Hello all.
I'm running into a problem which is nearly identical to the one detailed here: http://stackoverflow.com/questions/14167508/intermittent-sslv3-alert-handshake-failure-under-python
Basically, I've got JBoss AS 7.1.1, running Oracle Java 1.7, and it's got an SSL-enabled <connector> section on port 8443. The stackoverflow page was about a Python app; this occasionally-failing client is actually a PHP app. The issue is that intermittently, the SSL connection will error out with a "SSL3_READ_BYTES:sslv3 alert handshake failure" error.
That thread had recommended that one possible workaround would be to disable DH-based ciphers, but it looks like JBoss is only allowing the following ciphers (as sniffed via "sslsniff") -
Accepted SSLv3 128 bits DHE-DSS-AES128-SHA Accepted SSLv3 168 bits EDH-DSS-DES-CBC3-SHA Accepted TLSv1 128 bits DHE-DSS-AES128-SHA Accepted TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
One thing I tried was adding in the JCE Unlimited Strength Jurisdiction policy files, which then expanded that list to also include:
Accepted SSLv3 256 bits DHE-DSS-AES256-SHA Accepted TLSv1 256 bits DHE-DSS-AES256-SHA
But the clients still occasionally fail with that "sslv3 alert handshake failure" message, regardless.
The original connector definition itself was pretty basic:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true"> <ssl name="ssl" password="webservice-dev" certificate-key-file="${jboss.server.config.dir}/webservice-dev.keystore"/> </connector>
This definition is functionally identical:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true"> <ssl name="ssl" password="webservice-dev" certificate-key-file="${jboss.server.config.dir}/webservice-dev.keystore" cipher-suite="TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" /> </connector>
... I've tried adding in extra ciphers which http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider seems to claim should be available, such as:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true"> <ssl name="ssl" password="webservice-dev" certificate-key-file="${jboss.server.config.dir}/webservice-dev.keystore" cipher-suite="TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, SSL_RSA_WITH_RC4_128_SHA" /> </connector>
But none of the extra ciphers actually show up as possibilities. I know that this is probably a Java-specific configuration issue, but I haven't had much luck Googling around, and I'm not entirely sure how I'd reproduce the issue using just Java
Comments