Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-91-generic x86_64)Jetty 9.3.8.v20160314 lehnt TLSv1 und TLSv1.1 aber nicht TLSv1.2 Verbindungen
java version "1.8.0_91" Java (TM) SE Runtime Environment (build 1.8.0_91-b14) HotSpot Java (TM) 64-Bit-Server VM (build 25,91-b14, mixed mode)
Anlegestelle 9.3.8.v2016031 Verbinder wie nachstehend konfiguriert :
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath(sslKeystore);
sslContextFactory.setKeyStorePassword(SystemUtils.getEnvOrThrow("SERVER_SSL_PASSWORD"));
sslContextFactory.setKeyManagerPassword(SystemUtils.getEnvOrThrow("SERVER_SSL_KEY_PASSWORD"));
HttpConfiguration https_config = new HttpConfiguration();
https_config.setOutputBufferSize(32768);
https_config.addCustomizer(new SecureRequestCustomizer());
ServerConnector https = new ServerConnector(
server,
new SslConnectionFactory(sslContextFactory, "http/1.1"),
new HttpConnectionFactory(https_config));
https.setPort(Integer.valueOf(SystemUtils.getEnvOrThrow("SERVER_SSL_PORT")));
https.setIdleTimeout(60000);
server.setConnectors(new Connector[] { https });
ich kann TLSv1.2 Verbindungen herstellen:
curl -X "GET" "https://<hidden_hostname>/some/path" -v --tlsv1.2
* Connected to <hidden_hostname> (123.45.67.890) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
aber wenn ich versuche TLSv1.0 oder TLSv1.1 bekomme ich diese:
curl -X "GET" "https://<hidden_hostname>/some/path" -v --tlsv1.0
* Connected to <hidden_hostname> (123.45.67.890) port 443 (#0)
* Server aborted the SSL handshake
Liste der aktiviert und unterstützten Protokolle ist:
Enabled protocol: SSLv2Hello
Enabled protocol: TLSv1
Enabled protocol: TLSv1.1
Enabled protocol: TLSv1.2
Supported protocol: SSLv2Hello
Supported protocol: SSLv3
Supported protocol: TLSv1
Supported protocol: TLSv1.1
Supported protocol: TLSv1.2
Und ich weiß nicht, wo das Problem liegt. Ich habe einige Clients, die nichts anderes als TLSv1.0 verwenden können.
Update 1 - hinzugefügt sslscan Ausgang
Failed SSLv3 256 bits ECDHE-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDHE-RSA-AES256-SHA384
Failed SSLv3 256 bits ECDHE-ECDSA-AES256-SHA384
Rejected SSLv3 256 bits ECDHE-RSA-AES256-SHA
Rejected SSLv3 256 bits ECDHE-ECDSA-AES256-SHA
Failed SSLv3 256 bits SRP-DSS-AES-256-CBC-SHA
Failed SSLv3 256 bits SRP-RSA-AES-256-CBC-SHA
Failed SSLv3 256 bits SRP-AES-256-CBC-SHA
Failed SSLv3 256 bits DHE-DSS-AES256-GCM-SHA384
Failed SSLv3 256 bits DHE-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits DHE-RSA-AES256-SHA256
Failed SSLv3 256 bits DHE-DSS-AES256-SHA256
Rejected SSLv3 256 bits DHE-RSA-AES256-SHA
Rejected SSLv3 256 bits DHE-DSS-AES256-SHA
Rejected SSLv3 256 bits DHE-RSA-CAMELLIA256-SHA
Rejected SSLv3 256 bits DHE-DSS-CAMELLIA256-SHA
Rejected SSLv3 256 bits AECDH-AES256-SHA
Failed SSLv3 256 bits ADH-AES256-GCM-SHA384
Failed SSLv3 256 bits ADH-AES256-SHA256
Rejected SSLv3 256 bits ADH-AES256-SHA
Rejected SSLv3 256 bits ADH-CAMELLIA256-SHA
Failed SSLv3 256 bits ECDH-RSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDH-ECDSA-AES256-GCM-SHA384
Failed SSLv3 256 bits ECDH-RSA-AES256-SHA384
Failed SSLv3 256 bits ECDH-ECDSA-AES256-SHA384
Rejected SSLv3 256 bits ECDH-RSA-AES256-SHA
Rejected SSLv3 256 bits ECDH-ECDSA-AES256-SHA
Failed SSLv3 256 bits AES256-GCM-SHA384
Failed SSLv3 256 bits AES256-SHA256
Rejected SSLv3 256 bits AES256-SHA
Rejected SSLv3 256 bits CAMELLIA256-SHA
Failed SSLv3 256 bits PSK-AES256-CBC-SHA
Rejected SSLv3 168 bits ECDHE-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDHE-ECDSA-DES-CBC3-SHA
Failed SSLv3 168 bits SRP-DSS-3DES-EDE-CBC-SHA
Failed SSLv3 168 bits SRP-RSA-3DES-EDE-CBC-SHA
Failed SSLv3 168 bits SRP-3DES-EDE-CBC-SHA
Rejected SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits EDH-DSS-DES-CBC3-SHA
Rejected SSLv3 168 bits AECDH-DES-CBC3-SHA
Rejected SSLv3 168 bits ADH-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDH-RSA-DES-CBC3-SHA
Rejected SSLv3 168 bits ECDH-ECDSA-DES-CBC3-SHA
Rejected SSLv3 168 bits DES-CBC3-SHA
Failed SSLv3 168 bits PSK-3DES-EDE-CBC-SHA
Failed SSLv3 128 bits ECDHE-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDHE-ECDSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDHE-RSA-AES128-SHA256
Failed SSLv3 128 bits ECDHE-ECDSA-AES128-SHA256
Rejected SSLv3 128 bits ECDHE-RSA-AES128-SHA
Rejected SSLv3 128 bits ECDHE-ECDSA-AES128-SHA
Failed SSLv3 128 bits SRP-DSS-AES-128-CBC-SHA
Failed SSLv3 128 bits SRP-RSA-AES-128-CBC-SHA
Failed SSLv3 128 bits SRP-AES-128-CBC-SHA
Failed SSLv3 128 bits DHE-DSS-AES128-GCM-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits DHE-RSA-AES128-SHA256
Failed SSLv3 128 bits DHE-DSS-AES128-SHA256
Rejected SSLv3 128 bits DHE-RSA-AES128-SHA
Rejected SSLv3 128 bits DHE-DSS-AES128-SHA
Rejected SSLv3 128 bits DHE-RSA-SEED-SHA
Rejected SSLv3 128 bits DHE-DSS-SEED-SHA
Rejected SSLv3 128 bits DHE-RSA-CAMELLIA128-SHA
Rejected SSLv3 128 bits DHE-DSS-CAMELLIA128-SHA
Rejected SSLv3 128 bits AECDH-AES128-SHA
Failed SSLv3 128 bits ADH-AES128-GCM-SHA256
Failed SSLv3 128 bits ADH-AES128-SHA256
Rejected SSLv3 128 bits ADH-AES128-SHA
Rejected SSLv3 128 bits ADH-SEED-SHA
Rejected SSLv3 128 bits ADH-CAMELLIA128-SHA
Failed SSLv3 128 bits ECDH-RSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDH-ECDSA-AES128-GCM-SHA256
Failed SSLv3 128 bits ECDH-RSA-AES128-SHA256
Failed SSLv3 128 bits ECDH-ECDSA-AES128-SHA256
Rejected SSLv3 128 bits ECDH-RSA-AES128-SHA
Rejected SSLv3 128 bits ECDH-ECDSA-AES128-SHA
Failed SSLv3 128 bits AES128-GCM-SHA256
Failed SSLv3 128 bits AES128-SHA256
Rejected SSLv3 128 bits AES128-SHA
Rejected SSLv3 128 bits SEED-SHA
Rejected SSLv3 128 bits CAMELLIA128-SHA
Failed SSLv3 128 bits PSK-AES128-CBC-SHA
Rejected SSLv3 128 bits ECDHE-RSA-RC4-SHA
Rejected SSLv3 128 bits ECDHE-ECDSA-RC4-SHA
Rejected SSLv3 128 bits AECDH-RC4-SHA
Rejected SSLv3 128 bits ADH-RC4-MD5
Rejected SSLv3 128 bits ECDH-RSA-RC4-SHA
Rejected SSLv3 128 bits ECDH-ECDSA-RC4-SHA
Rejected SSLv3 128 bits RC4-SHA
Rejected SSLv3 128 bits RC4-MD5
Failed SSLv3 128 bits PSK-RC4-SHA
Rejected SSLv3 56 bits EDH-RSA-DES-CBC-SHA
Rejected SSLv3 56 bits EDH-DSS-DES-CBC-SHA
Rejected SSLv3 56 bits ADH-DES-CBC-SHA
Rejected SSLv3 56 bits DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-EDH-DSS-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-ADH-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-DES-CBC-SHA
Rejected SSLv3 40 bits EXP-RC2-CBC-MD5
Rejected SSLv3 40 bits EXP-ADH-RC4-MD5
Rejected SSLv3 40 bits EXP-RC4-MD5
Rejected SSLv3 0 bits ECDHE-RSA-NULL-SHA
Rejected SSLv3 0 bits ECDHE-ECDSA-NULL-SHA
Rejected SSLv3 0 bits AECDH-NULL-SHA
Rejected SSLv3 0 bits ECDH-RSA-NULL-SHA
Rejected SSLv3 0 bits ECDH-ECDSA-NULL-SHA
Failed SSLv3 0 bits NULL-SHA256
Rejected SSLv3 0 bits NULL-SHA
Rejected SSLv3 0 bits NULL-MD5
Failed TLSv1 256 bits ECDHE-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDHE-RSA-AES256-SHA384
Failed TLSv1 256 bits ECDHE-ECDSA-AES256-SHA384
Rejected TLSv1 256 bits ECDHE-RSA-AES256-SHA
Rejected TLSv1 256 bits ECDHE-ECDSA-AES256-SHA
Failed TLSv1 256 bits SRP-DSS-AES-256-CBC-SHA
Failed TLSv1 256 bits SRP-RSA-AES-256-CBC-SHA
Failed TLSv1 256 bits SRP-AES-256-CBC-SHA
Failed TLSv1 256 bits DHE-DSS-AES256-GCM-SHA384
Failed TLSv1 256 bits DHE-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits DHE-RSA-AES256-SHA256
Failed TLSv1 256 bits DHE-DSS-AES256-SHA256
Rejected TLSv1 256 bits DHE-RSA-AES256-SHA
Rejected TLSv1 256 bits DHE-DSS-AES256-SHA
Rejected TLSv1 256 bits DHE-RSA-CAMELLIA256-SHA
Rejected TLSv1 256 bits DHE-DSS-CAMELLIA256-SHA
Rejected TLSv1 256 bits AECDH-AES256-SHA
Failed TLSv1 256 bits ADH-AES256-GCM-SHA384
Failed TLSv1 256 bits ADH-AES256-SHA256
Rejected TLSv1 256 bits ADH-AES256-SHA
Rejected TLSv1 256 bits ADH-CAMELLIA256-SHA
Failed TLSv1 256 bits ECDH-RSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDH-ECDSA-AES256-GCM-SHA384
Failed TLSv1 256 bits ECDH-RSA-AES256-SHA384
Failed TLSv1 256 bits ECDH-ECDSA-AES256-SHA384
Rejected TLSv1 256 bits ECDH-RSA-AES256-SHA
Rejected TLSv1 256 bits ECDH-ECDSA-AES256-SHA
Failed TLSv1 256 bits AES256-GCM-SHA384
Failed TLSv1 256 bits AES256-SHA256
Rejected TLSv1 256 bits AES256-SHA
Rejected TLSv1 256 bits CAMELLIA256-SHA
Failed TLSv1 256 bits PSK-AES256-CBC-SHA
Rejected TLSv1 168 bits ECDHE-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDHE-ECDSA-DES-CBC3-SHA
Failed TLSv1 168 bits SRP-DSS-3DES-EDE-CBC-SHA
Failed TLSv1 168 bits SRP-RSA-3DES-EDE-CBC-SHA
Failed TLSv1 168 bits SRP-3DES-EDE-CBC-SHA
Rejected TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits EDH-DSS-DES-CBC3-SHA
Rejected TLSv1 168 bits AECDH-DES-CBC3-SHA
Rejected TLSv1 168 bits ADH-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDH-RSA-DES-CBC3-SHA
Rejected TLSv1 168 bits ECDH-ECDSA-DES-CBC3-SHA
Rejected TLSv1 168 bits DES-CBC3-SHA
Failed TLSv1 168 bits PSK-3DES-EDE-CBC-SHA
Failed TLSv1 128 bits ECDHE-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDHE-ECDSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDHE-RSA-AES128-SHA256
Failed TLSv1 128 bits ECDHE-ECDSA-AES128-SHA256
Rejected TLSv1 128 bits ECDHE-RSA-AES128-SHA
Rejected TLSv1 128 bits ECDHE-ECDSA-AES128-SHA
Failed TLSv1 128 bits SRP-DSS-AES-128-CBC-SHA
Failed TLSv1 128 bits SRP-RSA-AES-128-CBC-SHA
Failed TLSv1 128 bits SRP-AES-128-CBC-SHA
Failed TLSv1 128 bits DHE-DSS-AES128-GCM-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits DHE-RSA-AES128-SHA256
Failed TLSv1 128 bits DHE-DSS-AES128-SHA256
Rejected TLSv1 128 bits DHE-RSA-AES128-SHA
Rejected TLSv1 128 bits DHE-DSS-AES128-SHA
Rejected TLSv1 128 bits DHE-RSA-SEED-SHA
Rejected TLSv1 128 bits DHE-DSS-SEED-SHA
Rejected TLSv1 128 bits DHE-RSA-CAMELLIA128-SHA
Rejected TLSv1 128 bits DHE-DSS-CAMELLIA128-SHA
Rejected TLSv1 128 bits AECDH-AES128-SHA
Failed TLSv1 128 bits ADH-AES128-GCM-SHA256
Failed TLSv1 128 bits ADH-AES128-SHA256
Rejected TLSv1 128 bits ADH-AES128-SHA
Rejected TLSv1 128 bits ADH-SEED-SHA
Rejected TLSv1 128 bits ADH-CAMELLIA128-SHA
Failed TLSv1 128 bits ECDH-RSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDH-ECDSA-AES128-GCM-SHA256
Failed TLSv1 128 bits ECDH-RSA-AES128-SHA256
Failed TLSv1 128 bits ECDH-ECDSA-AES128-SHA256
Rejected TLSv1 128 bits ECDH-RSA-AES128-SHA
Rejected TLSv1 128 bits ECDH-ECDSA-AES128-SHA
Failed TLSv1 128 bits AES128-GCM-SHA256
Failed TLSv1 128 bits AES128-SHA256
Rejected TLSv1 128 bits AES128-SHA
Rejected TLSv1 128 bits SEED-SHA
Rejected TLSv1 128 bits CAMELLIA128-SHA
Failed TLSv1 128 bits PSK-AES128-CBC-SHA
Rejected TLSv1 128 bits ECDHE-RSA-RC4-SHA
Rejected TLSv1 128 bits ECDHE-ECDSA-RC4-SHA
Rejected TLSv1 128 bits AECDH-RC4-SHA
Rejected TLSv1 128 bits ADH-RC4-MD5
Rejected TLSv1 128 bits ECDH-RSA-RC4-SHA
Rejected TLSv1 128 bits ECDH-ECDSA-RC4-SHA
Rejected TLSv1 128 bits RC4-SHA
Rejected TLSv1 128 bits RC4-MD5
Failed TLSv1 128 bits PSK-RC4-SHA
Rejected TLSv1 56 bits EDH-RSA-DES-CBC-SHA
Rejected TLSv1 56 bits EDH-DSS-DES-CBC-SHA
Rejected TLSv1 56 bits ADH-DES-CBC-SHA
Rejected TLSv1 56 bits DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-EDH-DSS-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-ADH-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-DES-CBC-SHA
Rejected TLSv1 40 bits EXP-RC2-CBC-MD5
Rejected TLSv1 40 bits EXP-ADH-RC4-MD5
Rejected TLSv1 40 bits EXP-RC4-MD5
Rejected TLSv1 0 bits ECDHE-RSA-NULL-SHA
Rejected TLSv1 0 bits ECDHE-ECDSA-NULL-SHA
Rejected TLSv1 0 bits AECDH-NULL-SHA
Rejected TLSv1 0 bits ECDH-RSA-NULL-SHA
Rejected TLSv1 0 bits ECDH-ECDSA-NULL-SHA
Failed TLSv1 0 bits NULL-SHA256
Rejected TLSv1 0 bits NULL-SHA
Rejected TLSv1 0 bits NULL-MD5
Update 2 - detailliertere curl Ausgabe
* Hostname was NOT found in DNS cache
* Trying 123.45.67.890...
* Connected to <hidden_hostname> (123.45.67.890) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to <hidden_hostname>:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to <hidden_hostname>:443
Ja, ich bin mir dessen bewusst das Risiko mit diesem Ansatz. Danke für Ihre Hilfe. Ich werde es versuchen und ich werde es euch wissen lassen. – aguyngueran
Als schnelle Lösung habe ich sslContextFactory.setExcludeCipherSuites() hinzugefügt und es funktioniert. In Zukunft werde ich versuchen, die Clients zu aktualisieren. Vielen Dank. – aguyngueran