4 Replies Latest reply on Oct 30, 2017 2:54 AM by yair.shkedi

    SSLPeerUnverifiedException when upgrading to wildfly 10

    yair.shkedi

      Hi,

      Actually, I am not sure that it is directly related to WildFly.

      Currently, I am upgrading jboss 4.03 to wildfly 10.

      When I try to log in to my app, I send a GET request to another server (LDAP).

      Inside the http-client jar, when the sslSocket tries to get a session, I get ssl_null_with_null_null, which shows that there is an issue with creating the session.

      In jboss 4.03 I do get the session correctly (SSL_RSA_WITH_RC4_128_SHA).

       

      Later on, I got javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated,

      but I am convinced that it's because I don't get the session object as well.

       

      Hope it was clear. Can anybody help?

        • 1. Re: SSLPeerUnverifiedException when upgrading to wildfly 10
          paramjindal

          This error message ssl_null_with_null_null indicates that something went wrong during SSL handshaking, however, the cause is not specified and there can be multiple reasons (like certificate expired) for "SSLPeerUnverifiedException: peer not authenticated".

          To find out the root cause, enable SSL debugging using the Java option below:

           

          -Djavax.net.debug=ssl,handshake

          • 2. Re: SSLPeerUnverifiedException when upgrading to wildfly 10
            yair.shkedi

            Thanks for your reply, but I still have an issue.

            After setting the debug variable, I discovered that the cipher that the handshake is looking for is SSL_RSA_WITH_RC4_128_MD5 and it does not exist in my cipher list.

            I upgraded to Java 8, and I read that Java 8's security disables this cipher because it is not strong enough.

            I am working on a legacy server, thus I should stay with this cipher.

             

            To add this cipher, I changed my java.security file to support the cipher.

            I removed RC4 and SSLv3 from the jdk.tls.disabledAlgorithms property and the jdk.certpath.disabledAlgorithms property. Also, I added SSL_RSA_WITH_RC4_128_MD5 to the jdk.tls.legacyAlgorithms property.

             

            Despite my changes, the cipher list stays the same as earlier and I have the same exception.

             

            Should I configure it at the WildFly level (in enabled-cipher-suites), or should it be just at the Java configuration level?

             

            What more should I do to add this cipher and overcome this issue?

            • 3. Re: SSLPeerUnverifiedException when upgrading to wildfly 10
              mchoma

              Sure, try to tweak enabled-cipher-suites and enabled-protocols; probably the WildFly defaults do not contain SSL_RSA_WITH_RC4_128_MD5.

              • 4. Re: SSLPeerUnverifiedException when upgrading to wildfly 10
                yair.shkedi

                Thanks to both of you, really appreciate that.

                Actually, I solved the issue.

                I upgraded my server to Java 8 and the remote server is still on Java 6.

                Because of the security improvements in Java 8 (and 7), there was no overlap between the ciphers.

                I tried to add the old ciphers to my server without success, as I wrote in the previous reply, but because the remote server is our server as well, and we thought that it is better to improve the remote server rather than to decrease the security on the WildFly server, I added the new ciphers to the remote server and the handshake can be done.

                Thanks again!
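
An added example, not part of the original thread: a small Java diagnostic for the "no overlapping ciphers" situation the thread ends on. It prints the effective `jdk.tls.disabledAlgorithms` value as the running JVM sees it, classifies each suite a peer offers, and computes the overlap. The class name `CipherOverlapCheck` and the `PEER_SUITES` list are assumptions constructed for illustration; substitute the suites shown in your own `-Djavax.net.debug=ssl,handshake` output.

```java
import java.security.Security;
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class CipherOverlapCheck {
    // Constructed sample: suites a legacy peer might offer. Replace with the real list
    // taken from the handshake debug output.
    static final List<String> PEER_SUITES = Arrays.asList(
        "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA");

    /** Suites that can be negotiated: offered by the peer and enabled in this JVM. */
    static List<String> overlap(Collection<String> localEnabled, Collection<String> peer) {
        List<String> common = new ArrayList<>(peer);
        common.retainAll(new HashSet<>(localEnabled));
        return common;
    }

    /** Classifies one suite against this JVM's default SSLContext. */
    static String status(String suite, SSLParameters enabled, SSLParameters supported) {
        if (Arrays.asList(enabled.getCipherSuites()).contains(suite)) return "ENABLED";
        if (Arrays.asList(supported.getCipherSuites()).contains(suite)) return "SUPPORTED_NOT_ENABLED";
        // Absent from both lists: not implemented by the provider, or filtered out by the
        // JVM's security policy (behaviour differs between JDK versions).
        return "NOT_AVAILABLE";
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        // Effective values in the running JVM; confirms whether a java.security edit was
        // actually picked up by the process you care about.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("enabled protocols = " + Arrays.toString(enabled.getProtocols()));

        for (String s : PEER_SUITES) {
            System.out.println(s + " -> " + status(s, enabled, supported));
        }
        List<String> common = overlap(Arrays.asList(enabled.getCipherSuites()), PEER_SUITES);
        System.out.println(common.isEmpty()
            ? "No common suite: the handshake fails until the peer offers a suite enabled here."
            : "Negotiable suites: " + common);
    }
}
```

Run it with the same JVM and the same `java.security` file that the application server uses, otherwise the output describes a different configuration.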