Uploaded image for project: 'WildFly Elytron'
  1. WildFly Elytron
  2. ELY-2117

SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) on IBM JDK after ELY-2026

    XMLWordPrintable

Details

    • Hide 
      git clone git@github.com:jbossws/jbossws-cxf.git

# set IBM JDK on path

# pass
mvn -V  -Pwildfly2300 -Dwildfly2300.version=23.0.0.Final clean integration-test -Dtest=SSLContextElytronClientConfigTestCaseForked -Dwildfly.elytron.version=1.13.0.Final

# fail
mvn -V  -Pwildfly2300 -Dwildfly2300.version=23.0.0.Final clean integration-test -Dtest=SSLContextElytronClientConfigTestCaseForked -Dwildfly.elytron.version=1.13.1.Final
      Show
      git clone git@github.com:jbossws/jbossws-cxf.git # set IBM JDK on path # pass mvn -V -Pwildfly2300 -Dwildfly2300.version=23.0.0.Final clean integration-test -Dtest=SSLContextElytronClientConfigTestCaseForked -Dwildfly.elytron.version=1.13.0.Final # fail mvn -V -Pwildfly2300 -Dwildfly2300.version=23.0.0.Final clean integration-test -Dtest=SSLContextElytronClientConfigTestCaseForked -Dwildfly.elytron.version=1.13.1.Final
    • Undefined

    Description

      I wanted to update elytron client version for tests at jbossws-cxf project but when I did I started to see handshake exceptions in one test. I tried several elytron version to pinpoint it to ELY-2026

      IOW test works with IBM JDK8 up to elytron client version 1.13.0.Final, it fails with any version after that (see steps to reproduce).

      The test fails because it is not able to process SSL handshake before sending message:

      Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
	at org.jboss.test.ws.jaxws.cxf.clientConfig.SSLContextElytronClientConfigTestCaseForked.testConfiguredSSLContext(SSLContextElytronClientConfigTestCaseForked.java:93)

      Running with `-Djavax.net.debug=ssl:handshake` reveals:

      javax.net.ssl|FINE|01|main|2021-04-23 02:48:11.031 CEST|Thread.java:1164|No available cipher suite for TLS13
javax.net.ssl|FINE|01|main|2021-04-23 02:48:11.032 CEST|Thread.java:1164|No available cipher suite for TLS12
javax.net.ssl|FINE|01|main|2021-04-23 02:48:11.032 CEST|Thread.java:1164|No available cipher suite for TLS11
javax.net.ssl|FINE|01|main|2021-04-23 02:48:11.032 CEST|Thread.java:1164|No available cipher suite for TLS10
javax.net.ssl|SEVERE|01|main|2021-04-23 02:48:11.039 CEST|Thread.java:1164|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking

      So it looks like the changes introduced in ELY-2026 somehow filter out usable cipher suites for the handshake, but that is only my naive guess.

      Attachments

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-24221 [QA](7.4.z) ELY-2117 - SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) on IBM JDK after ELY-2026

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Bug - A problem that impairs or prevents the functions of the product. ELY-2494 SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) on IBM JDK after ELY-2026

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. JBWS-4221 SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) on IBM JDK after ELY-2026

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is duplicated by

          Bug - A problem that impairs or prevents the functions of the product. ELY-2495 ConfiguredSSL(Server)SocketFactory method getDefaultCipherSuites returns incorrect list of ciphers

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              dvilkola@redhat.com Diana Krepinska
              jbliznak@redhat.com Jan Blizňák
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: