-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IBM JVM 8, Using TLS 1.3, and setting the ciphers in include ciphers list, still see javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate) #11399
Comments
@jnjanardhannaidu we do not have the JVM you are using available, so we cannot tell. IBM's JVM was (perhaps still is) known to have different names for the ciphers, so I would double check that. If the error happens on the server, it may well be that the ciphers you chose are too restrictive for the client that is trying to connect (in other words, you have an old client using -- say -- TLS 1.1 and old ciphers, and the server disabling TLS 1.1 and using only TLS 1.3 ciphers). This is not a Jetty issue, just a configuration issue on your part: if you restrict too much the protocols (only TLS 1.3) and the ciphers, then old clients won't be able to connect. |
It is possible to use the IBM JVM with SSL/TLS. But using an IBM JVM will require you to do a ton of extra work and possibly even some custom coding.
We know Jetty works, out of the box, with TLS/1.3 on all OpenJDK variants. Some quick advice, set the cipher and protocol exclude lists to null, and specify EXACTLY the names of the IBM Cipher Suites and IBM Protocol names you want to use in the include lists. You MUST use the EXACT names that the IBM JVM uses for cipher suite names and protocol names, not the spec compliant names, not the RFC names. Do not use any documentation for SSL/TLS on Java that isn't written specifically for the specific version of the IBM JVM you are wanting to use. Of special note: Whatever configuration you come up with for your IBM JVM will be unique to that IBM JVM. |
Also, the IBM JVM 8.0.8.10 pxa6480sr8fp10-20230703_02(SR8 FP10) points at use of Jetty 9 (or older), as that JVM is incapable of being used for Jetty 10/11 or 12. That means your version of Jetty is now at End of Community Support.
You should be using Jetty 12 at this point in time. |
HI @joakime, when I set cipher with TLS it works-> TLS_CHACHA20_POLY1305_SHA256 |
You need to consult the IBM JVM documentation, we do not use or test on any IBM JVM due the broken nature of SSL/TLS on them. The list of exclusions in Jetty 12 (the only supported version of Jetty at this point in time). jetty.project/jetty-core/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java Lines 119 to 138 in a683690
The OpenJDK Certificate Exclusions (
The OpenJDK Legacy Certificate Algorithms (
The OpenJDK TLS Disabled Algorithms (
The OpenJDK TLS Legacy Algorithms ( jdk.tls.legacyAlgorithms=NULL, anon, RC4, DES, 3DES_EDE_CBC My point is, do not ignore all of the configuration present in multiple places that can disable/exclude various protocols and algorithms, almost globally using the RFC naming. |
Jetty version(s)
Jetty Environment
Java version/vendor
(use: java -version)
8.0.8.10 - pxa6480sr8fp10-20230703_02(SR8 FP10)
OS type/version
Linux
Description
We are able to use tls1.2 without any issue.
When we try to use tls1.3, we are facing below issue. we are setting ciphers with the help of below method.
connFactory.setIncludeCipherSuites(dashboardCipherSuites);
Error when TLS1.3 is used.
[2024-02-13 11:41:40.436] ALL 000000000000 GLOBAL_SCOPE javax.net.ssl|ALL|5C|qtp1169988660-92|2024-02-13 11:41:40.435 IST|Thread.java:1178|Invalidated session: Session(1707804699787|SSL_NULL_WITH_NULL_NULL)
[2024-02-13 11:41:40.447] ALL 000000000000 GLOBAL_SCOPE javax.net.ssl|FINE|5B|qtp1169988660-91|2024-02-13 11:41:40.447 IST|Thread.java:1178|No available cipher suite for TLS13
[2024-02-13 11:41:40.448] ALL 000000000000 GLOBAL_SCOPE javax.net.ssl|SEVERE|5B|qtp1169988660-91|2024-02-13 11:41:40.448 IST|Thread.java:1178|Fatal (INTERNAL_ERROR): problem unwrapping net record (
"throwable" : {
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at com.ibm.jsse2.aa.(aa.java:9)
at com.ibm.jsse2.ad.(ad.java:12)
at com.ibm.jsse2.bb.a(bb.java:129)
at com.ibm.jsse2.bg.f(bg.java:200)
at com.ibm.jsse2.bg.e(bg.java:290)
at com.ibm.jsse2.bg.unwrap(bg.java:287)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:39)
at org.eclipse.jetty.io.ssl.SslConnection.unwrap(SslConnection.java:429)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:718)
at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:350)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:137)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
at java.lang.Thread.run(Thread.java:825)}
How to reproduce?
Enable tls1.3
ciphers used:
TLS_CHACHA20_POLY1305_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256
The text was updated successfully, but these errors were encountered: