Java – JBWEB003006: Handshake failed: java.io.IOException: JBWEB002042: SSL handshake failed, cipher suite in SSL Session is SSL_NULL_WITH_NULL_NULL

httpsjavajbosssingle-sign-onssl

I have an issue with SSL configuration, while doing an installation for our in-house product. The installation is on jboss-eap-6.1., using java-1.7.0-openjdk-1.7.0.85.x86_64

The log sais:

16:28:11,685 DEBUG [org.apache.tomcat.util] (http-/0.0.0.0:8443-1)
JBWEB003006: Handshake failed: java.io.IOException: JBWEB002042: SSL
handshake failed, cipher suite in SSL Session is
SSL_NULL_WITH_NULL_NULL
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:185)
[jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]

I have the following configuration in the standalone-full.xml for https:

connector name="https" protocol="HTTP/1.1" scheme="https"
socket-binding="https" secure="true">

ssl name="tomcat-ssl" key-alias="ssocertificate" password="changeit"
certificate-key-file="/etc/cas/certificate/portal.keystore"
protocol="TLSv1"

cipher-suite= "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"/>

/connector>

The key was generated like this:

keytool -genkey -dname "CN=sem-core, OU=HOME, O=Company,
L=Timisoara, ST=Timis, C=RO" -alias "alu" -keyalg RSA -keypass
changeit -keystore /etc/cas/certificate/portal.keystore -storepass
changeit -keyalg RSA -ext SAN=dns:sem-core,ip:135.247.150.77

Also imported in $JAVA_HOME/lib/security/cacerts

Any attempt to access https on the configured port is unsuccessful. Sometimes I get the error above, sometimes nothing.
Firefox returns:

An error occurred during a connection to 135.247.150.77:8443. Peer
reports it experienced an internal error. (Error code:
ssl_error_internal_error_alert)

Thanks for any ideas.

Best Answer

Please check $JAVA_HOME/lib/security/ and see if there is no jssecacerts file.

If the file exists, import the cert into this file. Java checks for this file first before cacerts (http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#X509TrustManager).

If that is not the issue, you may also have a look at the this issue, which might be the same: https://developer.jboss.org/thread/153637

Related Solutions

Disable TLS_RSA_WITH_3DES_EDE_CBC_SHA for Jetty server

Using a recent stable version of Jetty, you can ask for a server dump and see the list of enabled / disabled ciphers, along with (most importantly!) where they are disabled.

Example:

 $ cd /path/to/my/jettybase
 $ java -jar /path/to/jetty-dist/start.jar jetty.server.dumpAfterStart=true

 |   += SslConnectionFactory@cc285f4{SSL->http/1.1} - STARTED
 |   |   += SslContextFactory@77659b30(file:///path/to/my/jettybase/etc/keystore,file:///path/to/my/jettybase/etc/keystore) trustAll=false
 |   |       +- Protocol Selections
 |   |       |   +- Enabled (size=3)
 |   |       |   |   +- TLSv1
 |   |       |   |   +- TLSv1.1
 |   |       |   |   +- TLSv1.2
 |   |       |   +- Disabled (size=2)
 |   |       |       +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
 |   |       |       +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
 |   |       +- Cipher Suite Selections
 |   |           +- Enabled (size=29)
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
 |   |           |   +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
 |   |           |   +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 |   |           |   +- TLS_RSA_WITH_AES_128_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_128_GCM_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_CBC_SHA256
 |   |           |   +- TLS_RSA_WITH_AES_256_GCM_SHA384
 |   |           +- Disabled (size=53)
 |   |               +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DHE_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_DH_anon_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- SSL_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_DSS_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_128_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_128_GCM_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_DH_anon_WITH_AES_256_CBC_SHA256 - JreDisabled:java.security
 |   |               +- TLS_DH_anon_WITH_AES_256_GCM_SHA384 - JreDisabled:java.security
 |   |               +- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDHE_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_ECDSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_RSA_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_128_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_AES_256_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_ECDH_anon_WITH_NULL_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_3DES_EDE_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_MD5 - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_KRB5_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_128_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_AES_256_CBC_SHA - ConfigExcluded:'^.*_(MD5|SHA|SHA1)$'
 |   |               +- TLS_RSA_WITH_NULL_SHA256 - JreDisabled:java.security

You'll quickly see that the ciphers you specifically are calling out are already disabled by default in the Jetty configuration, with others being disabled by the running JRE.

As for configuring the list of Ciphers, you would configure the SslContextFactory to have the excludes you need. There are many ways to configure it, it would be best if you choose a technique that best fits your needs from the official documentation at ...

https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites

Best Answer

Related Solutions

Disable TLS_RSA_WITH_3DES_EDE_CBC_SHA for Jetty server

Related Topic