-
1. Re: Problem with SSL when using FireFox and Opera
jfclere Jun 30, 2010 3:04 AM (in response to gunnarbos)
Can't tell without information about what SSL was doing before the error. Maybe it is related to renegotiations.
Try allowUnsafeLegacyRenegotiation="true" in <Connector/> and/or -Dsun.security.ssl.allowUnsafeRenegotiation=true in the java options.
-
2. Re: Problem with SSL when using FireFox and Opera
gunnarbos Jun 30, 2010 9:49 AM (in response to jfclere)
Hi Jean-Frederic,
I've tried both your suggestions but the result is the same.
I'm attaching a Wireshark file if that is of any help.
Regards
/Gunnar
-
FireFox.pcap.zip 589 bytes
-
3. Re: Problem with SSL when using FireFox and Opera
jfclere Jun 30, 2010 10:54 AM (in response to gunnarbos)
Are you sure IE also uses SSLv3?
Are there any error messages on the server side?
Try to add java -Djavax.net.debug=ssl to the java option.
Make sure you use the latest version of the JVM.
-
4. Re: Problem with SSL when using FireFox and Opera
gunnarbos Jul 1, 2010 4:33 AM (in response to jfclere)
Hi Jean-Frederic,
I've tested with a lot of combinations on the sslProtocol in JBoss and SSLv3 and TLS on Firefox.
I've now added the debug ssl as you proposed.
The difference I can see between the browsers is the cipher suites. There are unknown ciphers from Opera and Firefox but not from IE and Chrome, which both work fine.
Can this be the problem and what can be done?
We use the latest JDK from SUN on both Ubuntu and Solaris 10 and have the same problem.
The following log is for Opera
Cipher Suites: [Unknown 0x0:0xff, Unknown 0x0:0x6b, Unknown 0x0:0x6a, Unknown 0x0:0x69, Unknown 0x0:0x68, Unknown 0x0:0x3d, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, Unknown 0x0:0x37, Unknown 0x0:0x36, TLS_RSA_WITH_AES_256_CBC_SHA, Unknown 0x0:0x67, Unknown 0x0:0x40, Unknown 0x0:0x3f, Unknown 0x0:0x3e, Unknown 0x0:0x3c, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, Unknown 0x0:0x31, Unknown 0x0:0x30, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
The following log is for IE
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
Regards
/Gunnar
-
5. Re: Problem with SSL when using FireFox and Opera
gunnarbos Jul 1, 2010 4:41 AM (in response to gunnarbos)
Hi,
The error in the log is "handling exception: java.lang.RuntimeException: Parameter generation failed!"
The connector is defined as:
<Connector protocol="HTTP/1.1" SSLEnabled="true"
    port="8443" address="${jboss.bind.address}"
    minSpareThreads="5" maxSpareThreads="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="200" maxThreads="400"
    scheme="https" secure="true"
    keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
    keystorePass="XXX" sslProtocol="TLS" />
Regards
/Gunnar
-
6. Re: Problem with SSL when using FireFox and Opera
jfclere Jul 2, 2010 5:22 AM (in response to gunnarbos)
Cipher Suites: [Unknown 0x0:0xff, Unknown 0x0:0x6b, Unknown 0x0:0x6a, Unknown 0x0:0x69, Unknown 0x0:0x68, Unknown 0x0:0x3d, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, Unknown 0x0:0x37, Unknown 0x0:0x36, TLS_RSA_WITH_AES_256_CBC_SHA, Unknown 0x0:0x67, Unknown 0x0:0x40, Unknown 0x0:0x3f, Unknown 0x0:0x3e, Unknown 0x0:0x3c, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, Unknown 0x0:0x31, Unknown 0x0:0x30, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
It seems the browser is using Cipher Suites JSSE doesn't support.
Using about:config in FireFox and looking for ssl could give a hint of what is not supported.
The error in the log is "handling exception: java.lang.RuntimeException: Parameter generation failed!"
Is there a stack trace with it?
-
7. Re: Problem with SSL when using FireFox and Opera
gunnarbos Jul 2, 2010 9:38 AM (in response to jfclere)
Hi,
There is no stack trace.
But there is definitely one or more problems with cipher suites.
I disabled the security.ssl3.dhe_rsa_aes_128_sha cipher in firefox and now it works!
Can the problem be solved on the server side?
We can't tell all our customers to change this in their browsers!
Regards
Gunnar
-
8. Re: Problem with SSL when using FireFox and Opera
jfclere Jul 2, 2010 10:01 AM (in response to gunnarbos)
Probably a bug in the JVM. The next version will fix it if enough complain...
-
9. Re: Problem with SSL when using FireFox and Opera
gunnarbos Jul 6, 2010 7:33 AM (in response to jfclere)
Hi,
How can I be sure that the problem is within the JVM?
I can't find anything about it on the net and I would assume many more people should run into this problem if it is in the JVM.
Is there any configuration that can be done for JSSE?
Regards
/Gunnar
-
10. Re: Problem with SSL when using FireFox and Opera
gunnarbos Jul 22, 2010 9:35 AM (in response to gunnarbos)
Hi!
I've finally managed to solve this problem, by defining the ciphers used in the Connection-tag for SSL in JBoss server.xml.
I removed all ciphers with DHE (Diffie Hellman) in the name and now it works.
I still don't know the root cause of the problem.
Thanks!
Gunnar
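-
Added example, not part of the thread and not code from any poster: one way to build the cipher list for the workaround in the last post, generalized to whatever suites the running JVM enables by default rather than a hand-typed list. It assumes the list goes into the Connector's `ciphers` attribute (comma-separated JSSE suite names); the class name is hypothetical. Dropping DHE leaves ECDHE as the only forward-secret key exchange, so the program reports whether any ECDHE suites remain.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLServerSocketFactory;

// Added example (hypothetical class name): builds a value for the Connector's
// "ciphers" attribute from the suites this JVM enables by default, minus DHE.
public class ConnectorCiphers {

    // Finite-field ephemeral DH (TLS_DHE_*, SSL_DHE_*). "_DHE_" does not match ECDHE.
    static boolean isDhe(String suite) {
        return suite.contains("_DHE_");
    }

    // Suites that should stay off no matter what: anonymous, NULL, export-grade.
    static boolean isWeak(String suite) {
        return suite.contains("_anon_") || suite.contains("_NULL_")
                || suite.contains("_EXPORT_");
    }

    static List<String> withoutDhe(String[] suites) {
        List<String> kept = new ArrayList<>();
        for (String s : suites) {
            if (!isDhe(s) && !isWeak(s)) {
                kept.add(s);
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        String[] enabled = factory.getDefaultCipherSuites();
        List<String> kept = withoutDhe(enabled);

        for (String s : enabled) {
            if (isDhe(s)) System.out.println("excluded (DHE): " + s);
        }
        // Paste this into the SSL <Connector/> in server.xml.
        System.out.println("ciphers=\"" + String.join(",", kept) + "\"");

        boolean ecdheLeft = false;
        for (String s : kept) ecdheLeft |= s.contains("_ECDHE_");
        System.out.println("forward-secret (ECDHE) suites remaining: " + ecdheLeft);
    }
}
```

Run it with the same JVM that runs the server, since the enabled suites differ between JVM versions and policy files.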