            Cipher Spec: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x000039)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x000038)
            Cipher Spec: TLS_RSA_WITH_AES_256_CBC_SHA (0x000035)
            Cipher Spec: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x000016)
            Cipher Spec: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
            Cipher Spec: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
            Cipher Spec: SSL2_DES_192_EDE3_CBC_WITH_MD5 (0x0700c0)
            Cipher Spec: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x000033)
            Cipher Spec: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x000032)
            Cipher Spec: TLS_RSA_WITH_AES_128_CBC_SHA (0x00002f)
            Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x030080)
            Cipher Spec: TLS_RSA_WITH_RC4_128_SHA (0x000005)
            Cipher Spec: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
            Cipher Spec: SSL2_RC4_128_WITH_MD5 (0x010080)
            Cipher Spec: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x000015)
            Cipher Spec: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x000012)
            Cipher Spec: TLS_RSA_WITH_DES_CBC_SHA (0x000009)
            Cipher Spec: SSL2_DES_64_CBC_WITH_MD5 (0x060040)
            Cipher Spec: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000014)
            Cipher Spec: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x000011)
            Cipher Spec: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x000008)
            Cipher Spec: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x000006)
            Cipher Spec: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
            Cipher Spec: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
            Cipher Spec: SSL2_RC4_128_EXPORT40_WITH_MD5 (0x020080)
            Cipher Spec: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x0000ff)
        Challenge

Jetty never responds. Full trace here:
https://sites.google.com/site/skissane/files/jettyssl.pcap

>> Also, I think there is a
>> bug here - the SSLEngine generates an SSL error response, which I can
>> see from the -Djavax.net.debug=all output, but Jetty never passes
>> that back to the client.
>
> Not news anymore, see <51E3F397.6030607@xxxxxxxxxxxxxx> and
> https://bugs.eclipse.org/bugs/show_bug.cgi?id=412983
I will follow that bug.

Thanks for your help
Simon
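
Added example, not part of the original message: a parser for the SSLv2-format Client Hello shown in the trace, which separates the 3-byte cipher specs into TLS suites (leading zero byte) and SSLv2-only specs, then intersects the TLS ones with a server's enabled list. The sample record is constructed from a subset of the specs in the trace, and the function names and server-side sets are assumptions chosen for illustration.

```python
import struct

SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV: a signalling value, not a real suite


def parse_sslv2_client_hello(record: bytes):
    """Return (version, tls_suites, sslv2_only_specs) from an SSLv2-format Client Hello."""
    if len(record) < 2 or not record[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    length = struct.unpack(">H", record[:2])[0] & 0x7FFF
    body = record[2:2 + length]
    if len(body) != length or length < 9 or body[0] != 1:
        raise ValueError("truncated record or not a Client Hello")
    # Fixed fields: version, cipher spec length, session ID length, challenge length.
    version, spec_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
    if spec_len % 3 or 9 + spec_len + sid_len + chal_len != length:
        raise ValueError("inconsistent length fields")
    tls, v2_only = [], []
    for i in range(9, 9 + spec_len, 3):
        spec = int.from_bytes(body[i:i + 3], "big")
        # A leading zero byte carries a 2-byte SSLv3/TLS suite id; anything else is SSLv2-only.
        (tls if spec >> 16 == 0 else v2_only).append(spec)
    return version, tls, v2_only


def negotiable(offered, server_enabled):
    """Suites both sides support, in client preference order, ignoring the SCSV."""
    return [s for s in offered if s in server_enabled and s != SCSV]


def build_sample() -> bytes:
    """Constructed record: seven of the specs listed in the trace, all-zero challenge."""
    specs = [0x000039, 0x000035, 0x0700C0, 0x00002F, 0x010080, 0x000005, 0x0000FF]
    spec_bytes = b"".join(s.to_bytes(3, "big") for s in specs)
    body = b"\x01" + struct.pack(">HHHH", 0x0301, len(spec_bytes), 0, 32) + spec_bytes + bytes(32)
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    version, tls, v2_only = parse_sslv2_client_hello(build_sample())
    print("version 0x%04x" % version)
    print("TLS suites offered:", ["0x%04x" % s for s in tls])
    print("SSLv2-only specs:  ", ["0x%06x" % s for s in v2_only])
    # Hypothetical server-side enabled sets, by code point.
    print("overlap:", ["0x%04x" % s for s in negotiable(tls, {0x002F, 0x0005, 0xC013})])
    print("overlap:", negotiable(tls, {0x0040, 0xC013}))  # nothing in common
```

Comparing by code point rather than by name avoids mismatches between the names Wireshark prints and the names a given TLS stack uses for the same suite.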

