Loading

How to diagnose and fix SSL handshake error: no cipher suites in common

Fecha de publicación: Mar 2, 2024
Solución

SYMPTOM

This error happens when a client tries to connect to an HTTP Listener configured to use the HTTPS protocol: 
ERROR 2018-09-20 11:30:03,583 [[my-app].HTTPS_Listener_Configuration.worker.01] org.mule.module.http.internal.listener.grizzly.MuleSslFilter: SSL handshake error: no cipher suites in common

CAUSE

This error is usually caused by two reasons:
  1. The keystore in the HTTPS Listener does not contain the private key required for setting up HTTPS server side.
  2. The client requests to use a cipher suite that is not allowed by the HTTPS Listener.

SOLUTION

1. First, ensure that the keystore used contains a private key. You can inspect the keystore with the keytool command.
Example: 
$ keytool -list -keystore keystore.jks -storepass test
...
mule, Dec 3, 2014, PrivateKeyEntry, 
Certificate fingerprint (SHA1): A4:FD:C4:...
....
Note how above listing contains an entry tagged PrivateKeyEntry.
As an example, the following keystore only contains a certificate and it is not valid for use in an HTTPS Listener: 
keytool -list -keystore cert-only.jks -storepass test
...
localhost, Sep 20, 2018, trustedCertEntry, 
Certificate fingerprint (SHA1): 6E:B9:07:...

2. Once the keystore configuration has been validated, you can use Java SSL Debug log to troubleshoot which cipher suites are being sent by the client. See Article How to enable SSL debug logging in Mulesoft Products for instructions.
Once enabled you can find the ClientHello and ServerHello sections to compare cipher suites: 
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 418314803 bytes = { 105, 102, 33, 3, 207, 61, 226, 190, 94, 19, 230, 14, 73, 232, 146, 155, 232, 252, 22, 56, 19, 26, 22, 174, 201, 85, 186, 105 }
Session ID:  {}
Cipher Suites: [Unknown 0xcc:0x14, Unknown 0xcc:0x13, Unknown 0xcc:0x15, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, Unknown 0xff:0x85, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256, TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, Unknown 0x0:0x81, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
...
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1520697416 bytes = { 66, 63, 240, 202, 251, 174, 26, 131, 31, 130, 178, 89, 5, 67, 222, 143, 201, 56, 157, 102, 15, 215, 235, 108, 65, 43, 226, 172 }
Session ID:  {91, 164, 0, 72, 101, 104, 21, 14, 56, 169, 154, 183, 30, 92, 118, 42, 141, 243, 79, 241, 209, 93, 189, 191, 253, 200, 130, 82, 171, 35, 191, 76}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
In this case, the server -the HTTP Listener- was able to match one of the cipher suites proposed by the client.
If there are no coincidences you will need to ask the client to send a supported cipher suite.
You could add a missing cipher suite to the Mule Runtime, however, note that usually, cipher suites that are not enabled have security vulnerabilities. For instructions see the documentation for TLS configurations.

Note-1: Enabling additional cipher suites in a Mule Runtime could expose you to security risks.

Note-2: In addition to checking and configuring the ciphers supported by Mule Runtime, note that the private key configured will also impact what ciphers are supported. For example, a 1024-bit DSA key and a 2048-bit RSA key will result in the Mule Runtime supporting a different set of ciphers.
Número del artículo de conocimiento

001117976

 
Cargando
Salesforce Help | Article