6 Replies Latest reply on Mar 6, 2017 5:34 PM by milspec

wildfly 10.1 ssl misconfigured: browser handshake error. Where the error?

milspec Feb 28, 2017 5:08 PM

Hi all,

I likely have missed an obvious setting here, so I apologize in advance

Context

I've tried to set up wildfly 10.1 to terminate SSL per the configuration below

Result

Wildfly starts up ok, however my browser cannot connect. Firefox shows "The connection to localhost was interrupted while the page was loading.". Openssl shows a handshake failure. [I associate a 'handshake error' with this scenario: browser tries to connect w/ SSL, but the server sends back 'plain http']

Open ssl output:

$ openssl s_client -connect ${HOST}:${PORT} -showcerts </dev/null

140074818008736:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

Questions

-I've pasted my configuraiton below: security-realm, socket-binding, listener. What am I missing?

-what formats does wildfly support for public cert files (jks/x509/pkcs7/pkcs12)

thanks in advance

Configurations

Security Realm

<security-realm name="SslRealm">

<server-identities>

<ssl>

<keystore path="/home/joedeveloper/ssl_files/learn.better.jks"

keystore-password="learn.better.password"

key-password="learn.better.password"

alias="learn.better.alias"

</ssl>

</server-identities>

Https Listener

<buffer-cache name="default"/>

<https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>

<http-listener name="default" socket-binding="http" redirect-socket="https" worker="http-worker"

socket binding

<socket-binding name="https" port="${jboss.https.port:443}"/>

Certificate Generation

SSL_KEY_ALIAS=learn.better.alias

SSL_KEY_PASSWORD=learn.better.password

SSL_KEYSTORE_PASSWORD=learn.better.password

SSL_KEYSTORE_FILE=learn.better.jks

keytool \

-alias ${SSL_KEY_ALIAS} \

-genkey \

-keyalg RSA \

-keypass ${SSL_KEY_PASSWORD} \

-keystore ${SSL_KEYSTORE_FILE} \

-sigalg MD5withRSA \

-storepass ${SSL_KEYSTORE_PASSWORD} \

-validity 9999

Reference

SSL setup guide - WildFly 8 - Project Documentation Editor

Wildfly 9 http to https - Stack Overflow

Configuring SSL in Wildfly 8/9/10 | Real Life Java

Setting up SSL/TLS with Wildfly 10

thanks in advance

1. Re: wildfly 10.1 ssl misconfigured: browser handshake error. Where the error?

milspec Feb 28, 2017 10:10 PM (in response to milspec)

tldr;
It turns out the problem lies with the JDK. Specifically IBM's jdk. (I should have mentioned: we're using IBM's jdk).

More information:
I turned ssl handshake debugging and found this error:

2017-02-28 20:18:12,463 [INFO ] stdout ( 936) - default task-1, fatal error: 40: javax.net.ssl.SSLHandshakeException: no cipher suites in common

I tried tweaking the listener configiration, specifically adding the bold below....but 'no dice.' [I don't know the crypto cipher stuff details well]

<https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"
   enabled-protocols="TLSv1.2"
   enabled-cipher-suites="
            TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
               TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                   TLS_RSA_WITH_AES_128_GCM_SHA256"
/>

On a whim I tried switching to Oracle JDK 8: and it worked

Summary

Wildfly 10.1 SSL worked "out of the box" (i.e. no cipher tweaking) with Oracle JDK (1.8.0_45 ), but failed with IBM JDK (ibm-java-sdk-8.0-1.1 build pxa6480sr1fp1-20150603_01(SR1 FP1))
Actions
2. Re: wildfly 10.1 ssl misconfigured: browser handshake error. Where the error?

mchoma Mar 1, 2017 2:12 AM (in response to milspec)

Your problem may relates to [ELY-438] There is not possibility to use alternative JSSE Cipher Suite Names for IBM JDK - JBoss Issue Tracker

* Try to specify enabled-cipher-suites without whitespaces
enabled-cipher-suites="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256"
* look into ssl handshake debugging and see what which cipher suites is your browser requesting
* Try to specify SSL_ variants [1] of cipher suites (probably won't work because of aforementioned issue)
enabled-cipher-suites="SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_AES_128_GCM_SHA256"

[1] IBM Knowledge Center
Actions
3. Re: wildfly 10.1 ssl misconfigured: browser handshake error. Where the error?

mchoma Mar 1, 2017 2:45 AM (in response to mchoma)

But probably problem will be that you are using MD5withRSA during your key generating. I think IBM java restrict that. Omit specifying this or use SHA256withRSA for example.
Actions
4. Re: wildfly 10.1 ssl misconfigured: browser handshake error. Where the error?

milspec Mar 1, 2017 2:49 PM (in response to mchoma)

Hi Martin,

Thanks for your response.

I tried both these but they didn't work. Actually, I had to cut out "TLS_RSA_WITH_AES_128_GCM_SHA256" as server.log complained abou tit.
Token \"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\" not allowed at offset 36 of mechanism selection string

* Try to specify enabled-cipher-suites without whitespaces
enabled-cipher-suites="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256"
* look into ssl handshake debugging and see what which cipher suites is your browser requesting
* Try to specify SSL_ variants [1] of cipher suites (probably won't work because of aforementioned issue)
enabled-cipher-suites="SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_AES_128_GCM_SHA256"

SSL Handshake debugging shows these messages (I've reformatted for easier viewing here):
[Note that the entries and order appears to match the list on the imb jsse page here IBM Knowledge Center ]

Ignoring unsupported cipher suite :

SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSL_RSA_WITH_AES_256_CBC_SHA256
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
SSL_RSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
SSL_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
SSL_RSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256

Questions
The [ELY-438] IBM JSSE bug is old, a blocker and still open.

Can you (or anyone) suggest a workaround?

thanks in advance
Actions
5. Re: wildfly 10.1 ssl misconfigured: browser handshake error. Where the error?

mchoma Mar 6, 2017 2:20 AM (in response to milspec)

Did you try to regenerate keystore without -sigalg MD5withRSA. On recent IBM javas MD5withRSA is disabled in java.security file.
Actions
6. Re: wildfly 10.1 ssl misconfigured: browser handshake error. Where the error?

milspec Mar 6, 2017 5:34 PM (in response to mchoma)

I tried that..and got same error:

2017-03-06 16:30:35,651 [INFO ] stdout                                    ( 936) - default task-2, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common

Here is command I used to generate the keystore:

#!/bin/bash

STORETYPE=JKS
SSL_KEY_ALIAS=learn.best.alias
SSL_KEY_PASSWORD=learn.best.password
SSL_KEYSTORE_PASSWORD=learn.best.password

keytool \
    -genkey \
    -storetype ${STORETYPE} \
    -keyalg RSA \
    -keysize 2048 \
    -validity 3650 \
    -keystore ${SSL_KEYSTORE_FILE} \
    -alias ${SSL_KEY_ALIAS} \
    -dname "CN=Milspec, OU=my.learn, ST=IL, C=USA" \
    -keypass ${SSL_KEY_PASSWORD} \
    -storepass ${SSL_KEYSTORE_PASSWORD}
Actions

Go to original post