Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-2117

SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) on IBM JDK after ELY-2026

XMLWordPrintable

    • Hide
      git clone git@github.com:jbossws/jbossws-cxf.git
      
      # set IBM JDK on path
      
      # pass
      mvn -V  -Pwildfly2300 -Dwildfly2300.version=23.0.0.Final clean integration-test -Dtest=SSLContextElytronClientConfigTestCaseForked -Dwildfly.elytron.version=1.13.0.Final
      
      # fail
      mvn -V  -Pwildfly2300 -Dwildfly2300.version=23.0.0.Final clean integration-test -Dtest=SSLContextElytronClientConfigTestCaseForked -Dwildfly.elytron.version=1.13.1.Final
      
      Show
      git clone git@github.com:jbossws/jbossws-cxf.git # set IBM JDK on path # pass mvn -V -Pwildfly2300 -Dwildfly2300.version=23.0.0.Final clean integration-test -Dtest=SSLContextElytronClientConfigTestCaseForked -Dwildfly.elytron.version=1.13.0.Final # fail mvn -V -Pwildfly2300 -Dwildfly2300.version=23.0.0.Final clean integration-test -Dtest=SSLContextElytronClientConfigTestCaseForked -Dwildfly.elytron.version=1.13.1.Final
    • Undefined

      I wanted to update elytron client version for tests at jbossws-cxf project but when I did I started to see handshake exceptions in one test. I tried several elytron version to pinpoint it to ELY-2026

      IOW test works with IBM JDK8 up to elytron client version 1.13.0.Final, it fails with any version after that (see steps to reproduce).

      The test fails because it is not able to process SSL handshake before sending message:

      Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
      	at org.jboss.test.ws.jaxws.cxf.clientConfig.SSLContextElytronClientConfigTestCaseForked.testConfiguredSSLContext(SSLContextElytronClientConfigTestCaseForked.java:93)
      

      Running with `-Djavax.net.debug=ssl:handshake` reveals:

      javax.net.ssl|FINE|01|main|2021-04-23 02:48:11.031 CEST|Thread.java:1164|No available cipher suite for TLS13
      javax.net.ssl|FINE|01|main|2021-04-23 02:48:11.032 CEST|Thread.java:1164|No available cipher suite for TLS12
      javax.net.ssl|FINE|01|main|2021-04-23 02:48:11.032 CEST|Thread.java:1164|No available cipher suite for TLS11
      javax.net.ssl|FINE|01|main|2021-04-23 02:48:11.032 CEST|Thread.java:1164|No available cipher suite for TLS10
      javax.net.ssl|SEVERE|01|main|2021-04-23 02:48:11.039 CEST|Thread.java:1164|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking
      

      So it looks like the changes introduced in ELY-2026 somehow filter out usable cipher suites for the handshake, but that is only my naive guess.

              dvilkola@redhat.com Diana Krepinska (Inactive)
              jbliznak@redhat.com Jan Blizňák
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: