I am using Spring Boot 1.2.2 and JDK1.8.0.40. I have specified the SSL cipher suite as SSL_RSA_WITH_3DES_EDE_CBC_SHA and also imported the cer file into the keystore.

When I run my project, I set the JVM arguments as follows:

-Djavax.net.debug=all -Djavax.net.ssl.keyStore=/java_home/jre/lib/security/cacerts -Djava.net.keyStorePassword=changeit

But I always get

handing exception:javax.net.ssl.SSLHandshakeException: No appropriate protocol(protocol is disabled or cipher suites are inappropriate)
SEND TLSv1.2 ALERT: fatal, description = handshake_failure
WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 02 28       ......(
called closeSocket()
com.ibm.msg.client.jms.DetailedJMSException: JMSWMQ0018: Failed to connect to queue manager 'XXXX' with connection mode 'Client' and host name 'xxx.xxx.com(xxxxx)'.

Indeed, I have tried several things to fix the issue, such as:

  1. Replaced the JCE jars to get unlimited encryption
  2. Imported the cer file into the jks
  3. Specified the jks path in the JVM arguments
  4. Used a matching SSL cipher suite
  5. Used an SSL channel

But I still fail on the handshake, and the error logs are the same as above.

Or do I need to generate the cer from my machine and upload it to the server? Could you kindly give some advice?

2 Answers

1

SSL_RSA_WITH_3DES_EDE_CBC_SHA is an SSL 3 cipher suite. SSL 3 is insecure and disabled by default in Java 8. Is there any reason why you're using a cipher suite for an insecure protocol?

If you want to stick to a single cipher suite, you can pick one that Java 8 supports.

1
  • Yes, I commented out jdk.tls.disabledAlgorithms=SSLv3 and got many SSL logs. I can see there's a "no_certificate" warning in the ServerHelloDone section. And there are some logs such as WRITE: SSLv3 Application Data. READ: SSLv3 Application Data. But the socket was closed very quickly and I still cannot get data from MQ.
    – Qilin Lou
    Commented Jun 9, 2017 at 1:51
1

New JDK versions keep on updating the minimal security level, which is good. But it's not always easy (or possible) to keep these protocol restrictions up-to-date on all components involved.

The best way is really to pick a cipher suite that is supported.

But if you are in development (and know what you are doing) you can, for testing, remove this restriction by editing your JDK's jre\lib\security\java.security file.

Search for jdk.tls.disabledAlgorithms and remove or edit the restrictions:

# previously: 
# jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
jdk.tls.disabledAlgorithms=MD5withRSA, DH keySize < 768
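
Both answers recommend picking a cipher suite that the JVM supports. The following diagnostic is an added example, not code from the question or either answer: it asks the running JVM which protocols and suites its default TLS configuration offers and whether a named suite is among them. The class name `CipherSuiteCheck` is hypothetical, and the default suite name is the one from the question.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name): reports whether a cipher suite
// is offered by this JVM's default TLS configuration.
public class CipherSuiteCheck {

    // "supported" = implemented by the provider; "enabled" = offered by default.
    static String describe(String suite, List<String> supported, List<String> enabled) {
        if (enabled.contains(suite)) {
            return "enabled by default";
        }
        if (supported.contains(suite)) {
            return "supported but not enabled by default";
        }
        return "not supported by this JVM";
    }

    public static void main(String[] args) throws Exception {
        // Suite from the question; pass another name as the first argument.
        String suite = args.length > 0 ? args[0] : "SSL_RSA_WITH_3DES_EDE_CBC_SHA";

        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        List<String> supportedSuites = Arrays.asList(supported.getCipherSuites());
        List<String> enabledSuites = Arrays.asList(enabled.getCipherSuites());

        System.out.println("java.version              = " + System.getProperty("java.version"));
        // The security property edited in java.security, as the JVM sees it.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("supported protocols        = "
                + Arrays.toString(supported.getProtocols()));
        System.out.println("enabled protocols          = "
                + Arrays.toString(enabled.getProtocols()));
        System.out.println(suite + ": " + describe(suite, supportedSuites, enabledSuites));

        // Candidates to agree on with the server side instead of weakening the JVM.
        System.out.println("Suites enabled by default:");
        for (String s : enabledSuites) {
            System.out.println("  " + s);
        }
    }
}
```

Run it with the same JVM and the same `java.security` file that the application uses, since the result depends on both.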
