tags:

views:

74

answers:

2

Hi, I have an issue when a client (not mine) connects to my server securely.

It seems that the connection is being refused on the basis of mismatching ciphers, but I have verified that the server indeed shares some of the ciphers with the client.

Could it be an issue with the unknown cipher (Unknown 0x0:0x60)? If so, what must I do to fix it?

Java SSL logs are shown below:

Listener-https, setSoTimeout(30000) called
Worker-30, READ: SSLv3 Handshake, length = 63
*** ClientHello, SSLv3
RandomCookie:  GMT: 1267050437 bytes = { 23, 244, 228, 68, 161, 225, 218, 222, 207, 128, 228, 138, 127, 141, 159, 63, 232, 48, 242, 240, 26, 76, 58, 158, 179, 0, 192, 140 }
Session ID:  {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_IDEA_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, Unknown 0x0:0x60, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
Compression Methods:  { 0 }
***
Worker-30, SEND SSLv3 ALERT:  fatal, description = handshake_failure
Worker-30, WRITE: SSLv3 Alert, length = 2
Worker-30, called closeSocket()
Worker-30, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
Worker-30, called close()
Worker-30, called closeInternal(true)
Worker-30, called close()
Worker-30, called closeInternal(true)

Thanks, -Ben

+3  A: 

You say that some of the client's requested ciphers are enabled on your server. Have you successfully connected with one of them? For example, try OpenSSL's s_client utility with the -cipher option specifying only that cipher suite.

Perhaps the provider doesn't support all the ciphers you think you have enabled, or perhaps the unlimited strength jurisdiction files are not correctly installed on your server.

erickson
+2  A: 

Adding to erickson's answer, if your certificate does not use a RSA key-pair, and instead turns out to use a DSA key-pair, then no amount of RSA cipher suite "stuffing" will aid in resolving this issue. You'll need to enable the DSA related cipher suites (they're usually indicated by the DSS keyword in them), and also have the client utilize the same cipher suites.

The reason this edge case might turn out to be your problem is due to the default behavior of the keytool utility when generating secret keypairs - DSA and not RSA is the default algorithm.

Vineet Reynolds
Looks like my server uses a keystore that has a single cert with a DSA key-pair. I'll try switching to RSA and see if that works right now...
Ben
@Ben, good to know of the progress. Been there, done that :)
Vineet Reynolds
It totally worked! You are the best, I have been dealing with this for waaaaay too long. Thank you thank you thank you!
Ben