
Hi all,

I likely have missed an obvious setting here, so I apologize in advance

Context

I've tried to set up wildfly 10.1 to terminate SSL per the configuration below

Result

WildFly starts up OK, however my browser cannot connect. Firefox shows "The connection to localhost was interrupted while the page was loading." OpenSSL shows a handshake failure. [I associate a 'handshake error' with this scenario: browser tries to connect w/ SSL, but the server sends back 'plain http']

OpenSSL output:

$ openssl s_client -connect ${HOST}:${PORT} -showcerts </dev/null

140074818008736:error:140790E5:SSL routines:SSL23_WRITE: ssl handshake failure :s23_lib.c:177:

Questions

-I've pasted my configuration below: security-realm, socket-binding, listener. What am I missing?

-What formats does WildFly support for public cert files (JKS/X.509/PKCS#7/PKCS#12)?

thanks in advance

Configurations

Security Realm

<security-realm name="SslRealm">
    <server-identities>
        <ssl>
            <keystore path="/home/joedeveloper/ssl_files/learn.better.jks"
                      keystore-password="learn.better.password"
                      key-password="learn.better.password"
                      alias="learn.better.alias"/>
        </ssl>
    </server-identities>
</security-realm>

Https Listener

<subsystem xmlns="urn:jboss:domain:undertow:3.0">
    <buffer-cache name="default"/>
    <server name="default-server">
        <https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"/>
        <http-listener name="default" socket-binding="http" redirect-socket="https" worker="http-worker"/>
        <!-- other server children omitted -->
    </server>
    <!-- other undertow children omitted -->
</subsystem>

Socket Binding

<socket-binding name="https" port="${jboss.https.port:443}"/>

Certificate Generation

SSL_KEY_ALIAS=learn.better.alias
SSL_KEY_PASSWORD=learn.better.password
SSL_KEYSTORE_PASSWORD=learn.better.password
SSL_KEYSTORE_FILE=learn.better.jks

# -sigalg was MD5withRSA as originally posted; MD5 signatures are
# collision-broken and rejected by modern TLS clients, so sign with SHA-256.
keytool \
  -alias ${SSL_KEY_ALIAS} \
  -genkey \
  -keyalg RSA \
  -keypass ${SSL_KEY_PASSWORD} \
  -keystore ${SSL_KEYSTORE_FILE} \
  -sigalg SHA256withRSA \
  -storepass ${SSL_KEYSTORE_PASSWORD} \
  -validity 9999

Reference

SSL setup guide - WildFly 8 - Project Documentation Editor

Wildfly 9 http to https - Stack Overflow

Configuring SSL in Wildfly 8/9/10 | Real Life Java

Setting up SSL/TLS with Wildfly 10

thanks in advance

tl;dr

It turns out the problem lies with the JDK. Specifically IBM's JDK. (I should have mentioned: we're using IBM's JDK.)

More information:

I turned on SSL handshake debugging and found this error:

2017-02-28 20:18:12,463 [INFO ] stdout ( 936) - default task-1, fatal error: 40: javax.net.ssl.SSLHandshakeException: no cipher suites in common

I tried tweaking the listener configuration, specifically adding the bold below... but 'no dice.' [I don't know the crypto cipher stuff details well]

<https-listener name="default-ssl" socket-binding="https" security-realm="SslRealm"
                enabled-protocols="TLSv1.2"
                enabled-cipher-suites="
                    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_RSA_WITH_AES_128_GCM_SHA256 "/>

On a whim I tried switching to Oracle JDK 8: and it worked

Summary

WildFly 10.1 SSL worked "out of the box" (i.e. no cipher tweaking) with Oracle JDK (1.8.0_45), but failed with IBM JDK (ibm-java-sdk-8.0-1.1 build pxa6480sr1fp1-20150603_01 (SR1 FP1)).

Your problem may relate to [ELY-438] There is not possibility to use alternative JSSE Cipher Suite Names for IBM JDK - JBoss Issue Tracker

* Try to specify enabled-cipher-suites without whitespace

enabled-cipher-suites=" TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256 "

* Look into SSL handshake debugging and see which cipher suites your browser is requesting

* Try to specify SSL_ variants [1] of cipher suites (probably won't work because of aforementioned issue)

enabled-cipher-suites="SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_AES_128_GCM_SHA256 "

[1] IBM Knowledge Center

Hi Martin,

Thanks for your response.

I tried both of these but they didn't work. Actually, I had to cut out "TLS_RSA_WITH_AES_128_GCM_SHA256" as server.log complained about it.

Token \"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256\" not allowed at offset 36 of mechanism selection string

* Try to specify enabled-cipher-suites without whitespace

enabled-cipher-suites="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256 "

* Look into SSL handshake debugging and see which cipher suites your browser is requesting

* Try to specify SSL_ variants [1] of cipher suites (probably won't work because of aforementioned issue)

enabled-cipher-suites="SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,SSL_RSA_WITH_AES_128_GCM_SHA256 "

SSL Handshake debugging shows these messages (I've reformatted for easier viewing here):

[Note that the entries and order appear to match the list on the IBM JSSE page here: IBM Knowledge Center]

Ignoring unsupported cipher suite:
  SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  SSL_RSA_WITH_AES_256_CBC_SHA256
  SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
  SSL_DHE_RSA_WITH_AES_256_CBC_SHA256
  SSL_DHE_DSS_WITH_AES_256_CBC_SHA256
  SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  SSL_RSA_WITH_AES_128_CBC_SHA256
  SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
  SSL_DHE_RSA_WITH_AES_128_CBC_SHA256
  SSL_DHE_DSS_WITH_AES_128_CBC_SHA256
  SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  SSL_RSA_WITH_AES_256_GCM_SHA384
  SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384
  SSL_DHE_DSS_WITH_AES_256_GCM_SHA384
  SSL_DHE_RSA_WITH_AES_256_GCM_SHA384
  SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  SSL_RSA_WITH_AES_128_GCM_SHA256
  SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
  SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
  SSL_DHE_DSS_WITH_AES_128_GCM_SHA256

Questions

The [ELY-438] IBM JSSE bug is old, a blocker and still open.

Can you (or anyone) suggest a workaround?

thanks in advance
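A way to reproduce the two failure modes in the reply above offline (the "Token ... not allowed at offset 36" rejection of the attribute value, and the "fatal error: 40: no cipher suites in common" alert), as an added Python example that is not code from the thread, from WildFly or from Undertow. The tokenizer only approximates WildFly's check on the enabled-cipher-suites string; the three suite lists are constructed from names that appear in the thread; and the exact-name versus canonical-name lookup models the naming mismatch that ELY-438 describes, not IBM JSSE's actual implementation.

```python
"""Cross-check a WildFly https-listener `enabled-cipher-suites` value against
the suites the JVM's JSSE provider lists and the suites a client offers.

Added example, not code from the thread or from WildFly/Undertow. The
tokenizer approximates the 'Token ... not allowed at offset N' rejection seen
in server.log; it is not WildFly's parser. Suite lists are constructed samples.
"""
import re
from typing import List, Optional, Tuple

SUITE_NAME = re.compile(r"[A-Z0-9_]+")

# Constructed samples. Oracle/OpenJDK JSSE spells suites TLS_*, IBM JSSE SSL_*.
ORACLE_JSSE = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
]
IBM_JSSE = [s.replace("TLS_", "SSL_", 1) for s in ORACLE_JSSE]
# A typical browser ClientHello (constructed), in IANA TLS_* spelling.
CLIENT_OFFERED = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def check_enabled_cipher_suites(value: str) -> Tuple[List[str], Optional[str]]:
    """Split the attribute on commas and reject anything that is not a bare
    suite name. A leading or trailing space makes the whole token invalid,
    which is what the quoted values with spaces in the thread produce.
    Returns (suites_accepted_so_far, error); error is None when clean."""
    suites: List[str] = []
    offset = 0
    for token in value.split(","):
        if not SUITE_NAME.fullmatch(token):
            return suites, (f'Token "{token.strip()}" not allowed at offset '
                            f"{offset} of mechanism selection string")
        suites.append(token)
        offset += len(token) + 1  # +1 for the separating comma
    return suites, None


def normalize_attribute(value: str) -> str:
    """The value to write into standalone.xml: no whitespace, no empty tokens."""
    return ",".join(t.strip() for t in value.split(",") if t.strip())


def canonical(name: str) -> str:
    """Strip the TLS_/SSL_ prefix so both spellings of one suite compare equal."""
    return name[4:] if name[:4] in ("TLS_", "SSL_") else name


def usable_on_provider(enabled: List[str], jsse_supported: List[str],
                       exact_names: bool = True) -> List[str]:
    """Enabled suites the provider will actually use, in the provider's spelling.
    exact_names=True models a provider that only accepts its own spelling (the
    mismatch ELY-438 describes for IBM JSSE); False models canonical lookup."""
    if exact_names:
        known = set(jsse_supported)
        return [s for s in enabled if s in known]
    by_canon = {canonical(s): s for s in jsse_supported}
    return [by_canon[canonical(s)] for s in enabled if canonical(s) in by_canon]


def common_suites(server_usable: List[str], client_offered: List[str]) -> List[str]:
    """Intersection in server preference order, compared by canonical name.
    An empty result is the server-side handshake_failure (alert 40)."""
    offered = {canonical(c) for c in client_offered}
    return [s for s in server_usable if canonical(s) in offered]


def diagnose(attribute: str, jsse_supported: List[str], client_offered: List[str],
             exact_names: bool = True) -> dict:
    """One-shot report for a config value on a given JVM against a given client."""
    enabled, err = check_enabled_cipher_suites(attribute)
    if err:
        return {"error": err, "fixed_value": normalize_attribute(attribute)}
    usable = usable_on_provider(enabled, jsse_supported, exact_names)
    common = common_suites(usable, client_offered)
    return {"usable": usable, "common": common,
            "handshake": "ok" if common else "fatal error: 40: no cipher suites in common"}


if __name__ == "__main__":
    attr = " TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 "
    print(diagnose(attr, ORACLE_JSSE, CLIENT_OFFERED))                     # token error
    clean = normalize_attribute(attr)
    print(diagnose(clean, ORACLE_JSSE, CLIENT_OFFERED))                    # handshake ok
    print(diagnose(clean, IBM_JSSE, CLIENT_OFFERED))                       # alert 40
    print(diagnose(clean, IBM_JSSE, CLIENT_OFFERED, exact_names=False))    # ok again
```

Running the block prints the four reports in order: the value with spaces is refused before any suite is enabled; the cleaned value negotiates fine against a provider that spells suites TLS_*; the same cleaned value enables nothing on a provider that only recognises SSL_* names, so every client gets alert 40 regardless of what it offers; and canonical matching restores the intersection. The practical check is the third case: compare the names the provider prints in the handshake debug output with the names in your attribute, character for character.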

I tried that, and got the same error:

2017-03-06 16:30:35,651 [INFO ] stdout ( 936) - default task-2, fatal error: 40: no cipher suites in common

javax.net.ssl.SSLHandshakeException: no cipher suites in common

Here is the command I used to generate the keystore:

#!/bin/bash
STORETYPE=JKS
SSL_KEY_ALIAS=learn.best.alias
SSL_KEY_PASSWORD=learn.best.password
SSL_KEYSTORE_PASSWORD=learn.best.password
# Not set anywhere in the posted script; assumed to follow the naming above.
SSL_KEYSTORE_FILE=learn.best.jks

keytool \
  -genkey \
  -storetype ${STORETYPE} \
  -keyalg RSA \
  -keysize 2048 \
  -validity 3650 \
  -keystore ${SSL_KEYSTORE_FILE} \
  -alias ${SSL_KEY_ALIAS} \
  -dname "CN=Milspec, OU=my.learn, ST=IL, C=USA" \
  -keypass ${SSL_KEY_PASSWORD} \
  -storepass ${SSL_KEYSTORE_PASSWORD}