Rajskanna

javax.net.ssl.SSLException: Received fatal alert: illegal_parameter on IBM JVM

2014-05-22T10:28:26Z

To avoid elliptic curves and the server name (SNI) extension with an HTTPS server, I am using -Dcom.sun.net.ssl.enableECC=false -Djsse.enableSNIExtension=false in the Sun JDK on a Linux system, and it worked fine.

-Dcom.sun.net.ssl.enableECC=false -Djsse.enableSNIExtension=false

But the same is not working on IBM AIX, which has the IBM JVM. I am getting the error below:

------------------------------------------------------------

HTTPS: TRUE

IBMJSSEProvider2 Build-Level: -20130515
keyStore is: /scratch/aime1/adestore/views/aime1_stuyd13/jdk7/jre/lib/security/cacerts
keyStore type is: jks
keyStore provider is: 
init keystore
SSLContextImpl:  Using X509ExtendedKeyManager com.ibm.jsse2.uc
SSLContextImpl:  Using X509TrustManager oracle.sysman.asreplay.replayAgent.asyncSocketIO.HttpsSocket$1
trigger seeding of SecureRandom
done seeding SecureRandom
Connecting to rws3220102.us.oracle.com:4492
2014-05-22 09:26:29,416 [Worker-1] WARN  replayAgent.asyncSocketIO.HttpsSocket[712] - Socket[1] HTTPS Connecting rws3220102.us.oracle.com:4492
2014-05-22 09:26:29,548 [Worker-1] WARN  replayAgent.asyncSocketIO.HttpsSocket[1106] - Socket[1] Internal connectStart
1400750789548: connectStart
2014-05-22 09:26:29,609 [Select-0] WARN  replayAgent.asyncSocketIO.HttpsSocket[1119] - Socket[1] Internal ConnectDone
IBMJSSE2 will not enable CBC protection
Using SSLEngineImpl.
Installed Providers = 
        IBMJSSE2
        IBMJCE
        IBMJGSSProvider
        IBMCertPath
        IBMSASL
        IBMXMLCRYPTO
        IBMXMLEnc
        IBMSPNEGO
        SUN
JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.7
JsseJCE:  Using KeyAgreement ECDH from provider IBMJCE version 1.7
JsseJCE:  Using signature SHA1withECDSA from provider TBD via init 
JsseJCE:  Using signature NONEwithECDSA from provider TBD via init 
JsseJCE:  Using KeyFactory EC from provider IBMJCE version 1.7
JsseJCE:  Using KeyPairGenerator EC from provider TBD via init 
JsseJce:  EC is available
JsseJCE:  Using cipher AES/CBC/NoPadding from provider TBD via init 
CipherBox:  Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.7
2014-05-22 09:26:31,144 [Select-0] WARN  replayAgent.asyncSocketIO.HttpsSocket[369] - Socket[1] Starting initial Handshake
IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
 
Is initial handshake: true
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
%% No cached client session
*** ClientHello, TLSv1
RandomCookie:  GMT: 1400684999 bytes = { 225, 183, 142, 214, 82, 24, 47, 199, 163, 147, 216, 86, 148, 205, 67, 186, 88, 87, 167, 139, 110, 45, 79, 233, 155, 239, 59, 202 }
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ECDH_RSA_WITH_RC4_128_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp192r1, secp224r1, secp384r1, secp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
[write] MD5 and SHA1 hashes:  len = 135
 
Select-0, WRITE: TLSv1 Handshake, length = 135
2014-05-22 09:26:31,327 [Select-0] WARN  replayAgent.asyncSocketIO.HttpsSocket[409] - Socket[1] Handshake Status in doHandshake: NEED_WRAP
[Raw write]: length = 140
 
2014-05-22 09:26:31,344 [Select-0] WARN  replayAgent.asyncSocketIO.HttpsSocket[464] - Socket[1] SSLEngineResult Status of wrap in doHandshake: OK
2014-05-22 09:26:31,347 [Select-0] WARN  replayAgent.asyncSocketIO.HttpsSocket[1142] - Socket[1] Internal sendingStart
2014-05-22 09:26:31,353 [Select-0] WARN  replayAgent.asyncSocketIO.HttpsSocket[1157] - Socket[1] Internal sendingDone
2014-05-22 09:26:31,355 [Select-0] WARN  replayAgent.asyncSocketIO.HttpsSocket[409] - Socket[1] Handshake Status in doHandshake: NEED_UNWRAP
2014-05-22 09:26:31,399 [Select-0] WARN  replayAgent.asyncSocketIO.HttpsSocket[949] - Socket[1] SSL Read from socket: 7
[Raw read]: length = 5
0000: 15 03 01 00 02                                     .....
 
[Raw read]: length = 2
0000: 02 2f                                              ..
 
Select-0, READ: TLSv1 Alert, length = 2
Select-0, RECV TLSv1 ALERT:  fatal, illegal_parameter
Select-0, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
Select-0, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
Select-0, called closeOutbound()
Select-0, closeOutboundInternal()
Select-0, SEND TLSv1 ALERT:  warning, description = close_notify
Select-0, WRITE: TLSv1 Alert, length = 2
Select-0, called closeInbound()
Select-0, closeInboundInternal()
Select-0, closeOutboundInternal()
errorCallBack: HTTPS Socket[1] javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
-------------------------------------------------------------

Is there an equivalent of the "-Dcom.sun.net.ssl.enableECC=false" argument in the IBM JVM?
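
A JVM-independent way to keep EC cipher suites out of the ClientHello, added here as an example and not part of the original post: filter them out of the SSLEngine's enabled suites through the standard JSSE API, since the log shows the application drives an SSLEngine. The class and method names are hypothetical, and whether IBMJSSE2 then also drops the elliptic_curves extension is an assumption to confirm in the -Djavax.net.debug output.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (hypothetical class name); Java 7 compatible, standard JSSE calls only.
public class NoEcSuites {

    // True for suites whose key exchange or authentication needs elliptic curves.
    // The substring test covers both the SSL_ prefix seen in the IBMJSSE2 log
    // and the TLS_ prefix used by other providers.
    static boolean usesEllipticCurves(String suite) {
        return suite.contains("_ECDH_")
            || suite.contains("_ECDHE_")
            || suite.contains("_ECDSA_");
    }

    // Returns the input list with every EC-based suite removed, order preserved.
    static String[] withoutEc(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String s : suites) {
            if (!usesEllipticCurves(s)) {
                kept.add(s);
            }
        }
        return kept.toArray(new String[kept.size()]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);

        // Start from what the provider enables by default so every name is supported.
        String[] filtered = withoutEc(engine.getEnabledCipherSuites());
        if (filtered.length == 0) {
            throw new IllegalStateException("no non-EC cipher suite is enabled");
        }
        engine.setEnabledCipherSuites(filtered);

        // What the ClientHello will now offer; no *_ECDH*_ or *_ECDSA_ entry should remain.
        for (String s : engine.getEnabledCipherSuites()) {
            System.out.println(s);
        }
    }
}
```

In the application the same `setEnabledCipherSuites` call goes on the engine that performs the handshake, before the first wrap.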