Spray-can 1.3.1 ssl error no cipher suites in common

[shingh...@gmail.com]

Hi,

   I have managed to run the example on ssl successfully  from
            https://github.com/spray/spray/tree/release/1.2/examples/spray-can/simple-http-server


  In  the trait MySslConfiguration, I tried using my own self-signed certificate by replacing

     val keyStoreResource = "/ssl-test-keystore.jks"
     val password = ""
   
by
   val keyStoreResource = "/gauss.jks"
    val password = "xxx"


With the above change, I get the following error when I access https://localhost:8080 from Firefox 29.0..1

Using SSLEngineImpl.
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
SSLTest-akka.actor.default-dispatcher-3, READ: TLSv1 Handshake, length = 177
SSLTest-akka.actor.default-dispatcher-2, READ: TLSv1 Handshake, length = 177
*** ClientHello, TLSv1
*** ClientHello, TLSv1
RandomCookie:  RandomCookie:  GMT: 395986783 GMT: -1974684754 bytes = { bytes = { 76, 29, 67, 233, 107, 204, 231, 157, 177, 50, 66, 79, 136, 138, 75, 73, 253, 72, 57, 122, 173, 66, 169, 46, 134, 81, 221, 221, 22, 242, 33, 158, 71, 206, 1, 103, 200, 106, 132, 42, 86, 53, 63, 86, 16, 28, 223, 148, 246, 111, 121, 5, 203, 164, 220172 }
 }
Session ID:  Session ID:  {83, 147, 118, 231, 217, 198, 203, 103, 199, 129, 91, 64, 95, 239, 41, 190, 214, 225, 212, 138, 238, 40, 175, 202, 45, 163, 98, 18, 6, 152, 56, 199}
{83, 147, 118, 231, 217, 198, 203, 103, 199, 129, 91, 64, 95, 239, 41, 190, 214, 225, 212, 138, 238, 40, 175, 202, 45, 163, 98, 18, 6, 152, 56, 199}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods:  { Compression Methods:  { 00 }
 }
Extension server_name, server_name: [host_name: localhost]
Extension server_name, server_name: [host_name: localhost]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_35, data:
Unsupported extension type_13172, data:
Unsupported extension type_13172, data:
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension status_request, data: 01:00:00:00:00
***
***
%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Initialized:  [Session-2, SSL_NULL_WITH_NULL_NULL]
SSLTest-akka.actor.default-dispatcher-3, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
SSLTest-akka.actor.default-dispatcher-2, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated:  [Session-1, SSL_NULL_WITH_NULL_NULL]
%% Invalidated:  [Session-2, SSL_NULL_WITH_NULL_NULL]
SSLTest-akka.actor.default-dispatcher-3, SEND TLSv1 ALERT:  fatal, description = handshake_failure
SSLTest-akka.actor.default-dispatcher-2, SEND TLSv1 ALERT:  fatal, description = handshake_failure
SSLTest-akka.actor.default-dispatcher-3, WRITE: TLSv1 Alert, length = 2
SSLTest-akka.actor.default-dispatcher-2, WRITE: TLSv1 Alert, length = 2
SSLTest-akka.actor.default-dispatcher-3, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
SSLTest-akka.actor.default-dispatcher-2, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
[ERROR] [06/07/2014 22:31:40.737] [SSLTest-akka.actor.default-dispatcher-3] [akka://SSLTest/user/IO-HTTP/listener-0/1] Aborting encrypted connection to localhost/127.0.0.1:40816 due to [SSLHandshakeException:no cipher suites in common] -> [SSLHandshakeException:no cipher suites in common]
[ERROR] [06/07/2014 22:31:40.737] [SSLTest-akka.actor.default-dispatcher-2] [akka://SSLTest/user/IO-HTTP/listener-0/0] Aborting encrypted connection to localhost/127.0.0.1:40815 due to [SSLHandshakeException:no cipher suites in common] -> [SSLHandshakeException:no cipher suites in common]
[DEBUG] [06/07/2014 22:31:40.741] [SSLTest-akka.actor.default-dispatcher-7] [akka://SSLTest/system/IO-TCP/selectors/$a/0] New connection accepted


The following thread  had a similar problem. But the fix there does not work for me.
https://groups.google.com/forum/#!searchin/spray-user/no$20cipher$20suites$20in$20common|sort:relevance/spray-user/j6pdNilBy_o/UGFAUjuCjiwJ

Thanks in advance for any assistance!

Shing

[shingh...@gmail.com]

In case it helps, below is my gauss.jks.


matmsh@gauss:~/keystore> keytool -list -v -keystore gauss.jks
Enter keystore password: 

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: 09-Oct-2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Adbrain, O=Adbrain, L=London, ST=Some-State, C=UK
Issuer: CN=localhost, OU=Adbrain, O=Adbrain, L=London, ST=Some-State, C=UK
Serial number: e1e9f508dc01ad82
Valid from: Wed Oct 09 10:45:02 BST 2013 until: Wed Sep 09 10:45:02 BST 2015
Certificate fingerprints:
         MD5:  87:97:E4:20:F9:4F:1E:3C:A7:4A:A8:69:C8:47:AF:D4
         SHA1: F7:09:0F:57:CE:56:72:7E:3C:A6:C8:75:68:44:B2:0F:FE:09:E0:C7
         SHA256: 35:CE:8E:1C:94:F9:3B:70:9F:7B:D8:BA:31:4B:40:8E:80:00:00:E2:89:5B:B3:6A:74:82:37:53:35:AE:AB:29
         Signature algorithm name: SHA1withRSA
         Version: 1


*******************************************
*******************************************




matmsh@gauss:~/keystore>

Shing

[shingh...@gmail.com]

I think I have not set ciphersSuites correctly in
engine.setEnabledCipherSuites

implicit def sslEngineProvider: ServerSSLEngineProvider = {
    ServerSSLEngineProvider { engine =>
      engine.setEnabledCipherSuites(Array("TLS_RSA_WITH_AES_256_CBC_SHA"))
      engine.setEnabledProtocols(Array("SSLv3", "TLSv1"))
      engine
    }
  }


Shing

[shingh...@gmail.com]

Instead of constructing the SSLContext in the way specified in MySslConfiguration in

https://github.com/spray/spray/blob/release/1.2/examples/spray-can/simple-http-server/src/main/scala/spray/examples/MySslConfiguration.scala

I have tried using  SslContextParamaters from Apache Camel-core.

trait CamelSslConfiguration {

  // if there is no SSLContext in scope implicitly the HttpServer uses the default SSLContext,
  // since we want non-default settings in this example we make a custom SSLContext available here
  implicit def sslContext: SSLContext = {

    val keyStoreFile = "/home/matmsh/keystore/gauss.jks"
  
    val ksp = new KeyStoreParameters()
    ksp.setResource(keyStoreFile);
    ksp.setPassword("xxx")

    val kmp = new KeyManagersParameters()
    kmp.setKeyStore(ksp)
    kmp.setKeyPassword("xxx")

    val scp = new SSLContextParameters()
    scp.setKeyManagers(kmp)
   
   val context= scp.createSSLContext()
  
   context
  }

  // if there is no ServerSSLEngineProvider in scope implicitly the HttpServer uses the default one,
  // since we want to explicitly enable cipher suites and protocols we make a custom ServerSSLEngineProvider
  // available here
//  implicit def sslEngineProvider: ServerSSLEngineProvider = {
//    ServerSSLEngineProvider { engine =>
//      engine.setEnabledCipherSuites(Array("TLS_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"))
//      engine.setEnabledProtocols(Array("SSLv3", "TLSv1"))
//      engine
//    }
//  }


The above works.


Shing

[David Bolene]

Thank you.  Worked for me as well

david...

[lin chunwei]

I had the same problem and solved it.

If you want to read the keystore file outside the project, you could use

new FileInputStream("/path/to/keystore.jks")

Otherwise you need to put the file in project's resource folder and read it

getClass.getResourceAsStream("/keystore.jks")

shingh...@gmail.com於 2014年6月9日星期一 UTC+8下午9時15分33秒寫道：