
JMX and SSL - result : no cipher suites in common

No replies
peterB007
Joined: 2012-02-16

Hello

I tried to learn things about JMX technology and followed these instructions

http://docs.oracle.com/javase/tutorial/jmx/mbeans/standard.html (I downloaded exactly the example from this page) and tried to connect over SSL following these instructions http://docs.oracle.com/javase/6/docs/technotes/guides/management/agent.h....

Everything went fine until I started to play with SSL.

Here is how I generated SSL certificates:

1. generate certificate on server side:

keytool -genkey -alias serverkey -keyalg RSA -keypass psw -storepass psw -keystore c:\install\ssl\keystore.jks

2. export certificate file on server side:

keytool -export -alias serverkey -storepass psw -file c:\server.cer -keystore c:\install\ssl\keystore.jks

3. generate certificate on client side:

keytool -genkey -alias clientkey -keyalg RSA -keypass psw -storepass psw -keystore c:\install\ssl\keystore.jks

4. export certificate file on client side:

keytool export -alias clientkey -storepass psw -file c:\client.cer -keystore c:\install\ssl\keystore.jks

5. import client certificate file on server side

keytool -import -v -trustcacerts -alias clientkey -file c:\client.cer -keystore c:\install\ssl\cacerts.jks -keypass psw-storepass psw

6. import server certificate file on client side

keytool -import -v -trustcacerts -alias serverkey -file c:\server.cer -keystore c:\install\ssl\cacerts.jks -keypass psw -storepass psw

After this I ran the server with the following JVM options:

java -Dcom.sun.management.jmxremote.port=9999 -Dcom.sun.management.jmxremote.ssl=true -Djavax.net.ssl.keyStore=c:\Install\ssl\cacerts.jks -Djavax.net.ssl.keyStoreType=JKS -Djavax.net.ssl.keyStorePassword=psw-Djavax.net.ssl.trustStore=c:\Install\ssl\cacerts.jks -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStorePassword=psw-Djavax.net.debug=ssl -jar JmxApp1.jar

After this I ran the client with the following JVM options:

-Djavax.net.ssl.keyStore=c:\Install\ssl\cacerts.jks -Djavax.net.ssl.keyStoreType=JKS -Djavax.net.ssl.keyStorePassword=psw -Djavax.net.ssl.trustStore=c:\Install\ssl\cacerts.jks -Djavax.net.ssl.trustStoreType=JKS -Djavax.net.ssl.trustStorePassword=psw -Djavax.net.debug=ssl

And the result on client side:

main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Exception in thread "main" java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:286)
at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:184)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:110)
at javax.management.remote.rmi.RMIServerImpl_Stub.newClient(Unknown Source)
at javax.management.remote.rmi.RMIConnector.getConnection(RMIConnector.java:2327)
at javax.management.remote.rmi.RMIConnector.connect(RMIConnector.java:277)
at javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:248)
at com.example.Client.main(Client.java:76)
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1806)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:986)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1170)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:637)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:89)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.DataOutputStream.flush(DataOutputStream.java:106)
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:211)
... 7 more

On the server side (it is too long, so here is only part):

Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH
_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC
_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_
DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SH
A, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_
WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WI
TH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
RMI TCP Connection(4)-192.168.1.86, setSoTimeout(7200000) called
RMI TCP Connection(3)-192.168.1.86, SEND TLSv1 ALERT: fatal, description = hand
shake_failure
RMI TCP Connection(4)-192.168.1.86, READ: SSL v2, contentType = Handshake, tran
slated length = 75
RMI TCP Connection(3)-192.168.1.86, WRITE: TLSv1 Alert, length = 2
*** ClientHello, TLSv1
RandomCookie: GMT: 1330890827 bytes = { 179, 201, 139, 196, 180, 189, 83, 153,
222, 120, 107, 84, 30, 9, 22, 67, 8, 165, 205, 205, 6, 63, 221, 182, 230, 158, 5
2, 209 }
Session ID: {}
RMI TCP Connection(3)-192.168.1.86, called closeSocket()
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH
_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC
_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_
DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SH
A, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_
WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WI
TH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
***
RMI TCP Connection(3)-192.168.1.86, handling exception: javax.net.ssl.SSLHandsha
keException: no cipher suites in common
RMI TCP Connection(4)-192.168.1.86, SEND TLSv1 ALERT: fatal, description = hand
shake_failure
RMI TCP Connection(3)-192.168.1.86, called close()
RMI TCP Connection(4)-192.168.1.86, WRITE: TLSv1 Alert, length = 2
RMI TCP Connection(3)-192.168.1.86, called closeInternal(true)
RMI TCP Connection(4)-192.168.1.86, called closeSocket()
RMI TCP Connection(4)-192.168.1.86, handling exception: javax.net.ssl.SSLHandsha
keException: no cipher suites in common
RMI TCP Connection(4)-192.168.1.86, called close()
RMI TCP Connection(4)-192.168.1.86, called closeInternal(true)

But the main problem is

RMI TCP Connection(4)-192.168.1.86, handling exception: javax.net.ssl.SSLHandsha
keException: no cipher suites in common

No idea what to do next? Do you have any clue?

Thanks a lot
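
An added example, not part of the original post: a small Java check that lists what each alias in a JKS file actually is. A JSSE server whose `javax.net.ssl.keyStore` contains only trusted-certificate entries has no private key to present, so it cannot use any of the RSA or DSS suites offered and logs `no cipher suites in common`; in the steps above the key pairs go into keystore.jks, while the JVM options point `keyStore` at cacerts.jks. The class name `KeyStoreEntryCheck` and its two command-line arguments are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;

// Hypothetical helper (not from the post): classify every alias in a JKS file.
public class KeyStoreEntryCheck {

    // Prints each alias with its entry type and returns the number of key entries.
    static int countKeyEntries(KeyStore ks) throws Exception {
        int keys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            String alg = (cert == null) ? "unknown" : cert.getPublicKey().getAlgorithm();
            if (ks.isKeyEntry(alias)) {
                // Private key plus certificate chain: usable as a TLS identity.
                keys++;
                System.out.println(alias + ": key entry (" + alg + "), usable as javax.net.ssl.keyStore");
            } else if (ks.isCertificateEntry(alias)) {
                // Public certificate only: good for trust decisions, not for authentication.
                System.out.println(alias + ": trusted certificate (" + alg + "), trust store use only");
            }
        }
        return keys;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java KeyStoreEntryCheck <store.jks> <storepass>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        int keys = countKeyEntries(ks);
        if (keys == 0) {
            // A server started with this file as its key store cannot negotiate
            // any certificate-based suite and fails the handshake.
            System.out.println("No private key entry found: this file can only act as a trust store.");
            System.exit(1);
        }
        System.out.println(keys + " key entry/entries found.");
    }
}
```

Run it once against each file named in the JVM options; the file passed as `javax.net.ssl.keyStore` must report at least one key entry whose algorithm matches the suites in the ClientHello.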