After installing the PKI system I can't browse to the web page https://slipadc.slipa.sltest:8443/ with Firefox. The error is:
"Peer reports it experienced an internal error. Error code: SSL_ERROR_INTERNAL_ERROR_ALERT"
My environment:
cat /etc/os-release
NAME="ALT Server"

pki --version
PKI Command-Line Interface 10.6.1-alt1.S1

java -version
openjdk version "1.8.0_144"
OpenJDK Runtime Environment (build 1.8.0_144-b01)
OpenJDK 64-Bit Server VM (build 25.144-b01, mixed mode)

OpenJDK is packaged without the sun.security.ec.SunEC provider.

rpm -q tomcat
tomcat-8.5.29-alt1_1jpp8.noarch
rpm -q tomcatjss
tomcatjss-7.3.0-alt1.S1.noarch
rpm -q jss
jss-4.4.3-alt1.S1.x86_64
So, I have these ciphers supported by pki:

DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA256

of which, for example, my Firefox (52.8.0) supports the following, and they fail:

TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
Issue can be reproduced using curl:
curl -vk --ciphers DHE-RSA-AES256-SHA256 https://slipadc.slipa.sltest:8443/ca/
...
curl: (56) OpenSSL SSL_read: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error, errno 0
DHE-RSA-AES*-GCM-SHA* ciphers are OK for curl, but are not supported by FF. Exactly the same problem with DHE-RSA-AES*-SHA* occurs on Fedora 28:
curl -k --ciphers DHE-RSA-AES256-SHA256 https://fedoradc.fedoraslev.slevtest:8443/ca/
curl: (56) OpenSSL SSL_read: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error, errno 0
Where can the problem be? How can I debug and fix it?
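Added example, not part of the original report or of Dogtag PKI's code: a decoder for the packed OpenSSL error code in the curl output quoted above, showing which side of the connection raised the failure. It assumes the OpenSSL 1.0/1.1 layout (8-bit library, 12-bit function, 12-bit reason); `decode_openssl_error` and `SAMPLE` are names made up for this illustration.

```python
import re

# Sample input: the curl failure quoted in the report, plus two constructed lines.
SAMPLE = [
    "curl: (56) OpenSSL SSL_read: error:14094438:SSL routines:ssl3_read_bytes:"
    "tlsv1 alert internal error, errno 0",
    "error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure",  # constructed
    "curl: (7) Failed to connect",                                                # constructed
]

# TLS alert descriptions (RFC 5246, section 7.2); subset seen around handshakes.
TLS_ALERTS = {
    10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 47: "illegal_parameter", 48: "unknown_ca",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}
ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # libssl reasons >= 1000 are alerts received from the peer

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(line):
    """Decode a pre-3.0 OpenSSL packed error code found in a log line.

    Returns a dict with the unpacked fields, or None if the line has no code.
    """
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    result = {"lib": lib, "func": func, "reason": reason,
              "peer_alert": None, "origin": "local"}
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
        result["peer_alert"] = TLS_ALERTS.get(alert, "alert_%d" % alert)
        result["origin"] = "peer"   # the remote end sent this alert
    return result


if __name__ == "__main__":
    for line in SAMPLE:
        print(decode_openssl_error(line))
```

For the reported `14094438` this gives library 20 (libssl) and reason 1080, that is alert 80 `internal_error` sent by the server, the same alert Firefox names in SSL_ERROR_INTERNAL_ERROR_ALERT.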
Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/3148
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)