Re: [jetty-users] ERR_SSL_VERSION_OR_CIPHER_MISMATCH

It probably should help, but didn't.

I've now switched to IBM JDK, for reasons of availability of security policies.

bash-4.1$ /users/degenaro/install/ibm-java-x86_64-80/bin/java -version
java version "1.8.0"
Java(TM) SE Runtime Environment (build pxa6480sr4fp1-20170215_01(SR4 FP1))
IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 20170209_336038 (JIT enabled, AOT enabled)
J9VM - R28_20170209_0201_B336038
JIT  - tr.r14.java.green_20170125_131456
GC   - R28_20170209_0201_B336038_CMPRSS
J9CL - 20170209_336038)
JCL - 20170215_01 based on Oracle jdk8u121-b13

In /users/degenaro/install/ibm-java-x86_64-80/jre/lib/security I installed local_policy.jar and US_export_policy.jar comprising:

bash-4.1$ cat default_local.policy
// Country-specific policy file for countries with no limits on crypto strength.
grant {
    // There is no restriction to any algorithms.
    permission javax.crypto.CryptoAllPermission;
};

bash-4.1$ cat default_US_export.policy
// Manufacturing policy file.
grant {
    // There is no restriction to any algorithms.
    permission javax.crypto.CryptoAllPermission;
};

I launch the Jetty server:

/users/degenaro/install/ibm-java-x86_64-80/bin/java -jar /users/degenaro/jetty/start.jar -Djavax.net.debug=all

I visit via https + 8443 using Chromium, and on the Jetty console I see:

2017-02-25 07:34:18.345:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@-494073dd{/test,file:///users1/degenaro/install/sandbox/webapps/test/,AVAILABLE}{/test}
2017-02-25 07:34:18.375:INFO:oejs.AbstractConnector:main: Started ServerConnector@4a3b91da{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
2017-02-25 07:34:18.407:INFO:oejus.SslContextFactory:main: x509=X509@dfac8979(jetty,h=[],w=[]) for SslContextFactory@fc940f90(file:///users1/degenaro/install/sandbox/etc/keystore,file:///users1/degenaro/install/sandbox/etc/keystore)
adding as trusted cert:
 <cert info>
  Algorithm: RSA; Serial number: 0x7866
  Valid from Thu Feb 18 00:00:00 EST 2016 until Sat Feb 16 23:59:59 EST 2019

Installed Providers =
    IBMJSSE2
    IBMJCE
    IBMJGSSProvider
    IBMCertPath
    IBMSASL
    IBMXMLCRYPTO
    IBMXMLEnc
    IBMSPNEGO
    SUN
SSLContextImpl:  Using X509ExtendedKeyManager com.ibm.jsse2.aw
SSLContextImpl:  Using X509TrustManager com.ibm.jsse2.aA
JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
trigger seeding of SecureRandom
done seeding SecureRandom
IBMJSSE2 will enable CBC protection
JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
JsseJCE:  Using KeyAgreement ECDH from provider IBMJCE version 1.8
JsseJCE:  Using signature SHA1withECDSA from provider TBD via init
JsseJCE:  Using signature NONEwithECDSA from provider TBD via init
JsseJCE:  Using KeyFactory EC from provider IBMJCE version 1.8
JsseJCE:  Using KeyPairGenerator EC from provider TBD via init
JsseJce:  EC is available
JsseJCE:  Using cipher AES/GCM/NoPadding from provider TBD via init
CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
JsseJCE:  Using cipher AES/CBC/NoPadding from provider TBD via init
CipherBox:  Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.8
jdk.tls.client.protocols is defined as null
SSLv3 protocol was requested but was not enabled
SSLv3 protocol was requested but was not enabled
SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
CLIENT_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
IBMJSSE2 will enable CBC protection
Using SSLEngineImpl.
2017-02-25 07:34:19.273:INFO:oejs.AbstractConnector:main: Started ServerConnector@4dcc4f21{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
2017-02-25 07:34:19.276:INFO:oejs.Server:main: Started @3044ms
Finalizer thread, called close()
Finalizer thread, called closeInternal(true)
Using SSLEngineImpl.
Finalizer thread, called closeSocket(true)
Using SSLEngineImpl.
IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
IBMJSSE2 will allow client initiated renegotiation per jdk.tls.rejectClientInitiatedRenegotiation set to FALSE or default

Is initial handshake: true
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
[Raw read]: length = 5
0000: 16 03 01 00 bc                                     .....

[Raw read]: length = 188
...



On Fri, Feb 24, 2017 at 5:58 PM, Simone Bordet <sbordet@xxxxxxxxxxx> wrote:
Hi,

On Fri, Feb 24, 2017 at 8:10 PM, Lou DeGenaro <lou.degenaro@xxxxxxxxx> wrote:
> This is the most current java I have access to:
>
> bash-4.1$ ./java -version
> java version "1.8.0_121"
> Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)
>
> No improvement.

Does this help ?
http://stackoverflow.com/questions/30758303/problems-connecting-via-https-ssl-through-own-java-client

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
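
A triage helper for the kind of javax.net.debug output quoted in this message, added here as an example and not part of the original thread: it decodes the 5-byte "Raw read" line as a TLS record header and tallies the ignored cipher suites by AES key size. The sample log is a constructed excerpt, and the function names are this example's own.

```python
import re

# Constructed excerpt in the shape of the javax.net.debug output quoted above.
SAMPLE_LOG = """\
SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
Is initial handshake: true
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
[Raw read]: length = 5
0000: 16 03 01 00 bc                                     .....
"""

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
RECORD_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1",
                   (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
# A 5-byte raw read followed by its hex dump line is a TLS record header.
HEADER_RE = re.compile(
    r"Raw read.?: length = 5\s*\n0000:((?: [0-9a-fA-F]{2}){5})")


def record_headers(log):
    """Decode each 5-byte record header: content type, version, body length."""
    headers = []
    for match in HEADER_RE.finditer(log):
        raw = bytes.fromhex(match.group(1).replace(" ", ""))
        headers.append({
            "type": CONTENT_TYPES.get(raw[0], "unknown(%d)" % raw[0]),
            "version": RECORD_VERSIONS.get((raw[1], raw[2]), "unknown"),
            "length": int.from_bytes(raw[3:5], "big"),
        })
    return headers


def ignored_suites(log):
    """Cipher suites the JSSE debug output reported as ignored."""
    return re.findall(r"^Ignoring unsupported cipher suite: (\S+)", log, re.M)


def by_key_size(suites):
    """Count ignored suites per AES key size. AES_128 suites are permitted
    under the limited-strength policy files as well as the unlimited ones."""
    counts = {}
    for suite in suites:
        m = re.search(r"AES_(\d+)", suite)
        key = m.group(1) if m else "other"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(record_headers(SAMPLE_LOG))
    print(by_key_size(ignored_suites(SAMPLE_LOG)))
```

For the header bytes shown in the message, 16 03 01 00 bc decodes to a handshake record with record-layer version TLSv1 and a 188-byte body, which matches the following raw read of length 188.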