Issue with TLS/SSL Handshake with Jetty-9.4.12

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Issue with TLS/SSL Handshake with Jetty-9.4.12

Eze Ikonne

Hi all,

 

We have noticed an odd behavior when we upgraded from jetty-9.4.11 to jetty-9.4.12. The same cipher suites and private key that works with jetty-9.4.11 is failing with jetty-9.4.12. The browser clients are exactly the same, it fails with Chrome, FF, and IE. Here are the TLS/SSL debug info that we see when the browser client comes in. We would like to know if anyone has encountered the same issue:

 

Is initial handshake: true

qtp1065544782-23, READ: TLSv1 Handshake, length = 181

*** ClientHello, TLSv1.2

RandomCookie:  GMT: 2126030534 bytes = { 27, 197, 135, 255, 107, 39, 249, 101, 178, 205, 70, 191, 220, 146, 188, 170, 240, 23, 116, 17, 190, 32, 240, 102, 164,

Session ID:  {}

Cipher Suites: [Unknown 0xa:0xa, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_EC

S_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_GCM_SHA256,

ES_256_GCM_SHA384, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]

Compression Methods:  { 0 }

Unsupported extension type_51914, data:

Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }

Extension extended_master_secret

Unsupported extension type_35, data:

Extension signature_algorithms, signature_algorithms: SHA256withECDSA, Unknown (hash:0x8, signature:0x4), SHA256withRSA, SHA384withECDSA, Unknown (hash:0x8, sig

A384withRSA, Unknown (hash:0x8, signature:0x6), SHA512withRSA, SHA1withRSA

Unsupported extension status_request, data: 01:00:00:00:00

Unsupported extension type_18, data:

Extension application_layer_protocol_negotiation, protocol names: [h2][http/1.1]

Unsupported extension type_30032, data:

Extension ec_point_formats, formats: [uncompressed]

Extension elliptic_curves, curve names: {unknown curve 35466, unknown curve 29, secp256r1, secp384r1}

Unsupported extension type_27, data: 02:00:02

Unsupported extension type_10794, data: 00

***

[read] MD5 and SHA1 hashes:  len = 181

0000: 01 00 00 b1 03 03 7f b9  a7 c6 1b c5 87 ff 6b 27  ..............k.

0010: f9 65 b2 cd 46 bf dc 92  bc aa f0 17 74 11 be 20  .e..F.......t...

0020: f0 66 a4 97 44 e7 00 00  1c 0a 0a c0 2b c0 2f c0  .f..D...........

0030: 2c c0 30 cc a9 cc a8 c0  13 c0 14 00 9c 00 9d 00  ..0.............

0040: 2f 00 35 00 0a 01 00 00  6c ca ca 00 00 ff 01 00  ..5.....l.......

0050: 01 00 00 17 00 00 00 23  00 00 00 0d 00 14 00 12  ................

0060: 04 03 08 04 04 01 05 03  08 05 05 01 08 06 06 01  ................

0070: 02 01 00 05 00 05 01 00  00 00 00 00 12 00 00 00  ................

0080: 10 00 0e 00 0c 02 68 32  08 68 74 74 70 2f 31 2e  ......h2.http.1.

0090: 31 75 50 00 00 00 0b 00  02 01 00 00 0a 00 0a 00  1uP.............

00a0: 08 8a 8a 00 1d 00 17 00  18 00 1b 00 03 02 00 02  ................

00b0: 2a 2a 00 01 00                                     .....

 

ALPNJSSEExt not initialized for Server

ALPN will not be negotiated2c04dae7[SSLEngine[hostname=10.120.136.135 port=60235] SSL_NULL_WITH_NULL_NULL]

%% Initialized:  [Session-6, SSL_NULL_WITH_NULL_NULL]

qtp1065544782-23, fatal error: 40: no cipher suites in common

javax.net.ssl.SSLHandshakeException: no cipher suites in common

%% Invalidated:  [Session-6, SSL_NULL_WITH_NULL_NULL]

qtp1065544782-23, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure

qtp1065544782-23, WRITE: TLSv1.2 Alert, length = 2

qtp1065544782-23, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

qtp1065544782-23, called closeOutbound()

qtp1065544782-23, closeOutboundInternal()

Using SSLEngineImpl.

Using SSLEngineImpl.

=====================================================
Please refer to http://www.aricent.com/email-disclaimer
for important disclosures regarding this electronic communication.
=====================================================

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
Reply | Threaded
Open this post in threaded view
|

Re: Issue with TLS/SSL Handshake with Jetty-9.4.12

Joakim Erdfelt-8
> Cipher Suites: [Unknown 0xa:0xa, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_EC

S_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_GCM_SHA256,

ES_256_GCM_SHA384, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]


You seem to be using an IBM JVM with the non-RFC Cipher Suite names.


The updated default excludes are likely causing problems with your choice of JVM.


The updated Cipher Suites excludes issue: https://github.com/eclipse/jetty.project/issues/2807


See IBM j9 JVM specific issue: https://github.com/eclipse/jetty.project/issues/2921


Joakim Erdfelt / [hidden email]


On Tue, Oct 16, 2018 at 11:37 PM Eze Ikonne <[hidden email]> wrote:

Hi all,

 

We have noticed an odd behavior when we upgraded from jetty-9.4.11 to jetty-9.4.12. The same cipher suites and private key that works with jetty-9.4.11 is failing with jetty-9.4.12. The browser clients are exactly the same, it fails with Chrome, FF, and IE. Here are the TLS/SSL debug info that we see when the browser client comes in. We would like to know if anyone has encountered the same issue:

 

Is initial handshake: true

qtp1065544782-23, READ: TLSv1 Handshake, length = 181

*** ClientHello, TLSv1.2

RandomCookie:  GMT: 2126030534 bytes = { 27, 197, 135, 255, 107, 39, 249, 101, 178, 205, 70, 191, 220, 146, 188, 170, 240, 23, 116, 17, 190, 32, 240, 102, 164,

Session ID:  {}

Cipher Suites: [Unknown 0xa:0xa, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_EC

S_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_GCM_SHA256,

ES_256_GCM_SHA384, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]

Compression Methods:  { 0 }

Unsupported extension type_51914, data:

Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }

Extension extended_master_secret

Unsupported extension type_35, data:

Extension signature_algorithms, signature_algorithms: SHA256withECDSA, Unknown (hash:0x8, signature:0x4), SHA256withRSA, SHA384withECDSA, Unknown (hash:0x8, sig

A384withRSA, Unknown (hash:0x8, signature:0x6), SHA512withRSA, SHA1withRSA

Unsupported extension status_request, data: 01:00:00:00:00

Unsupported extension type_18, data:

Extension application_layer_protocol_negotiation, protocol names: [h2][http/1.1]

Unsupported extension type_30032, data:

Extension ec_point_formats, formats: [uncompressed]

Extension elliptic_curves, curve names: {unknown curve 35466, unknown curve 29, secp256r1, secp384r1}

Unsupported extension type_27, data: 02:00:02

Unsupported extension type_10794, data: 00

***

[read] MD5 and SHA1 hashes:  len = 181

0000: 01 00 00 b1 03 03 7f b9  a7 c6 1b c5 87 ff 6b 27  ..............k.

0010: f9 65 b2 cd 46 bf dc 92  bc aa f0 17 74 11 be 20  .e..F.......t...

0020: f0 66 a4 97 44 e7 00 00  1c 0a 0a c0 2b c0 2f c0  .f..D...........

0030: 2c c0 30 cc a9 cc a8 c0  13 c0 14 00 9c 00 9d 00  ..0.............

0040: 2f 00 35 00 0a 01 00 00  6c ca ca 00 00 ff 01 00  ..5.....l.......

0050: 01 00 00 17 00 00 00 23  00 00 00 0d 00 14 00 12  ................

0060: 04 03 08 04 04 01 05 03  08 05 05 01 08 06 06 01  ................

0070: 02 01 00 05 00 05 01 00  00 00 00 00 12 00 00 00  ................

0080: 10 00 0e 00 0c 02 68 32  08 68 74 74 70 2f 31 2e  ......h2.http.1.

0090: 31 75 50 00 00 00 0b 00  02 01 00 00 0a 00 0a 00  1uP.............

00a0: 08 8a 8a 00 1d 00 17 00  18 00 1b 00 03 02 00 02  ................

00b0: 2a 2a 00 01 00                                     .....

 

ALPNJSSEExt not initialized for Server

ALPN will not be negotiated2c04dae7[SSLEngine[hostname=10.120.136.135 port=60235] SSL_NULL_WITH_NULL_NULL]

%% Initialized:  [Session-6, SSL_NULL_WITH_NULL_NULL]

qtp1065544782-23, fatal error: 40: no cipher suites in common

javax.net.ssl.SSLHandshakeException: no cipher suites in common

%% Invalidated:  [Session-6, SSL_NULL_WITH_NULL_NULL]

qtp1065544782-23, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure

qtp1065544782-23, WRITE: TLSv1.2 Alert, length = 2

qtp1065544782-23, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common

qtp1065544782-23, called closeOutbound()

qtp1065544782-23, closeOutboundInternal()

Using SSLEngineImpl.

Using SSLEngineImpl.

=====================================================
Please refer to http://www.aricent.com/email-disclaimer
for important disclosures regarding this electronic communication.
=====================================================
_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users