Gregg Harrington

Reputation: 123

Can't connect to Jetty 9 server via SSL with Firefox 50

I am configuring a Jetty 9.3.x server with Java 8 and with my SSL cert from GoDaddy. After working through the documentation, I have got SSL working on my server and can connect via SSL in Internet Explorer and Chrome. However, with Firefox, I can't connect to the server.

I get the error SSL_ERROR_NO_CYPHER_OVERLAP

I have tried tweaking various settings, but nothing has been working for me.

After reading https://www.eclipse.org/jetty/documentation/9.4.x/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites

I decided to enable the debugging they talk about and got the following supported ciphers:

02:17:06,989 [main] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Selected Protocols [TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
02:17:06,989 [main] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Selected Ciphers   [TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256] of [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_DH_anon_WITH_AES_256_GCM_SHA384, TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_256_CBC_SHA256, TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_RSA_WITH_NULL_SHA256, SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]

Additionally, when connecting with Chrome (which works), I get:

02:41:43,503 [qtp451111351-19] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Customize 13196d35[SSLEngine[hostname=24.205.233.242 port=54796] SSL_NULL_WITH_NULL_NULL]
02:41:43,518 [qtp451111351-19] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Customize 1e9077dd[SSLEngine[hostname=24.205.233.242 port=54797] SSL_NULL_WITH_NULL_NULL]
02:41:43,525 [qtp451111351-17] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Customize 3924a409[SSLEngine[hostname=24.205.233.242 port=54793] SSL_NULL_WITH_NULL_NULL]
02:41:43,525 [qtp451111351-17] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Customize 31f0632a[SSLEngine[hostname=24.205.233.242 port=54795] SSL_NULL_WITH_NULL_NULL]
02:41:43,526 [qtp451111351-17] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matching for type=host_name (0), value=megabeeqa.carriersoft.com
02:41:43,526 [qtp451111351-17] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matched megabeeqa.carriersoft.com->X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com])
02:41:43,527 [qtp451111351-16] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matching for type=host_name (0), value=megabeeqa.carriersoft.com
02:41:43,527 [qtp451111351-16] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matched megabeeqa.carriersoft.com->X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com])
02:41:43,519 [qtp451111351-18] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Customize 2520f47c[SSLEngine[hostname=24.205.233.242 port=54794] SSL_NULL_WITH_NULL_NULL]
02:41:43,528 [qtp451111351-10] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matching for type=host_name (0), value=megabeeqa.carriersoft.com
02:41:43,528 [qtp451111351-10] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matched megabeeqa.carriersoft.com->X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com])
02:41:43,519 [qtp451111351-14] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matching for type=host_name (0), value=megabeeqa.carriersoft.com
02:41:43,528 [qtp451111351-14] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matched megabeeqa.carriersoft.com->X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com])
02:41:43,529 [qtp451111351-17] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Matched megabeeqa.carriersoft.com with X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com]) from [carriersoft]
02:41:43,530 [qtp451111351-17] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose alias carriersoft/RSA on 3924a409[SSLEngine[hostname=24.205.233.242 port=54793] SSL_NULL_WITH_NULL_NULL]
02:41:43,529 [qtp451111351-15] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matching for type=host_name (0), value=megabeeqa.carriersoft.com
02:41:43,531 [qtp451111351-15] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matched megabeeqa.carriersoft.com->X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com])
02:41:43,530 [qtp451111351-10] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Matched megabeeqa.carriersoft.com with X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com]) from [carriersoft]
02:41:43,531 [qtp451111351-10] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose alias carriersoft/RSA on 2520f47c[SSLEngine[hostname=24.205.233.242 port=54794] SSL_NULL_WITH_NULL_NULL]
02:41:43,531 [qtp451111351-15] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Matched megabeeqa.carriersoft.com with X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com]) from [carriersoft]
02:41:43,531 [qtp451111351-15] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose alias carriersoft/RSA on 1e9077dd[SSLEngine[hostname=24.205.233.242 port=54797] SSL_NULL_WITH_NULL_NULL]
02:41:43,530 [qtp451111351-14] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Matched megabeeqa.carriersoft.com with X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com]) from [carriersoft]
02:41:43,531 [qtp451111351-14] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose alias carriersoft/RSA on 13196d35[SSLEngine[hostname=24.205.233.242 port=54796] SSL_NULL_WITH_NULL_NULL]
02:41:43,530 [qtp451111351-16] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Matched megabeeqa.carriersoft.com with X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com]) from [carriersoft]
02:41:43,532 [qtp451111351-16] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose alias carriersoft/RSA on 31f0632a[SSLEngine[hostname=24.205.233.242 port=54795] SSL_NULL_WITH_NULL_NULL]

When connecting with Firefox I only get the following output in the logs:

02:40:55,459 [qtp451111351-17] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - Customize 2223aad3[SSLEngine[hostname=24.205.233.242 port=54783] SSL_NULL_WITH_NULL_NULL]
02:40:55,465 [qtp451111351-16] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matching for type=host_name (0), value=megabeeqa.carriersoft.com
02:40:55,465 [qtp451111351-16] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matched megabeeqa.carriersoft.com->X509@2970a5bc(carriersoft,h=[carriersoft.com],w=[carriersoft.com])

This seems like a good set of ciphers to me. Can anyone help identify my issue and help me enable a cipher that Firefox will accept?

Upvotes: 0

Views: 1851

Answers (2)

cloudpta

Reputation: 174

I had the exact same error, but it was not the version of Java that caused the issue.

The issue was that the CA certificate was for abc.com and the server certificate was for xyz.com, so it looked like:

keytool -genkeypair -alias ca -keyalg RSA -validity 45 -keysize 2048 -keystore ca.jks -dname "CN=abc.com" -storepass password
...
keytool -genkeypair -keyalg RSA -keysize 2048 -validity 45 -alias server -dname "CN=xyz.com" -keystore server.jks -storepass password

I'm adding this in case other people have the same error and changing the version of Java doesn't help.

Upvotes: 0

Gregg Harrington

Reputation: 123

The issue here turned out to be the version of Java I was using. While it was 1.8, it was update 91, and later versions had the correct combination of ciphers.

Upvotes: 1
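As an added, illustrative example (not code from the question or from the Jetty project): a small Python diagnostic that parses the "Selected Ciphers [...] of [...]" DEBUG line from the question and, against a client's offered suite list, splits the client's suites into ones Jetty already selected, ones the JVM supports but Jetty's exclude patterns filtered out (a configuration decision), and ones the JVM lacks entirely, which is the case the accepted answer resolved by moving to a newer Java 8 update. The Jetty exclude patterns and the client offer list are assumptions, labelled as such in the code.

```python
import re

# Shortened copy of the "Selected Ciphers [...] of [...]" DEBUG line from the question;
# the real line lists every suite the JVM supports.
JETTY_LOG = (
    "02:17:06,989 [main] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - "
    "Selected Ciphers   [TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256] of "
    "[TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, "
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_NULL_MD5]"
)
# Assumed: Jetty's SslContextFactory default exclude patterns (verify against
# getExcludeCipherSuites() on your instance): SHA-1 MAC suites, non-forward-secret
# TLS_RSA suites, and the SSL_/NULL/anon leftovers are dropped.
JETTY_DEFAULT_EXCLUDES = [r"^.*_(MD5|SHA|SHA1)$", r"^TLS_RSA_.*$", r"^SSL_.*$",
                          r"^.*_NULL_.*$", r"^.*_anon_.*$"]
# Constructed client offer (not Firefox 50's real list): prefers ECDHE, only has the SHA-1
# DHE suite. Replace with the suites seen in the client's ClientHello.
CLIENT_OFFER = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]

def parse_selected_line(line):
    """Return (selected, supported) suite lists from a Jetty 'Selected Ciphers' DEBUG line."""
    m = re.search(r"Selected Ciphers\s+\[(.*?)\] of \[(.*?)\]", line)
    if not m:
        raise ValueError("not a Jetty 'Selected Ciphers' log line")
    split = lambda s: [c.strip() for c in s.split(",") if c.strip()]
    return split(m.group(1)), split(m.group(2))

def explain_no_overlap(selected, supported, client_offer, excludes=JETTY_DEFAULT_EXCLUDES):
    """Sort the client's suites into: usable now; present in the JVM but filtered out by
    an exclude pattern (a config decision); absent from the JVM (needs another JVM/provider)."""
    report = {"overlap": [], "excluded": {}, "missing": []}
    for suite in client_offer:
        if suite in selected:
            report["overlap"].append(suite)
        elif suite in supported:
            report["excluded"][suite] = [p for p in excludes if re.match(p, suite)]
        else:
            report["missing"].append(suite)
    return report

if __name__ == "__main__":
    r = explain_no_overlap(*parse_selected_line(JETTY_LOG), CLIENT_OFFER)
    print("usable  :", r["overlap"] or "none -> client sees SSL_ERROR_NO_CYPHER_OVERLAP")
    print("filtered:", r["excluded"])   # re-including these means accepting weaker suites
    print("absent  :", r["missing"])    # only a different JVM/provider can add these
```

When every suite the client offers lands in "absent", no Jetty include/exclude tweak can help, and the fix is on the JVM side, as it was here; suites in "filtered" are reachable by configuration, but re-including SHA-1 or non-forward-secret suites trades security for compatibility.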
