I've looked through similar questions on this but nothing seems to match what I'm doing or the suggested fixes work.
I've got a Jetty 9.4.0 server configured from Java (JDK 1.8.0_101) which is not accepting SSL connections from Chrome or from my own Java client. Connecting from openssl s_client works.
The reported error on the Jetty side is "javax.net.ssl.SSLHandshakeException: no cipher suites in common". Chrome reports "The client and server don't support a common SSL protocol version or cipher suite."
I'm using an internal CA to create Certificates. The CA certs have been added to Chrome as trusted. The Jetty server side uses an in-memory JKS containing the private key, server cert, and CA trusted certs.
The Jetty server and Chrome/openssl are run on the same system (Windows 10).
OUTPUT FROM JETTY/JAVA DEBUG WHEN CHROME CONNECTS:
Session ID: {}
Cipher Suites: [Unknown 0xba:0xba, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Unsupported extension type_56026, data:
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=dim.magnicomp.com]
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 23130, unknown curve 29, java.security.spec.ECParameterSpec@b25af0c, java.security.spec.ECParameterSpec@4ac6a6d}
Unsupported extension type_64250, data: 00
***
%% Initialized: [Session-11, SSL_NULL_WITH_NULL_NULL]
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
qtp93314457-157, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-11, SSL_NULL_WITH_NULL_NULL]
qtp93314457-157, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
qtp93314457-157, WRITE: TLSv1.2 Alert, length = 2
qtp93314457-157, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp93314457-157, called closeOutbound()
qtp93314457-157, closeOutboundInternal()
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
qtp93314457-151, READ: TLSv1 Handshake, length = 206
*** ClientHello, TLSv1.2
RandomCookie: GMT: -2087203376 Using SSLEngineImpl.
bytes = { 70, 173, 91, 213, 98, 98, 217, 46, 252, 233, 43, 114, 31, 19, 183, 40, 228, 28, 173, 130, 85, 182, 183, 173, 4, 212, 40, 245 }
Session ID: {}
Cipher Suites: [Unknown 0x8a:0x8a, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Unsupported extension type_51914, data:
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=dim.magnicomp.com]
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 39578, unknown curve 29, java.security.spec.ECParameterSpec@638b01ff, java.security.spec.ECParameterSpec@3dbba4da}
Unsupported extension type_56026, data: 00
***
%% Initialized: [Session-12, SSL_NULL_WITH_NULL_NULL]
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
matching alias: myPrivateKey for CN=dim.magnicomp.com
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
qtp93314457-151, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
%% Invalidated: [Session-12, SSL_NULL_WITH_NULL_NULL]
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
qtp93314457-151, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
qtp93314457-151, WRITE: TLSv1.2 Alert, length = 2
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
qtp93314457-151, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp93314457-151, called closeOutbound()
qtp93314457-151, closeOutboundInternal()
qtp93314457-160, READ: TLSv1 Handshake, length = 212
*** ClientHello, TLSv1.2
RandomCookie: GMT: -316909219 bytes = { 57, 49, 102, 214, 160, 20, 226, 56, 251, 203, 38, 163, 9, 6, 194, 243, 5, 216, 212, 3, 4, 190, 51, 224, 44, 154, 92, 64 }
Session ID: {}
Cipher Suites: [Unknown 0xea:0xea, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, Unknown 0xcc:0x14, Unknown 0xcc:0x13, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Unsupported extension type_23130, data:
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name: [type=host_name (0), value=dim.magnicomp.com]
Unsupported extension type_23, data:
Unsupported extension type_35, data:
Extension signature_algorithms, signature_algorithms: SHA512withRSA, SHA512withECDSA, SHA384withRSA, SHA384withECDSA, SHA256withRSA, SHA256withECDSA, SHA1withRSA, SHA1withECDSA
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension type_30032, data:
Extension ec_point_formats, formats: [uncompressed]
Extension elliptic_curves, curve names: {unknown curve 6682, unknown curve 29, java.security.spec.ECParameterSpec@e90285a, java.security.spec.ECParameterSpec@51bbd50e}
Unsupported extension type_19018, data: 00
***
%% Initialized: [Session-13, SSL_NULL_WITH_NULL_NULL]
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
matching alias: myPrivateKey for CN=dim.magnicomp.com
qtp93314457-160, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-13, SSL_NULL_WITH_NULL_NULL]
qtp93314457-160, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
qtp93314457-160, WRITE: TLSv1.2 Alert, length = 2
qtp93314457-160, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
qtp93314457-160, called closeOutbound()
qtp93314457-160, closeOutboundInternal()
Here is my Jetty code:
private Server createServer() {
Server server = new Server();
server.setStopAtShutdown(true);
if (log.getDebugLevel() >= 1)
server.setDumpAfterStart(true);
ServerConnector httpConnector = createHttpConnector(server);
ServerConnector httpsConnector = createHttpsConnector(server);
server.addConnector(httpConnector);
server.addConnector(httpsConnector);
... snip ...
}
private ServerConnector createHttpsConnector(Server server) {
HttpConfiguration httpConfig = new HttpConfiguration(getBasicHttpConfiguration());
httpConfig.addCustomizer(new SecureRequestCustomizer());
SslContextFactory sslContextFactory = createSslContextFactory();
SslConnectionFactory connectionFactory = new SslConnectionFactory(sslContextFactory, HTTP_VERSION);
ServerConnector connector = new ServerConnector(server, connectionFactory, new HttpConnectionFactory(httpConfig));
connector.setPort(getHttpsPort());
connector.setIdleTimeout(getHttpIdleTimeoutSeconds());
return connector;
}
private SslContextFactory createSslContextFactory() {
KeyStore keyStore = createKeyStore();
KeyStore trustStore = createTrustStore();
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStore(keyStore);
sslContextFactory.setTrustStore(trustStore);
sslContextFactory.setExcludeCipherSuites(excludeCiphers);
sslContextFactory.setExcludeProtocols(excludeProtocols);
return sslContextFactory;
}
private HttpConfiguration getBasicHttpConfiguration() {
if (basicHttpConfig == null) {
basicHttpConfig = new HttpConfiguration();
basicHttpConfig.setSecureScheme("https");
basicHttpConfig.setSecurePort(getHttpsPort());
}
return basicHttpConfig;
}
public KeyStore createKeyStore(...) {
X509Certificate xcert = ...
List<X509Certificate> chain = new ArrayList<>();
chain.add(xcert);
chain.addAll(caCerts);
PrivateKey privateKey = ... ;
String keyAlias = "myPrivateKey for " + xcert.getSubjectX500Principal().getName();
String certAlias = "myCertificate for " + xcert.getSubjectX500Principal().getName();
KeyStore ks = KeyStore.getInstance(KEYSTORE_TYPE);
ks.load(null, null);
ks.setCertificateEntry(certAlias, xcert);
ks.setKeyEntry(keyAlias, privateKey, null, xchain.toArray(new X509Certificate [] {}));
return ks;
}
public KeyStore createTrustStore() {
KeyStore ks = null;
try {
ks = KeyStore.getInstance("JKS");
ks.load(null, null);
} catch (NoSuchAlgorithmException | CertificateException | IOException | KeyStoreException e) {
throw new OperationFailedException(e);
}
int count = 0;
for (CertificateAuthority ca : list) {
boolean isTrusted = (ca.getTrusted() != null) ? ca.getTrusted() : false;
if (isTrusted == false)
continue;
X509Certificate xcert = CertificateConverter.convertToX509Certificate(ca.getCertificate());
String alias = xcert.getSubjectDN().getName();
TrustedCertificateEntry entry = new TrustedCertificateEntry(xcert);
try {
ks.setEntry(alias, entry, null);
++count;
} catch (KeyStoreException e) {
throw new OperationFailedException(e);
}
}
if (count == 0)
throw new OperationFailedException("No Trusted Certificate Authorities found");
return ks;
}
When the Jetty server starts it does show it's included Ciphers:
| | +- Protocol Selections
| | | +- Enabled (size=3)
| | | | +- TLSv1
| | | | +- TLSv1.1
| | | | +- TLSv1.2
| | | +- Disabled (size=2)
| | | +- SSLv2Hello - ConfigExcluded:'SSLv2Hello'
| | | +- SSLv3 - JreDisabled:java.security, ConfigExcluded:'SSLv3'
| | +- Cipher Suite Selections
| | +- Enabled (size=34)
| | | +- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| | | +- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
| | | +- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
| | | +- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
| | | +- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
| | | +- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
| | | +- TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
| | | +- TLS_EMPTY_RENEGOTIATION_INFO_SCSV
| | | +- TLS_RSA_WITH_AES_128_CBC_SHA
| | | +- TLS_RSA_WITH_AES_128_CBC_SHA256
| | | +- TLS_RSA_WITH_AES_128_GCM_SHA256
| | | +- TLS_RSA_WITH_AES_256_CBC_SHA
| | | +- TLS_RSA_WITH_AES_256_CBC_SHA256
| | | +- TLS_RSA_WITH_AES_256_GCM_SHA384
| | +- Disabled (size=48)
| | +- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA', ConfigExcluded:'.*DES.*', ConfigExcluded:'.*DSS.*'
| | +- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA - ConfigExcluded:'.*DES.*', ConfigExcluded:'.*DSS.*'
| | +- SSL_DHE_DSS_WITH_DES_CBC_SHA - JreDisabled:java.security, ConfigExcluded:'SSL_DHE_DSS_WITH_DES_CBC_SHA', ConfigExcluded:'.*DES.*', ConfigExcluded:'.*DSS.*'
... snip ...
There are definitely multiple ciphers in common with the above Include Ciphers output from Jetty and what the ClientHello shows (from Chrome).
I can successfully connect to the Jetty server with openssl:
openssl s_client -CAfile ca-bundle.crt -connect dim.magnicomp.com:443
CONNECTED(00000003)
depth=2 CN = MagniComp Root CA
verify return:1
depth=1 DC = com, DC = magnicomp, CN = MagniComp Issuing CA3
verify return:1
depth=0 CN = dim.magnicomp.com
verify return:1
---
Certificate chain
0 s:/CN=dim.magnicomp.com
i:/DC=com/DC=magnicomp/CN=MagniComp Issuing CA3
1 s:/DC=com/DC=magnicomp/CN=MagniComp Issuing CA3
i:/CN=MagniComp Root CA
2 s:/CN=MagniComp Root CA
i:/CN=MagniComp Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHLDCCBRSgAwIBAgITSwAAHrdVt+0m8ilX2QABAAAetzANBgkqhkiG9w0BAQsF
... snip ...
+yePwA+yZbwCJmfm6H/tHw==
-----END CERTIFICATE-----
subject=/CN=dim.magnicomp.com
issuer=/DC=com/DC=magnicomp/CN=MagniComp Issuing CA3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5896 bytes and written 490 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 585C70B03124705067B91809B759000159C3537719D2D49CDA95FA34A8A0A838
Session-ID-ctx:
Master-Key: 869543E852F7C7FB0C8849CFE673FDB5C89EA7F8BA118215E00781F80390ADD6DA71B747F8DAA8F5E610FE9EF2F0ADFD
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1482453168
Timeout : 300 (sec)
Verify return code: 0 (ok)
Here is the server certificate I'm using:
Signature Algorithm: sha256WithRSAEncryption
Issuer: DC=com, DC=magnicomp, CN=MagniComp Issuing CA3
Validity
Not Before: Dec 22 22:09:32 2016 GMT
Not After : Dec 22 22:09:32 2017 GMT
Subject: CN=dim.magnicomp.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:a1:95:ef:ff:bf:c8:a2:fb:4e:3a:81:b5:4d:36:
03:21:55:3e:fb:35:93:14:b0:4e:93:16:2c:13:fd:
dd:7e:b4:4d:5a:32:04:28:9a:51:93:23:01:e4:80:
37:e9:4e:9b:9e:ca:ba:8d:96:5e:2b:78:2d:f9:3f:
bd:7e:cf:70:32:75:9b:e8:c7:1d:42:d4:ee:8e:2d:
e0:b8:2f:93:02:2b:a4:72:ac:99:8c:6d:05:f9:6b:
18:88:47:52:06:02:71:a9:9d:fe:87:71:d3:4f:28:
84:9b:55:2a:cd:af:37:77:94:a9:cc:6f:26:fe:88:
6b:c0:b5:b2:c6:59:c0:94:dd:af:3a:50:d7:7b:da:
2f:e4:98:b0:8a:b7:56:a7:ed:13:fd:7f:b3:39:14:
76:12:f4:39:0d:b4:ac:31:f3:2b:c6:12:3a:44:ef:
5b:b8:0d:03:0d:e4:f4:06:05:38:46:66:a7:07:9b:
ec:83:af:bc:48:46:d0:32:e7:96:13:96:6a:c6:d9:
49:71:c0:49:3c:04:9b:1e:20:ab:2f:06:af:6f:43:
ff:5a:30:55:35:3b:96:6b:51:61:cf:95:5b:58:c3:
37:e4:bf:05:09:d0:3b:57:82:86:40:bf:7e:bf:d8:
41:be:27:1c:f5:36:a7:b1:63:98:ea:cb:ff:32:99:
60:83
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:dim.magnicomp.com, DNS:dim
X509v3 Subject Key Identifier:
8D:8D:4E:99:AB:6A:15:32:B8:EA:C0:61:52:9D:3B:BE:A9:2E:C9:13
X509v3 Authority Key Identifier:
keyid:22:D9:24:A4:0C:3C:E9:63:82:D2:22:F6:87:C0:03:A2:2F:97:ED:80
X509v3 CRL Distribution Points:
Full Name:
URI:http://CDP.magnicomp.com/PKI/MagniComp%20Issuing%20CA3.crl
URI:ldap:///CN=MagniComp%20Issuing%20CA3,CN=ca3,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=magnicomp,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
Authority Information Access:
CA Issuers - URI:http://CDP.magnicomp.com/PKI/ca3.magnicomp.com_MagniComp%20Issuing%20CA3(1).crt
CA Issuers - URI:ldap:///CN=MagniComp%20Issuing%20CA3,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=magnicomp,DC=com?cACertificate?base?objectClass=certificationAuthority
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
1.3.6.1.4.1.311.21.7:
0..&+.....7.....X...........b...d^...q......d...
1.3.6.1.4.1.311.21.10:
0.0
..+.......
Signature Algorithm: sha256WithRSAEncryption
... snip ...
I finally figured this out. The KeyStore alias must be "jetty" for both the cert and key entries. I was using a custom name for each to more easily identify the entries in the keystore.
RANT: Why in the world does Jetty or the underlying Java SSL code report "no ciphers in common" when it can't find the cert/key in the KeyStore? This is completely obtuse and has almost no chance of helping the developer figure out what the problem is!
https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html https://www.eclipse.org/jetty/documentation/current/jetty-ssl-distribution.html
Don't follow anything else other than the official documentation from jetty. I could make it work after following what has been told above, plus adding these following lines in start.ini.
jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.trustStorePath=etc/keystore
jetty.sslContext.keyStorePassword=password
jetty.sslContext.keyManagerPassword=password
jetty.sslContext.trustStorePassword=password
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With