I try to connect to office365 mail server with javaMail v1.5.3 (application is deployed on tomcat 6). Im running a thread on startup that is checking for new emails in a loop with one minute sleep. In most cases connection is successfully estabilished and everything works just fine but sometimes I get
"Remote host closed connection during handshake" error.
The error is caused by
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:482)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:934)
I have tried sulutions from:
How to make Java 6, which fails SSL connection with "SSL peer shut down incorrectly", succeed like Java 7?
and javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake :
adding -Dhttps.protocols=TLSv1,SSLv3 and -Dsun.security.ssl.allowUnsafeRenegotiation=true to my tomcat environment
but I didn't get any result. Still - randomly exception occurs.
I enabled debug mode on javax.net and on IMAP connection and get results:
when connection is not estabilishing correctly log looks like this :
DEBUG: setDebug: JavaMail version 1.5.3
DEBUG: getProvider() returning javax.mail.Provider[STORE,imap,com.sun.mail.imap.IMAPStore,Oracle]
DEBUG IMAP: mail.imap.fetchsize: 16384
DEBUG IMAP: mail.imap.ignorebodystructuresize: false
DEBUG IMAP: mail.imap.statuscachetimeout: 1000
DEBUG IMAP: mail.imap.appendbuffersize: -1
DEBUG IMAP: mail.imap.minidletime: 10
DEBUG IMAP: closeFoldersOnStoreFailure
DEBUG IMAP: trying to connect to host "outlook.office365.com", port 993, isSSL true
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% Client cached [Session-4, TLS_RSA_WITH_AES_128_CBC_SHA]
%% Try resuming [Session-4, TLS_RSA_WITH_AES_128_CBC_SHA] from port 51400
*** ClientHello, TLSv1
RandomCookie:
GMT: 1435130635
bytes = { , , , , , , , , , , , , , , , , , , , , , , , , , , }
Session ID: {66, 20, 0, 0, 123, 9, 142, 72, 150, 39, 215, 34, 63, 169, 129, 23, 25, 182, 88, 196, 86, 27, 216, 191, 117, 196, 37, 118, 229, 8, 9, 64}-
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]-
Compression Methods: { }
Extension server_name, server_name: [host_name: outlook.office365.com]
***-
[write] MD5 and SHA1 hashes: len = 125
46#CheckMailThread, WRITE: TLSv1 Handshake, length = 125
[Raw write]: length = 130
46#CheckMailThread, received EOFException: error
46#CheckMailThread, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
46#CheckMailThread, SEND TLSv1 ALERT: fatal, description = handshake_failure
46#CheckMailThread, WRITE: TLSv1 Alert, length = 2
[Raw write]: length = 7
46#CheckMailThread, called closeSocket()
and then exception occurs
javax.mail.MessagingException: Remote host closed connection during handshake;
nested exception is:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:733)
at javax.mail.Service.connect(Service.java:364)
at javax.mail.Service.connect(Service.java:245)
(...)
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:953)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:574)
at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:369)
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:236)
at com.sun.mail.iap.Protocol.<init>(Protocol.java:117)
at com.sun.mail.imap.protocol.IMAPProtocol.<init>(IMAPProtocol.java:120)
at com.sun.mail.imap.IMAPStore.newIMAPProtocol(IMAPStore.java:753)
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:696)
... 6 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:482)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:934)
... 16 more
In other hand in most cases thread is doing ok and the log looks like this:
DEBUG: setDebug: JavaMail version 1.5.3
DEBUG: getProvider() returning javax.mail.Provider[STORE,imap,com.sun.mail.imap.IMAPStore,Oracle]
DEBUG IMAP: mail.imap.fetchsize: 16384
DEBUG IMAP: mail.imap.ignorebodystructuresize: false
DEBUG IMAP: mail.imap.statuscachetimeout: 1000
DEBUG IMAP: mail.imap.appendbuffersize: -1
DEBUG IMAP: mail.imap.minidletime: 10
DEBUG IMAP: closeFoldersOnStoreFailure
DEBUG IMAP: trying to connect to host "outlook.office365.com", port 993, isSSL true
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% Client cached [Session-150, TLS_RSA_WITH_AES_128_CBC_SHA]
%% Try resuming [Session-150, TLS_RSA_WITH_AES_128_CBC_SHA] from port 59183
*** ClientHello, TLSv1
RandomCookie:
GMT: 1435076193
bytes = { , , , , , , , , , , , , , , , , , , , , , , , , , , , }
Session ID:
{241, 61, 0, 0, 224, 114, 43, 139, 255, 64, 232, 7, 209, 90, 5, 63, 63, 117, 33, 66, 215, 35, 48, 83, 131, 211, 38, 151, 73, 232, 6, 120}
Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: {
}
Extension server_name, server_name: [host_name: outlook.office365.com]
***
[write] MD5 and SHA1 hashes: len = 125
46#CheckMailThread, WRITE: TLSv1 Handshake, length = 125
[Raw write]: length = 130
[Raw read]: length = 5
[Raw read]: length = 3532
46#CheckMailThread, READ: TLSv1 Handshake, length = 3532
*** ServerHello, TLSv1
RandomCookie:
GMT: 1435076194
Bytes = { , , , , , , , , , , , , , , , , , , , , , , , , , , , }
Session ID:
{112, 39, 0, 0, 59, 34, 200, 120, 31, 23, 110, 30, 10, 37, 236, 213, 46, 233, 201, 3, 253, 223, 81, 109, 188, 218, 33, 164, 33, 127, 27, 55}
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized: [Session-151, TLS_RSA_WITH_AES_128_CBC_SHA]
** TLS_RSA_WITH_AES_128_CBC_SHA
[read] MD5 and SHA1 hashes: len = 81
*** Certificate chain (...)
And then goes the certificate etc
So I was wonderig what can cause such inconsistent behaviour.
Related
Kafka client cannot connect to server via SSL connection for some reason. It goes through SSL handshake, I can see it in the client trace log, but then occasionally fails with "disconnected" message. Looks like Kafka server closes the connection after receives Client Hello.
It fails only when I try it from the OpenShift environment. The same build, configuration settings and SSL certificates work when I'm trying to connect from my local developer machine. Tools like OffsetExplorer are also able to connect from my local PC.
I'm trying to understand what can be different in terms of SSL between OpenShift and my local PC.
Here is the log I grep by KafkaListenerEndpointContainer#5-0-C-1 thread:
Line 93734: 2022-05-24 11:10:26,409 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [TRACE] (org.apache.kafka.clients.NetworkClient) [org.apache.kafka.clients.NetworkClient::leastLoadedNode:722] mdc:()| [Consumer clientId=ADCAB-0, groupId=ADCAB_GROUP] Found least loaded node 10.53.15.97:9093 (id: -1 rack: null) with no active connection
Line 93735: 2022-05-24 11:10:26,409 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [DEBUG] (org.apache.kafka.clients.NetworkClient) [org.apache.kafka.clients.NetworkClient$DefaultMetadataUpdater::maybeUpdate:1176] mdc:()| [Consumer clientId=ADCAB-0, groupId=ADCAB_GROUP] Initialize connection to node 10.53.15.97:9093 (id: -1 rack: null) for sending metadata request
Line 93736: 2022-05-24 11:10:26,409 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [DEBUG] (org.apache.kafka.clients.NetworkClient) [org.apache.kafka.clients.NetworkClient::initiateConnect:1005] mdc:()| [Consumer clientId=ADCAB-0, groupId=ADCAB_GROUP] Initiating connection to node 10.53.15.97:9093 (id: -1 rack: null) using address /10.53.15.97
Line 93736: 2022-05-24 11:10:26,409 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [DEBUG] (org.apache.kafka.clients.NetworkClient) [org.apache.kafka.clients.NetworkClient::initiateConnect:1005] mdc:()| [Consumer clientId=ADCAB-0, groupId=ADCAB_GROUP] Initiating connection to node 10.53.15.97:9093 (id: -1 rack: null) using address /10.53.15.97
Line 94113: 2022-05-24 11:10:27,386 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [TRACE] (org.apache.kafka.common.network.SslTransportLayer) [org.apache.kafka.common.network.SslTransportLayer::doHandshake:339] mdc:()| [SslTransportLayer channelId=-1 key=channel=java.nio.channels.SocketChannel[connection-pending remote=/10.53.15.97:9093], selector=sun.nio.ch.EPollSelectorImpl#41c9572a, interestOps=8, readyOps=0] SSLHandshake NEED_WRAP channelId -1, appReadBuffer pos 0, netReadBuffer pos 0, netWriteBuffer pos 0
Line 94115: 2022-05-24 11:10:27,386 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [TRACE] (org.apache.kafka.common.network.SslTransportLayer) [org.apache.kafka.common.network.SslTransportLayer::handshakeWrap:472] mdc:()| [SslTransportLayer channelId=-1 key=channel=java.nio.channels.SocketChannel[connection-pending remote=/10.53.15.97:9093], selector=sun.nio.ch.EPollSelectorImpl#41c9572a, interestOps=8, readyOps=0] SSLHandshake handshakeWrap -1
Line 94117: 2022-05-24 11:10:27,386 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [TRACE] (org.apache.kafka.common.network.SslTransportLayer) [org.apache.kafka.common.network.SslTransportLayer::doHandshake:356] mdc:()| [SslTransportLayer channelId=-1 key=channel=java.nio.channels.SocketChannel[connection-pending remote=/10.53.15.97:9093], selector=sun.nio.ch.EPollSelectorImpl#41c9572a, interestOps=8, readyOps=0] SSLHandshake NEED_WRAP channelId -1, handshakeResult Status = OK HandshakeStatus = NEED_UNWRAP
Line 94122: 2022-05-24 11:10:27,387 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [TRACE] (org.apache.kafka.common.network.SslTransportLayer) [org.apache.kafka.common.network.SslTransportLayer::doHandshake:365] mdc:()| [SslTransportLayer channelId=-1 key=channel=java.nio.channels.SocketChannel[connection-pending remote=/10.53.15.97:9093], selector=sun.nio.ch.EPollSelectorImpl#41c9572a, interestOps=8, readyOps=0] SSLHandshake NEED_UNWRAP channelId -1, appReadBuffer pos 0, netReadBuffer pos 0, netWriteBuffer pos 307
Line 94124: 2022-05-24 11:10:27,387 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [TRACE] (org.apache.kafka.common.network.SslTransportLayer) [org.apache.kafka.common.network.SslTransportLayer::handshakeUnwrap:499] mdc:()| [SslTransportLayer channelId=-1 key=channel=java.nio.channels.SocketChannel[connection-pending remote=/10.53.15.97:9093], selector=sun.nio.ch.EPollSelectorImpl#41c9572a, interestOps=8, readyOps=0] SSLHandshake handshakeUnwrap -1
Line 94126: 2022-05-24 11:10:27,387 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [TRACE] (org.apache.kafka.common.network.SslTransportLayer) [org.apache.kafka.common.network.SslTransportLayer::handshakeUnwrap:519] mdc:()| [SslTransportLayer channelId=-1 key=channel=java.nio.channels.SocketChannel[connection-pending remote=/10.53.15.97:9093], selector=sun.nio.ch.EPollSelectorImpl#41c9572a, interestOps=8, readyOps=0] SSLHandshake handshakeUnwrap: handshakeStatus NEED_UNWRAP status BUFFER_UNDERFLOW
Line 94128: 2022-05-24 11:10:27,387 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [TRACE] (org.apache.kafka.common.network.SslTransportLayer) [org.apache.kafka.common.network.SslTransportLayer::doHandshake:387] mdc:()| [SslTransportLayer channelId=-1 key=channel=java.nio.channels.SocketChannel[connection-pending remote=/10.53.15.97:9093], selector=sun.nio.ch.EPollSelectorImpl#41c9572a, interestOps=8, readyOps=0] SSLHandshake NEED_UNWRAP channelId -1, handshakeResult Status = BUFFER_UNDERFLOW HandshakeStatus = NEED_UNWRAP
Line 94134: 2022-05-24 11:10:27,387 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [TRACE] (org.apache.kafka.clients.NetworkClient) [org.apache.kafka.clients.NetworkClient::leastLoadedNode:719] mdc:()| [Consumer clientId=ADCAB-0, groupId=ADCAB_GROUP] Found least loaded connecting node 10.53.15.97:9093 (id: -1 rack: null)
Line 94137: 2022-05-24 11:10:27,388 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [TRACE] (org.apache.kafka.common.network.SslTransportLayer) [org.apache.kafka.common.network.SslTransportLayer::doHandshake:365] mdc:()| [SslTransportLayer channelId=-1 key=channel=java.nio.channels.SocketChannel[connection-pending remote=/10.53.15.97:9093], selector=sun.nio.ch.EPollSelectorImpl#41c9572a, interestOps=8, readyOps=0] SSLHandshake NEED_UNWRAP channelId -1, appReadBuffer pos 0, netReadBuffer pos 0, netWriteBuffer pos 307
Line 94139: 2022-05-24 11:10:27,388 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [TRACE] (org.apache.kafka.common.network.SslTransportLayer) [org.apache.kafka.common.network.SslTransportLayer::handshakeUnwrap:499] mdc:()| [SslTransportLayer channelId=-1 key=channel=java.nio.channels.SocketChannel[connection-pending remote=/10.53.15.97:9093], selector=sun.nio.ch.EPollSelectorImpl#41c9572a, interestOps=8, readyOps=0] SSLHandshake handshakeUnwrap -1
Line 94141: 2022-05-24 11:10:27,388 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [TRACE] (org.apache.kafka.common.network.SslTransportLayer) [org.apache.kafka.common.network.SslTransportLayer::handshakeUnwrap:519] mdc:()| [SslTransportLayer channelId=-1 key=channel=java.nio.channels.SocketChannel[connection-pending remote=/10.53.15.97:9093], selector=sun.nio.ch.EPollSelectorImpl#41c9572a, interestOps=8, readyOps=0] SSLHandshake handshakeUnwrap: handshakeStatus NEED_UNWRAP status BUFFER_UNDERFLOW
Line 94143: 2022-05-24 11:10:27,388 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [TRACE] (org.apache.kafka.common.network.SslTransportLayer) [org.apache.kafka.common.network.SslTransportLayer::handshakeUnwrap:499] mdc:()| [SslTransportLayer channelId=-1 key=channel=java.nio.channels.SocketChannel[connection-pending remote=/10.53.15.97:9093], selector=sun.nio.ch.EPollSelectorImpl#41c9572a, interestOps=8, readyOps=0] SSLHandshake handshakeUnwrap -1
Line 94145: 2022-05-24 11:10:27,388 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [TRACE] (org.apache.kafka.common.network.SslTransportLayer) [org.apache.kafka.common.network.SslTransportLayer::handshakeUnwrap:519] mdc:()| [SslTransportLayer channelId=-1 key=channel=java.nio.channels.SocketChannel[connection-pending remote=/10.53.15.97:9093], selector=sun.nio.ch.EPollSelectorImpl#41c9572a, interestOps=8, readyOps=0] SSLHandshake handshakeUnwrap: handshakeStatus NEED_UNWRAP status BUFFER_UNDERFLOW
Line 94148: 2022-05-24 11:10:27,388 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [DEBUG] (org.apache.kafka.common.network.Selector) [org.apache.kafka.common.network.Selector::pollSelectionKeys:606] mdc:()| [Consumer clientId=ADCAB-0, groupId=ADCAB_GROUP] Connection with /10.53.15.97 disconnected
Line 94178: 2022-05-24 11:10:27,389 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [DEBUG] (org.apache.kafka.common.network.SslTransportLayer) [org.apache.kafka.common.network.SslTransportLayer::close:198] mdc:()| [SslTransportLayer channelId=-1 key=channel=java.nio.channels.SocketChannel[connection-pending remote=/10.53.15.97:9093], selector=sun.nio.ch.EPollSelectorImpl#41c9572a, interestOps=8, readyOps=0] Failed to send SSL Close message
Line 94208: 2022-05-24 11:10:27,390 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [WARN] (org.apache.kafka.clients.NetworkClient) [org.apache.kafka.clients.NetworkClient::processDisconnection:775] mdc:()| [Consumer clientId=ADCAB-0, groupId=ADCAB_GROUP] Connection to node -1 (/10.53.15.97:9093) terminated during authentication. This may happen due to any of the following reasons: (1) Authentication failed due to invalid credentials with brokers older than 1.0.0, (2) Firewall blocking Kafka TLS traffic (eg it may only allow HTTPS traffic), (3) Transient network issue.
Line 94210: 2022-05-24 11:10:27,390 [org.springframework.kafka.KafkaListenerEndpointContainer#5-0-C-1] [WARN] (org.apache.kafka.clients.NetworkClient) [org.apache.kafka.clients.NetworkClient$DefaultMetadataUpdater::handleServerDisconnect:1079] mdc:()| [Consumer clientId=ADCAB-0, groupId=ADCAB_GROUP] Bootstrap broker 10.53.15.97:9093 (id: -1 rack: null) disconnected
And here is the listener configuration:
2022-05-24 11:10:23,199 [main] [INFO] (org.apache.kafka.clients.consumer.ConsumerConfig) [org.apache.kafka.common.config.AbstractConfig::logAll:361] mdc:()| ConsumerConfig values:
allow.auto.create.topics = true
auto.commit.interval.ms = 5000
auto.offset.reset = latest
bootstrap.servers = [10.53.15.97:9093, 10.53.15.96:9093]
check.crcs = true
client.dns.lookup = use_all_dns_ips
client.id = ADCAB-0
client.rack =
connections.max.idle.ms = 540000
default.api.timeout.ms = 60000
enable.auto.commit = false
exclude.internal.topics = true
fetch.max.bytes = 52428800
fetch.max.wait.ms = 500
fetch.min.bytes = 1
group.id = ADCAB_GROUP
group.instance.id = null
heartbeat.interval.ms = 3000
interceptor.classes = []
internal.leave.group.on.close = true
internal.throw.on.fetch.stable.offset.unsupported = false
isolation.level = read_uncommitted
key.deserializer = class org.apache.kafka.common.serialization.StringDeserializer
max.partition.fetch.bytes = 1048576
max.poll.interval.ms = 300000
max.poll.records = 500
metadata.max.age.ms = 300000
metric.reporters = []
metrics.num.samples = 2
metrics.recording.level = INFO
metrics.sample.window.ms = 30000
partition.assignment.strategy = [class org.apache.kafka.clients.consumer.RangeAssignor]
receive.buffer.bytes = 65536
reconnect.backoff.max.ms = 1000
reconnect.backoff.ms = 50
request.timeout.ms = 30000
retry.backoff.ms = 100
sasl.client.callback.handler.class = null
sasl.jaas.config = null
sasl.kerberos.kinit.cmd = /usr/bin/kinit
sasl.kerberos.min.time.before.relogin = 60000
sasl.kerberos.service.name = null
sasl.kerberos.ticket.renew.jitter = 0.05
sasl.kerberos.ticket.renew.window.factor = 0.8
sasl.login.callback.handler.class = null
sasl.login.class = null
sasl.login.refresh.buffer.seconds = 300
sasl.login.refresh.min.period.seconds = 60
sasl.login.refresh.window.factor = 0.8
sasl.login.refresh.window.jitter = 0.05
sasl.mechanism = GSSAPI
security.protocol = SSL
security.providers = null
send.buffer.bytes = 131072
session.timeout.ms = 10000
socket.connection.setup.timeout.max.ms = 127000
socket.connection.setup.timeout.ms = 10000
ssl.cipher.suites = null
ssl.enabled.protocols = [TLSv1.2]
ssl.endpoint.identification.algorithm =
ssl.engine.factory.class = null
ssl.key.password = [hidden]
ssl.keymanager.algorithm = SunX509
ssl.keystore.certificate.chain = null
ssl.keystore.key = null
ssl.keystore.location = /opt/keystore/kafka/sbercms/kafka_keystore.jks
ssl.keystore.password = [hidden]
ssl.keystore.type = JKS
ssl.protocol = TLS
ssl.provider = null
ssl.secure.random.implementation = null
ssl.trustmanager.algorithm = PKIX
ssl.truststore.certificates = null
ssl.truststore.location = /opt/keystore/kafka/sbercms/kafka_truststore.jks
ssl.truststore.password = [hidden]
ssl.truststore.type = JKS
value.deserializer = class ru.sberbank.pprb.sbbol.adcab.utils.kafka.LoggingJsonDeserializer
Sorry, there was an environment problem with the SSL certificates. DevOps managed to resolve it.
I have a the following exception :
com.sun.xml.internal.ws.client.ClientTransportException: HTTP
transport error: javax.net.ssl.SSLHandshakeException: Received fatal
alert: handshake_failure
when I try to send a soap request to a customer's web service
I use jre1.8.0_66 and I get UnlimitedJCEPolicyJDK8 jars in "Java\jre1.8.0_66\lib\security" folder
and I get Cipher.getMaxAllowedKeyLength("AES") = 2147483647
and for some reason I can't communicate with the customer to get the protocol in use or the cipher suite in the server side.
and here my javax.net.debug related logs :
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
http-nio-9700-exec-1, setSoTimeout(0) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1515623991 bytes = { 212, 12, 195, 65, 98, 206, 121, 198, 232, 203, 220, 162, 207, 122, 217, 87, 121, 168, 220, 246, 60, 50, 9, 61, 214, 181, 16, 190 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
***
[write] MD5 and SHA1 hashes: len = 237
http-nio-9700-exec-1, WRITE: TLSv1.2 Handshake, length = 237
[Raw write]: length = 242
[Raw read]: length = 5
0000: 15 03 01 00 02 .....
[Raw read]: length = 2
0000: 02 28 .(
http-nio-9700-exec-1, READ: TLSv1 Alert, length = 2
http-nio-9700-exec-1, RECV TLSv1.2 ALERT: fatal, handshake_failure
http-nio-9700-exec-1, called closeSocket()
http-nio-9700-exec-1, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
http-nio-9700-exec-1, called close()
http-nio-9700-exec-1, called closeInternal(true)
Try adding these parameters to your project configuration:
-Dhttps.cipherSuites=SSL_RSA_WITH_RC4_128_MD5
and comment the parameter for disabled algorithms in the java.security file in the jre folder:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
Can you check if this (Diagnosing TLS, SSL and HTTPS from blogs.oracle.com) helps you?
I'm using nifi and I started to configure it for https in order to enable users. Nifi does not work, jetty Web server fails saying there are not ciphers. No idea how to debug this, any hint?
The same certificates have been tested on my computers and they work.
Any help appreciated
Update
Well... I enabled the SSL logging.
The biggest difference is about the Java environment, on the production server is java-1.8.0-openjdk, on my local machine is java-8-oracle.
There are still some important differences between the logs.
As ssl negotiation reference see this POST about how the protocol is supposed to work and the sessions involved.
The most dramatic differences are
no *** ECDH ServerKeyExchange session on production host.
Log starting from ClientHello is much different between the two machines:
Local ( I truncated too long lines and reported only little log session )
*** ClientHello, TLSv1.2
RandomCookie: GMT: 2028150611 bytes = { 31, 20, 137, 167, 52, 224, 12, 129, 113, 59, 113, 45, 161, 54, 164, 147, 115, 148
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_2
cc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, T
TH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RS
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA2
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, secp256r1, secp384r1}
***
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Initialized: [Session-2, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
matching alias: 1
matching alias: 1
matching alias: 1
%% Negotiating: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
%% Negotiating: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
*** ServerHello, TLSv1.2
RandomCookie: RandomCookie: GMT: 1459404759 bytes = { GMT: 1459404759 bytes = { 196, 84, 148, 21, 202, 175, 156, 35, 50,
2 }
Session ID: {87, 253, 192, 215, 210, 220, 163, 93, 88, 20, 237, 50, 37, 61, 50, 192, 225, 180, 252, 8, 19, 154, 0, 18, 13
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
47, 15, 107, 214, 199, 60, 245, 207, 215, 148, 102, 224, 0, 41, 172, 70, 101, 85, 85, 173, 79, 238, 15, 167, 136, 20, 14,
Session ID: {87, 253, 192, 215, 117, 67, 238, 169, 141, 93, 171, 129, 181, 146, 239, 178, 242, 31, 104, 115, 209, 119, 20
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 75079925706380992652797512247021193282035431148032843217618352685456618206389
public y coord: 43896241059818662260698096293954076915685388487376127769285950062051599700758
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,
Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-21, WRITE: TLSv1.2 Handshake, length = 1753
NiFi Web Server-21, called closeInbound()
NiFi Web Server-21, fatal error: 80: Inbound closed before receiving peer's close_notify: possible truncation attack?
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
%% Invalidated: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
NiFi Web Server-21, SEND TLSv1.2 ALERT: fatal, description = internal_error
NiFi Web Server-21, WRITE: TLSv1.2 Alert, length = 2
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: Sun EC public key, 256 bits
public x coord: 115351230770955196648507742599468345245507684591583302635044967727219906604428
public y coord: 93087459299146270258246635135187638789539141095594448725666354447366218509864
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,
....
On production things are differents:
( I truncated too long lines and reported only little log session )
*** ClientHello, TLSv1.2
RandomCookie: GMT: -1695295875 bytes = { 197, 207, 66, 60, 4, 242, 21, 101, 190, 160, 124, 185, 72, 238, 141, 237, 251
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_12
ES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES
CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TL
H_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=nifi-dev.buongiorno.com]
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, S
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 29, java.security.spec.ECParameterSpec#7862cc21, java.security.s
***
%% Initialized: [Session-4, SSL_NULL_WITH_NULL_NULL]
matching alias: 1
%% Negotiating: [Session-4, TLS_RSA_WITH_AES_256_GCM_SHA384]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1459415539 bytes = { 67, 58, 139, 150, 47, 53, 247, 222, 255, 192, 141, 66, 114, 19, 171, 52, 6, 18
Session ID: {87, 253, 234, 243, 97, 92, 182, 14, 121, 224, 54, 149, 111, 196, 87, 79, 36, 149, 33, 51, 182, 47, 184, 6
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name:
***
Cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=*.buongiorno.com, OU=PTY-SYS, O=BUONGIORNO SPA, L=Parma, ST=Parma, C=IT
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
:
.
*** CertificateRequest
Cert Types: RSA, DSS, ECDSA
Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDS
withECDSA, SHA1withRSA, SHA1withDSA
Cert Authorities:
<CN=thawte SSL CA - G2, O="thawte, Inc.", C=US>
*** ServerHelloDone
NiFi Web Server-16, WRITE: TLSv1.2 Handshake, length = 1428
NiFi Web Server-21, READ: TLSv1.2 Handshake, length = 7
*** Certificate chain
<Empty>
***
UPDATE 2
I asked to install Java 8 and now keyexchange works, at this point my problems are going go vanish.
If you can provide the output (sanitized, if necessary) of your $NIFI_HOME/logs/nifi-app.log and $NIFI_HOME/logs/nifi-bootstrap.log, as well as the hardware, OS, JRE, and NiFi version you are using, that will help diagnose. Here are a couple common causes:
The certificate in the keystore is invalid (expired, not yet valid, can't validate the chain) and thus the available cipher suites that depend on an RSA/DSA key for signature or encryption are skipped by Jetty. You can check this by adding a new argument in $NIFI_HOME/conf/bootstrap.conf: java.arg.15=-Djavax.net.debug=ssl,handshake (where the argument number is updated to ensure it does not conflict with an existing argument). This will add substantial output to your log file covering the truststore configuration and every TLS handshake negotiation, including which cipher suites Jetty sees as available.
There was a minor issue where dynamically-generated certificates loaded into a keystore could not be used to provide TLSv1.1 cipher suites in test cases. See NIFI-1688 PR 624
The JRE running NiFi does not make any cipher suites available that the browser will accept. This is less common, but JRE 7 makes TLSv1.0 the default, and some browsers (nightly builds, etc.) may restrict TLS to TLSv1.1 or TLSv1.2 only. You can verify this by running the following command: $ openssl s_client -connect <host:port> -debug -state -cert <path_to_your_cert.pem> -key <path_to_your_key.pem> -CAfile <path_to_your_CA_cert.pem>. NiFi 0.x can run on Java 7, but NiFi 1.x requires Java 8+. If you are restricted to Java 7, you can explicitly enable these protocols via another Java argument: java.arg.16=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2.
My Java (1.7) client seems to be failing at the very end of the handshake process with the below exception.
I guess there is some issue with the client set up. How should I go about debugging this?
...
main, WRITE: TLSv1 Change Cipher Spec, length = 1
*** Finished
verify_data: { 29, 85, 244, 219, 41, 146, 203, 174, 235, 86, 47, 92 }
***
main, WRITE: TLSv1 Handshake, length = 40
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
%% Invalidated: [Session-1, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Exception in thread "main" AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
faultActor:
faultNode:
faultDetail:
I'm trying to setup a remote tomcat server for deployment in IntelliJ.
For some reason the "handshake" fails.
11:44:28 Error running VPS-Tomcat
Unable to connect to the 185.80.128.231:1099, reason:
java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
I added some debug options to tomcat startup:
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
RMI TCP Connection(16)-78.60.67.248, READ: TLSv1.2 Handshake, length = 207
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1431613995 bytes = { 210, 37, 184, 64, 38, 79, 199, 129, 139, 3, 89, 15, 7, 99, 193, 123, 94, 24, 149, 84, 76, 24, 210, 199, 14, 10, 32, 220 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
%% Initialized: [Session-14, SSL_NULL_WITH_NULL_NULL]
%% Invalidated: [Session-14, SSL_NULL_WITH_NULL_NULL]
RMI TCP Connection(16)-78.60.67.248, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
RMI TCP Connection(16)-78.60.67.248, WRITE: TLSv1.2 Alert, length = 2
RMI TCP Connection(16)-78.60.67.248, called closeSocket()
RMI TCP Connection(16)-78.60.67.248, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
RMI TCP Connection(16)-78.60.67.248, called close()
RMI TCP Connection(16)-78.60.67.248, called closeInternal(true)
I don't really understand it but I assume that one end is using TLS1.2 and the other TLS1.1 although I'm not even sure which is which.
So how can I configure them to both use the same version? Or make tomcat support those cipher suites?
Or does the problem lie elsewhere?