SSL not working from Windows XP IE 6/7/8 clients

1,487 views
Skip to first unread message

RanUser

unread,
May 21, 2013, 5:10:18 PM5/21/13
to spray...@googlegroups.com
Cannot make SSL connection from Windows XP SP2+ using IE6/7/8+
 
environment:
 
- client: Windows XP SP2 or 3, IE 7 or 8 (v6 probably effected too, didn't test)
- server JDK7
- Spray M7
 
First I had a problem with no matching SSL protocol, then added "SSLv2Hello".  However now we cannot get past the no matching cipher suite error.
 
This page supposedly lists the available cipher suites in Wnidows XP:
 
 
However none of these cipher suites are apparently available in JDK7:
 
 
If I try adding TLS_RSA_WITH_RC4_128_SHA or TLS_RSA_WITH_RC4_128_MD5:
 
engine.setEnabledCipherSuites(Array("TLS_RSA_WITH_RC4_128_SHA"))
 
Exception:
 

java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_RSA_WITH_RC4_128_MD5
        at sun.security.ssl.CipherSuite.valueOf(CipherSuite.java:231)
        at sun.security.ssl.CipherSuiteList.<init>(CipherSuiteList.java:82)
        at sun.security.ssl.SSLEngineImpl.setEnabledCipherSuites(SSLEngineImpl.java:2003)

 
As it is, I've been using:
 

engine.setEnabledCipherSuites(Array("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"))

 
But Windows XP requests will throw:
 

 javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1364)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) 

 
Any guidance is GREATLY appreciated :) 

 

Johannes Rudolph

unread,
May 22, 2013, 3:46:16 AM5/22/13
to spray...@googlegroups.com
Maybe the first step would be to either a) capture a dump with wireshark so you can see which ciphers exactly were offered or b) start your server with the `-Djavax.net.debug=all` option and look at the logging output what's going on exactly. Do you have any custom configuration for the Java security providers?

Johannes


--
You received this message because you are subscribed to the Google Groups "spray-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to spray-user+...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 



--
Johannes

-----------------------------------------------
Johannes Rudolph
http://virtual-void.net

RanUser

unread,
May 23, 2013, 2:56:03 AM5/23/13
to spray...@googlegroups.com, johannes...@googlemail.com
Thanks,
 
A couple updates:
 
- Running Spray M6, not M7, sorry!
- No custom configuration for Java security providers.  The parts I'm setting are:
 
my implicit sslContext (context parts):
 
val context = SSLContext.getInstance("TLS")
    context.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
    context
 
my implicit sslEngineProvider:
 

engine.setEnabledCipherSuites(Array("TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"))

engine.setEnabledProtocols(Array("TLSv1", "SSLv3", "SSLv2Hello"))
 
 
These are the ciphers offered (from Wireshark, request via stock Windowx XP SP2 IE7, 11 ciphers counted). :
 
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)
 
-
 
This is the output from -Djavax.net.debug=all on request attempt:
 
 

Using SSLEngineImpl.
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[Raw read]: length = 5
0000: 16 03 01 00 41                                     ....A
[Raw read]: length = 65
0000: 01 00 00 3D 03 01 51 9D   B8 A3 B7 A8 7C 47 83 E7  ...=..Q......G..
0010: 9A DB D8 14 C4 07 AD A3   41 D1 7A 97 45 C6 98 A1  ........A.z.E...
0020: 5E EB 05 02 3A A6 00 00   16 00 04 00 05 00 0A 00  ^...:...........
0030: 09 00 64 00 62 00 03 00   06 00 13 00 12 00 63 01  ..d.b.........c.
0040: 00                                                 .
service-content-spray-Runner-akka.actor.default-dispatcher-7, READ: TLSv1 Handshake, length = 65
*** ClientHello, TLSv1
RandomCookie:  GMT: 1352447907 bytes = { 183, 168, 124, 71, 131, 231, 154, 219, 216, 20, 196, 7, 173, 163, 65, 209, 122, 151, 69, 198, 152, 161,
94, 235, 5, 2, 58, 166 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_W
ITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_ED
E_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods:  { 0 }
***
Warning: No renegotiation indication in ClientHello, allow legacy ClientHello
[read] MD5 and SHA1 hashes:  len = 65
0000: 01 00 00 3D 03 01 51 9D   B8 A3 B7 A8 7C 47 83 E7  ...=..Q......G..
0010: 9A DB D8 14 C4 07 AD A3   41 D1 7A 97 45 C6 98 A1  ........A.z.E...
0020: 5E EB 05 02 3A A6 00 00   16 00 04 00 05 00 0A 00  ^...:...........
0030: 09 00 64 00 62 00 03 00   06 00 13 00 12 00 63 01  ..d.b.........c.
0040: 00                                                 .
%% Initialized:  [Session-3, SSL_NULL_WITH_NULL_NULL]
service-content-spray-Runner-akka.actor.default-dispatcher-7, fatal error: 40: no cipher suites in common


javax.net.ssl.SSLHandshakeException: no cipher suites in common

%% Invalidated:  [Session-3, SSL_NULL_WITH_NULL_NULL]
service-content-spray-Runner-akka.actor.default-dispatcher-7, SEND TLSv1 ALERT:  fatal, description = handshake_failure
service-content-spray-Runner-akka.actor.default-dispatcher-7, WRITE: TLSv1 Alert, length = 2
service-content-spray-Runner-akka.actor.default-dispatcher-7, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException


: no cipher suites in common

[ERROR] [05/22/2013 23:35:15.616] [service-content-spray-Runner-akka.actor.default-dispatcher-7] [akka://service-content-spray-Runner
/user/httpsServer] Closing encrypted connection to content-dev.streamhoster.com/192.168.1.138:64911 due to javax.net.ssl.SSLHandshakeException: n
o cipher suites in common


javax.net.ssl.SSLHandshakeException: no cipher suites in common

        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)


        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)

        at spray.io.SslTlsSupport$$anon$4$SslPipelines.decrypt(SslTlsSupport.scala:119)
        at spray.io.SslTlsSupport$$anon$4$SslPipelines$$anonfun$3$$anonfun$apply$3.apply(SslTlsSupport.scala:61)
        at spray.io.SslTlsSupport$$anon$4$SslPipelines$$anonfun$3$$anonfun$apply$3.apply(SslTlsSupport.scala:61)
        at spray.io.SslTlsSupport$$anon$4$SslPipelines.withTempBuf(SslTlsSupport.scala:149)
        at spray.io.SslTlsSupport$$anon$4$SslPipelines$$anonfun$3.apply(SslTlsSupport.scala:61)       

Using SSLEngineImpl.
service-content-spray-Runner-akka.actor.default-dispatcher-7, called closeInbound()
service-content-spray-Runner-akka.actor.default-dispatcher-7, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Inbound
 closed before receiving peer's close_notify: possible truncation attack?
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[Raw read]: length = 5
0000: 16 03 00 00 41                                     ....A
[Raw read]: length = 65
0000: 01 00 00 3D 03 00 51 9D   B8 A3 78 17 FB 91 8D CE  ...=..Q...x.....
0010: BC 1C 10 E3 0D 5E 3C 7F   99 CC 44 92 87 74 66 8D  .....^<...D..tf.
0020: 4F 3A 65 EE 26 EF 00 00   16 00 04 00 05 00 0A 00  O:e.&...........
0030: 09 00 64 00 62 00 03 00   06 00 13 00 12 00 63 01  ..d.b.........c.
0040: 00                                                 .
service-content-spray-Runner-akka.actor.default-dispatcher-8, READ: SSLv3 Handshake, length = 65
*** ClientHello, SSLv3
RandomCookie:  GMT: 1352447907 bytes = { 120, 23, 251, 145, 141, 206, 188, 28, 16, 227, 13, 94, 60, 127, 153, 204, 68, 146, 135, 116, 102, 141, 7
9, 58, 101, 238, 38, 239 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_W
ITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_ED
E_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]
Compression Methods:  { 0 }
***
Warning: No renegotiation indication in ClientHello, allow legacy ClientHello
[read] MD5 and SHA1 hashes:  len = 65
0000: 01 00 00 3D 03 00 51 9D   B8 A3 78 17 FB 91 8D CE  ...=..Q...x.....
0010: BC 1C 10 E3 0D 5E 3C 7F   99 CC 44 92 87 74 66 8D  .....^<...D..tf.
0020: 4F 3A 65 EE 26 EF 00 00   16 00 04 00 05 00 0A 00  O:e.&...........
0030: 09 00 64 00 62 00 03 00   06 00 13 00 12 00 63 01  ..d.b.........c.
0040: 00                                                 .
%% Initialized:  [Session-4, SSL_NULL_WITH_NULL_NULL]
service-content-spray-Runner-akka.actor.default-dispatcher-8, fatal error: 40: no cipher suites in common


javax.net.ssl.SSLHandshakeException: no cipher suites in common

%% Invalidated:  [Session-4, SSL_NULL_WITH_NULL_NULL]
service-content-spray-Runner-akka.actor.default-dispatcher-8, SEND SSLv3 ALERT:  fatal, description = handshake_failure
service-content-spray-Runner-akka.actor.default-dispatcher-8, WRITE: SSLv3 Alert, length = 2
service-content-spray-Runner-akka.actor.default-dispatcher-8, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException


: no cipher suites in common

service-content-spray-Runner-akka.actor.default-dispatcher-8, called closeInbound()
[ERROR] [05/22/2013 23:35:15.699] [service-content-spray-Runner-akka.actor.default-dispatcher-8] [akka://service-content-spray-Runner
/user/httpsServer] Closing encrypted connection to content-dev.streamhoster.com/192.168.1.138:64912 due to javax.net.ssl.SSLHandshakeException: n
o cipher suites in common


javax.net.ssl.SSLHandshakeException: no cipher suites in common

        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1362)


        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:790)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:758)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)

        at spray.io.SslTlsSupport$$anon$4$SslPipelines.decrypt(SslTlsSupport.scala:119)
        at spray.io.SslTlsSupport$$anon$4$SslPipelines$$anonfun$3$$anonfun$apply$3.apply(SslTlsSupport.scala:61)
        at spray.io.SslTlsSupport$$anon$4$SslPipelines$$anonfun$3$$anonfun$apply$3.apply(SslTlsSupport.scala:61)
        at spray.io.SslTlsSupport$$anon$4$SslPipelines.withTempBuf(SslTlsSupport.scala:149)
        at spray.io.SslTlsSupport$$anon$4$SslPipelines$$anonfun$3.apply(SslTlsSupport.scala:61)
       
Using SSLEngineImpl.
service-content-spray-Runner-akka.actor.default-dispatcher-8, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Inbound
 closed before receiving peer's close_notify: possible truncation attack?
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
service-content-spray-Runner-akka.actor.default-dispatcher-9, called closeInbound()
service-content-spray-Runner-akka.actor.default-dispatcher-9, closeInboundInternal()
service-content-spray-Runner-akka.actor.default-dispatcher-9, closeOutboundInternal()

Johannes Rudolph

unread,
May 23, 2013, 4:57:07 AM5/23/13
to spray...@googlegroups.com
On Tue, May 21, 2013 at 11:10 PM, RanUser <ranu...@gmail.com> wrote:
> If I try adding TLS_RSA_WITH_RC4_128_SHA or TLS_RSA_WITH_RC4_128_MD5:
>  
> engine.setEnabledCipherSuites(Array("TLS_RSA_WITH_RC4_128_SHA"))

Have you tried adding `SSL_RSA_WITH_RC4_128_SHA` instead? That should be an alias for the one you are looking for. If you look at the cipher suites presented by the client:

Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_W
ITH_RC4_56_SHA, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_DHE_DSS_WITH_3DES_ED
E_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA]

you can see how Java interprets the presented cipher suite identifiers.

RanUser

unread,
May 23, 2013, 12:25:53 PM5/23/13
to spray...@googlegroups.com, johannes...@googlemail.com
That was it! Thanks you!
Reply all
Reply to author
Forward
0 new messages