hc-httpclient-users mailing list archives

From Ting Zhao <tingz...@us.ibm.com>
Subject HTTPClient doesn't connect to server with SuiteB 192 bits security mode
Date Sat, 15 Jun 2013 21:01:30 GMT

Hello,

The issue may relate to how to set the proper cipher suite on the SSLFactory
that HTTPClient manages.

The server is WebSphere liberty profile with IBM JDK1.7SR1. It is configured
with SuiteB 192 bits security mode.
The client is also running with IBM JDK1.7SR1, but it can't connect to the
server through the HTTPS port when using the Apache HTTPClient library. I
tried with HTTPClient 4.2.1 and 4.2.5.
The error message on the server side is:
[6/15/13 16:22:27:735 EDT] 00000087 SystemOut     O   Session ID:
[6/15/13 16:22:27:735 EDT] 00000087 SystemOut     O   {}
[6/15/13 16:22:27:736 EDT] 00000087 SystemOut     O   Cipher Suites:
[TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256,
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,
SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,
SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256,
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,
SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA,
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ECDHE_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_SHA, SSL_ECDH_ECDSA_WITH_RC4_128_SHA,
SSL_ECDH_RSA_WITH_RC4_128_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5]
[6/15/13 16:22:27:736 EDT] 00000087 SystemOut     O   Compression Methods:
{
[6/15/13 16:22:27:736 EDT] 00000087 SystemOut     O   0
[6/15/13 16:22:27:737 EDT] 00000087 SystemOut     O    }
[6/15/13 16:22:27:737 EDT] 00000087 SystemOut     O   Extension
elliptic_curves, curve names: {secp256r1, secp192r1, secp224r1, secp384r1,
secp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1,
secp256k1}
[6/15/13 16:22:27:737 EDT] 00000087 SystemOut     O   Extension
ec_point_formats, formats: [uncompressed]
[6/15/13 16:22:27:738 EDT] 00000087 SystemOut     O   Extension
signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA,
SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA,
SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA256withDSA,
SHA1withDSA, MD5withRSA
[6/15/13 16:22:27:738 EDT] 00000087 SystemOut     O   ***
[6/15/13 16:22:27:739 EDT] 00000087 SystemOut     O   %% Initialized:
[Session-51, SSL_NULL_WITH_NULL_NULL]
[6/15/13 16:22:27:739 EDT] 00000087 SystemOut     O   Default
Executor-thread-59, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
[6/15/13 16:22:27:740 EDT] 00000087 SystemOut     O   %% Invalidated:
[Session-51, SSL_NULL_WITH_NULL_NULL]
[6/15/13 16:22:27:740 EDT] 00000087 SystemOut     O   Default
Executor-thread-59
[6/15/13 16:22:27:740 EDT] 00000087 SystemOut     O   , SEND TLSv1.2 ALERT:
[6/15/13 16:22:27:741 EDT] 00000087 SystemOut     O   fatal,
[6/15/13 16:22:27:741 EDT] 00000087 SystemOut     O   description =
handshake_failure
[6/15/13 16:22:27:741 EDT] 00000087 SystemOut     O   Default
Executor-thread-59, WRITE: TLSv1.2 Alert, length = 2
[6/15/13 16:22:27:741 EDT] 00000087 SSLUtils      1   before wrap:
	encBuf: hc=51166382 pos=0 lim=24576 cap=24576
[6/15/13 16:22:27:742 EDT] 00000087 SystemOut     O   Default
Executor-thread-59, fatal: engine already closed.  Rethrowing
javax.net.ssl.SSLHandshakeException: no cipher suites in common
[6/15/13 16:22:27:745 EDT] 00000087 SSLHandshakeE E   CWWKO0801E: Unable to
initialize SSL connection. Unauthorized access was denied or security
settings have expired. Exception is javax.net.ssl.SSLHandshakeException: no
cipher suites in common
	at com.ibm.jsse2.ab.y(ab.java:423)
	at com.ibm.jsse2.nc.b(nc.java:177)
	at com.ibm.jsse2.nc.c(nc.java:43)
	at com.ibm.jsse2.nc.wrap(nc.java:411)

It looks like the issue is that the client side is missing the
SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite. But I can't figure
out how to add it.

The interesting thing is that the URLConnection code is working from the same
client application. And the server side trace shows the following information.
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1354425382 bytes = { 67, 32, 214, 118, 151, 170, 157,
137, 169, 238, 131, 57, 130, 134, 128, 196, 39, 179, 102, 31, 88, 68, 194,
179, 220, 198, 85, 83 }
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256,
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,
SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA,
SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,
SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256,
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,
SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA,
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ECDHE_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_SHA, SSL_ECDH_ECDSA_WITH_RC4_128_SHA,
SSL_ECDH_RSA_WITH_RC4_128_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384,
SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,
SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,
SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256,
SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_CBC_SHA256,
SSL_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_AES_256_CBC_SHA,
SSL_DH_anon_WITH_AES_256_GCM_SHA384, SSL_DH_anon_WITH_AES_128_GCM_SHA256,
SSL_DH_anon_WITH_AES_128_CBC_SHA256, SSL_ECDH_anon_WITH_AES_128_CBC_SHA,
SSL_DH_anon_WITH_AES_128_CBC_SHA, SSL_ECDH_anon_WITH_RC4_128_SHA,
SSL_DH_anon_WITH_RC4_128_MD5, SSL_ECDH_anon_WITH_3DES_EDE_CBC_SHA,
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_NULL_SHA256,
SSL_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ECDHE_RSA_WITH_NULL_SHA,
SSL_RSA_WITH_NULL_SHA, SSL_ECDH_ECDSA_WITH_NULL_SHA,
SSL_ECDH_RSA_WITH_NULL_SHA, SSL_ECDH_anon_WITH_NULL_SHA,
SSL_RSA_WITH_NULL_MD5, SSL_KRB5_WITH_RC4_128_SHA,
SSL_KRB5_WITH_RC4_128_MD5, SSL_KRB5_WITH_3DES_EDE_CBC_SHA,
SSL_KRB5_WITH_3DES_EDE_CBC_MD5]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp192r1, secp224r1,
secp384r1, secp521r1, secp160k1, secp160r1, secp160r2, secp192k1,
secp224k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA,
SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA,
SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA,
SHA256withDSA, SHA1withDSA, MD5withRSA
***
main, WRITE: TLSv1.2 Handshake, length = 271
main, READ: TLSv1.2 Handshake, length = 1954
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1354425382 bytes = { 54, 154, 50, 186, 181, 67, 201, 3,
93, 233, 225, 202, 114, 183, 133, 148, 13, 239, 83, 101, 121, 24, 190, 236,
134, 187, 236, 197 }
Session ID:  {81, 187, 228, 38, 17, 34, 49, 27, 193, 182, 47, 99, 158, 214,
25, 136, 48, 99, 86, 75, 205, 110, 60, 76, 150, 148, 48, 248, 48, 205, 70,
246}
Cipher Suite: SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
Extension ec_point_formats, formats: [uncompressed]
***
JsseJCE:  Using MessageDigest SHA-384 from provider IBMJCE version 1.7
%% Initialized:  [Session-1, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384]
** SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Could somebody please help?

Thanks,
Ting


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-unsubscribe@hc.apache.org
For additional commands, e-mail: httpclient-users-help@hc.apache.org
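
Added example, not part of the original message and not code from the HttpClient project: a ClientHello lists the cipher suites enabled on the client's SSLSocket, so a delegating javax.net.ssl.SSLSocketFactory can pin every socket it creates to the suite the server selected in the working trace. The class name is hypothetical, only JSSE calls are used, and the default suite name is the IBM JSSE spelling from the trace; pass a different name as the first argument on other JVMs.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical wrapper: every socket it hands out offers only the required suite.
public class RequiredSuiteSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;
    private final String[] required;

    public RequiredSuiteSocketFactory(SSLSocketFactory delegate, String suite) {
        // Fail at construction time if the provider cannot do the suite at all.
        if (!Arrays.asList(delegate.getSupportedCipherSuites()).contains(suite)) {
            throw new IllegalArgumentException(suite + " is not supported by this JSSE provider");
        }
        this.delegate = delegate;
        this.required = new String[] { suite };
    }

    // Must run before the handshake: the enabled list is what the ClientHello carries.
    private Socket restrict(Socket s) {
        ((SSLSocket) s).setEnabledCipherSuites(required.clone());
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return required.clone(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return restrict(delegate.createSocket()); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException {
        return restrict(delegate.createSocket(s, h, p, autoClose)); }
    @Override public Socket createSocket(String h, int p) throws IOException {
        return restrict(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress la, int lp) throws IOException {
        return restrict(delegate.createSocket(h, p, la, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException {
        return restrict(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress la, int lp) throws IOException {
        return restrict(delegate.createSocket(h, p, la, lp)); }

    public static void main(String[] args) throws Exception {
        String suite = args.length > 0 ? args[0] : "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384";
        SSLSocketFactory base = SSLContext.getDefault().getSocketFactory();
        System.out.println("enabled by default: " + Arrays.asList(base.getDefaultCipherSuites()).contains(suite));
        SSLSocket s = (SSLSocket) new RequiredSuiteSocketFactory(base, suite).createSocket();
        System.out.println("offered after wrap: " + Arrays.toString(s.getEnabledCipherSuites()));
        s.close(); // unconnected socket, nothing was sent
    }
}
```

Running `main` on the client JVM shows whether the suite is merely not enabled by default or not supported at all; in the second case the constructor throws and no socket setting can fix the handshake.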

