#3030 DHE-RSA-AES*-SHA* don't function
Closed: migrated 3 years ago by dmoluguw. Opened 5 years ago by slev.

After installing the PKI system I can't browse to the web page with Firefox at https://slipadc.slipa.sltest:8443/.
The error:

"Peer reports it experienced an internal error. Error code: SSL_ERROR_INTERNAL_ERROR_ALERT"

My environment:

cat /etc/os-release
NAME="ALT Server"
pki --version
PKI Command-Line Interface 10.6.1-alt1.S1
java -version
openjdk version "1.8.0_144"
OpenJDK Runtime Environment (build 1.8.0_144-b01)
OpenJDK 64-Bit Server VM (build 25.144-b01, mixed mode)

openjdk is packaged without the sun.security.ec.SunEC provider.

rpm -q tomcat
tomcat-8.5.29-alt1_1jpp8.noarch

rpm -q tomcatjss
tomcatjss-7.3.0-alt1.S1.noarch

rpm -q jss
jss-4.4.3-alt1.S1.x86_64

So, these are the ciphers supported by PKI:

DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA256

of which, for example, my Firefox (52.8.0) supports these two, and they fail:

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)

The issue can be reproduced using curl:

curl -vk --ciphers DHE-RSA-AES256-SHA256 https://slipadc.slipa.sltest:8443/ca/
...
curl: (56) OpenSSL SSL_read: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error, errno 0

The DHE-RSA-AES*-GCM-SHA* ciphers are OK for curl, but are not supported by FF.
Exactly the same problem with DHE-RSA-AES*-SHA* occurs on Fedora 28:

curl -k --ciphers DHE-RSA-AES256-SHA256 https://fedoradc.fedoraslev.slevtest:8443/ca/
curl: (56) OpenSSL SSL_read: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error, errno 0

Where can the problem be?
How can I debug and fix it?
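As an added diagnostic example (not Dogtag PKI, tomcatjss or JSS code, and not part of the report above), the following Python script does what the curl commands in the report do, but for every suite in the server's list at once: it pins TLS 1.2, offers exactly one cipher suite per connection, and tells apart a suite the server refuses outright from one the server accepts and then aborts with the internal-error alert that Firefox and curl both show. The host and port are assumptions taken from the report; the IANA names are the standard registry names for the OpenSSL names the reporter lists.

```python
"""Probe a TLS endpoint one cipher suite at a time and classify the outcome.

Added diagnostic example, not Dogtag/JSS code. The host, port and cipher list
below are assumptions taken from the bug report this example accompanies.
"""
import socket
import ssl

# OpenSSL names the reporter lists as enabled on the PKI server, paired with
# the IANA names a browser's error console or a packet capture would show.
OPENSSL_TO_IANA = {
    "DHE-RSA-AES128-GCM-SHA256": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "DHE-RSA-AES128-SHA": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "DHE-RSA-AES128-SHA256": "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "DHE-RSA-AES256-GCM-SHA384": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "DHE-RSA-AES256-SHA": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "DHE-RSA-AES256-SHA256": "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
}


def classify(error):
    """Map a handshake failure (exception or its message) to a coarse verdict.

    INTERNAL_ERROR: the server chose the suite and then sent an internal-error
                    alert, i.e. the failure is inside the server's TLS stack.
    REFUSED:        the server would not negotiate the suite at all.
    OTHER:          anything else (protocol version, certificate, ...).
    """
    msg = str(error).lower()
    if "internal error" in msg:
        return "INTERNAL_ERROR"
    if "handshake failure" in msg or "no shared cipher" in msg:
        return "REFUSED"
    return "OTHER"


def probe(host, port, cipher, timeout=5.0):
    """Connect once offering only `cipher`; return (verdict, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Lab deployment with its own CA: we are diagnosing negotiation, not trust.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Pin TLS 1.2 so the single suite we offer is actually what gets negotiated
    # (TLS 1.3 ignores the legacy cipher string entirely).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return ("NOT_IN_LOCAL_OPENSSL", cipher)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, version, bits = tls.cipher()
                return ("OK", f"negotiated {name} ({version}, {bits} bits)")
    except ssl.SSLError as exc:          # must precede OSError: SSLError is a subclass
        return (classify(exc), str(exc))
    except OSError as exc:
        return ("NETWORK", str(exc))


def report(host, port, ciphers):
    """Probe every suite and return {openssl_name: (verdict, detail)}."""
    return {c: probe(host, port, c) for c in ciphers}


if __name__ == "__main__":
    # Assumed target, copied from the report above.
    HOST, PORT = "slipadc.slipa.sltest", 8443
    for name, (verdict, detail) in report(HOST, PORT, OPENSSL_TO_IANA).items():
        print(f"{verdict:<20} {name:<28} {OPENSSL_TO_IANA[name]}")
        if verdict != "OK":
            print(f"{'':<20}   {detail}")
```

Run against the deployment being debugged; a row of INTERNAL_ERROR on the CBC suites next to OK on the GCM suites reproduces the report's pattern and shows the fault is in the server's handling of the suite after it has been selected, rather than in the cipher list the server advertises.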


Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

5 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/3148

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
