Version 1
Created by apocalyptech on Feb 22, 2013 5:49 PM. Last modified by apocalyptech on Feb 22, 2013 6:07 PM.

    Hello all.

     

    I'm running into a problem which is nearly identical to the one detailed here: http://stackoverflow.com/questions/14167508/intermittent-sslv3-alert-handshake-failure-under-python

     

    Basically, I've got JBoss AS 7.1.1, running Oracle Java 1.7, and it's got an SSL-enabled <connector> section on port 8443.  The stackoverflow page was about a Python app; this occasionally-failing client is actually a PHP app.  The issue is that intermittently, the SSL connection will error out with a "SSL3_READ_BYTES:sslv3 alert handshake failure" error.

     

    That thread had recommended that one possible workaround would be to disable DH-based ciphers, but it looks like JBoss is only allowing the following ciphers (as sniffed via "sslsniff") -

     

    Accepted  SSLv3  128 bits  DHE-DSS-AES128-SHA
Accepted  SSLv3  168 bits  EDH-DSS-DES-CBC3-SHA
Accepted  TLSv1  128 bits  DHE-DSS-AES128-SHA
Accepted  TLSv1  168 bits  EDH-DSS-DES-CBC3-SHA

     

    One thing I tried was adding in the JCE Unlimited Strength Jurisdiction policy files, which then expanded that list to also include:

     

    Accepted  SSLv3  256 bits  DHE-DSS-AES256-SHA
Accepted  TLSv1  256 bits  DHE-DSS-AES256-SHA

     

    But the clients still occasionally fail with that "sslv3 alert handshake failure" message, regardless.

     

    The original connector definition itself was pretty basic:

     

    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="ssl" password="webservice-dev" certificate-key-file="${jboss.server.config.dir}/webservice-dev.keystore"/>
</connector>

     

    This definition is functionally identical:

     

    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="ssl" password="webservice-dev" certificate-key-file="${jboss.server.config.dir}/webservice-dev.keystore" cipher-suite="TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" />
</connector>

     

    ... I've tried adding in extra ciphers which http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider seems to claim should be available, such as:

     

    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="ssl" password="webservice-dev" certificate-key-file="${jboss.server.config.dir}/webservice-dev.keystore" cipher-suite="TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_RC4_128_SHA" />
</connector>

     

    But none of the extra ciphers actually show up as possibilities.  I know that this is probably a Java-specific configuration issue, but I haven't had much luck Googling around, and I'm not entirely sure how I'd reproduce the issue using just Java

    1609 Views Categories: Tags: