10 Replies Latest reply on Jul 22, 2010 9:35 AM by gunnarbos

    Problem with SSL when using FireFox and Opera

    gunnarbos

      Hi,

      We use JBoss 5.1.0.GA on Solaris 10 with JDK 1.6 64 bits.

      The application uses HTTP SSL.

      It works fine when we access the application with Internet Explorer or Chrome but fails when using the latest versions of Opera or Firefox.

      Firefox error is "ssl_error_internal_error_alert"

      Opera error is "Secure connection: fatal error (80) from server."

      I've listened on the communication line with wireshark and the server responds with the following message

      TLSv1 Record Layer: alert (Level: Fatal, Description: Internal Error)

      Content Type Alert (21)

      Alert Message

      Level Fatal(2)

      Description Internal Error (80)

       

      What is wrong? What can we do about it?

       

      Regards

      /Gunnar

       

        • 1. Re: Problem with SSL when using FireFox and Opera
          jfclere

          Can't tell without information about what SSL was doing before the error. Maybe it is related to renegotiations.

          Try allowUnsafeLegacyRenegotiation="true" in <Connector/> and/or -Dsun.security.ssl.allowUnsafeRenegotiation=true in the java options.

          • 2. Re: Problem with SSL when using FireFox and Opera
            gunnarbos

            Hi Jean-Frederic,

            I've tried both your suggestions but the result is the same.

            I'm attaching a wireshark file if that is of any help.

            Regards

            /Gunnar

            • 3. Re: Problem with SSL when using FireFox and Opera
              jfclere

              Are you sure IE also uses SSLv3?

               

              Are there any error messages on the server side?

               

              Try to add java -Djavax.net.debug=ssl to the java options.

               

              Make sure you use the latest version of the JVM.
              • 4. Re: Problem with SSL when using FireFox and Opera
                gunnarbos

                Hi Jean-Frederic,

                 

                I've tested with a lot of combinations on the sslProtocol in JBoss and SSLv3 and TLS on Firefox.


                I've now added the debug ssl as you proposed.

                The difference I can see between the browsers is the cipher suites. There are unknown ciphers from Opera and Firefox but not from IE and Chrome, which both work fine.

                Can this be the problem and what can be done?


                We use the latest JDK from SUN on both Ubuntu and Solaris 10 and have the same problem.


                The following log is for Opera

                 

                Cipher Suites: [Unknown 0x0:0xff, Unknown 0x0:0x6b, Unknown 0x0:0x6a, Unknown 0x0:0x69, Unknown 0x0:0x68, Unknown 0x0:0x3d, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, Unknown 0x0:0x37, Unknown 0x0:0x36, TLS_RSA_WITH_AES_256_CBC_SHA, Unknown 0x0:0x67, Unknown 0x0:0x40, Unknown 0x0:0x3f, Unknown 0x0:0x3e, Unknown 0x0:0x3c, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, Unknown 0x0:0x31, Unknown 0x0:0x30, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]

                 

                The following log is for IE

                 

                Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]

                Regards

                /Gunnar

                • 5. Re: Problem with SSL when using FireFox and Opera
                  gunnarbos

                  Hi,

                  The error in the log is "handling exception: java.lang.RuntimeException: Parameter generation failed!"

                   

                  The connector is defined as:

                   

                  <Connector protocol="HTTP/1.1" SSLEnabled="true"
                             port="8443" address="${jboss.bind.address}"
                             minSpareThreads="5" maxSpareThreads="75"
                             enableLookups="true" disableUploadTimeout="true"
                             acceptCount="200"  maxThreads="400"
                             scheme="https" secure="true"
                             keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
                             keystorePass="XXX" sslProtocol="TLS" />

                   

                   

                  Regards

                  /Gunnar

                  • 6. Re: Problem with SSL when using FireFox and Opera
                    jfclere

                    Cipher Suites: [Unknown 0x0:0xff, Unknown  0x0:0x6b, Unknown 0x0:0x6a, Unknown 0x0:0x69, Unknown 0x0:0x68, Unknown  0x0:0x3d, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,  TLS_DHE_DSS_WITH_AES_256_CBC_SHA, Unknown 0x0:0x37, Unknown 0x0:0x36,  TLS_RSA_WITH_AES_256_CBC_SHA, Unknown 0x0:0x67, Unknown 0x0:0x40,  Unknown 0x0:0x3f, Unknown 0x0:0x3e, Unknown 0x0:0x3c,  TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA,  Unknown 0x0:0x31, Unknown 0x0:0x30, TLS_RSA_WITH_AES_128_CBC_SHA,  SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5,  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA,  SSL_RSA_WITH_3DES_EDE_CBC_SHA]

                    It seems the browser is using Cipher Suites JSSE doesn't support.

                    Using about:config in FireFox and looking for ssl could give a hint of what is not supported.

                     

                    The error in the log is "handling exception: java.lang.RuntimeException:  Parameter generation failed!"

                    Is there a stack trace with it?

                    • 7. Re: Problem with SSL when using FireFox and Opera
                      gunnarbos

                      Hi,

                      There is no stack trace.

                       

                      But there is definitely one or more problems with cipher suites.

                      I disabled the security.ssl3.dhe_rsa_aes_128_sha cipher in firefox and now it works!

                       

                      Can the problem be solved on the server side?

                      We can't tell all our customers to change this in their browsers!

                       

                      Regards

                      Gunnar

                      • 8. Re: Problem with SSL when using FireFox and Opera
                        jfclere

                        Probably a bug in the JVM. The next version will fix it if enough complain...

                        • 9. Re: Problem with SSL when using FireFox and Opera
                          gunnarbos

                          Hi,

                          How can I be sure that the problem is within the JVM?

                          I can't find anything about it on the net and I would assume many more people should run into this problem if it is in the JVM.

                          Is there any configuration that can be done for JSSE?

                           

                          Regards

                          /Gunnar

                          • 10. Re: Problem with SSL when using FireFox and Opera
                            gunnarbos

                            Hi!

                            I've finally managed to solve this problem, by defining the ciphers used in the Connection-tag for SSL in JBoss server.xml.

                            I removed all ciphers with DHE (Diffie Hellman) in the name and now it works.

                            I still don't know the root cause of the problem.

                            Thanks!

                            Gunnar
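
Added example (not code from the thread's participants): a Python script that parses the `Cipher Suites` debug lines quoted in post 4, shows which client offers `DHE_RSA` suites, and builds a `ciphers` value for the Connector with finite-field DHE suites left out, as post 10 describes. Assumptions: `SERVER_SUITES` is a constructed sample rather than the poster's real list, the function names are hypothetical, and ECDHE suites are kept because the post does not say whether they were removed.

```python
import re

# Debug lines copied from the javax.net.debug=ssl output quoted in post 4.
OPERA = "Cipher Suites: [Unknown 0x0:0xff, Unknown 0x0:0x6b, Unknown 0x0:0x6a, Unknown 0x0:0x69, Unknown 0x0:0x68, Unknown 0x0:0x3d, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, Unknown 0x0:0x37, Unknown 0x0:0x36, TLS_RSA_WITH_AES_256_CBC_SHA, Unknown 0x0:0x67, Unknown 0x0:0x40, Unknown 0x0:0x3f, Unknown 0x0:0x3e, Unknown 0x0:0x3c, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, Unknown 0x0:0x31, Unknown 0x0:0x30, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]"
IE = "Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]"

# Constructed sample of suites enabled on the server (not the poster's list).
SERVER_SUITES = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def parse_suites(debug_line):
    """Return the entries of a 'Cipher Suites: [...]' debug line, in order."""
    m = re.search(r"Cipher Suites:\s*\[(.*)\]", debug_line)
    if not m:
        raise ValueError("not a Cipher Suites debug line")
    return [s.strip() for s in m.group(1).split(",") if s.strip()]


def key_exchange(suite):
    """Key-exchange token of a named suite, e.g. 'DHE_RSA'; None if unnamed."""
    m = re.match(r"(?:TLS|SSL)_(.+?)_WITH_", suite)
    return m.group(1) if m else None


def dhe_offered(suites, auth="RSA"):
    """Ephemeral finite-field DH suites a client offers for a server key type."""
    return [s for s in suites if key_exchange(s) == "DHE_" + auth]


def connector_ciphers(server_suites):
    """Comma-separated 'ciphers' value with every DHE_* suite dropped."""
    keep = [s for s in server_suites
            if key_exchange(s) and not key_exchange(s).startswith("DHE_")]
    return ",".join(keep)


if __name__ == "__main__":
    for name, line in (("Opera", OPERA), ("IE", IE)):
        print(name, "offers DHE_RSA:", dhe_offered(parse_suites(line)))
    print('ciphers="%s"' % connector_ciphers(SERVER_SUITES))
```

With only RSA key exchange left, as in this sample output, connections no longer have forward secrecy.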