harmony-dev mailing list archives

From Suresh Kumar J <suresh.kuma...@gmail.com>
Subject Re: Internal error upon seeing the "Camellia" cipher suites in the SSL handshake message
Date Wed, 03 Sep 2008 17:09:18 GMT
Hi Tim,

As you mentioned, the client uses an SSLv2 handshake message for initial 
negotiation. But that doesn't seem to be a problem in this case. The 
issue seems to be because of a couple of unsupported cipher suites. As I 
mentioned in the original post, the following cipher suites seem to 
cause the server to go into the "Internal error" state.

dhe_dss_camellia_128_sha (0x000044)
dhe_dss_camellia_256_sha (0x000087)
dhe_rsa_camellia_128_sha (0x000045)
dhe_rsa_camellia_256_sha (0x000088)
rsa_camellia_128_sha (0x000041)
rsa_camellia_256_sha (0x000084)

When I disable these cipher suites in the client, then the web communication on https WORKS
WELL. This makes me strongly think that Harmony doesn't seem to handle these cipher suites.
Note there are a couple of common ciphers present in the client's set of cipher suites. If
the client handshake message didn't have the "Camellia" related ciphers then the client-server
communication on SSL succeeds.

If Harmony doesn't understand some of the cipher suites in the handshake 
message then it should gracefully handle them by ignoring the unrecognized 
cipher suites. Should I file a bug for this issue? This issue is easy to 
reproduce with the FireFox 3.0.1 browser which recently added support 
for "Camellia" cipher suites.

My setup is Apache-Tomcat 6.0.13, Harmony JRE, FireFox 3.0.1 browser.


Tim Ellison wrote:
> Hi Suresh,
> I'm no expert in this area, but remember this has been raised before.
> Looking in the archives, this seems most relevant [1].
> In particular,
> "Harmony's JSSE provider supports TLS v1 and SSL v3 versions of the
> protocol, and if the server uses SSL v2 it simply does not understand
> the client."
> Your Frame 4 capture shows that the negotiation was attempting to
> conduct an SSLv2 handshake.
> I don't know what effort is required to also support SSLv2.
> [1]
> http://mail-archives.apache.org/mod_mbox/harmony-dev/200610.mbox/%3Ce09a11790610180326i4f466152u7015458d7b0e0062@mail.gmail.com%3E
> Regards,
> Tim
> Suresh Kumar J wrote:
>> Hi
>> I have a web-application which runs on Apache-Tomcat v6.0.13. Am using
>> the Apache Harmony JRE (v6). When I try to launch the application on the
>> latest FireFox v3.0.1 browser, tomcat errors out with the following
>> message in the catalina.out :
>> --------------------------------------------------
>> Aug 29, 2008 2:52:52 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
>> SEVERE: Socket accept failed
>> Throwable occurred: java.net.SocketException: SSL handshake error
>> javax.net.ssl.SSLException: INTERNAL ERROR
>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>>        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>>        at java.lang.Thread.run(Thread.java:657)
>> --------------------------------------------------
>> After debugging the issue, it turns out to be that the Apache-Tomcat is
>> not able to handle the full set of cipher suites implemented in the
>> latest FireFox v3.0.1.
>> dhe_dss_camellia_128_sha (0x000044)
>> dhe_dss_camellia_256_sha (0x000087)
>> dhe_rsa_camellia_128_sha (0x000045)
>> dhe_rsa_camellia_256_sha (0x000088)
>> rsa_camellia_128_sha (0x000041)
>> rsa_camellia_256_sha (0x000084)
>> In order to make my web application work with the FireFox browser
>> (v3.0.1), the above mentioned cipher suites need to be "disabled" in the
>> browser via the "about:config" option.
>> * Am having the default lib/security/java.security config of the Harmony
>> JRE.
>> * Below is the snippet of the server.xml config file of the tomcat server:
>> ----------------------------
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>               maxThreads="150" scheme="https" secure="true"
>>               clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
>>               keystoreFile="conf/my-key-store" keystorePass="abcd"/>
>> ----------------------------
>> * Why does Tomcat (when used with Harmony JRE) error out if it doesn't
>> understand some of the cipher suites? Instead it should gracefully
>> ignore them.
>> * Have enclosed the packet capture which shows the SSL handshake message
>> from the client(frame$4) and the response from the tomcat server which
>> has the internal error(frame$6).
>> * Here is the bug filed on apache-tomcat which got rejected saying the
>> issue was not actually of Tomcat but of the Harmony JRE.
>> https://issues.apache.org/bugzilla/show_bug.cgi?id=45730
>> * Here was my posting in the firefox-security-dev mailing list:
>> http://www.nabble.com/FireFox-v3.0.1-of-Windows-uses-SSLv2-Record-Layer-even-when-SSLv2-is-disabled-td19239646.html
>> * Here was my posting in the tomcat-user mailing list:
>> http://www.nabble.com/How-to-make-to-Apache-Tomcat-6.0.13-to-support-all-of-SSLv2-SSLv3-and-TLS-protocols-tt19228675.html
>> Any inputs on this issue would be appreciated.
>> Thanks,
>> Suresh
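
The behaviour requested in this thread, as an added example that is not part of the original messages and is not Harmony's or Tomcat's code: a server parsing an SSLv2-format ClientHello (3-byte cipher specs, which is why the codes above are written as 0x0000NN) skips every spec it does not recognise and picks the first one it supports. The class name, the `SUPPORTED` set and the sample hello are assumptions constructed for illustration.

```java
import java.nio.ByteBuffer;
import java.util.Set;

public class V2HelloSuiteSelect {
    // Assumed server-side set (constructed for this example): RC4-SHA, 3DES-SHA, AES128-SHA.
    static final Set<Integer> SUPPORTED = Set.of(0x0005, 0x000A, 0x002F);

    /** Returns the first client-offered suite the server supports, or -1 if none. */
    static int select(byte[] hello) {
        ByteBuffer b = ByteBuffer.wrap(hello);
        if (b.remaining() < 11) throw new IllegalArgumentException("truncated hello");
        int hdr = b.getShort() & 0xFFFF;
        if ((hdr & 0x8000) == 0) throw new IllegalArgumentException("not a 2-byte V2 record header");
        if ((hdr & 0x7FFF) != b.remaining()) throw new IllegalArgumentException("bad record length");
        if (b.get() != 1) throw new IllegalArgumentException("not a CLIENT-HELLO");
        b.getShort();                                  // client version, e.g. 0x0301
        int specLen = b.getShort() & 0xFFFF;
        int sidLen = b.getShort() & 0xFFFF;
        int chalLen = b.getShort() & 0xFFFF;
        if (specLen % 3 != 0 || specLen + sidLen + chalLen != b.remaining())
            throw new IllegalArgumentException("inconsistent lengths");
        int chosen = -1;
        for (int i = 0; i < specLen; i += 3) {
            int first = b.get() & 0xFF;                // 0 for a TLS/SSLv3 suite
            int code = b.getShort() & 0xFFFF;          // 2-byte suite code
            // Unknown code or SSLv2-only spec (first byte != 0): skip it, never fail.
            if (chosen < 0 && first == 0 && SUPPORTED.contains(code)) chosen = code;
        }
        return chosen;                                 // -1 maps to a handshake_failure alert
    }

    public static void main(String[] args) {
        // Constructed hello: the six Camellia codes from the message, then two common suites.
        int[] offered = {0x0088, 0x0087, 0x0084, 0x0045, 0x0044, 0x0041, 0x002F, 0x000A};
        ByteBuffer b = ByteBuffer.allocate(11 + offered.length * 3 + 16);
        b.putShort((short) (0x8000 | (9 + offered.length * 3 + 16)));
        b.put((byte) 1).putShort((short) 0x0301);
        b.putShort((short) (offered.length * 3)).putShort((short) 0).putShort((short) 16);
        for (int c : offered) b.put((byte) 0).putShort((short) c);
        b.put(new byte[16]);                           // constructed all-zero challenge
        System.out.printf("selected suite: 0x%04X%n", select(b.array()));
    }
}
```

Malformed framing is rejected with an exception, while an unrecognised suite code is simply passed over, so only a hello with no mutually supported suite ends the handshake.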
