[
https://issues.jboss.org/browse/JBWEB-292?page=com.atlassian.jira.plugin....
]
Michal Babacek commented on JBWEB-292:
--------------------------------------
Yes, JSSE names did it, this works:
{code}
<subsystem xmlns="urn:jboss:domain:web:1.5" native="false">
<connector name="https" protocol="HTTP/1.1"
socket-binding="https" scheme="https" enabled="true"
secure="true">
<ssl name="https" ca-certificate-file="/proper/ca-cert.jks"
certificate-key-file="/proper/client-cert-key.jks"
certificate-file="/proper/client-cert-key.jks" password="tomcat"
verify-client="false" key-alias="javaclient"
cipher-suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,!TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,!TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,!TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,!TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,!TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,!TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,!TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,!TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,!TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,!TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,!TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,!TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,!TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,!TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,!TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,!TLS_RSA_WITH_AES_128_GCM_SHA256,!TLS_RSA_WITH_AES_128_CBC_SHA256,!TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
protocol="TLS"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
{code}
So, is this just a documentation issue then?
Http11Nio loaded, JBWEB002081: No cipher match
----------------------------------------------
Key: JBWEB-292
URL:
https://issues.jboss.org/browse/JBWEB-292
Project: JBoss Web
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Affects Versions: JBossWeb-7.4.0.GA
Reporter: Michal Babacek
Assignee: Remy Maucherat
Priority: Critical
Fix For: JBossWeb-7.4.0.GA
Hi guys,
I have an SSL test that sets up the web subsystem with HTTPS connector only and uses
HTTPS with mod_cluster.
{code}
<subsystem xmlns="urn:jboss:domain:modcluster:1.2">
<mod-cluster-config advertise-socket="modcluster"
connector="https">
<dynamic-load-provider>
<load-metric type="busyness"/>
</dynamic-load-provider>
<ssl key-alias="javaclient"
password="tomcat"
certificate-key-file="/tmp/ews-eap6/client-cert-key.jks"
cipher-suite="AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL"
ca-certificate-file="/tmp/ews-eap6/ca-cert.jks"
/>
</mod-cluster-config>
</subsystem>
<subsystem xmlns="urn:jboss:domain:web:1.5"
native="false">
<connector name="https" protocol="HTTP/1.1"
scheme="https" socket-binding="https" secure="true"
enabled="true">
<ssl name="https"
key-alias="javaclient"
password="tomcat"
certificate-key-file="/tmp/ews-eap6/client-cert-key.jks"
cipher-suite="AES128-SHA:ALL:!ADH:!LOW:!MD5:!SSLV2:!NULL"
protocol="TLS" verify-client="false"
certificate-file="/tmp/ews-eap6/client-cert-key.jks"
ca-certificate-file="/tmp/ews-eap6/ca-cert.jks"/>
</connector>
<virtual-server name="default-host"
enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
{code}
Notice that while EAP 6.3.0.DR1 with *jbossweb-7.3.0.Final* uses
{{org.apache.coyote.http11}}, EAP 6.3.0.DR2 with *jbossweb-7.4.0.Beta4* tries to start
{{org.apache.coyote.http11.Http11NioProtocol}}.
This causes cipher suite errors.
* EAP 6.3.0.DR1 with jbossweb-7.3.0.Final passes this test with no exceptions thrown.
* EAP 6.3.0.DR2 with jbossweb-7.4.0.Beta4 causes:
{noformat}
06:18:26,649 ERROR [org.apache.coyote.http11.Http11NioProtocol] (MSC service thread 1-17)
JBWEB003043: Error initializing endpoint: java.io.IOException: JBWEB002081: No cipher
match
at
org.apache.tomcat.util.net.jsse.NioJSSESocketChannelFactory.init(NioJSSESocketChannelFactory.java:315)
[jbossweb-7.4.0.Beta4.jar:7.4.0.Beta4]
at org.apache.tomcat.util.net.NioEndpoint.init(NioEndpoint.java:205)
[jbossweb-7.4.0.Beta4.jar:7.4.0.Beta4]
at org.apache.coyote.http11.Http11NioProtocol.init(Http11NioProtocol.java:113)
[jbossweb-7.4.0.Beta4.jar:7.4.0.Beta4]
at org.apache.catalina.connector.Connector.init(Connector.java:983)
[jbossweb-7.4.0.Beta4.jar:7.4.0.Beta4]
at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:304)
[jboss-as-web-7.4.0.Final-redhat-2.jar:7.4.0.Final-redhat-2]
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980)
[jboss-msc-1.1.5.Final.jar:1.1.5.Final]
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913)
[jboss-msc-1.1.5.Final.jar:1.1.5.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
[rt.jar:1.7.0_51]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
[rt.jar:1.7.0_51]
at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
Caused by: java.io.IOException: JBWEB002081: No cipher match
at
org.apache.tomcat.util.net.jsse.NioJSSESocketChannelFactory.getEnabledCiphers(NioJSSESocketChannelFactory.java:399)
[jbossweb-7.4.0.Beta4.jar:7.4.0.Beta4]
at
org.apache.tomcat.util.net.jsse.NioJSSESocketChannelFactory.init(NioJSSESocketChannelFactory.java:305)
[jbossweb-7.4.0.Beta4.jar:7.4.0.Beta4]
... 9 more
06:18:26,663 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread
1-39) JBAS010400: Bound data source [java:jboss/datasources/ExampleDS]
06:18:26,672 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-17) MSC000001:
Failed to start service jboss.web.connector.https: org.jboss.msc.service.StartException in
service jboss.web.connector.https: JBAS018007: Error starting web connector
at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:362)
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1980)
[jboss-msc-1.1.5.Final.jar:1.1.5.Final]
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1913)
[jboss-msc-1.1.5.Final.jar:1.1.5.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
[rt.jar:1.7.0_51]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
[rt.jar:1.7.0_51]
at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_51]
Caused by: LifecycleException: JBWEB000023: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.init(Connector.java:985)
at org.jboss.as.web.WebConnectorService.start(WebConnectorService.java:304)
... 5 more
{noformat}
Any ideas?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
http://www.atlassian.com/software/jira