Re: [jetty-users] ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Oracle Java 8u92 expired on July 19, 2016 (see release notes)

The expiration is specifically designed for the very fast moving SSL/TLS changes in configuration.
Oracle recommends that you stay up to date with the JVM if you are using SSL/TLS from Java (either as a client, or a server).


Joakim Erdfelt / joakim@xxxxxxxxxxx

On Fri, Feb 24, 2017 at 11:37 AM, Lou DeGenaro <lou.degenaro@xxxxxxxxx> wrote:
I thought 1.8 was pretty new.  So now I tried this one from Oracle for running the Jetty server, which seems to be from Aug. 2016 - modern enuf?

java version "1.8.0_92"
Java(TM) SE Runtime Environment (build 1.8.0_92-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.92-b14, mixed mode

And when I visit via https + port 8443 using

Firefox 45.7.0: SSL_ERROR_NO_CYPHER_OVERLAP
Chromium 55.0.2883.75 ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Again, I'm using Jetty out-of-the-box with just my certificate installed in the keystore and the keystore password config'd in start.ini.

I will try your -Djavax.net.debug=all suggestion next...

Lou.

On Fri, Feb 24, 2017 at 11:02 AM, Simone Bordet <sbordet@xxxxxxxxxxx> wrote:
Hi,

On Fri, Feb 24, 2017 at 2:49 PM, Lou DeGenaro <lou.degenaro@xxxxxxxxx> wrote:
> 2017-02-24 08:05:25.900:INFO:oejs.Server:main: jetty-9.4.2.v20170220
>
> I created a folder for my webapp called "test" and put my "Hello World"
> index.html in it.  http serves it just fine, thank you.  https not so much.
>
> Chromium says: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> FireFox says:  SSL_ERROR_NO_CYPHER_OVERLAP
>
> I created the keystore like so:
>
> keytool -keystore keystore -import -alias jetty -file ducc.crt
>
> I edited the start.ini file with the keystore password for both
> jetty.keystore.password and jetty.truststore.password.
>
> I've made no other changes to the jetty that I downloaded.
>
> I'm a bit out of my comfort zone here, so it's likely that I'm doing
> something wrong.  Please advise.

You have no ciphers in common between the client and the server.
Browsers are quite aggressive at not using obsolete ciphers, and you
are using an old JVM on the server, or you have configured the server
in a way that it uses obsoleted ciphers.

Use -Djavax.net.debug=all on the server to see that there are no
ciphers, but updating to the latest JVM and paying attention to TLS
configuration will solve your issue.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
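
A pre-flight check for the setup discussed in this thread, as an added example that is not part of the original messages or of Jetty's code: it prints the protocols and cipher suites the server's JVM enables by default, then lists what kind of entry each keystore alias holds. The class name `TlsPreflight` and its two command-line arguments (keystore path and password) are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added diagnostic, not Jetty code.
// Usage: java TlsPreflight <keystore-path> <keystore-password>
public class TlsPreflight {
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TlsPreflight <keystore-path> <keystore-password>");
            System.exit(2);
        }
        System.out.println("JVM: " + System.getProperty("java.version"));

        // What this JVM enables by default, before any include/exclude
        // lists configured in the server are applied on top.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        System.out.println("Enabled protocols: "
                + String.join(", ", engine.getEnabledProtocols()));
        String[] suites = engine.getEnabledCipherSuites();
        System.out.println("Enabled cipher suites: " + suites.length);
        for (String suite : suites) {
            System.out.println("  " + suite);
        }

        // What the keystore holds. A TLS server presents its certificate
        // together with the matching private key, so it needs a key entry;
        // a trusted certificate entry carries no private key.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean isKey = ks.isKeyEntry(alias);
            if (isKey) {
                keyEntries++;
            }
            System.out.println("alias '" + alias + "': "
                    + (isKey ? "private key entry" : "trusted certificate entry"));
        }
        if (keyEntries == 0) {
            System.out.println("No private key entry found: the server has no key "
                    + "to authenticate with, whatever cipher suites the JVM enables.");
        }
    }
}
```

Run it with the same `java` binary that starts Jetty, so the output reflects the JVM the server actually uses.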

