Firefox v39 will no longer connect to my web application over HTTPS. I'm using Spring Boot with embedded Tomcat and I've made sure I'm using the latest version of Boot (v1.2.5). Firefox shows the following error message:
Secure Connection Failed
An error occurred during a connection to [website]. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
I understand this is to protect against a known vulnerability called Logjam. A solution for Tomcat is provided at weakdh.org.
Spring Boot passes SSL configuration to Tomcat via application.properties and as such I have added server.ssl.ciphers to my application.properties as follows:
server.port=443
server.ssl.key-store=/home/ec2-user/boot.p12
server.ssl.key-store-password=...
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=...
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_SHA256,TLS_ECDHE_RSA_WITH_AES_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_SHA,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_128_SHA,TLS_DHE_DSS_WITH_AES_128_SHA256,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_DHE_DSS_WITH_AES_256_SHA,TLS_DHE_RSA_WITH_AES_256_SHA
After restarting boot, I notice the following in my log file:
WARN 2674 [main] --- o.a.t.util.net.jsse.JSSESocketFactory : None of the ciphers specified are supported by the SSL engine : TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, ...
Additionally, connecting using Firefox fails with the following message:
Secure Connection Failed
The connection to [website] was interrupted while the page was loading.
And I see the following in my log file:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
Unfortunately I'm no encryption expert. Can anyone suggest how to fix this? Do I need to recreate my HTTPS certificate?
The solution was to upgrade server Java on the server from 1.7 to 1.8.
sudo yum remove java-1.7.0-openjdk
sudo yum install java-1.8.0
After this was complete, no other configuration was necessary. Not even modyfing Tomcat as per the advice at weakdh.org.
Related
as the title says I'm facing the error:
WebSocket connection failure. Due to security constraints in your web
browser, the reason for the failure is not available to this Neo4j
Driver…​
My neo4j DB is running on a Ubuntu Linux machine:
Unbungu 20.04.04 LTS, Release 20.04
Neo4j Community Edition, Version 4.4.8
I can connect to the db via:
http://localhost:7474/browser/
but not under
https://localhost:7473/browser/ or bolt+s://localhost:7687
I already tried multiple "solutions" but none of them work.
Here is what I changed in my config.
dbms.default_listen_address=0.0.0.0
dbms.connectors.default_list_address=0.0.0.0
dbms.connector.bolt.enabled=true
dbms.connector.bolt.address=0.0.0.0:7687
dbms.connector.https.enabled=true
dbms.connector.https.listen_address=0.0.0.0:7473
I also generated SSL certificates:
Bolt SSL configuration
dbms.ssl.policy.bolt.enabled=true
dbms.ssl.policy.bolt.base_directory=certificates/bolt
dbms.ssl.policy.bolt.private_key=private.key
dbms.ssl.policy.bolt.public_certificate=public.crt
dbms.ssl.policy.bolt.client_auth=NONE
Https SSL configuration
dbms.ssl.policy.https.enabled=true
dbms.ssl.policy.https.base_directory=certificates/https
dbms.ssl.policy.https.private_key=private.key
dbms.ssl.policy.https.public_certificate=public.crt
dbms.ssl.policy.https.client_auth=NONE
Any ideas?
*Edit: Typo
When I run any maven command with specified http and https proxy address and port as below:
mvn <command> -Dhttps.proxyHost=<MY.PROXY.HOST.ADDRESS> -Dhttps.proxyPort=<MY_PROXY_PORT> -Dhttp.proxyHost...
It's running without any error.
I want to set those configurations as default for my STS network connections and select the manual Active Provider (see attached screenshot for my configurations),
I think it's not related to the STS versions because I faced the same problem with 3.8 and 4.6 version. Anyway, Here is my STS version
Now, when I try the same maven command without proxy and port arguments, the maven command fails due to a network connection error.
[ERROR] unable to read java.net.ConnectException: Connection timed out
I am new in ldap enviromnet and I am trying to set up the apache fortress with symas openldap (https://github.com/apache/directory-fortress-core/blob/master/README-QUICKSTART-SLAPD.md)
When I set up with ldap, all the integration tests pass succesfully but when I set the ldaps it throws an handshake error.
Does someone now where I have to set all the client and server certificates because setting up as the repository README, it is not possible.
Fixed:
Following the below answer of the creator of that project, I got the proper set up with LDAPS.
Next Problem:
But now I get an error when I run the 3rd step of Apache Fortress Rest Set Up:
mvn clean install -Dload.file=./src/main/resources/FortressRestServerPolicy.xml tomcat:deploy
error output:
[ERROR] Failed to execute goal org.codehaus.mojo:tomcat-maven-plugin:1.0-beta-1:deploy (default-cli) on project fortress-rest: Cannot invoke Tomcat manager: Error writing to server -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.codehaus.mojo:tomcat-maven-plugin:1.0-beta-1:deploy (default-cli) on project fortress-rest: Cannot invoke Tomcat manager
Caused by: org.apache.maven.plugin.MojoExecutionException: Cannot invoke Tomcat manager
Caused by: java.io.IOException: Error writing to server
I set up in tomcat the roles and users manager-gui (which I am able to access through http and https, hostname/manager/html) and manager-script
Changing tomcat maven plugin in pom.xml, I could deploy:
<groupId>org.apache.tomcat.maven</groupId>
<artifactId>tomcat7-maven-plugin</artifactId>
<version>2.2</version>
but after I get that error...
FAIL - Deployed application at context path [/fortress-rest] but context failed to start
Any ideas what it could be?
Using TLS or LDAPS for the connection to the LDAP server does not require a client-side certificate. You will need to create a server-side cert for the LDAP host, and add that to the OpenLDAP configuration. You also must add that server's CA certificate to the Java truststore on the client-side, i.e. the fortress runtime.
For a tutorial on how to accomplish this, checkout the Apache Fortress Demo. (Note that I am the author of this demo.)
This tutorial's scope goes beyond just creating and using certificates. The specific steps you're going to be interested in are:
http://shawnmckinney.github.io/apache-fortress-demo/apidocs/doc-files/keys.html
http://shawnmckinney.github.io/apache-fortress-demo/apidocs/doc-files/hosts.html
http://shawnmckinney.github.io/apache-fortress-demo/apidocs/doc-files/openldap-ssl.html
http://shawnmckinney.github.io/apache-fortress-demo/apidocs/doc-files/apache-fortress-core-ssl.html
My domain is: http://dev.www.triunfamos.com
I use Advanced Rest Client ( https://install.advancedrestclient.com/install ) and try to call to mentioned domain
It produced this output:
The requested URL can't be reached
The service might be temporarily down or it may have moved permanently to a new web address.
140278599439040:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO sslv3 alert handshake failure:../../vendor/node/deps/openssl/openssl/ssl/s23_clnt.c:802:
If I use this website: https://apitester.com/ to call to my URL it works fine
But with this one it fails too: https://client.restlet.com/ throwing the error:
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
My web server is nginx 1.10.3 ubuntu 16 and certbot is 0.26.1
What is the problem which dont able to use Advanced Rest Client or any others? Thanks.
The problem can be solved by the official forum: https://community.letsencrypt.org/t/cannot-use-advanced-rest-client-with-letsencrypt-websites-because-throws-sslv3-alert-handshake-failure/88104
Resume:
ARC not use TLS 1.2 and for nginx 1.10.x the ssl_ecdh_curve sentence must be removed (if I use ARC) from nginx configuration.
For nginx 1.11 the ssl_ecdh_curve must set auto
In sites which has nginx 1.10 but is working ARC is due to are using cloudflare SSL
It is adviced to install TLS 1.3 for nginx 1.11
I was hoping someone could help.
I am trying to sftp to a remote server that is behind a firewall. I have a proxy setup and can sftp via the unix terminal succesfully. However when using mulesofts SFTP connector I get a timeout. From research it looks like this is because it is run on the JVM.
Mule comes with wrapper.conf to update any jvm settings so I have set the following settings:
wrapper.java.additional.15=-DsocksProxyHost:hostname
wrapper.java.additional.16=-DsocksProxyPort=1080
When I do this the Mule service no longer runs and get the following error:
WrapperManager Error: Unexpected exception opening backend socket: java.net.SocketException: Can't connect to SOCKS proxy:Invalid argument or cannot assign requested address
Hopefully someone can assist.
Thank you.
Perhaps typo in the
-DsocksProxyHost:hostname
Should be = rather than :.
The port is unnecessary, 1080 is the default. Documentation is here, see section 2.4 for SOCKS
http://docs.oracle.com/javase/8/docs/technotes/guides/net/proxies.html