11 Replies Latest reply: Dec 23, 2011 5:34 AM by Andrea.Giovannini

    SSLHandshakeException: no cipher suites in common

    Andrea.Giovannini
      Hi,
      I'm trying to configure HTTPS for our J2EE app (running on JBoss 3.2.1, JDK 1.4.2_19 and Windows Server 2008) at a customer site. The customer has already obtained two Thawte certificates, they have imported them into web browsers and they are already using them with a Microsoft application (for client authentication).
      If I import a self-generated certificate in a keystore then the application works fine with HTTPS.
      We have imported the two Thawte certificates in a keystore and configured JBoss for HTTPS use, but when I connect with the browser (i.e. with the certificates installed) to our app I get a "The page cannot be displayed" error and in the log I find:

      ...
      Cipher Suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, Unknown 0xc0:0x13, Unknown 0xc0:0x14, Unknown 0xc0:0x9, Unknown 0xc0:0xa, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
      ...
      javax.net.ssl.SSLHandshakeException: no cipher suites in common
      ..

      I don't have the details of the certificates (I've asked but I haven't received any response yet) but probably the key length is higher than 1024 bits. Is it possible (I'm in Italy) that the JDK 1.4.2 doesn't support such a strong key length?

      I've read http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#importlimits: should I download "JCE Unlimited Strength Jurisdiction Policy Files"? Are they available for JDK 1.4.2 or should I upgrade to JDK 6 (or 7) ?

      Thanks in advance,
      Andrea
        • 1. Re: SSLHandshakeException: no cipher suites in common
          EJP
          should I download "JCE Unlimited Strength Jurisdiction Policy Files"?
          Yes.
          Are they available for JDK 1.4.2
          Yes.
          or should I upgrade to JDK 6 (or 7) ?
          Yes.
          • 2. Re: SSLHandshakeException: no cipher suites in common
            Andrea.Giovannini
            Hi EJP,
            thank you for your reply.

            I don't understand the two last "Yes": if "JCE Unlimited ... files" are available for JDK 1.4.2 why should I upgrade to JDK 6 (or 7) ?

            However I've downloaded "JCE Unlimited ... files" for JDK 1.4.2 (from http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-java-plat-419418.html#7503-jce-1.4.2-oth-JPR), I've installed the files in the jre/lib/security folder of the JDK but I still get the same error.

            Any other idea about the reason?

            Thanks,
            Andrea
            • 3. Re: SSLHandshakeException: no cipher suites in common
              EJP
              I don't understand the two last "Yes": if "JCE Unlimited ... files" are available for JDK 1.4.2 why should I upgrade to JDK 6 (or 7) ?
              Because 1.4.2 is eight years old, and either at or near its service end of life.
              • 4. Re: SSLHandshakeException: no cipher suites in common
                gimbal2
                Andrea.Giovannini wrote:
                I've installed the files in the jre/lib/security folder of the JDK but I still get the same error.
                Even though it is a good idea to install this patch, it deals with the strength of encryption that you'll be able to use which is restricted in some countries. Your problem is not related to this; I know this because I copy/pasted "javax.net.ssl.SSLHandshakeException: no cipher suites in common" into google and read the results. I suggest you do the same.
                • 5. Re: SSLHandshakeException: no cipher suites in common
                  Andrea.Giovannini
                  Hi EJP,
                  I can't see your point: I know that 1.4.2 is at service EOL, but if the "JCE Unlimited ... Files" kit is available then I expect that it works, or at least to get a different error (if the problem is in key length).

                  However I will try with JDK 7 and I will post the result of the test.

                  Thank you very much for your reply.

                  Andrea
                  • 6. Re: SSLHandshakeException: no cipher suites in common
                    Andrea.Giovannini
                    gimbal2 wrote:
                    Andrea.Giovannini wrote:
                    I've installed the files in the jre/lib/security folder of the JDK but I still get the same error.
                    Even though it is a good idea to install this patch, it deals with the strength of encryption that you'll be able to use which is restricted in some countries. Your problem is not related to this; I know this because I copy/pasted "javax.net.ssl.SSLHandshakeException: no cipher suites in common" into google and read the results. I suggest you do the same.
                    Hi gimbal2,
                    I've already googled the error but I didn't find anything useful: however I will try again.

                    Thank you,
                    Andrea
                    • 7. Re: SSLHandshakeException: no cipher suites in common
                      gimbal2
                      Andrea.Giovannini wrote:
                      gimbal2 wrote:
                      Andrea.Giovannini wrote:
                      I've installed the files in the jre/lib/security folder of the JDK but I still get the same error.
                      Even though it is a good idea to install this patch, it deals with the strength of encryption that you'll be able to use which is restricted in some countries. Your problem is not related to this; I know this because I copy/pasted "javax.net.ssl.SSLHandshakeException: no cipher suites in common" into google and read the results. I suggest you do the same.
                      Hi gimbal2,
                      I've already googled the error but I didn't find anything useful: however I will try again.

                      Thank you,
                      Andrea
                      Weird, because the first result I got was a highly informative stackoverflow post. I think you need to blame more what you were looking for: you were looking for a cut, copy and paste solution instead of searching for information to understand the problem and solve it. But that is conjecture on my part, feel free to ignore me.
                      • 8. Re: SSLHandshakeException: no cipher suites in common
                        EJP
                        I can't see your point: I know that 1.4.2 is at service EOL
                        That is my point.
                         but if the "JCE Unlimited ... Files" kit is available then I expect that it works, or at least to get a different error (if the problem is in key length).
                        I didn't say it wouldn't work. I said you should download that kit, which clearly entails that it should work. What I said is that you should upgrade, and I gave the reason. Twice now.
                        • 9. Re: SSLHandshakeException: no cipher suites in common
                          Andrea.Giovannini
                          Hi gimbal2,
                          I've already googled the error but I didn't find anything useful: however I will try again.

                          Thank you,
                          Andrea
                           Weird, because the first result I got was a highly informative stackoverflow post. I think you need to blame more what you were looking for: you were looking for a cut, copy and paste solution instead of searching for information to understand the problem and solve it. But that is conjecture on my part, feel free to ignore me.
                           I read that stackoverflow post (about forcing the RSA algorithm instead of the default DSA) some days ago but didn't fully understand it; now I first generated a keystore with the RSA algorithm, then I imported the certificate, and now it almost works, i.e. now it warns me about the certificate not being trusted while it should be (I can see the issuer in the Trusted Root CA of the browser). To recap:
                          - in every browser at the customer sites there are two certificates installed (one intermediate and one wildcard)
                          - the customer can use a Web MS application and has imported a certificate in IIS, so I exported this certificate and imported it in the keystore but I get the error about the CA not being trusted.

                          So now it's not working and I will try to import the intermediate and the wildcard certificate (I think this could solve). I will post the result.

                          Thank you gimbal2.
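A handshake can only succeed if at least one cipher suite is offered by the client, enabled on the server, and usable with the server's certificate key: the RSA suites need an RSA key, the DHE_DSS suites a DSA key (the default `keytool -genkey` produces), and the ECDHE_ECDSA suites an EC key. The checker below is an added example, not code from this thread or from JBoss; it applies that rule to the ClientHello suite list quoted in the first post. The server-side enabled list is an assumption (taken to be exactly the suites the 1.4.2 JSSE could name in that log line, since the thread never shows the server's list), and the "Unknown 0xc0:..." codes are mapped to their IANA names.

```python
"""Why a TLS server reports "no cipher suites in common" (added example)."""
import re

# Suites the browser offered, copied from the JSSE debug output quoted in the
# first post. JDK 1.4.2 prints the ECDHE suites it does not know as "Unknown".
CLIENT_OFFERED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "Unknown 0xc0:0x13", "Unknown 0xc0:0x14", "Unknown 0xc0:0x9", "Unknown 0xc0:0xa",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_MD5",
]

# IANA names for the suite codes the old JSSE could not print.
IANA_NAMES = {
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

# ASSUMPTION: the suites enabled on the server side. The thread does not show
# this list; here it is taken to be the suites the 1.4.2 JSSE could name.
SERVER_ENABLED_ASSUMED = [s for s in CLIENT_OFFERED if not s.startswith("Unknown")]


def resolve_name(suite):
    """Map 'Unknown 0xc0:0x13' to its IANA name; pass known names through."""
    m = re.fullmatch(r"Unknown 0x([0-9a-fA-F]+):0x([0-9a-fA-F]+)", suite)
    if not m:
        return suite
    code = (int(m.group(1), 16) << 8) | int(m.group(2), 16)
    return IANA_NAMES.get(code, suite)


def required_server_key(suite):
    """Key algorithm the server certificate must hold for this suite, or None."""
    kx_auth = resolve_name(suite).split("_WITH_")[0]   # e.g. TLS_DHE_DSS, SSL_RSA
    for marker, alg in (("_ECDSA", "EC"), ("_DSS", "DSA"), ("_RSA", "RSA")):
        if kx_auth.endswith(marker):
            return alg
    return None


def negotiable(client_offered, server_enabled, server_key_alg):
    """Suites the handshake can pick: offered, enabled, and usable with the key."""
    enabled = {resolve_name(s) for s in server_enabled}
    return [resolve_name(s) for s in client_offered
            if resolve_name(s) in enabled
            and required_server_key(s) == server_key_alg]


def diagnose(client_offered, server_enabled, server_key_alg):
    """One-line verdict in the words the JSSE exception would use."""
    suites = negotiable(client_offered, server_enabled, server_key_alg)
    if suites:
        return "ok: %d suite(s) negotiable, e.g. %s" % (len(suites), suites[0])
    return "no cipher suites in common (server key is %s)" % server_key_alg


if __name__ == "__main__":
    for alg in ("RSA", "DSA", "EC"):
        print("%-3s key: %s" % (alg, diagnose(CLIENT_OFFERED, SERVER_ENABLED_ASSUMED, alg)))
    # A server restricted to RSA suites (e.g. a narrowed connector config)
    # combined with a DSA key has nothing left to offer.
    rsa_only = [s for s in SERVER_ENABLED_ASSUMED if required_server_key(s) == "RSA"]
    print("DSA key, RSA-only server:", diagnose(CLIENT_OFFERED, rsa_only, "DSA"))
```

Under the assumed server list an RSA key leaves the five RSA suites, a DSA key only the three DHE_DSS suites, and an EC key nothing at all, because the server cannot name (and so cannot enable) any ECDHE suite; any server-side restriction that drops the DHE_DSS suites turns a DSA key into exactly the "no cipher suites in common" failure.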
                          • 10. Re: SSLHandshakeException: no cipher suites in common
                            Andrea.Giovannini
                            EJP wrote:
                            I can't see your point: I know that 1.4.2 is at service EOL
                            That is my point.
                             but if the "JCE Unlimited ... Files" kit is available then I expect that it works, or at least to get a different error (if the problem is in key length).
                            I didn't say it wouldn't work. I said you should download that kit, which clearly entails that it should work. What I said is that you should upgrade, and I gave the reason. Twice now.
                            Hi EJP,
                            thank you for the clarification.
                            I forgot to write in the reply to gimbal2 that now my app almost works with HTTPS with JDK 1.4.2 without the "JCE unlimited ... Files" kit: I tried with the 1.4.2 kit and with Java 7 with the kit and obtained the same results (the error about the CA not being trusted).
                            Now I will try to import the two certificates (intermediate and wildcard) and I'll write the results in this thread.
                            • 11. Re: SSLHandshakeException: no cipher suites in common
                              Andrea.Giovannini
                              OK I tried to force the RSA algorithm (it seems to be a possible solution) with the following steps:

                              - created a keystore with

                              keytool -genkey -alias alias1 -keyalg RSA -keystore mykeystore.keystore

                               - imported a .cer file (containing the chained intermediate and wildcard certificates) with

                              keytool -import -trustcacerts -alias alias2 -file file.cer -keystore mykeystore.keystore

                              - with

                              keytool -list -v -keystore mykeystore.keystore

                              I get


                              Enter keystore password: mypassword

                              Keystore type: jks
                              Keystore provider: SUN

                              Your keystore contains 2 entries

                              Alias name: diapason
                              Creation date: Dec 23, 2011
                              Entry type: keyEntry
                              Certificate chain length: 1
                              Certificate[1]:
                              ... data of my dummy entry ...

                              *******************************************
                              *******************************************


                              Alias name: mykey
                              Creation date: Dec 23, 2011
                              Entry type: trustedCertEntry

                              ... data of the certificate ...

                              *******************************************
                              *******************************************

                              - configured JBoss with the "alias" alias for HTTPS.

                              Then I start JBoss and I get

                              java.io.IOException: Alias name alias2 does not identify a key entry

                              Should I create the keystore in a different way?

                              Thanks,
                              Andrea
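The keytool listing above shows the two things a JBoss HTTPS connector trips over: the alias handed to the connector must be a key entry (a trustedCertEntry has no private key, hence "does not identify a key entry"), and a key entry whose chain length is 1 still carries only the self-signed certificate that `-genkey` created, because a CA reply has to be imported under the key's own alias, not under a new one. The script below is an added example, not code from this thread or from keytool; it parses the JKS container format directly (magic, version, entries, SHA-1 integrity trailer) and applies those two checks. The keystore it inspects is constructed in memory to mirror the two entries in the listing; the certificate and key bytes inside it are placeholders, not real DER.

```python
"""Inspect a JKS keystore and check the alias an HTTPS connector will use.
Added example: a parser for the JKS container format, not code from the thread.
It reads entry types and chain lengths only; certificate bytes are not decoded."""
import hashlib
import struct

MAGIC, VERSION = 0xFEEDFEED, 2
KEY_ENTRY, TRUSTED_CERT_ENTRY = 1, 2        # entry tags used by the JKS format


def _utf(s):                                # DataOutput.writeUTF: 2-byte length + bytes
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _blob(b):                               # 4-byte length + bytes
    return struct.pack(">I", len(b)) + b


def _integrity_digest(password, body):
    # JKS trailer: SHA-1 over the password as UTF-16BE, a fixed salt string,
    # and every byte of the keystore that precedes the digest.
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()


def build_jks(entries, password):
    """Serialise entries into JKS bytes, in the layout keytool writes."""
    body = struct.pack(">III", MAGIC, VERSION, len(entries))
    for e in entries:
        body += struct.pack(">I", e["tag"]) + _utf(e["alias"]) + struct.pack(">Q", e["timestamp_ms"])
        if e["tag"] == KEY_ENTRY:
            body += _blob(e["protected_key"]) + struct.pack(">I", len(e["chain"]))
            for cert in e["chain"]:
                body += _utf("X.509") + _blob(cert)
        else:
            body += _utf("X.509") + _blob(e["cert"])
    return body + _integrity_digest(password, body)


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        chunk, self.pos = self.data[self.pos:self.pos + n], self.pos + n
        return chunk

    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def utf(self): return self.take(self.u16()).decode("utf-8")
    def blob(self): return self.take(self.u32())


def inspect_jks(data, password):
    """Return [{alias, type, chain_length}] after verifying the integrity trailer."""
    body, trailer = data[:-20], data[-20:]
    if _integrity_digest(password, body) != trailer:
        raise ValueError("keystore was tampered with, or password was incorrect")
    r = _Reader(body)
    if r.u32() != MAGIC:
        raise ValueError("not a JKS keystore")
    version = r.u32()
    if version not in (1, 2):
        raise ValueError("unsupported JKS version %d" % version)
    entries = []
    for _ in range(r.u32()):
        tag, alias, _timestamp = r.u32(), r.utf(), r.u64()
        if tag == KEY_ENTRY:
            r.blob()                        # encrypted private key; not needed here
            n = r.u32()
            for _ in range(n):
                if version == 2:
                    r.utf()                 # certificate type, "X.509"
                r.blob()
            entries.append({"alias": alias, "type": "keyEntry", "chain_length": n})
        elif tag == TRUSTED_CERT_ENTRY:
            if version == 2:
                r.utf()
            r.blob()
            entries.append({"alias": alias, "type": "trustedCertEntry", "chain_length": 1})
        else:
            raise ValueError("unknown entry tag %d" % tag)
    return entries


def check_tls_alias(entries, alias):
    """Problems that stop `alias` serving a CA-issued certificate over HTTPS."""
    found = [e for e in entries if e["alias"] == alias]
    if not found:
        return ["alias %r not found in keystore" % alias]
    e = found[0]
    if e["type"] != "keyEntry":
        return ["alias %r is a %s, not a key entry: no private key to serve with" % (alias, e["type"])]
    if e["chain_length"] < 2:
        return ["alias %r holds a single certificate: a CA-issued certificate and its "
                "intermediate must be imported under this same alias, not as a separate "
                "trusted-cert entry" % alias]
    return []


# Constructed keystore mirroring the two entries in the keytool -list output.
# Key and certificate bytes are placeholders, not real DER.
SAMPLE_PASSWORD = "mypassword"
SAMPLE_ENTRIES = [
    {"tag": KEY_ENTRY, "alias": "diapason", "timestamp_ms": 1324598400000,
     "protected_key": b"\x00" * 16, "chain": [b"\x30\x03\x02\x01\x01"]},
    {"tag": TRUSTED_CERT_ENTRY, "alias": "mykey", "timestamp_ms": 1324598400000,
     "cert": b"\x30\x03\x02\x01\x02"},
]

if __name__ == "__main__":
    store = inspect_jks(build_jks(SAMPLE_ENTRIES, SAMPLE_PASSWORD), SAMPLE_PASSWORD)
    for alias in ("diapason", "mykey", "alias2"):
        print(alias, check_tls_alias(store, alias) or "OK")
```

Point the connector at the key-entry alias, and fix the chain by importing the intermediate as a trusted entry first and then importing the CA-issued certificate under the key entry's own alias, so that a second `keytool -list -v` shows that alias as a keyEntry with a chain length of 2 or more.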