
Limiting allowable SSL cipher suites in Glassfish V3 causes error

davidwarren
Joined: 2010-03-05

My apologies in advance if I am posting this on the wrong forum - if so, please let me know where I should post this...

I am trying to configure Glassfish v3 to limit the acceptable SSL cipher suites that a client can use to establish an SSL (TLS) connection with a web service available at port 8181 - which corresponds to the network listener "http-listener-2".

I did what I thought was the correct procedure through the Glassfish admin console. Under Configuration | Network Config | Network Listeners | http-listener-2, I selected the SSL tab and then selected the cipher suites I wanted to allow (I am trying to force an AES 256 cipher to be used). After saving these changes, the tag for http-listener-2 in domain.xml looks like this:

<ssl ssl3-tls-ciphers="+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
ssl3-enabled="false" cert-nickname="s1as" />

However, after I limit the allowable cipher suites, I can no longer connect to anything on port 8181. Every time I try, I get the error below. This happens even if I allow 128-bit cipher suites. The only way connections are successful is if I allow all cipher suites. I am trying to connect with a Java client that I know has JCE installed (cipher suite strength is not limited to 128 bits).

Can somebody tell me what I'm doing wrong?

Error stack trace:
[#|2010-06-15T18:41:15.807-0400|SEVERE|glassfishv3.0|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=30;_ThreadName=Thread-1;|ProtocolChain exception
java.lang.IllegalArgumentException: CipherSuites may not be null
at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(CipherSuiteList.java:58)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.setEnabledCipherSuites(SSLEngineImpl.java:1735)
at com.sun.grizzly.filter.SSLReadFilter.newSSLEngine(SSLReadFilter.java:358)
at com.sun.grizzly.filter.SSLReadFilter.obtainSSLEngine(SSLReadFilter.java:394)
at com.sun.grizzly.filter.SSLReadFilter.execute(SSLReadFilter.java:154)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:330)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:309)
at java.lang.Thread.run(Thread.java:619)
|#]

orange80
Joined: 2009-05-03

I've got the same problem! I double checked that my JCE is not restricted, and regardless of what ciphers I select, any time I try to select some specific ciphers (rather than leaving blank to include all), SSL completely breaks.

This happens on my dev machine which is OS X using just the default localhost cert, and it ALSO happens on my Linux server (Ubuntu 10.04 LTS) which has a real cert signed by a real CA.

I'm running GlassFish V3 and I ran the update tool on both machines to make sure nothing was out of date.

Any help would be appreciated!

Thanks,
Jamie

By the way, I'm getting the exact same stack trace as the OP.


Ryan Lubke

On 6/16/10 5:24 AM, webtier@javadesktop.org wrote:
> I am trying to configure Glassfish v3 to limit the acceptable SSL cipher suites that a client can use to establish an SSL (TLS) connection with a web service available at port 8181 - which corresponds to the network listener "http-listener-2".
> [...]
> Can somebody tell me what I'm doing wrong?
>
I'll take a look and get back with you asap.
> [Message sent by forum member 'davidwarren']
>
> http://forums.java.net/jive/thread.jspa?messageID=474475
>

---------------------------------------------------------------------
To unsubscribe, e-mail: webtier-unsubscribe@glassfish.dev.java.net
For additional commands, e-mail: webtier-help@glassfish.dev.java.net

Ryan Lubke

Sorry for the delay. It appears to be an issue with the admin gui.

I've logged an issue [1] to track the problem.

[1] https://glassfish.dev.java.net/issues/show_bug.cgi?id=12289

The quick/dirty workaround is to remove the '+' from the beginning of
each of the cipher names.

On 6/16/10 8:02 PM, Ryan Lubke wrote:
> On 6/16/10 5:24 AM, webtier@javadesktop.org wrote:
>> After saving these changes, the tag for http-listener-2 in domain.xml looks like this:
>>
>> <ssl ssl3-tls-ciphers="+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
>> ssl3-enabled="false" cert-nickname="s1as" />
>>
>> However, after I limit the allowable cipher suites, I can no longer connect to anything on port 8181.
>> [...]
> I'll take a look and get back with you asap.
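The workaround above (drop the '+' that the admin console writes in front of each suite name), applied and checked programmatically. This is an added example, not code from the GlassFish project or from anyone in this thread. It assumes that the ssl3-tls-ciphers attribute sits on an <ssl> element nested under a <protocol> element in domain.xml; the constructed SAMPLE_DOMAIN_XML copies the attribute values the original poster quoted, but the surrounding nesting is assumed. The script strips the prefixes, refuses to write back a listener whose attribute is set but resolves to no suites at all (the trace above shows SSLEngineImpl.setEnabledCipherSuites being handed null, which is the failure this thread is about), and lints the remaining names against the poster's stated goal of AES-256 only, flagging suites that are obviously weak.

```python
"""Normalise and lint the ssl3-tls-ciphers attribute in a GlassFish v3 domain.xml.

Added example for this thread, not GlassFish code. The <protocol>/<ssl> nesting
in the sample below is assumed; the attribute values come from the thread.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample fragment (not a real file from the thread). The <ssl>
# attribute values are the ones the original poster's admin console wrote out.
SAMPLE_DOMAIN_XML = """\
<domain>
  <configs>
    <config name="server-config">
      <network-config>
        <protocols>
          <protocol name="http-listener-2" security-enabled="true">
            <http default-virtual-server="server" max-connections="250"/>
            <ssl ssl3-tls-ciphers="+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
                 ssl3-enabled="false" cert-nickname="s1as"/>
          </protocol>
        </protocols>
      </network-config>
    </config>
  </configs>
</domain>
"""

# JSSE suite names are upper-case tokens starting with TLS_ or SSL_.
SUITE_NAME = re.compile(r"^(?:TLS|SSL)_[A-Z0-9_]+$")

# Markers of suites that a deliberately restricted listener should never carry.
WEAK_MARKERS = ("_NULL_", "_EXPORT", "_anon_", "_RC4_", "_DES_", "_MD5")


def parse_cipher_attr(value):
    """Split an ssl3-tls-ciphers value into bare suite names.

    The admin console prefixes each selected suite with '+', which JSSE does not
    understand; strip it so the names match SSLEngine.getSupportedCipherSuites().
    """
    names = []
    for raw in value.split(","):
        name = raw.strip()
        if name.startswith("+"):
            name = name[1:]
        if name:
            names.append(name)
    return names


def lint_suites(names, require=None):
    """Return (suite, reason) problems for a parsed suite list.

    require: substring every suite must contain, e.g. "_AES_256_" for the
    poster's goal of forcing AES-256.
    """
    problems = []
    seen = set()
    for name in names:
        if not SUITE_NAME.match(name):
            problems.append((name, "not a JSSE-style suite name"))
            continue
        if name in seen:
            problems.append((name, "duplicate entry"))
        seen.add(name)
        for marker in WEAK_MARKERS:
            if marker in name:
                problems.append((name, "weak suite (%s)" % marker.strip("_")))
                break
        if require and require not in name:
            problems.append((name, "does not match required %s" % require))
    return problems


def fix_domain_xml(xml_text, require=None):
    """Rewrite every <ssl ssl3-tls-ciphers=...> without the '+' prefixes.

    Returns (new_xml, report); report lists, per protocol, the normalised suites
    and any lint problems. Raises ValueError if the attribute is present but
    yields no suites, since an empty list is what breaks the listener.
    """
    root = ET.fromstring(xml_text)
    report = []
    for protocol in root.iter("protocol"):
        ssl = protocol.find("ssl")
        if ssl is None or "ssl3-tls-ciphers" not in ssl.attrib:
            continue  # absent attribute means "all suites", which works
        suites = parse_cipher_attr(ssl.get("ssl3-tls-ciphers"))
        if not suites:
            raise ValueError("%s: ssl3-tls-ciphers is set but lists no suites"
                             % protocol.get("name"))
        ssl.set("ssl3-tls-ciphers", ",".join(suites))
        report.append((protocol.get("name"), suites, lint_suites(suites, require)))
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    fixed, report = fix_domain_xml(SAMPLE_DOMAIN_XML, require="_AES_256_")
    for listener, suites, problems in report:
        print(listener, "->", ", ".join(suites))
        for suite, reason in problems:
            print("  WARN", suite, reason)
    print(fixed)
```

Run it against a copy of domain.xml, diff the result, and restart the domain, since GlassFish reads domain.xml at startup. Then confirm from outside that the restriction actually holds rather than trusting the config: openssl s_client -connect host:8181 -cipher AES256-SHA (OpenSSL's name for TLS_RSA_WITH_AES_256_CBC_SHA) should complete a handshake, while -cipher AES128-SHA should be refused.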

davidwarren
Joined: 2010-03-05

Thanks. Removing the + from in front of the cipher suite names in the element in domain.xml worked for me.