Hi All,
I'm being driven mad trying to work out what the problem is with my SSL config on a production deployment I have created.
I have replicated the same config from my workbench domain onto the production domain.
Both environments were installed from the same install package.
I have a Direct(HTTPS) acceptor created which I use to accept HTTPS posts from a third party.
From my workbench container log:
SSL Provider class progress.message.net.ssl.jsse.jsseSSLImpl has been loaded successfully
replacing RSA cipher DH_DSS_With_DES_CBC_SHA with JSSE cipher SSL_DH_DSS_WITH_DES_CBC_SHA
replacing RSA cipher RSA_Export_With_DES_40_CBC_SHA with JSSE cipher SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
.
.
.
.
replacing RSA cipher DH_Anon_With_AES_256_CBC_SHA with JSSE cipher TLS_DH_anon_WITH_AES_256_CBC_SHA
replacing RSA cipher RSA_With_AES_128_CBC_SHA with JSSE cipher TLS_RSA_WITH_AES_128_CBC_SHA
replacing RSA cipher RSA_With_AES_256_CBC_SHA with JSSE cipher TLS_RSA_WITH_AES_256_CBC_SHA
key store url: null
key store type: jks
key store password:
key store server alias: null
key store server key password: null
trust store url: null
trust store type: jks
trust store password:
custom key manager class: null
KeyManagerFactory.getDefaultAlgorithm(): SunX509
custom trust manager class: null
TrustManagerFactory.getDefaultAlgorithm(): PKIX
is client authentication required: false
Intializing SunX509 key manager factory for key manager of com.sonicsw.security.ssl.X509KeyManagerServerImpl, server alias = sonic, key entries in the PKCS keyStore:
Key entry by alias "sonic" contains certificate:
cert[0]:
[
[
Version: V3
Subject: EMAILADDRESS=sample.server@sonicsoftware.com, CN=Sample Server, OU=Sonic-QA, O=Sonic Software Corporation, L=Bedford, ST=MA, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: Sun RSA public key, 1024 bits
modulus: 142446486370566426597415928816442495172027147316632462473484303502573201405721274758876281060154708528746557072553770371434126324421547070522076171417741199445294169129069089135645308869032299332807263922402376839591754503346263631814190322556328899017975803203644832655361816530059351445464721212825982736783
public exponent: 65537
Validity: [From: Thu May 04 07:11:02 EST 2006,
To: Sun May 01 07:11:02 EST 2016]
Issuer: EMAILADDRESS=sonicqa.ca@sonicsoftware.com, CN=Sonic-QA, OU=Sonic-QA, O=Sonic Software Corporation, L=Bedford, ST=MA, C=US
SerialNumber: [ 02]
]
Algorithm: [MD5withRSA]
Signature:
0000: 17 C3 26 87 7E B5 C5 CB A2 BD 9F F1 8E A8 0A CA ..&.............
0010: 65 9A BE 85 6B E0 92 09 E4 A7 01 55 D0 03 BF 16 e...k......U....
0020: 9C 33 C7 3E E7 6D F1 87 0C E8 FC 81 3A AD AB FA .3.>.m......:...
0030: 9D 54 0D 24 ED 12 2D 22 DB 73 DD CB 8D 3B 51 D1 .T.$..-".s...;Q.
0040: 39 76 E0 E9 05 56 6E E3 8E 07 05 A4 AD A8 9A 77 9v...Vn........w
0050: F3 85 81 23 34 EC E7 C3 EE DA 0F 88 81 1F CB 7B ...#4...........
0060: F3 D2 46 5C E5 5D 7C CD D4 00 49 6B B7 32 AC 73 ..F\.]....Ik.2.s
0070: D5 70 3A 8D 59 0D AD 07 B7 D9 81 C0 55 FB 5A C4 .p:.Y.......U.Z.
]
Disable client authentication.
[11/09/22 12:13:57] ID=MgmtBroker (warning) Cipher suite RSA_With_RC2_CBC_MD5 not supported.
[11/09/22 12:13:57] ID=MgmtBroker (warning) Cipher suite SSL_DH_DSS_WITH_DES_CBC_SHA not supported.
.
.
.
.
[11/09/22 12:13:57] ID=MgmtBroker (warning) Cipher suite TLS_DH_anon_WITH_AES_256_CBC_SHA not supported.
[11/09/22 12:13:57] ID=MgmtBroker (warning) Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA not supported.
Enabled cipher suites are:
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_NULL_MD5
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
[11/09/22 12:13:57] ID=MgmtBroker (info) https.BPFuelsImport: accepting connections on https://ieserpdev02:21000
[11/09/22 12:13:57] ID=MgmtBroker (info) TCP_ACCEPTOR: accepting connections on tcp://ieserpdev02:2506
[11/09/22 12:13:57] ID=MgmtBroker (info) SonicMQ Broker started
[11/09/22 12:13:57] (info) ...startup complete
com.sonicsw.security.ssl.X509KeyManagerServerImpl.chooseServerAlias(): keyType = RSA, server alias = sonic
com.sonicsw.security.ssl.X509KeyManagerServerImpl.getServerAliases(): keyType = RSA, issue(s):
com.sonicsw.security.ssl.X509KeyManagerServerImpl.getServerAliases(): returning [Ljava.lang.String;@745477
com.sonicsw.security.ssl.X509KeyManagerServerImpl.chooseServerAlias(): returning sonic
com.sonicsw.security.ssl.X509KeyManagerServerImpl.getPrivateKey(): retrieving private key for alias = sonic OK
com.sonicsw.security.ssl.X509KeyManagerServerImpl.getCertificateChain(): retrieving certificate chain for sonic OK, subject DN is EMAILADDRESS=sample.server@sonicsoftware.com, CN=Sample Server, OU=Sonic-QA, O=Sonic Software Corporation, L=Bedford, ST=MA, C=US
SSL Provider class progress.message.net.ssl.jsse.jsseSSLImpl has been loaded successfully Key entry by alias "sonic" contains certificate: cert[0]: Key: Sun RSA public key, 1024 bits ] ] Key: Sun RSA public key, 1024 bits ] ] com.sonicsw.security.ssl.X509KeyManagerServerImpl.getServerAliases(): returning null com.sonicsw.security.ssl.X509KeyManagerServerImpl.getServerAliases(): returning null the green lines just keep repeating until a java heap dump occurs. I even copied the certs folder from my workbench to the prod box, but get the same error. I have a support case ope with progress and supplied them heap dumps, but not solution so far. Thanks, Tony.
From my workbench container log:
key store url: null
key store type: jks
key store password:
key store server alias: null
key store server key password: null
trust store url: null
trust store type: jks
trust store password:
custom key manager class: null
KeyManagerFactory.getDefaultAlgorithm(): SunX509
custom trust manager class: null
TrustManagerFactory.getDefaultAlgorithm(): PKIX
is client authentication required: false
Intializing SunX509 key manager factory for key manager of com.sonicsw.security.ssl.X509KeyManagerServerImpl, server alias = sonic, key entries in the PKCS keyStore:
[
[
Version: V3
Subject: EMAILADDRESS=sample.server@sonicsoftware.com, CN=Sample Server, OU=Sonic-QA, O=Sonic Software Corporation, L=Bedford, ST=MA, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
modulus: 142446486370566426597415928816442495172027147316632462473484303502573201405721274758876281060154708528746557072553770371434126324421547070522076171417741199445294169129069089135645308869032299332807263922402376839591754503346263631814190322556328899017975803203644832655361816530059351445464721212825982736783
public exponent: 65537
Validity: [From: Thu May 04 07:11:02 EST 2006,
To: Sun May 01 07:11:02 EST 2016]
Issuer: EMAILADDRESS=sonicqa.ca@sonicsoftware.com, CN=Sonic-QA, OU=Sonic-QA, O=Sonic Software Corporation, L=Bedford, ST=MA, C=US
SerialNumber: [ 02]
Algorithm: [MD5withRSA]
Signature:
0000: 17 C3 26 87 7E B5 C5 CB A2 BD 9F F1 8E A8 0A CA ..&.............
0010: 65 9A BE 85 6B E0 92 09 E4 A7 01 55 D0 03 BF 16 e...k......U....
0020: 9C 33 C7 3E E7 6D F1 87 0C E8 FC 81 3A AD AB FA .3.>.m......:...
0030: 9D 54 0D 24 ED 12 2D 22 DB 73 DD CB 8D 3B 51 D1 .T.$..-".s...;Q.
0040: 39 76 E0 E9 05 56 6E E3 8E 07 05 A4 AD A8 9A 77 9v...Vn........w
0050: F3 85 81 23 34 EC E7 C3 EE DA 0F 88 81 1F CB 7B ...#4...........
0060: F3 D2 46 5C E5 5D 7C CD D4 00 49 6B B7 32 AC 73 ..F\.]....Ik.2.s
0070: D5 70 3A 8D 59 0D AD 07 B7 D9 81 C0 55 FB 5A C4 .p:.Y.......U.Z.
cert[1]:
[
[
Version: V3
Subject: EMAILADDRESS=sonicqa.ca@sonicsoftware.com, CN=Sonic-QA, OU=Sonic-QA, O=Sonic Software Corporation, L=Bedford, ST=MA, C=US
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
modulus: 136030370069619202212371385767353774020766770005613009960387639468519396101947464206155261355255711399293251385915244524838112686438952535646797367356143460279953893911569771408115825353028973705245107421686355053976542985080478204447199239672602853481180644413744881424844897590748699978874148816519548951809
public exponent: 65537
Validity: [From: Thu May 04 07:11:00 EST 2006,
To: Sun May 01 07:11:00 EST 2016]
Issuer: EMAILADDRESS=sonicqa.ca@sonicsoftware.com, CN=Sonic-QA, OU=Sonic-QA, O=Sonic Software Corporation, L=Bedford, ST=MA, C=US
SerialNumber: [ 021993c8 11]
Algorithm: [MD5withRSA]
Signature:
0000: 89 51 18 0D CA FD 95 D1 9D 39 4C 7C F2 98 BE 21 .Q.......9L....!
0010: 7C 26 A0 23 F6 25 19 55 D8 7A 5F 8C 73 C7 3D 17 .&.#.%.U.z_.s.=.
0020: DC 68 1A A7 AD 56 F2 E3 A7 24 5C 73 51 EB 04 EA .h...V...$\sQ...
0030: D2 F9 4F C1 68 0A 16 D0 34 F6 7C 71 D9 D8 A4 E7 ..O.h...4..q....
0040: 2A 09 B3 77 13 51 E7 98 B2 68 69 01 DF DB 0D 41 *..w.Q...hi....A
0050: 6D 61 7D E4 77 80 C6 03 23 25 26 1F 2D A7 AD 0C ma..w...#%&.-...
0060: 7A 3B B2 40 EE F3 E5 47 CA 82 64 C2 9A 58 23 B1 z;.@...G..d..X#.
0070: 81 39 AD 47 04 B7 78 26 43 B9 71 42 31 71 95 52 .9.G..x&C.qB1q.R
Disable client authentication.
[11/10/20 12:21:36] ID=brkrIES (warning) Cipher suite SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA not supported.
[11/10/20 12:21:36] ID=brkrIES (warning) Cipher suite SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA not supported.
[11/10/20 12:21:36] ID=brkrIES (warning) Cipher suite SSL_DH_DSS_WITH_DES_CBC_SHA not supported.
[11/10/20 12:21:36] ID=brkrIES (warning) Cipher suite SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA not supported.
[11/10/20 12:21:36] ID=brkrIES (warning) Cipher suite SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA not supported.
[11/10/20 12:21:36] ID=brkrIES (warning) Cipher suite SSL_DH_RSA_WITH_DES_CBC_SHA not supported.
[11/10/20 12:21:36] ID=brkrIES (warning) Cipher suite SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 not supported.
[11/10/20 12:21:36] ID=brkrIES (warning) Cipher suite TLS_DHE_DSS_WITH_AES_256_CBC_SHA not supported.
[11/10/20 12:21:36] ID=brkrIES (warning) Cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA not supported.
[11/10/20 12:21:36] ID=brkrIES (warning) Cipher suite TLS_DH_anon_WITH_AES_256_CBC_SHA not supported.
[11/10/20 12:21:36] ID=brkrIES (warning) Cipher suite TLS_RSA_WITH_AES_256_CBC_SHA not supported.
Enabled cipher suites are:
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
[11/10/20 12:21:36] ID=brkrIES (info) http.BPFuelsImport: accepting connections on https://ieserp02:21000
com.sonicsw.security.ssl.X509KeyManagerServerImpl.chooseServerAlias(): keyType = DSA, server alias = sonic
com.sonicsw.security.ssl.X509KeyManagerServerImpl.getServerAliases(): keyType = DSA, issue(s):
com.sonicsw.security.ssl.X509KeyManagerServerImpl.chooseServerAlias(): keyType = DSA, server alias = sonic
com.sonicsw.security.ssl.X509KeyManagerServerImpl.getServerAliases(): keyType = DSA, issue(s):
Notice that the list of enabled cipher suites in the production is different from the one in your dev environment - while the very first cipher suite for the production requires a DSA certificate (notice keyType = DSA), the only certificate available in the keystore is a RSA certificate. To workaround the problem, remove any cipher suites requiring a DSA certificate from the list of supported cipher suites you configured. Also, you are using the sample certificate provided by Sonic - I assume you're going to replace that eventually.
Hi Perry,
I did notice the difference with the cipher suites, but my knowledge of SSL isn't large (am learning a lot while I go). I do remember reading some posts regarding cipher suites but didn't relate it my issue and now I can't find them.
What determines an DSA related cipher suite?
As to using the sample certificate, it will be replaced eventually.
Thanks,
Tony.
What determines an DSA related cipher suite?
Any cipher that has _DSS_ in it indicates a DSA certificate is required for key exchange.
To be more precise, if you are using a RSA certificate, namely a certificate that contains a RSA public key, you should only elect cipher suites with _RSA_. Some ciphers, e.g., those with _DH_, do not require a certificate for key exchange.
Thank you very, very, very much.
Wish I had posted last week instead of opening a support case, would have saved me my sanity!!
Thanks again,
Tony.
I'm adding you to my "Friends" list.