Re: [jetty-users] keystore

Secure Connection Failed Error code: SSL_ERROR_NO_CYPHER_OVERLAP

The stated reason from Firefox for that error is that you lack the required cipher suites for the updated TLS configuration present since Firefox 50.x.

https://support.mozilla.org/en-US/questions/1148536
https://support.mozilla.org/en-US/questions/1153050
https://support.mozilla.org/en-US/questions/1167953

Your IBM JVM reports 14 selected Cipher Suites (31 disabled) by default.
Oracle JVM reports 29 selected Cipher Suites (53 disabled) by default.

Conclusion: You have a cipher suite issue.

Try MSIE or Firefox 45 (suggestions made in the Mozilla support forum).  If those work, then you have a Cipher Suite issue with your IBM JVM.


Joakim Erdfelt / joakim@xxxxxxxxxxx

On Wed, Mar 14, 2018 at 11:36 AM, Lothar Kimmeringer <job@xxxxxxxxxxxxxx> wrote:
Hi,

On 14.03.2018 at 17:24, Joakim Erdfelt wrote:

* The IBM JVM is not sane, look into its cipher suites and protocols.

A quick comparison shows that it has half the cipher suites that Oracle JVM or OpenJDK has.

Not necessarily. At least the JVM for i Series has more or less the same
ciphers but the textual representation is not starting with TLS_... but SSL_...
so filters based on the textual representation will filter out most
of them (in my case where I found that out, all ciphers were filtered).

Here, as an example, is the -Djavax.net.debug=ssl:handshake output for a ClientHello
sent by an AS/400:

Cipher Suites: [
 TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
 SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
 SSL_RSA_WITH_AES_256_CBC_SHA256,
 SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
 SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384,
 SSL_DHE_RSA_WITH_AES_256_CBC_SHA256,
 SSL_DHE_DSS_WITH_AES_256_CBC_SHA256,
 SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
 SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA,
 SSL_RSA_WITH_AES_256_CBC_SHA,
 SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
 SSL_ECDH_RSA_WITH_AES_256_CBC_SHA,
 SSL_DHE_RSA_WITH_AES_256_CBC_SHA,
 SSL_DHE_DSS_WITH_AES_256_CBC_SHA,
 SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
 SSL_RSA_WITH_AES_128_CBC_SHA256,
 SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
 SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256,
 SSL_DHE_RSA_WITH_AES_128_CBC_SHA256,
 SSL_DHE_DSS_WITH_AES_128_CBC_SHA256,
 SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
 SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 SSL_RSA_WITH_AES_128_CBC_SHA,
 SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
 SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
 SSL_DHE_RSA_WITH_AES_128_CBC_SHA,
 SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
 SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
 SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 SSL_RSA_WITH_AES_256_GCM_SHA384,
 SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
 SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384,
 SSL_DHE_DSS_WITH_AES_256_GCM_SHA384,
 SSL_DHE_RSA_WITH_AES_256_GCM_SHA384,
 SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
 SSL_RSA_WITH_AES_128_GCM_SHA256,
 SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
 SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256,
 SSL_DHE_RSA_WITH_AES_128_GCM_SHA256,
 SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]


Cheers, Lothar
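
Added example, not part of the original thread and not Jetty's own code: a small JDK-only check of how a name-based include filter treats the SSL_-prefixed suite names shown in the ClientHello above. The INCLUDE pattern, the class name and the normalize() helper are hypothetical; the sample names are copied from the listing.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;

public class CipherNameFilterCheck {
    // Hypothetical include filter of the kind described above: it keys on the "TLS_" prefix.
    static final Pattern INCLUDE = Pattern.compile("^TLS_.*");

    // Map the IBM-style "SSL_" prefix to "TLS_" for matching only;
    // the JVM's own name is still what has to be enabled on the engine.
    static String normalize(String suite) {
        return suite.startsWith("SSL_") ? "TLS_" + suite.substring(4) : suite;
    }

    // Return the suites (under their original names) that the filter accepts.
    static List<String> select(String[] suites, boolean normalizeFirst) {
        List<String> kept = new ArrayList<>();
        for (String s : suites) {
            String candidate = normalizeFirst ? normalize(s) : s;
            if (INCLUDE.matcher(candidate).matches()) {
                kept.add(s);
            }
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        // Sample names taken from the ClientHello listing quoted in the message above.
        String[] as400 = {
            "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
            "SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "SSL_RSA_WITH_AES_128_CBC_SHA"
        };
        System.out.println("raw names kept:        " + select(as400, false));
        System.out.println("normalized names kept: " + select(as400, true));

        // Same check against the suites of whatever JVM this is run on.
        String[] local = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        System.out.printf("local JVM: %d supported, %d kept raw, %d kept normalized%n",
                local.length, select(local, false).size(), select(local, true).size());
    }
}
```

With the raw names only the renegotiation SCSV entry passes the filter, which leaves no usable cipher for the handshake. Normalizing is for matching only and does not judge whether a suite is strong enough to enable.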