Reputation: 63
I am upgrading from SymmetricDS (SDS) 2.5.13 to 3.1.5. I have TLS/HTTPS configured and working as expected under SDS 2.5.13. However, using the exact same certificates, keystore/truststore files, and same JDK, I get the following error under SDS 3.1.5 in the service wrapper log (wrapper.log):
SEND TLSv1 ALERT: fatal, description = handshake_failure
WRITE: TLSv1 Alert, length = 2
called closeSocket()
handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
I have a two node configuration with one configured as a registration server (parent node). The child node is configured to push and pull changes. I am using the Sun (Oracle) JDK 7 update 5 with the appropriate JCE Unlimited Strength Jurisdiction Policy Files (to gain access to 256 bit ciphers).
I am running SDS in a standalone configuration as a Windows service under Server 2008. Windows firewall is currently off.
I am passing the following TLS-related Java parameters to the service wrapper via the sym_service.conf file:
wrapper.java.additional.6=-Dsym.keystore.file=c:/java-keystore/bfvm01-w2ka.ks
wrapper.java.additional.7=-Djavax.net.ssl.keyStore=c:/java-keystore/bfvm01-w2ka.ks
wrapper.java.additional.8=-Djavax.net.ssl.trustStore=c:/java-keystore/bfvm01-w2ka.ks
wrapper.java.additional.9=-Djavax.net.ssl.keyStorePassword=letmein
wrapper.java.additional.10=-Djavax.net.ssl.trustStorePassword=letmein
wrapper.java.additional.11=-Dsun.net.client.defaultReadTimeout=1800000
wrapper.java.additional.12=-Dsun.net.client.defaultConnectTimeout=1800000
wrapper.java.additional.13=-Djavax.net.debug=ssl,handshake
Note: As is standard practice here for Java apps, we are using the same Java keystore file for both the keystore and the truststore.
This is how the service wrapper is configured to start SDS:
wrapper.app.parameter.1=org.jumpmind.symmetric.SymmetricLauncher
wrapper.app.parameter.2=--secure-server
wrapper.app.parameter.3=--secure-port
wrapper.app.parameter.4=25684
wrapper.app.parameter.5=--properties
wrapper.app.parameter.6=../conf/symmetric.properties
The entries in sym_node and symmetric.properties are properly configured to use HTTPS (instead of HTTP).
The child SDS node, which initiates communication with the parent reports this error:
WRITE: TLSv1 Handshake, length = 198
READ: TLSv1 Alert, length = 2
RECV TLSv1 ALERT: fatal, handshake_failure
called closeSocket()
handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
The parent node reports this error:
SEND TLSv1 ALERT: fatal, description = handshake_failure
WRITE: TLSv1 Alert, length = 2
called closeSocket()
handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
As I mentioned previously, the same configuration (servers, certificates, keystore/truststore files, JDK) works fine to achieve TLS/HTTPS security under SDS 2.5.13. The only delta is the switch to SDS 3.1.5. If I disable the TLS/HTTPS configuration in SDS 3.1.5 and use HTTP instead, the parent and child nodes can communicate with one another.
As a desperate sanity check, I coded a quick "Hello World" client/server app to create an SSLSocket on my child node machine and send a line of text to the server node machine (using the same TCP port I have been using for SDS). I compiled and ran the program using the same JDK and the same keystore/truststore files. Worked like a champ.
I am totally stumped. Any help would be appreciated.
Upvotes: 2
Views: 1284
Reputation: 63
Answered my own question. Apparently nobody uses TLS between SymmetricDS (SDS) nodes except me (from the total lack of responses). The original error message threw me off and had me looking in all the wrong places.
It appears that the 3.x version of SDS (3.1.5, at least) now requires that you provide the "alias" of the certificate you are using in your keystore. That value is supplied as the Java run time parameter "sym.keystore.ssl.cert.alias". For Windows users, it would be placed in the service wrapper config file (sym_service.conf):
wrapper.java.additional.XX=-Dsym.keystore.ssl.cert.alias=foo
This parameter doesn't appear to be needed or to exist in SDS 2.5.13 and isn't documented anywhere in SDS 3.1.5 (or beyond). It does not appear in any config files that are supplied with the binary download of SDS 3.1.5 (or SDS 3.2.0, I checked).
I was able to figure out my SDS TLS problem by looking at how the SDS source code sets up a secure connection.
org.jumpmind.symmetric.SymmetricWebServer uses the certificate alias as follows:
sslConnectorFactory.setCertAlias(System.getProperty(SystemConstants.SYSPROP_KEYSTORE_CERT_ALIAS, "sym"));
SystemConstants.SYSPROP_KEYSTORE_CERT_ALIAS is set to "sym.keystore.ssl.cert.alias".
Once I provided the correct alias in sym_service.conf, I was good to go.
Upvotes: 2
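An added pre-flight check that is not SymmetricDS code: it resolves the alias the same way SymmetricWebServer does (property "sym.keystore.ssl.cert.alias", default "sym") and reports whether the keystore named by -Djavax.net.ssl.keyStore holds a private-key entry under that alias. It assumes you launch it with the same -D options used in sym_service.conf; the class name is made up for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

/**
 * Constructed example (not part of SymmetricDS). Run with the same -D options
 * that sym_service.conf passes to SDS, for instance:
 *   java -Djavax.net.ssl.keyStore=c:/java-keystore/bfvm01-w2ka.ks
 *        -Djavax.net.ssl.keyStorePassword=<password>
 *        -Dsym.keystore.ssl.cert.alias=foo KeystoreAliasCheck
 */
public class KeystoreAliasCheck {

    // Same property name and default that SymmetricWebServer reads.
    static final String ALIAS_PROPERTY = "sym.keystore.ssl.cert.alias";
    static final String DEFAULT_ALIAS = "sym";

    /** True when the alias exists and holds a private key, which a TLS server needs. */
    static boolean hasUsableServerKey(KeyStore ks, String alias) throws Exception {
        return ks.containsAlias(alias) && ks.isKeyEntry(alias);
    }

    public static void main(String[] args) throws Exception {
        String path = System.getProperty("javax.net.ssl.keyStore");
        String password = System.getProperty("javax.net.ssl.keyStorePassword", "");
        String alias = System.getProperty(ALIAS_PROPERTY, DEFAULT_ALIAS);
        if (path == null) {
            System.err.println("javax.net.ssl.keyStore is not set");
            System.exit(2);
        }
        // Default keystore type (JKS on the Oracle JDK 7 used on this page).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        System.out.println("Keystore " + path + " contains aliases: "
                + Collections.list(ks.aliases()));
        if (hasUsableServerKey(ks, alias)) {
            System.out.println("OK: alias '" + alias + "' is a private-key entry");
        } else {
            // A missing alias leaves the server with no private key to offer, which
            // the JSSE server reports as "no cipher suites in common".
            System.out.println("PROBLEM: alias '" + alias + "' is missing or has no private key;"
                    + " set -D" + ALIAS_PROPERTY + "=<alias> to one of the aliases above");
            System.exit(1);
        }
    }
}
```

Running this against the keystore before starting the service shows immediately whether the alias SDS will resolve matches an entry that actually exists, instead of having to read the javax.net.debug handshake output.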