Ben

Reputation: 7802

Java "no cipher suites in common" issue when trying to securely connect to server

I have an issue when a client (not mine) connects to my server securely.

It seems that the connection is being refused on the basis of mismatching ciphers, but I have verified that the server indeed shares some of the ciphers with the client.

Could it be an issue with the unknown cipher (Unknown 0x0:0x60)? If so, what must I do to fix it?

Java SSL logs are shown below:

Listener-https, setSoTimeout(30000) called
Worker-30, READ: SSLv3 Handshake, length = 63
*** ClientHello, SSLv3
RandomCookie:  GMT: 1267050437 bytes = { 23, 244, 228, 68, 161, 225, 218, 222, 207, 128, 228, 138, 127, 141, 159, 63, 232, 48, 242, 240, 26, 76, 58, 158, 179, 0, 192, 140 }
Session ID:  {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_IDEA_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, Unknown 0x0:0x60, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
Compression Methods:  { 0 }
***
Worker-30, SEND SSLv3 ALERT:  fatal, description = handshake_failure
Worker-30, WRITE: SSLv3 Alert, length = 2
Worker-30, called closeSocket()
Worker-30, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
Worker-30, called close()
Worker-30, called closeInternal(true)
Worker-30, called close()
Worker-30, called closeInternal(true)

Thanks, -Ben

Upvotes: 5

Views: 13433

Answers (2)

Vineet Reynolds

Reputation: 76709

Adding to erickson's answer, if your certificate does not use an RSA key-pair, and instead turns out to use a DSA key-pair, then no amount of RSA cipher suite "stuffing" will aid in resolving this issue. You'll need to enable the DSA-related cipher suites (they're usually indicated by the DSS keyword in them), and also have the client utilize the same cipher suites.

The reason this edge case might turn out to be your problem is due to the default behavior of the keytool utility when generating secret keypairs - DSA and not RSA is the default algorithm.

Upvotes: 11

erickson

Reputation: 269697

You say that some of the client's requested ciphers are enabled on your server. Have you successfully connected with one of them? For example, try OpenSSL's s_client utility with the -cipher option specifying only that cipher suite.

Perhaps the provider doesn't support all the ciphers you think you have enabled, or perhaps the unlimited strength jurisdiction files are not correctly installed on your server.

Upvotes: 5
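The checks both answers suggest can be run locally against the JVM that hosts the server, without any client at all. The following is an added example, not code from the question or from either answer: it takes the suite list from the ClientHello in the question's log, intersects it with what the JVM's default SSLContext actually supports and enables (erickson's point that the provider may not offer what you think is configured), reads the server key store to report whether the key entry is RSA or DSA and filters the overlap to suites that key can authenticate (Vineet Reynolds' point), and prints the AES key length the jurisdiction policy permits. The class name, the `overlap`/`usableWithKey`/`serverKeyAlgorithm` helpers and the `<keystore> <password>` command-line arguments are this example's own assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Local diagnosis of "no cipher suites in common" (added example, not code
 * from the question or its answers): compares the client's offered suites
 * with what this JVM's provider supports/enables, reports the server key
 * algorithm, and reports the AES key length the jurisdiction policy allows.
 */
public class CipherSuiteOverlap {

    /** Suites copied from the question's ClientHello log line (constructed input). */
    static final String[] CLIENT_OFFERED = {
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "SSL_RSA_WITH_IDEA_CBC_SHA",
        "SSL_RSA_WITH_RC4_128_SHA",
        "SSL_RSA_WITH_RC4_128_MD5",
        "SSL_RSA_EXPORT1024_WITH_RC4_56_SHA",
        "Unknown 0x0:0x60",                 // JSSE has no name for it, so it can never match
        "SSL_RSA_EXPORT_WITH_RC4_40_MD5"
    };

    /** Ordered intersection of the client's list with an available list, client preference first. */
    static Set<String> overlap(String[] offered, String[] available) {
        Set<String> avail = new LinkedHashSet<>(Arrays.asList(available));
        Set<String> common = new LinkedHashSet<>();
        for (String suite : offered) {
            if (avail.contains(suite)) {
                common.add(suite);
            }
        }
        return common;
    }

    /** Keeps only suites the server key can authenticate: RSA keys need _RSA_, DSA keys need _DSS_. */
    static Set<String> usableWithKey(Set<String> suites, String keyAlgorithm) {
        String marker;
        if ("RSA".equals(keyAlgorithm)) {
            marker = "_RSA_";
        } else if ("DSA".equals(keyAlgorithm)) {
            marker = "_DSS_";
        } else {
            return suites;   // other key types (e.g. EC) are outside this example's scope
        }
        Set<String> usable = new LinkedHashSet<>();
        for (String suite : suites) {
            if (suite.contains(marker)) {
                usable.add(suite);
            }
        }
        return usable;
    }

    /** Public-key algorithm ("RSA", "DSA", ...) of the first private-key entry in a key store, or null. */
    static String serverKeyAlgorithm(String keyStorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, password);
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                return ks.getCertificate(alias).getPublicKey().getAlgorithm();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory = SSLContext.getDefault().getServerSocketFactory();
        Set<String> supported = overlap(CLIENT_OFFERED, factory.getSupportedCipherSuites());
        Set<String> enabled = overlap(CLIENT_OFFERED, factory.getDefaultCipherSuites());
        System.out.println("Client suites this provider supports at all: " + supported);
        System.out.println("Client suites enabled by default:           " + enabled);

        // Unlimited-strength policy reports Integer.MAX_VALUE; a limited policy reports 128.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length allowed by policy: " + maxAes
            + (maxAes < 256 ? " (AES_256 suites cannot be negotiated)" : ""));

        if (args.length == 2) {   // usage: java CipherSuiteOverlap <keystore> <password>
            String keyAlg = serverKeyAlgorithm(args[0], args[1].toCharArray());
            System.out.println("Server key algorithm: " + keyAlg);
            if (keyAlg != null) {
                System.out.println("Enabled suites the server key can authenticate: "
                    + usableWithKey(enabled, keyAlg));
            }
        }
    }
}
```

Run it on the server host with the same JVM and key store the server uses. If the "enabled by default" set is non-empty but the key-filtered set is empty, the key type is the problem (a DSA key generated by `keytool`'s default cannot authenticate any of the RSA-only suites this client offers); if the "supports at all" set is empty, the provider simply does not implement those suites; a reported AES maximum of 128 explains why the AES_256 suites drop out even when they appear enabled.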
