[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
Re: [jetty-users] ERR_SSL_VERSION_OR_CIPHER_MISMATCH
|
Hi,
On Sat, Feb 25, 2017 at 1:56 PM, Lou DeGenaro <lou.degenaro@xxxxxxxxx> wrote:
> It probably should help, but didn't.
>
> I've now switched to IBM JDK, for reasons of availability of security
> policies.
>
> bash-4.1$ /users/degenaro/install/ibm-java-x86_64-80/bin/java -version
> java version "1.8.0"
> Java(TM) SE Runtime Environment (build pxa6480sr4fp1-20170215_01(SR4 FP1))
> IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References
> 20170209_336038 (JIT enabled, AOT enabled)
> J9VM - R28_20170209_0201_B336038
> JIT - tr.r14.java.green_20170125_131456
> GC - R28_20170209_0201_B336038_CMPRSS
> J9CL - 20170209_336038)
> JCL - 20170215_01 based on Oracle jdk8u121-b13
>
> In /users/degenaro/install/ibm-java-x86_64-80/jre/lib/security I installed
> local_policy.jar and US_export_policy.jar comprising:
>
> bash-4.1$ cat default_local.policy
> // Country-specific policy file for countries with no limits on crypto
> strength.
> grant é
> // There is no restriction to any algorithms.
> permission javax.crypto.CryptoAllPermission;
> è;
>
> bash-4.1$ cat default_US_export.policy
> // Manufacturing policy file.
> grant é
> // There is no restriction to any algorithms.
> permission javax.crypto.CryptoAllPermission;
> è;
>
> I launch the Jetty sever:
>
> /users/degenaro/install/ibm-java-x86_64-80/bin/java -jar
> /users/degenaro/jetty/start.jar -Djavax.net.debug=all
>
> I visit via https + 8443 using Chromium, and on the Jetty console I see:
>
> 2017-02-25 07:34:18.345:INFO:oejsh.ContextHandler:main: Started
> o.e.j.w.WebAppContextà-494073ddé/test,file:///users1/degenaro/install/sandbox/webapps/test/,AVAILABLEèé/testè
> 2017-02-25 07:34:18.375:INFO:oejs.AbstractConnector:main: Started
> ServerConnectorà4a3b91daéHTTP/1.1,°http/1.1§èé0.0.0.0:8080è
> 2017-02-25 07:34:18.407:INFO:oejus.SslContextFactory:main:
> x509=X509àdfac8979(jetty,h=°§,w=°§) for
> SslContextFactoryàfc940f90(file:///users1/degenaro/install/sandbox/etc/keystore,file:///users1/degenaro/install/sandbox/etc/keystore)
> adding as trusted cert:
> <cert info>
> Algorithm: RSA; Serial number: 0x7866
> Valid from Thu Feb 18 00:00:00 EST 2016 until Sat Feb 16 23:59:59 EST 2019
>
> Installed Providers =
> IBMJSSE2
> IBMJCE
> IBMJGSSProvider
> IBMCertPath
> IBMSASL
> IBMXMLCRYPTO
> IBMXMLEnc
> IBMSPNEGO
> SUN
> SSLContextImpl: Using X509ExtendedKeyManager com.ibm.jsse2.aw
> SSLContextImpl: Using X509TrustManager com.ibm.jsse2.aA
> JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version
> 1.8
> trigger seeding of SecureRandom
> done seeding SecureRandom
> IBMJSSE2 will enable CBC protection
> JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version
> 1.8
> JsseJCE: Using KeyAgreement ECDH from provider IBMJCE version 1.8
> JsseJCE: Using signature SHA1withECDSA from provider TBD via init
> JsseJCE: Using signature NONEwithECDSA from provider TBD via init
> JsseJCE: Using KeyFactory EC from provider IBMJCE version 1.8
> JsseJCE: Using KeyPairGenerator EC from provider TBD via init
> JsseJce: EC is available
> JsseJCE: Using cipher AES/GCM/NoPadding from provider TBD via init
> CipherBox: Using cipher AES/GCM/NoPadding from provider from init IBMJCE
> version 1.8
> JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
> CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE
> version 1.8
> jdk.tls.client.protocols is defined as null
> SSLv3 protocol was requested but was not enabled
> SSLv3 protocol was requested but was not enabled
> SUPPORTED: °TLSv1, TLSv1.1, TLSv1.2§
> SERVER_DEFAULT: °TLSv1, TLSv1.1, TLSv1.2§
> CLIENT_DEFAULT: °TLSv1, TLSv1.1, TLSv1.2§
> IBMJSSE2 will enable CBC protection
> Using SSLEngineImpl.
> 2017-02-25 07:34:19.273:INFO:oejs.AbstractConnector:main: Started
> ServerConnectorà4dcc4f21éSSL,°ssl, http/1.1§èé0.0.0.0:8443è
> 2017-02-25 07:34:19.276:INFO:oejs.Server:main: Started à3044ms
> Finalizer thread, called close()
> Finalizer thread, called closeInternal(true)
> Using SSLEngineImpl.
> Finalizer thread, called closeSocket(true)
> Using SSLEngineImpl.
> IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set
> to none or default
> IBMJSSE2 will not require renegotiation indicator during initial handshake
> per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
> IBMJSSE2 will not perform identity checking against the peer cert check
> during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to
> OFF or default
> IBMJSSE2 will allow client initiated renegotiation per
> jdk.tls.rejectClientInitiatedRenegotiation set to FALSE or default
>
> Is initial handshake: true
> Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_CBC_SHA256
> Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
> Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
> Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
> Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
> Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
> Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
> Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
> Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
> Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
> Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_GCM_SHA384
> Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
> Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
> Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
> Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
> Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
> Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
> Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
> Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
> Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
> °Raw read§: length = 5
> 0000: 16 03 01 00 bc .....
>
> °Raw read§: length = 188
> ...
So.
A) you have weird logs of
"> JsseJCE: Using signature SHA1withECDSA from provider TBD via init"
The provider "TBD" looks weird, "To Be Defined" ?
B) the logs in the form of
> Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
mean that you don't have those ciphers available.
In fact, that is a non-standard name because it starts with "SSL_",
while it should start with "TLS_"
(https://www.ietf.org/rfc/rfc5289.txt).
You should ask IBM about those 2. It's a JVM configuration problem
more than a Jetty one.
--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.