ofbiz-user mailing list archives

From Jacques Le Roux <jacques.le.r...@les7arts.com>
Subject Re: Updating SSL certificate version
Date Tue, 05 Mar 2019 08:13:23 GMT
Hi Mathieu,

Did Girish's answer help? (thanks Girish)


On 04/03/2019 at 08:09, Girish Vasmatkar wrote:
> Hi Mathieu
> Perhaps it will help if you could enable SSL debugging (either in your
> browser or in OFBiz (-Djavax.net.debug=ssl)) and provide details how the
> SSL handshake happened. Specifically, it would be interesting to see what
> all protocols your browser presented to OFBiz.
> It looks like the two could not agree on the cipher suites to use for
> encryption unless your browser only supports SSL 2.0 which is outdated or TLS
> 1.3 which is fairly new. I may be saying the obvious here but it will help if
> you can turn on SSL debugging and provide details of the SSL handshake. It
> will help to see what the ClientHello message looked like when the browser initiated
> communication with OFBiz. For example, here are the details of connection
> to localhost OFBiz on my machine -
> Cipher Suite used - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> Protocol used - TLS 1.2.
> What I think happened is that both client and server agreed on SSL version
> but the server does not support any of the list of cipher suites browser
> supports. Please launch OFBiz JVM with javax.net.debug=ssl and that should
> help.
> Thanks and Regards,
> Girish
> On Mon, Mar 4, 2019 at 3:54 AM Jacques Le Roux <jacques.le.roux@les7arts.com>
> wrote:
>> Hi Mathieu,
>> Hold on, I think I can help you but not before tomorrow evening
>> Hopefully someone will beat me on it...
>> Jacques
>> On 03/03/2019 at 19:00, Mathieu Lirzin wrote:
>>> Hello,
>>> I am facing a rather annoying issue when using OFBiz trunk on localhost
>>> which prevents me from using my preferred Web browsers.
>>> The issue is that some of the browsers I use or more precisely the
>>> library used by those browsers to do the TLS handshake seems to not
>>> accept the default certificate provided by OFBiz.  Here is the specific
>>> error I get on Chromium:
>>> --8<---------------cut here---------------start------------->8---
>>> This site can’t provide a secure connection localhost uses an
>>> unsupported protocol.
>>> Unsupported protocol
>>> The client and server don't support a common SSL protocol version or
>>> cipher suite.
>>> --8<---------------cut here---------------end--------------->8---
>>> Which is similar to what I have on GNU Icecat (→ Firefox)
>>> --8<---------------cut here---------------start------------->8---
>>> Secure Connection Failed
>>> An error occurred during a connection to localhost:8443. Cannot
>>> communicate securely with peer: no common encryption algorithm(s). Error
>>>       The page you are trying to view cannot be shown because the
>>>       authenticity of the received data could not be verified.
>>>       Please contact the website owners to inform them of this problem.
>>> --8<---------------cut here---------------end--------------->8---
>>> I am using a rather exotic GNU/Linux distribution which is GuixSD so it
>>> might be difficult for any of you to reproduce the issue. However my
>>> guess is that the format of the OFBiz certificate is considered outdated
>>> on my machine.  As a consequence I would like to try to upgrade that
>>> certificate to a more recent format version.  Unfortunately I don't know
>>> much about SSL/TLS and in particular I don't know what is the proper way
>>> to regenerate the OFBiz certificate.
>>> The README in “framework/base/config/” mentions the details of that
>>> certificate but does not mention the command which has been used to
>>> generate it.  Does anyone know how I could achieve the regeneration of
>>> the certificate?
>>> Thanks.
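
A client-side complement to the `-Djavax.net.debug=ssl` suggestion in the thread, as an added example that is not part of any of the original messages: it attempts one handshake per TLS version and reports the negotiated protocol and cipher suite, or the reason the handshake failed. The default `localhost:8443` is taken from the error quoted above; the function names `probe` and `probe_all` are assumptions of this example.

```python
import socket
import ssl

# TLS versions to try one at a time, oldest first.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def probe(host, port, version, timeout=3.0):
    """Attempt one handshake pinned to a single TLS version.

    Returns ("ok", protocol, cipher_suite), ("handshake-failed", reason),
    ("client-unsupported", reason) or ("unreachable", reason).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Diagnostic only: the local development certificate is self-signed and
    # the question here is protocol/cipher agreement, not trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError) as exc:
        # The local OpenSSL build itself refuses this version.
        return ("client-unsupported", str(exc))
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("unreachable", str(exc))
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ("ok", tls.version(), tls.cipher()[0])
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return ("handshake-failed", str(exc))


def probe_all(host="localhost", port=8443):
    """Probe every version in VERSIONS and map version name -> result."""
    return {v.name: probe(host, port, v) for v in VERSIONS}


if __name__ == "__main__":
    for name, result in probe_all().items():
        print(f"{name:8} {' | '.join(result)}")
```

The results reflect what Python's OpenSSL build can negotiate, which may differ from the TLS library a given browser uses.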
