-
1. Re: Wildfly 9.0.2 Cipher Suite Issue
ctomc Jan 21, 2016 11:26 AM (in response to sanmo)
It could be related to your OS setup and JVM.
If you use JDK 8 as the runtime, do you see any difference?
-
2. Re: Wildfly 9.0.2 Cipher Suite Issue
mchoma Jan 22, 2016 1:21 AM (in response to sanmo)
Also use the -Djavax.net.debug=all system property. It is very useful; it will show you the SSL handshake details, which cipher suite was chosen and probably the SSL error details.
Really, the Java version is important in these cases - please provide the exact Java versions you use. On AIX do you use IBM Java? On Windows do you use Oracle/OpenJDK Java?
It can also be caused by https://issues.jboss.org/browse/JBEAP-2070. Do you use a self-signed certificate?
I don't understand the last paragraph about the TLS_* cipher suite; can you rewrite it from "I have also noticed that ...", please?
-
3. Re: Wildfly 9.0.2 Cipher Suite Issue
sanmo Jan 25, 2016 11:12 PM (in response to mchoma)
Yes, I use IBM JDK 7 on AIX. On my PC I use Oracle JDK 7 on Windows 7. I installed JDK 8 and I am still getting the same SSL error. I am using a private CA to sign the certificate.
There was a glitch when I was typing it; I thought it took everything. However, using the -D property mentioned above, I see the following.
INFO [stdout] (default I/O-1) IBMJSSE2 will enable CBC protection
INFO [stdout] (default I/O-1) Using SSLEngineImpl.
INFO [stdout] (default I/O-1) IBMJSSE2 will NOT allow renegotiation per com.ibm.jsse2.renegotiate set to disabled
INFO [stdout] (default I/O-1) IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
INFO [stdout] (default I/O-1) IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
INFO [stdout] (default I/O-1) IBMJSSE2 will allow client initiated renegotiation per jdk.tls.rejectClientInitiatedRenegotiation set to FALSE or default
INFO [stdout] (default I/O-1)
INFO [stdout] (default I/O-1) Is initial handshake: true
INFO [stdout] (default I/O-1) No available cipher suite for TLSv1.2
INFO [stdout] (default I/O-1) default I/O-1, fatal error: 80: problem unwrapping net record
INFO [stdout] (default I/O-1) javax.net.ssl.SSLHandshakeException: No appropriate protocol, may be no appropriate cipher suite specified or protocols are deactivated
INFO [stdout] (default I/O-1) default I/O-1, SEND TLSv1.2 ALERT: fatal, description = internal_error
INFO [stdout] (default I/O-1) default I/O-1, WRITE: TLSv1.2 Alert, length = 2
INFO [stdout] (default I/O-1) [Raw write]: length = 7
INFO [stdout] (default I/O-1) 0000: 15 03 03 00 02 02 50 ......P
INFO [stdout] (default I/O-1)
INFO [stdout] (default I/O-1) default I/O-1, called closeOutbound()
INFO [stdout] (default I/O-1) default I/O-1, closeOutboundInternal()
INFO [stdout] (default I/O-1) Using SSLEngineImpl.
INFO [stdout] (default I/O-1)
INFO [stdout] (default I/O-1) Is initial handshake: true
INFO [stdout] (default I/O-1) No available cipher suite for TLSv1.2
INFO [stdout] (default I/O-1) default I/O-1, fatal error: 80: problem unwrapping net record
INFO [stdout] (default I/O-1) javax.net.ssl.SSLHandshakeException: No appropriate protocol, may be no appropriate cipher suite specified or protocols are deactivated
INFO [stdout] (default I/O-1) default I/O-1, SEND TLSv1.2 ALERT: fatal, description = internal_error
INFO [stdout] (default I/O-1) default I/O-1, WRITE: TLSv1.2 Alert, length = 2
INFO [stdout] (default I/O-1) [Raw write]: length = 7
INFO [stdout] (default I/O-1) 0000: 15 03 03 00 02 02 50 ......P
INFO [stdout] (default I/O-1)
INFO [stdout] (default I/O-1) default I/O-1, called closeOutbound()
INFO [stdout] (default I/O-1) default I/O-1, closeOutboundInternal()
INFO [stdout] (default I/O-2) Using SSLEngineImpl.
INFO [stdout] (default I/O-2)
INFO [stdout] (default I/O-2) Is initial handshake: true
INFO [stdout] (default I/O-2) No available cipher suite for TLSv1.2
INFO [stdout] (default I/O-2) default I/O-2, fatal error: 80: problem unwrapping net record
INFO [stdout] (default I/O-2) javax.net.ssl.SSLHandshakeException: No appropriate protocol, may be no appropriate cipher suite specified or protocols are deactivated
INFO [stdout] (default I/O-2) default I/O-2, SEND TLSv1.2 ALERT: fatal, description = internal_error
INFO [stdout] (default I/O-2) default I/O-2, WRITE: TLSv1.2 Alert, length = 2
INFO [stdout] (default I/O-2) [Raw write]: length = 7
INFO [stdout] (default I/O-2) 0000: 15 03 03 00 02 02 50 ......P
INFO [stdout] (default I/O-2)
INFO [stdout] (default I/O-2) default I/O-2, called closeOutbound()
INFO [stdout] (default I/O-2) default I/O-2, closeOutboundInternal()
INFO [stdout] (default I/O-2) Using SSLEngineImpl.
INFO [stdout] (default I/O-2)
INFO [stdout] (default I/O-2) Is initial handshake: true
INFO [stdout] (default I/O-2) No available cipher suite for TLSv1.2
INFO [stdout] (default I/O-2) default I/O-2, fatal error: 80: problem unwrapping net record
INFO [stdout] (default I/O-2) javax.net.ssl.SSLHandshakeException: No appropriate protocol, may be no appropriate cipher suite specified or protocols are deactivated
INFO [stdout] (default I/O-2) default I/O-2, SEND TLSv1.2 ALERT: fatal, description = internal_error
INFO [stdout] (default I/O-2) default I/O-2, WRITE: TLSv1.2 Alert, length = 2
INFO [stdout] (default I/O-2) [Raw write]: length = 7
INFO [stdout] (default I/O-2) 0000: 15 03 03 00 02 02 50 ......P
INFO [stdout] (default I/O-2)
INFO [stdout] (default I/O-2) default I/O-2, called closeOutbound()
INFO [stdout] (default I/O-2) default I/O-2, closeOutboundInternal()
INFO [stdout] (default I/O-3) Using SSLEngineImpl.
INFO [stdout] (default I/O-3)
INFO [stdout] (default I/O-3) Is initial handshake: true
INFO [stdout] (default I/O-3) No available cipher suite for TLSv1.2
INFO [stdout] (default I/O-3) default I/O-3, fatal error: 80: problem unwrapping net record
INFO [stdout] (default I/O-3) javax.net.ssl.SSLHandshakeException: No appropriate protocol, may be no appropriate cipher suite specified or protocols are deactivated
INFO [stdout] (default I/O-3) default I/O-3, SEND TLSv1.2 ALERT: fatal, description = internal_error
INFO [stdout] (default I/O-3) default I/O-3, WRITE: TLSv1.2 Alert, length = 2
INFO [stdout] (default I/O-3) [Raw write]: length = 7
INFO [stdout] (default I/O-3) 0000: 15 03 03 00 02 02 50 ......P
INFO [stdout] (default I/O-3)
INFO [stdout] (default I/O-3) default I/O-3, called closeOutbound()
INFO [stdout] (default I/O-3) default I/O-3, closeOutboundInternal()
I am enabling the following ciphers:
enabled-cipher-suites="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256"
thanks
-
4. Re: Wildfly 9.0.2 Cipher Suite Issue
mchoma Jan 26, 2016 1:18 AM (in response to sanmo)
Which cipher suite is used on Oracle for the handshake? Try to configure WildFly with only that one cipher suite for testing with IBM Java.
Also try running openssl s_client or TestSSLServer to "scan" the connection. It will try different cipher suites and provide a report.
-
5. Re: Wildfly 9.0.2 Cipher Suite Issue
ctomc Jan 26, 2016 5:48 AM (in response to sanmo)
You get
INFO [stdout] (default I/O-2) No available cipher suite for TLSv1.2
which would mean the JDK/JVM doesn't have support for TLSv1.2.
I would recommend reading https://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.71.doc/security-component/jsse2Docs/ciphersuites.html
which has lots of info about combinations of cipher suites and protocols and what works together and what does not.
-
6. Re: Wildfly 9.0.2 Cipher Suite Issue
sanmo Jan 26, 2016 11:27 AM (in response to ctomc)
Tomaz,
This link helped out. I had to use a different cipher suite enumeration than what I used before. I had to change TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA to SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA. Even though their website specified that TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA would be recognized, it was not.
This worked with Java 7 as well.
Thanks
-
7. Re: Wildfly 9.0.2 Cipher Suite Issue
mchoma Jan 26, 2016 11:44 AM (in response to sanmo)
Happy to hear you got over this issue. Just to make it clear: in your original post you were using SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, so why does it work now?
-
8. Re: Wildfly 9.0.2 Cipher Suite Issue
sanmo Jan 26, 2016 1:37 PM (in response to mchoma)
Martin,
I was using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA; according to IBM they supported it (mentioned in that link as well). I have used this with WildFly 8.1. I had changed the enumerations around several times when trying to make it work. When I used SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA I was teaming it up with the AES 256 encryption type, which on AIX requires a special package for JCE that is not installed by default. So when there was an unsupported cipher in the list along with a supported one, it used to fail.
I probed it with the sslyze app while I had -Djavax.net.debug=all turned on. The server was spitting out the supported cipher list at that point.
Cipher Suites: [SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ECDH_RSA_WITH_RC4_128_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Did not find any AES 256 in the list, which made me look further down in the link provided by Tomaz. I wonder if WildFly 8.1 was using the JVM for protocols and ciphers. Never ran into this issue before with Java 7 and WildFly 8.1. Running sslyze would show that AES256 ciphers were supported with TLSv1.2.
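The two root causes found in posts 6 and 8 (a provider that spells the suite SSL_... rather than TLS_..., and AES-256 suites that are absent under the restricted JCE policy) can be checked before touching the WildFly config. The class below is an added example, not code from WildFly or from anyone in this thread; the class name is hypothetical, and the built-in default list is the enabled-cipher-suites value from post 3. Run it on the same JVM that starts WildFly (java CipherSuiteCheck "TLS_...,TLS_...").

```java
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Validates a WildFly enabled-cipher-suites value against the running JVM's JSSE provider. */
public class CipherSuiteCheck {

    // IBM JSSE2 lists the same suite under an SSL_ prefix (post 6); try the other spelling.
    static String alternateName(String suite) {
        if (suite.startsWith("TLS_")) return "SSL_" + suite.substring(4);
        if (suite.startsWith("SSL_")) return "TLS_" + suite.substring(4);
        return suite;
    }

    public static void main(String[] args) throws Exception {
        // Default list taken from post 3; pass the real enabled-cipher-suites value as args[0].
        String configured = args.length > 0 ? args[0]
                : "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,"
                + "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,"
                + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256";
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> onByDefault = new HashSet<>(Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));
        // 128 here means the restricted JCE policy: no AES_256 suite will work regardless of its name (post 8).
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");

        System.out.printf("JVM: %s %s, JSSE provider %s%n", System.getProperty("java.vendor"),
                System.getProperty("java.version"), ctx.getProvider().getName());
        System.out.println("Protocols: " + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Max AES key length: " + (maxAes == Integer.MAX_VALUE ? "unlimited" : maxAes));

        boolean allUsable = true;
        for (String suite : configured.split("\\s*,\\s*")) {
            String verdict;
            if (supported.contains(suite)) {
                verdict = onByDefault.contains(suite) ? "OK" : "OK (supported, not enabled by default)";
            } else if (supported.contains(alternateName(suite))) {
                verdict = "UNKNOWN NAME - this provider calls it " + alternateName(suite);
                allUsable = false;
            } else if (suite.contains("AES_256") && maxAes < 256) {
                verdict = "UNAVAILABLE - AES-256 needs the unrestricted JCE policy files";
                allUsable = false;
            } else {
                verdict = "UNSUPPORTED by this JVM";
                allUsable = false;
            }
            System.out.printf("%-45s %s%n", suite, verdict);
        }
        if (!allUsable) System.out.println("Fix the entries above; this thread shows an unusable entry breaking the handshake.");
    }
}
```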