Topic
  • 7 replies
  • Latest Post - ‏2017-06-28T15:01:18Z by DrStephenH
why-a-duck?
why-a-duck?
4 Posts

Pinned topic SSL & Jetty

‏2017-02-27T13:57:07Z |

For sure I'm doing something wrong but don't yet know what, is which is why I seek your help.

I'm running Jetty 9.4.2 with ibm-java-x86_64-80.  I created a minimal webapps/test/index.html comprising "Hello World".  Using http on port 8080 works beautifully.  But when I visit via https on port 8443 with FireFox or Chromium or Opera I see on my Jetty server console:

Using SSLEngineImpl.

Is initial handshake: true
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256

The browser says: Advanced info: SSL_ERROR_NO_CYPHER_OVERLAP

I've been complaining on the Jetty mailing list here http://dev.eclipse.org/mhonarc/lists/jetty-users/msg07662.html

and am told this is a Java configuration issue.  Expected are cipher suites starting with TLS.

On the host where Jetty is installed, under ibm-java-x86_64-80/jre/lib/security I installed local_policy.jar and US_export_policy.jar comprising:

bash-4.1$ cat default_local.policy
// Country-specific policy file for countries with no limits on crypto strength.
grant é
    // There is no restriction to any algorithms.
    permission javax.crypto.CryptoAllPermission;

è;
bash-4.1$ cat default_US_export.policy
// Manufacturing policy file.
grant é
    // There is no restriction to any algorithms.
    permission javax.crypto. CryptoAllPermission;
è;

java -version yields:

java version "1.8.0"
Java(TM) SE Runtime Environment (build pxa6480sr4fp1-20170215_01(SR4 FP1))
IBM J9 VM (build 2.8, JRE 1.8.0 Linux amd64-64 Compressed References 20170209_336038 (JIT enabled, AOT enabled)
J9VM - R28_20170209_0201_B336038
JIT  - tr.r14.java.green_20170125_131456
GC   - R28_20170209_0201_B336038_CMPRSS
J9CL - 20170209_336038)
JCL - 20170215_01 based on Oracle jdk8u121-b13
 

Please advise.

  • Chandrakala
    Chandrakala
    3 Posts

    Re: SSL & Jetty

    ‏2017-02-27T22:19:35Z  

    Can you try by changing the TLS protocol to TLSv1.2 in the application?

  • why-a-duck?
    why-a-duck?
    4 Posts

    Re: SSL & Jetty

    ‏2017-02-28T14:35:53Z  

    Can you try by changing the TLS protocol to TLSv1.2 in the application?

    In the application...?  You mean the Jetty server?  Or the browser that is visiting the Jetty web site?  And how does one specify the protocol?

  • Chandrakala
    Chandrakala
    3 Posts

    Re: SSL & Jetty

    ‏2017-02-28T18:30:31Z  

    In the application...?  You mean the Jetty server?  Or the browser that is visiting the Jetty web site?  And how does one specify the protocol?

    One of these should fix the issue:

    1) Either start the jetty server by passing -Dcom.ibm.jsse2.overrideDefaultTLS=true system property to JVM or

    2) Change the SSL protocol on the jetty server to TLSv1.2

  • why-a-duck?
    why-a-duck?
    4 Posts

    Re: SSL & Jetty

    ‏2017-03-01T13:46:52Z  

    One of these should fix the issue:

    1) Either start the jetty server by passing -Dcom.ibm.jsse2.overrideDefaultTLS=true system property to JVM or

    2) Change the SSL protocol on the jetty server to TLSv1.2

    No improvement.

     

    Here's what I see on the Jetty console when booting:

    ==========

    /users/degenaro/install/ibm-java-x86_64-80/bin/java -jar /users/degenaro/jetty/start.jar -Djavax.net.debug=all -Dcom.ibm.jsse2.overrideDefaultTLS=true

    WARN  : System properties and/or JVM args set.  Consider using --dry-run or --exec/jetty/start.jar -Djavax.net.debug=all -Dcom.ibm.jsse2.overrideDefaultTLS=true
    IBMJSSE2 will not allow protocol SSLv3 per com.ibm.jsse2.disableSSLv3 set to TRUE or default
    IBMJSSEProvider2 Build-Level: -20170105
    2017-03-01 08:40:22.208:INFO::main: Logging initialized @1419ms to org.eclipse.jetty.util.log.StdErrLog
    2017-03-01 08:40:22.323:WARN:oejx.XmlConfiguration:main: Property 'threads.min' is deprecated, use 'jetty.threadPool.minThreads' instead
    2017-03-01 08:40:22.324:WARN:oejx.XmlConfiguration:main: Property 'threads.max' is deprecated, use 'jetty.threadPool.maxThreads' instead
    2017-03-01 08:40:22.324:WARN:oejx.XmlConfiguration:main: Property 'threads.timeout' is deprecated, use 'jetty.threadPool.idleTimeout' instead
    2017-03-01 08:40:22.343:WARN:oejx.XmlConfiguration:main: Property 'jetty.secure.port' is deprecated, use 'jetty.httpConfig.securePort' instead
    2017-03-01 08:40:22.359:WARN:oejx.XmlConfiguration:main: Property 'jetty.dump.start' is deprecated, use 'jetty.server.dumpAfterStart' instead
    2017-03-01 08:40:22.359:WARN:oejx.XmlConfiguration:main: Property 'jetty.dump.stop' is deprecated, use 'jetty.server.dumpBeforeStop' instead
    2017-03-01 08:40:22.557:WARN:oejx.XmlConfiguration:main: Property 'jetty.keystore' is deprecated, use 'jetty.sslContext.keyStorePath' instead
    2017-03-01 08:40:22.558:WARN:oejx.XmlConfiguration:main: Property 'jetty.keystore.password' is deprecated, use 'jetty.sslContext.keyStorePassword' instead
    2017-03-01 08:40:22.567:WARN:oejx.XmlConfiguration:main: Property 'jetty.keymanager.password' is deprecated, use 'jetty.sslContext.keyManagerPassword' instead
    2017-03-01 08:40:22.567:WARN:oejx.XmlConfiguration:main: Property 'jetty.truststore' is deprecated, use 'jetty.sslContext.trustStorePath' instead
    2017-03-01 08:40:22.568:WARN:oejx.XmlConfiguration:main: Property 'jetty.truststore.password' is deprecated, use 'jetty.sslContext.trustStorePassword' instead
    2017-03-01 08:40:22.587:INFO:oejs.Server:main: jetty-9.4.2.v20170220
    2017-03-01 08:40:22.618:INFO:oejdp.ScanningAppProvider:main: Deployment monitor [file:///users1/degenaro/install/sandbox/webapps/] at interval 1
    2017-03-01 08:40:22.742:INFO:oejw.StandardDescriptorProcessor:main: NO JSP Support for /test, did not find org.eclipse.jetty.jsp.JettyJspServlet
    2017-03-01 08:40:22.752:INFO:oejs.session:main: DefaultSessionIdManager workerName=node0
    2017-03-01 08:40:22.752:INFO:oejs.session:main: No SessionScavenger set, using defaults
    2017-03-01 08:40:22.753:INFO:oejs.session:main: Scavenging every 600000ms
    2017-03-01 08:40:22.785:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@-e322100{/test,file:///users1/degenaro/install/sandbox/webapps/test/,AVAILABLE}{/test}
    2017-03-01 08:40:22.810:INFO:oejs.AbstractConnector:main: Started ServerConnector@97535497{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
    2017-03-01 08:40:22.839:INFO:oejus.SslContextFactory:main: x509=X509@f10b455e(jetty,h=[],w=[]) for SslContextFactory@4fd464ac(file:///users1/degenaro/install/sandbox/etc/keystore,file:///users1/degenaro/install/sandbox/etc/keystore)
    adding as trusted cert:
     <cert info>
      Algorithm: RSA; Serial number: 0x7866
      Valid from Thu Feb 18 00:00:00 EST 2016 until Sat Feb 16 23:59:59 EST 2019

    IBMJSSE2 will set SSLContext per com.ibm.jsse2.overrideDefaultTLS set to true
    Installed Providers =
        IBMJSSE2
        IBMJCE
        IBMJGSSProvider
        IBMCertPath
        IBMSASL
        IBMXMLCRYPTO
        IBMXMLEnc
        IBMSPNEGO
        SUN
    SSLContextImpl:  Using X509ExtendedKeyManager com.ibm.jsse2.aw
    SSLContextImpl:  Using X509TrustManager com.ibm.jsse2.aA
    JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
    trigger seeding of SecureRandom
    done seeding SecureRandom
    IBMJSSE2 will enable CBC protection
    JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8
    JsseJCE:  Using KeyAgreement ECDH from provider IBMJCE version 1.8
    JsseJCE:  Using signature SHA1withECDSA from provider TBD via init
    JsseJCE:  Using signature NONEwithECDSA from provider TBD via init
    JsseJCE:  Using KeyFactory EC from provider IBMJCE version 1.8
    JsseJCE:  Using KeyPairGenerator EC from provider TBD via init
    JsseJce:  EC is available
    JsseJCE:  Using cipher AES/GCM/NoPadding from provider TBD via init
    CipherBox:  Using cipher AES/GCM/NoPadding from provider from init IBMJCE version 1.8
    JsseJCE:  Using cipher AES/CBC/NoPadding from provider TBD via init
    CipherBox:  Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.8
    jdk.tls.client.protocols is defined as null
    SSLv3 protocol was requested but was not enabled
    SSLv3 protocol was requested but was not enabled
    SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]
    SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
    CLIENT_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]
    IBMJSSE2 will enable CBC protection
    Using SSLEngineImpl.
    2017-03-01 08:40:23.722:INFO:oejs.AbstractConnector:main: Started ServerConnector@f0bacc0{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
    2017-03-01 08:40:23.722:INFO:oejs.Server:main: Started @2934ms

    ==========

    Here's what I see on the Jetty console when attempting to visit with https & port 8443:

    ==========

    Using SSLEngineImpl.

    Is initial handshake: true
    Using SSLEngineImpl.

    Is initial handshake: true
    [Raw read]: length = 5
    0000: 16 03 01 00 bc                                     .....

    [Raw read]: length = 188
    [Raw read]: length = 5
    0000: 16 03 01 00 bc                                     .....

    [Raw read]: length = 188
    0000: 01 00 00 b8 03 03 a6 ca  d9 10 9a 89 51 d2 cc cd  ............Q...
    0010: e1 ce 24 3a 40 fe c1 c0  95 2c 67 7a 5e 72 67 57  ..........gz.rgW
    0020: 7f bd 3e 37 92 90 00 00  24 aa aa c0 2b c0 2f c0  ...7............
    0030: 2c c0 30 cc a9 cc a8 cc  14 cc 13 c0 09 c0 13 c0  ..0.............
    0040: 0a c0 14 00 9c 00 9d 00  2f 00 35 00 0a 01 00 00  ..........5.....
    0050: 6b da da 00 00 ff 01 00  01 00 00 17 00 00 00 23  k...............
    0060: 00 00 00 0d 00 12 00 10  06 01 06 03 05 01 05 03  ................
    0070: 04 01 04 03 02 01 02 03  00 05 00 05 01 00 00 00  ................
    0080: 00 00 12 00 00 00 10 00  0e 00 0c 02 68 32 08 68  ............h2.h
    0090: 74 74 70 2f 31 2e 31 75  50 00 00 00 0b 00 02 01  ttp.1.1uP.......
    00a0: 00 00 0a 00 0a 00 08 ca  ca 00 1d 00 17 00 18 00  ................
    00b0: 18 00 04 00 0a 01 02 1a  1a 00 01 00              ............

    qtp1720352223-38, READ: TLSv1 Handshake, length = 188
    0000: 01 00 00 b8 03 03 d2 9c  c7 1a 7f da b7 d2 c4 2c  ................
    0010: 6b 29 42 8d 69 6a b9 95  ff dd 70 4f 9e c9 49 28  k.B.ij....pO..I.
    0020: 17 7d 12 fe eb 1f 00 00  24 da da c0 2b c0 2f c0  ................
    0030: 2c c0 30 cc a9 cc a8 cc  14 cc 13 c0 09 c0 13 c0  ..0.............
    0040: 0a c0 14 00 9c 00 9d 00  2f 00 35 00 0a 01 00 00  ..........5.....
    0050: 6b ca ca 00 00 ff 01 00  01 00 00 17 00 00 00 23  k...............
    0060: 00 00 00 0d 00 12 00 10  06 01 06 03 05 01 05 03  ................
    0070: 04 01 04 03 02 01 02 03  00 05 00 05 01 00 00 00  ................
    0080: 00 00 12 00 00 00 10 00  0e 00 0c 02 68 32 08 68  ............h2.h
    0090: 74 74 70 2f 31 2e 31 75  50 00 00 00 0b 00 02 01  ttp.1.1uP.......
    00a0: 00 00 0a 00 0a 00 08 9a  9a 00 1d 00 17 00 18 00  ................
    00b0: 18 00 04 00 0a 01 02 1a  1a 00 01 00              ............

    qtp1720352223-26, READ: TLSv1 Handshake, length = 188
    *** ClientHello, TLSv1.2
    RandomCookie:  GMT: -778320102 bytes = { 127, 218*** ClientHello, TLSv1.2
    , 183, 210, 196, 44, 107, 41, 66, 141, 105, 106, 185, 149, 255, 221, 112, 79, 158, 201, 73, 40, 23, 125, 18, 254, 235, 31 }
    Session ID:  {}
    Cipher Suites: [Unknown 0xda:0xda, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
    Compression Methods:  { 0 }
    Unsupported extension type_51914, data:
    Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
    Unsupported extension type_23, data:
    Unsupported extension type_35, data:
    Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
    Unsupported extension status_request, data: 01:00:00:00:00
    Unsupported extension type_18, data:
    Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
    Unsupported extension type_30032, data:
    Extension ec_point_formats, formats: [uncompressed]
    Extension elliptic_curves, curve names: {unknown curve 39578, unknown curve 29, secp256r1, secp384r1}
    Unsupported extension type_24, data: 00:0a:01:02
    Unsupported extension type_6682, data: 00
    ***
    [read] MD5 and SHA1 hashes:  len = 188
    0000: 01 00 00 b8 03 03 d2 9c  c7 1a 7f da b7 d2 c4 2c  ................
    0010: 6b 29 42 8d 69 6a b9 95  ff dd 70 4f 9e c9 49 28  k.B.ij....pO..I.
    0020: 17 7d 12 fe eb 1f 00 00  24 da da c0 2b c0 2f c0  ................
    0030: 2c c0 30 cc a9 cc a8 cc  14 cc 13 c0 09 c0 13 c0  ..0.............
    0040: 0a c0 14 00 9c 00 9d 00  2f 00 35 00 0a 01 00 00  ..........5.....
    0050: 6b ca ca 00 00 ff 01 00  01 00 00 17 00 00 00 23  k...............
    0060: 00 00 00 0d 00 12 00 10  06 01 06 03 05 01 05 03  ................
    0070: 04 01 04 03 02 01 02 03  00 05 00 05 01 00 00 00  ................
    0080: 00 00 12 00 00 00 10 00  0e 00 0c 02 68 32 08 68  ............h2.h
    0090: 74 74 70 2f 31 2e 31 75  50 00 00 00 0b 00 02 01  ttp.1.1uP.......
    00a0: 00 00 0a 00 0a 00 08 9a  9a 00 1d 00 17 00 18 00  ................
    00b0: 18 00 04 00 0a 01 02 1a  1a 00 01 00              ............

    RandomCookie:  GMT: -1513498352 bytes = { 154, 137, 81, 210, 204, 205, 225, 206, 36, 58, 64, 254, 193, 192, 149, 44, 103, 122, 94, 114, 103, 87, 127, 189, 62, 55, 146, 144 }
    Session ID:  {}
    Cipher Suites: [Unknown 0xaa:0xaa, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
    Compression Methods:  { 0 }
    Unsupported extension type_56026, data:
    Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
    Unsupported extension type_23, data:
    Unsupported extension type_35, data:
    Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
    Unsupported extension status_request, data: 01:00:00:00:00
    Unsupported extension type_18, data:
    Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
    Unsupported extension type_30032, data:
    Extension ec_point_formats, formats: [uncompressed]
    Extension elliptic_curves, curve names: {unknown curve 51914, unknown curve 29, secp256r1, secp384r1}
    Unsupported extension type_24, data: 00:0a:01:02
    Unsupported extension type_6682, data: 00
    ***
    [read] MD5 and SHA1 hashes:  len = 188
    %% Initialized:  [Session-4, SSL_NULL_WITH_NULL_NULL]
    ssl: ServerHandshaker.setupPrivateKeyAndChain EC
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain EC
    0000: 01 00 00 b8 03 03 a6 ca  d9 10 9a 89 51 d2 cc cd  ............Q...
    0010: e1 ce 24 3a 40 fe c1 c0  95 2c 67 7a 5e 72 67 57  ..........gz.rgW
    0020: 7f bd 3e 37 92 90 00 00  24 aa aa c0 2b c0 2f c0  ...7............
    0030: 2c c0 30 cc a9 cc a8 cc  14 cc 13 c0 09 c0 13 c0  ..0.............
    0040: 0a c0 14 00 9c 00 9d 00  2f 00 35 00 0a 01 00 00  ..........5.....
    0050: 6b da da 00 00 ff 01 00  01 00 00 17 00 00 00 23  k...............
    0060: 00 00 00 0d 00 12 00 10  06 01 06 03 05 01 05 03  ................
    0070: 04 01 04 03 02 01 02 03  00 05 00 05 01 00 00 00  ................
    0080: 00 00 12 00 00 00 10 00  0e 00 0c 02 68 32 08 68  ............h2.h
    0090: 74 74 70 2f 31 2e 31 75  50 00 00 00 0b 00 02 01  ttp.1.1uP.......
    00a0: 00 00 0a 00 0a 00 08 ca  ca 00 1d 00 17 00 18 00  ................
    00b0: 18 00 04 00 0a 01 02 1a  1a 00 01 00              ............

    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    qtp1720352223-26, fatal error: 40: no cipher suites in common
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    %% Invalidated:  [Session-4, SSL_NULL_WITH_NULL_NULL]
    qtp1720352223-26, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
    qtp1720352223-26, WRITE: TLSv1.2 Alert, length = 2
    %% Initialized:  [Session-5, SSL_NULL_WITH_NULL_NULL]
    ssl: ServerHandshaker.setupPrivateKeyAndChain EC
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain EC
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    qtp1720352223-38, fatal error: 40: no cipher suites in common
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    %% Invalidated:  [Session-5, SSL_NULL_WITH_NULL_NULL]
    qtp1720352223-38, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
    qtp1720352223-38, WRITE: TLSv1.2 Alert, length = 2
    qtp1720352223-38, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
    qtp1720352223-26, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
    qtp1720352223-26, called closeOutbound()
    qtp1720352223-26, closeOutboundInternal()
    [Raw write]: length = 7
    0000: 15 03 03 00 02 02 28                               .......

    qtp1720352223-38, called closeOutbound()
    qtp1720352223-38, closeOutboundInternal()
    [Raw write]: length = 7
    0000: 15 03 03 00 02 02 28                               .......

    Using SSLEngineImpl.

    Is initial handshake: true
    [Raw read]: length = 5
    0000: 16 03 01 00 c2                                     .....

    [Raw read]: length = 194
    0000: 01 00 00 be 03 03 12 15  71 34 02 1a 11 77 15 28  ........q4...w..
    0010: 11 01 4e 66 a7 07 46 ce  96 96 9c 3e ad aa d4 0d  ..Nf..F.........
    0020: bf c9 5a 1c 83 5b 00 00  2a 1a 1a c0 2b c0 2f 00  ..Z.............
    0030: 9e c0 2c c0 30 cc a9 cc  a8 cc 14 cc 13 c0 09 c0  ....0...........
    0040: 13 00 33 c0 0a c0 14 00  39 00 9c 00 9d 00 2f 00  ..3.....9.......
    0050: 35 00 0a 01 00 00 6b 7a  7a 00 00 ff 01 00 01 00  5.....kzz.......
    0060: 00 17 00 00 00 23 00 00  00 0d 00 12 00 10 06 01  ................
    0070: 06 03 05 01 05 03 04 01  04 03 02 01 02 03 00 05  ................
    0080: 00 05 01 00 00 00 00 00  12 00 00 00 10 00 0e 00  ................
    0090: 0c 02 68 32 08 68 74 74  70 2f 31 2e 31 75 50 00  ..h2.http.1.1uP.
    00a0: 00 00 0b 00 02 01 00 00  0a 00 0a 00 08 1a 1a 00  ................
    00b0: 1d 00 17 00 18 00 18 00  04 00 0a 01 02 3a 3a 00  ................
    00c0: 01 00                                              ..

    qtp1720352223-40, READ: TLSv1 Handshake, length = 194
    *** ClientHello, TLSv1.2
    RandomCookie:  GMT: 303395124 bytes = { 2, 26, 17, 119, 21, 40, 17, 1, 78, 102, 167, 7, 70, 206, 150, 150, 156, 62, 173, 170, 212, 13, 191, 201, 90, 28, 131, 91 }
    Session ID:  {}
    Cipher Suites: [Unknown 0x1a:0x1a, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
    Compression Methods:  { 0 }
    Unsupported extension type_31354, data:
    Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
    Unsupported extension type_23, data:
    Unsupported extension type_35, data:
    Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
    Unsupported extension status_request, data: 01:00:00:00:00
    Unsupported extension type_18, data:
    Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
    Unsupported extension type_30032, data:
    Extension ec_point_formats, formats: [uncompressed]
    Extension elliptic_curves, curve names: {unknown curve 6682, unknown curve 29, secp256r1, secp384r1}
    Unsupported extension type_24, data: 00:0a:01:02
    Unsupported extension type_14906, data: 00
    ***
    [read] MD5 and SHA1 hashes:  len = 194
    0000: 01 00 00 be 03 03 12 15  71 34 02 1a 11 77 15 28  ........q4...w..
    0010: 11 01 4e 66 a7 07 46 ce  96 96 9c 3e ad aa d4 0d  ..Nf..F.........
    0020: bf c9 5a 1c 83 5b 00 00  2a 1a 1a c0 2b c0 2f 00  ..Z.............
    0030: 9e c0 2c c0 30 cc a9 cc  a8 cc 14 cc 13 c0 09 c0  ....0...........
    0040: 13 00 33 c0 0a c0 14 00  39 00 9c 00 9d 00 2f 00  ..3.....9.......
    0050: 35 00 0a 01 00 00 6b 7a  7a 00 00 ff 01 00 01 00  5.....kzz.......
    0060: 00 17 00 00 00 23 00 00  00 0d 00 12 00 10 06 01  ................
    0070: 06 03 05 01 05 03 04 01  04 03 02 01 02 03 00 05  ................
    0080: 00 05 01 00 00 00 00 00  12 00 00 00 10 00 0e 00  ................
    0090: 0c 02 68 32 08 68 74 74  70 2f 31 2e 31 75 50 00  ..h2.http.1.1uP.
    00a0: 00 00 0b 00 02 01 00 00  0a 00 0a 00 08 1a 1a 00  ................
    00b0: 1d 00 17 00 18 00 18 00  04 00 0a 01 02 3a 3a 00  ................
    00c0: 01 00                                              ..

    %% Initialized:  [Session-6, SSL_NULL_WITH_NULL_NULL]
    ssl: ServerHandshaker.setupPrivateKeyAndChain EC
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain EC
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    ssl: ServerHandshaker.setupPrivateKeyAndChain RSA
    ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null
    qtp1720352223-40, fatal error: 40: no cipher suites in common
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    %% Invalidated:  [Session-6, SSL_NULL_WITH_NULL_NULL]
    qtp1720352223-40, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
    qtp1720352223-40, WRITE: TLSv1.2 Alert, length = 2
    qtp1720352223-40, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
    qtp1720352223-40, called closeOutbound()
    qtp1720352223-40, closeOutboundInternal()
    [Raw write]: length = 7
    0000: 15 03 03 00 02 02 28                               .......

    ==========

    From the browser side, both FF and Chromium give this reason:

    ERR_SSL_VERSION_OR_CIPHER_MISMATCH

     

     

  • Adam_Roberts
    Adam_Roberts
    2 Posts

    Re: SSL & Jetty

    ‏2017-05-22T16:03:42Z  

    I'm seeing the same issue after upgrading my jetty version (used in Apache Spark which I'm responsible for testing along with our JDK). Here is the jetty version change in the Apache Spark project: https://github.com/apache/spark/commit/5d71f3db83138bf50749dcd425ef7365c34bd799

     

    The cipher suite problem happens regardless of IBM JDK version. So I'll be looking into this and reporting back. There's a potentially related discussion going on at https://github.com/eclipse/jetty.project/issues/1547 as well which I've commented on.

     

  • BaruchOffer
    BaruchOffer
    1 Post

    Re: SSL & Jetty

    ‏2017-06-21T17:48:42Z  

    I have upgraded from jetty-server-9.3.2.v20150730 to jetty-server-9.4.4.v20170414 and the secure option stoped working.

    looks like i am getting the same errors from this post about "no cipher suites in common"

    i did not change my Java version which is 8.

    i did test with openjdk and oracle and they are both working fine. the problem is only with IBM java...

    did anyone had any progress with this?

     

    thanks!

    Offer Baruch

     

  • DrStephenH
    DrStephenH
    1 Post

    Re: SSL & Jetty

    ‏2017-06-28T15:01:18Z  

    I'm seeing the same issue after upgrading my jetty version (used in Apache Spark which I'm responsible for testing along with our JDK). Here is the jetty version change in the Apache Spark project: https://github.com/apache/spark/commit/5d71f3db83138bf50749dcd425ef7365c34bd799

     

    The cipher suite problem happens regardless of IBM JDK version. So I'll be looking into this and reporting back. There's a potentially related discussion going on at https://github.com/eclipse/jetty.project/issues/1547 as well which I've commented on.

     

    Having assisted Adam, the root cause of our ApacheSpark issue is addressed in using "-Dcom.ibm.jsse2.overrideDefaultTLS=true" at the command-line, and it arises because of the issue described here : https://www.ibm.com/support/knowledgecenter/en/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/jsse2Docs/matchsslcontext_tls.html
    Therefore, post IBM Java 8 SR3 FP10, you have the command-line option of working around the Jetty 9.3.x (and 9.4.x) use of SSLContext.getInstance("TLS").