2015-07-08 21 views
5

Sto cercando di installare il mio certificato SSL ho acquistato per il mio dominio da Comodo, ma sto ottenendo uno SSLHandshakeExceptionSSLHandshakeException: Nessuna suite di cifratura in comune - a spruzzo può SSL configurazione

: Nessuna suite di cifratura in comune

Ho letto le domande multiple su questo argomento ma nessuna delle risposte proposte mi ha ancora aiutato.

Comodo fornito quattro certificati:

  • AddTrustExternalCARoot.crt
  • COMODORSAAddTrustCA.crt
  • COMODORSADomainValidationSecureServerCA.crt
  • STAR_example_com.crt

Sto installando il server in un Dockerfile per isolare il problema dal mio ambiente di sviluppo locale:

from google/debian:wheezy 
# Server binary and certificates are copied in before this 
RUN apt-get update && apt-get install -y openjdk-7-jre 
ADD UnlimitedJCEPolicyJDK7.zip/
RUN unzip UnlimitedJCEPolicyJDK7.zip && cp UnlimitedJCEPolicy/*.jar /usr/lib/jvm/java-1.7.0-openjdk-amd64/jre/lib/security/ 
RUN keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore /example.com.jks -storepass changeit -noprompt 
RUN keytool -import -trustcacerts -alias int-1 -file COMODORSAAddTrustCA.crt -keystore /example.com.jks -storepass changeit -noprompt 
RUN keytool -import -trustcacerts -alias int-2 -file COMODORSADomainValidationSecureServerCA.crt -keystore /example.com.jks -storepass changeit -noprompt 
RUN keytool -import -trustcacerts -alias mykey -file STAR_example_com.crt -keystore /example.com.jks -storepass changeit -noprompt 

uscita dai comandi keytool in Docker:

Step 10 : RUN keytool -import -trustcacerts -alias root -file AddTrustExternalCARoot.crt -keystore /example.com.jks -storepass changeit -noprompt 
---> Running in 949afa47c891 
Certificate was added to keystore 
---> 1df5ff85c32a 
Removing intermediate container 949afa47c891 
Step 11 : RUN keytool -import -trustcacerts -alias int-1 -file COMODORSAAddTrustCA.crt -keystore /example.com.jks -storepass changeit -noprompt 
---> Running in 6cc802ee61f9 
Certificate was added to keystore 
---> f6eee577e7d5 
Removing intermediate container 6cc802ee61f9 
Step 12 : RUN keytool -import -trustcacerts -alias int-2 -file COMODORSADomainValidationSecureServerCA.crt -keystore /example.com.jks -storepass changeit -noprompt 
---> Running in 22e6bc1e70a6 
Certificate was added to keystore 
---> d7a0472a9e1f 
Removing intermediate container 22e6bc1e70a6 
Step 13 : RUN keytool -import -trustcacerts -alias mykey -file STAR_example_com.crt -keystore /example.com.jks -storepass changeit -noprompt 
---> Running in 9a812b1182ca 
Certificate was added to keystore 

Comodos instructions dire che questa ultima 'Certificato è stato aggiunto al keystore' messaggio deve essere 'La risposta del certificato è stato installato nel keystore'. Cosa dovrei fare diversamente quando installo il certificato di dominio?

La configurazione SSL in Spray si presenta in questo modo:

trait SslConfiguration { 
    implicit def sslContext: SSLContext = { 
    val password = "changeit" 
    val keyStoreResource = "/example.com.jks" 

    val keyStore = KeyStore.getInstance("jks") 
    keyStore.load(new FileInputStream(keyStoreResource), password.toCharArray) 
    val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm) 
    keyManagerFactory.init(keyStore, password.toCharArray) 
    val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm) 
    trustManagerFactory.init(keyStore) 
    val context = SSLContext.getInstance("TLS") 

    context.init(keyManagerFactory.getKeyManagers, null, new SecureRandom) 
    context 
    } 

    implicit def sslEngineProvider: ServerSSLEngineProvider = { 
    ServerSSLEngineProvider { engine => 
     engine.setEnabledCipherSuites(Array("TLS_RSA_WITH_AES_256_CBC_SHA")) 
     engine.setEnabledProtocols(Array("SSLv3", "TLSv1")) 
     engine 
    } 
    } 
} 

server di avvio:

object Server extends SimpleRoutingApp with SprayJsonSupport with SslConfiguration { 
    def apply(config: Configuration, router: ActorRef)(implicit actorSystem: ActorSystem) = { 
    val settings = ServerSettings(actorSystem).copy(sslEncryption = true) 
    startServer("0.0.0.0", config.notifyPort, serviceActorName = "notify-server", settings = Some(settings)) { 
     path("ping") { 
     complete("OK") 
     } 
    } 
    } 
} 

Stretta di mano di debug di uscita:

ricciolo https://localhost:9082/ping

Using SSLEngineImpl. 
Using SSLEngineImpl. 
Using SSLEngineImpl. 
Using SSLEngineImpl. 
Allow unsafe renegotiation: false 
Allow legacy hello messages: true 
Is initial handshake: true 
Is secure renegotiation: false 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello 
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello 
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for SSLv2Hello 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv2Hello 
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv2Hello 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1 
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1 
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1 
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1 
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1 
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1 
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1 
[Raw read]: length = 5 
0000: 16 03 01 00 BF          ..... 
[Raw read]: length = 191 
0000: 01 00 00 BB 03 03 55 9C 69 B9 0E 94 CA 61 A4 3C ......U.i....a.< 
0010: 95 0B A5 81 B6 BA D4 90 3D 4B 8C 4E BB 35 17 8F ........=K.N.5.. 
0020: 19 9E B6 D0 2E BB 00 00 5E 00 FF C0 24 C0 23 C0 ........^...$.#. 
0030: 0A C0 09 C0 07 C0 08 C0 28 C0 27 C0 14 C0 13 C0 ........(.'..... 
0040: 11 C0 12 C0 26 C0 25 C0 2A C0 29 C0 05 C0 04 C0 ....&.%.*.)..... 
0050: 02 C0 03 C0 0F C0 0E C0 0C C0 0D 00 3D 00 3C 00 ............=.<. 
0060: 2F 00 05 00 04 00 35 00 0A 00 67 00 6B 00 33 00 /.....5...g.k.3. 
0070: 39 00 16 00 AF 00 AE 00 8D 00 8C 00 8A 00 8B 00 9............... 
0080: B1 00 B0 00 2C 00 3B 01 00 00 34 00 00 00 0E 00 ....,.;...4..... 
0090: 0C 00 00 09 6C 6F 63 61 6C 68 6F 73 74 00 0A 00 ....localhost... 
00A0: 08 00 06 00 17 00 18 00 19 00 0B 00 02 01 00 00 ................ 
00B0: 0D 00 0C 00 0A 05 01 04 01 02 01 04 03 02 03  ............... 
notify-server-akka.actor.default-dispatcher-6, READ: TLSv1 Handshake, length = 191 
*** ClientHello, TLSv1.2 
RandomCookie: GMT: 1419536569 bytes = { 14, 148, 202, 97, 164, 60, 149, 11, 165, 129, 182, 186, 212, 144, 61, 75, 140, 78, 187, 53, 23, 143, 25, 158, 182, 208, 46, 187 } 
Session ID: {} 
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_PSK_WITH_AES_256_CBC_SHA384, TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_PSK_WITH_AES_256_CBC_SHA, TLS_PSK_WITH_AES_128_CBC_SHA, TLS_PSK_WITH_RC4_128_SHA, TLS_PSK_WITH_3DES_EDE_CBC_SHA, TLS_PSK_WITH_NULL_SHA384, TLS_PSK_WITH_NULL_SHA256, TLS_PSK_WITH_NULL_SHA, TLS_RSA_WITH_NULL_SHA256] 
Compression Methods: { 0 } 
Extension server_name, server_name: [host_name: localhost] 
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1} 
Extension ec_point_formats, formats: [uncompressed] 
Extension signature_algorithms, signature_algorithms: SHA384withRSA, SHA256withRSA, SHA1withRSA, SHA256withECDSA, SHA1withECDSA 
*** 
[read] MD5 and SHA1 hashes: len = 191 
0000: 01 00 00 BB 03 03 55 9C 69 B9 0E 94 CA 61 A4 3C ......U.i....a.< 
0010: 95 0B A5 81 B6 BA D4 90 3D 4B 8C 4E BB 35 17 8F ........=K.N.5.. 
0020: 19 9E B6 D0 2E BB 00 00 5E 00 FF C0 24 C0 23 C0 ........^...$.#. 
0030: 0A C0 09 C0 07 C0 08 C0 28 C0 27 C0 14 C0 13 C0 ........(.'..... 
0040: 11 C0 12 C0 26 C0 25 C0 2A C0 29 C0 05 C0 04 C0 ....&.%.*.)..... 
0050: 02 C0 03 C0 0F C0 0E C0 0C C0 0D 00 3D 00 3C 00 ............=.<. 
0060: 2F 00 05 00 04 00 35 00 0A 00 67 00 6B 00 33 00 /.....5...g.k.3. 
0070: 39 00 16 00 AF 00 AE 00 8D 00 8C 00 8A 00 8B 00 9............... 
0080: B1 00 B0 00 2C 00 3B 01 00 00 34 00 00 00 0E 00 ....,.;...4..... 
0090: 0C 00 00 09 6C 6F 63 61 6C 68 6F 73 74 00 0A 00 ....localhost... 
00A0: 08 00 06 00 17 00 18 00 19 00 0B 00 02 01 00 00 ................ 
00B0: 0D 00 0C 00 0A 05 01 04 01 02 01 04 03 02 03  ............... 
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL] 
notify-server-akka.actor.default-dispatcher-6, fatal error: 40: no cipher suites in common 
javax.net.ssl.SSLHandshakeException: no cipher suites in common 
%% Invalidated: [Session-1, SSL_NULL_WITH_NULL_NULL] 
notify-server-akka.actor.default-dispatcher-6, SEND TLSv1.2 ALERT: fatal, description = handshake_failure 
notify-server-akka.actor.default-dispatcher-6, WRITE: TLSv1.2 Alert, length = 2 
notify-server-akka.actor.default-dispatcher-6, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common 
[ERROR] [07/08/2015 00:07:22.230] [notify-server-akka.actor.default-dispatcher-6] [akka://notify-server/user/IO-HTTP/listener-0/0] Aborting encrypted connection to 10.0.2.2/10.0.2.2:50790 due to [SSLHandshakeException:no cipher suites in common] -> [SSLHandshakeException:no cipher suites in common] 

Ho seguito Comodos instructions su un tee EXCEPT per l'impostazione dell'alias. Non sono sicuro al 100% se dovrei impostare l'alias del dominio su "mykey" o qualcos'altro. Questo potrebbe essere il problema?

Qualsiasi aiuto con questo problema sarebbe molto apprezzato!

+0

potrebbe essere utile - http://stackoverflow.com/questions/30758303/problems-connecting-via-https-ssl-through-own-java-client – ZhongYu

+0

My local_policy.jar non contiene restrizioni sugli algoritmi di crittografia, quindi purtroppo che non mi aiuta – Upio

+0

dove viene lanciata l'eccezione? sul lato client o sul lato server. – ZhongYu

risposta

4

Il problema è stato risolto quando ho seguito these instructions per installare il certificato e la chiave privata nel keystore. Stavo seguendo le istruzioni che presumevano che questo passo fosse già stato fatto.

1

Avevo lo stesso identico problema dovuto all'estensione di Crittografia Java mancante. È possibile scaricarlo e installarlo da qui http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

Normalmente il JDK (non il JRE) viene fornito con alcune librerie già installate.

+0

Non era questo alla fine. Aveva a che fare con il modo in cui stavo preparando il mio keystore. Non stavo installando correttamente la chiave privata + il certificato http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore – Upio

0

Per me questo è stato causato dall'errato keystore in uso.

Avevo due moduli nella stessa applicazione, e un altro inizializzava javax.net.ssl ​​a suo piacimento e la parte che lanciava l'Eccezione elencata sopra ha ottenuto il turno solo dopo.

E una volta che javax.net.ssl ​​è stato inizializzato una volta, la modifica delle proprietà del sistema key-and-truststore non ha più alcun effetto.

L'ho capito mettendo -Djavax.net.debug = ssl alla chiamata da riga di comando del server delle applicazioni originale, per assicurarsi che l'opzione fosse impostata prima che qualcun altro avesse il proprio turno. Quindi puoi vedere su STDOUT chi inizializza i negozi e con cosa.