-
1. Re: SSLPeerUnverifiedException when upgrading to wildfly 10
paramjindal Oct 27, 2017 11:24 AM (in response to yair.shkedi)
This error message ssl_null_with_null_null indicates that something went wrong during SSL handshaking; however, the cause is not specified and there can be multiple reasons (like an expired certificate) for "SSLPeerUnverifiedException: peer not authenticated".
To find out the root cause, enable SSL debugging using the Java option below:
-Djavax.net.debug=ssl,handshake
-
2. Re: SSLPeerUnverifiedException when upgrading to wildfly 10
yair.shkedi Oct 29, 2017 6:01 AM (in response to paramjindal)
Thanks for your reply, but I still have an issue.
After setting the debug variable, I discovered that the cipher that the handshake is looking for is SSL_RSA_WITH_RC4_128_MD5 and it does not exist in my cipher list.
I upgraded to Java 8, and I read that Java 8's security disables this cipher because it is not strong enough.
I am working with a legacy server, thus I should stay with this cipher.
To add this cipher, I changed my java.security file to support the cipher.
I removed RC4 and SSLv3 from the jdk.tls.disabledAlgorithms property and the jdk.certpath.disabledAlgorithms property. Also, I added SSL_RSA_WITH_RC4_128_MD5 to the jdk.tls.legacyAlgorithms property.
Despite my changes, the cipher list stays the same as before and I have the same exception.
Should I configure it at the WildFly level (in enabled-cipher-suites), or should it be just at the Java configuration level?
What more should I do to add this cipher and to overcome this issue?
-
3. Re: SSLPeerUnverifiedException when upgrading to wildfly 10
mchoma Oct 30, 2017 2:13 AM (in response to yair.shkedi)
Sure, try to tweak enabled-cipher-suites and enabled-protocols; probably the WildFly defaults do not contain SSL_RSA_WITH_RC4_128_MD5.
-
4. Re: SSLPeerUnverifiedException when upgrading to wildfly 10
yair.shkedi Oct 30, 2017 2:54 AM (in response to yair.shkedi)
Thanks to both of you, really appreciate that.
Actually, I solved the issue.
I upgraded my server to Java 8 and the remote server is still on Java 6.
Because of the security improvements in Java 8 (and 7), there was no overlap between the ciphers.
I tried to add the old ciphers to my server without success, as I wrote in the previous reply, but because the remote server is our server as well, and we thought that it is better to improve the remote server rather than to decrease the security on the WildFly server, I added the new ciphers to the remote server and the handshake can be done.
Thanks again!
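
The cipher overlap check discussed in this thread, as an added example that is not code from any of the posters or from WildFly: it prints what the running JVM enables by default and intersects that with a peer's offered suites. The class name `CipherOverlap` and the `PEER_SUITES` list are constructed for illustration; replace the list with the suites shown in the `-Djavax.net.debug=ssl,handshake` output for the real peer.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class CipherOverlap {
    // Constructed sample: suites a legacy peer might offer (not taken from the thread's logs).
    static final String[] PEER_SUITES = {
        "SSL_RSA_WITH_RC4_128_MD5",
        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA"
    };

    // Returns the peer suites that also appear in the local list, in peer order.
    static Set<String> overlap(String[] local, String[] peer) {
        Set<String> localSet = new LinkedHashSet<>(Arrays.asList(local));
        Set<String> common = new LinkedHashSet<>(Arrays.asList(peer));
        common.retainAll(localSet);
        return common;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        System.out.println("java.version = " + System.getProperty("java.version"));
        // The effective value read from java.security by this JVM.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("enabled protocols = "
                + Arrays.toString(enabled.getProtocols()));

        Set<String> usable = overlap(enabled.getCipherSuites(), PEER_SUITES);
        Set<String> possible = overlap(supported.getCipherSuites(), PEER_SUITES);
        possible.removeAll(usable);
        System.out.println("common with JVM defaults: " + usable);
        // Known to the provider but not enabled by default in this JVM.
        System.out.println("supported but not enabled: " + possible);
        if (usable.isEmpty()) {
            System.out.println("No common suite with this JVM's default settings.");
        }
    }
}
```

Run it with the same JVM installation that starts WildFly, so that the `java.security` file being read is the one the server actually uses.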