[jboss-jira] [JBoss JIRA] (ELY-1663) BC FIPS, Management Interface, ELY04001: No algorithm found matching TLS/SSL protocol selection criteria

Martin Choma (JIRA) issues at jboss.org
Tue Sep 25 08:42:00 EDT 2018


    [ https://issues.jboss.org/browse/ELY-1663?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13638085#comment-13638085 ] 

Martin Choma commented on ELY-1663:
-----------------------------------

Thanks to ELY-1664 I now see 
{code:title=OK}
08:01:49,725 TRACE [org.wildfly.security] (MSC service thread 1-1) Provider BCJSSE version 1.0005 was added for algorithm TLS
08:01:49,725 TRACE [org.wildfly.security] (MSC service thread 1-1) Provider BCJSSE version 1.0005 was added for algorithm TLSV1.1
08:01:49,725 TRACE [org.wildfly.security] (MSC service thread 1-1) Provider BCJSSE version 1.0005 was added for algorithm TLSV1.2
08:01:49,725 TRACE [org.wildfly.security] (MSC service thread 1-1) Provider BCJSSE version 1.0005 was added for algorithm DEFAULT
08:01:49,725 TRACE [org.wildfly.security] (MSC service thread 1-1) Provider BCJSSE version 1.0005 was added for algorithm TLSV1
08:01:49,726 TRACE [org.wildfly.security] (MSC service thread 1-1) Provider openssl version 1.0 was added for algorithm openssl.TLS
08:01:49,726 TRACE [org.wildfly.security] (MSC service thread 1-1) Provider openssl version 1.0 was added for algorithm openssl.TLSv1
08:01:49,726 TRACE [org.wildfly.security] (MSC service thread 1-1) Provider openssl version 1.0 was added for algorithm openssl.TLSv1.1
08:01:49,726 TRACE [org.wildfly.security] (MSC service thread 1-1) Provider openssl version 1.0 was added for algorithm openssl.TLSv1.2
08:01:49,726 TRACE [org.wildfly.security] (MSC service thread 1-1) Provider openssl version 1.0 was added for algorithm TLS
08:01:49,726 TRACE [org.wildfly.security] (MSC service thread 1-1) Provider openssl version 1.0 was added for algorithm TLSv1
08:01:49,726 TRACE [org.wildfly.security] (MSC service thread 1-1) Provider openssl version 1.0 was added for algorithm TLSv1.1
08:01:49,726 TRACE [org.wildfly.security] (MSC service thread 1-1) Provider openssl version 1.0 was added for algorithm TLSv1.2
08:01:49,728 TRACE [org.wildfly.security] (MSC service thread 1-1) Supported protocols are: [TLSv1.2]
08:01:49,795 TRACE [org.wildfly.security] (MSC service thread 1-1) Provider openssl version 1.0 has no such protocol TLSv1.2
08:01:49,796 TRACE [org.wildfly.security] (MSC service thread 1-1) No SSLContext provided by providers in SSLUtils: [BCFIPS version 1.01, BCJSSE version 1.0005, SUN version 1.8, ApacheXMLDSig version 2.12, SunJCE version 1.8, WildFlyElytron version 1.0, TLSP version 1.0, openssl version 1.0]
08:01:49,797 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service org.wildfly.security.ssl-context.test-server-ssl-context: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.test-server-ssl-context: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
	at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:982)
	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700)
	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558)
	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
	at org.wildfly.security.ssl.SSLUtils.lambda$createSslContextFactory$1(SSLUtils.java:151)
	at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:340)
	at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
	at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:980)
	... 9 more
{code}

{code:title=NOK}
07:47:38,425 TRACE [org.wildfly.security] (MSC service thread 1-3) Provider BCJSSE version 1.0005 was added for algorithm TLSV1
07:47:38,425 TRACE [org.wildfly.security] (MSC service thread 1-3) Provider BCJSSE version 1.0005 was added for algorithm TLSV1.2
07:47:38,425 TRACE [org.wildfly.security] (MSC service thread 1-3) Provider BCJSSE version 1.0005 was added for algorithm DEFAULT
07:47:38,425 TRACE [org.wildfly.security] (MSC service thread 1-3) Provider BCJSSE version 1.0005 was added for algorithm TLS
07:47:38,425 TRACE [org.wildfly.security] (MSC service thread 1-3) Provider BCJSSE version 1.0005 was added for algorithm TLSV1.1
07:47:38,425 TRACE [org.wildfly.security] (MSC service thread 1-3) Provider openssl version 1.0 was added for algorithm openssl.TLS
07:47:38,425 TRACE [org.wildfly.security] (MSC service thread 1-3) Provider openssl version 1.0 was added for algorithm openssl.TLSv1
07:47:38,425 TRACE [org.wildfly.security] (MSC service thread 1-3) Provider openssl version 1.0 was added for algorithm openssl.TLSv1.1
07:47:38,425 TRACE [org.wildfly.security] (MSC service thread 1-3) Provider openssl version 1.0 was added for algorithm openssl.TLSv1.2
07:47:38,425 TRACE [org.wildfly.security] (MSC service thread 1-3) Provider openssl version 1.0 was added for algorithm TLS
07:47:38,425 TRACE [org.wildfly.security] (MSC service thread 1-3) Provider openssl version 1.0 was added for algorithm TLSv1
07:47:38,425 TRACE [org.wildfly.security] (MSC service thread 1-3) Provider openssl version 1.0 was added for algorithm TLSv1.1
07:47:38,425 TRACE [org.wildfly.security] (MSC service thread 1-3) Provider openssl version 1.0 was added for algorithm TLSv1.2
07:47:38,425 TRACE [org.wildfly.security] (MSC service thread 1-3) Supported protocols are: [TLSV1.2]
07:47:38,426 TRACE [org.wildfly.security.tls] (MSC service thread 1-3) SSLContext initialization:
    securityDomain = null
    canAuthPeers = false
    cipherSuiteSelector = add cipher name is "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", then add cipher name is "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", then add cipher name is "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", then add cipher name is "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", then add cipher name is "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", then add cipher name is "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", then add cipher name is "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", then add cipher name is "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", then add cipher name is "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", then add cipher name is "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", then add cipher name is "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", then add cipher name is "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", then add cipher name is "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", then add cipher name is "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", then add cipher name is "TLS_RSA_WITH_3DES_EDE_CBC_SHA", then add cipher name is "TLS_RSA_WITH_AES_128_CBC_SHA", then add cipher name is "TLS_RSA_WITH_AES_128_CBC_SHA256", then add cipher name is "TLS_RSA_WITH_AES_256_CBC_SHA", then add cipher name is "TLS_RSA_WITH_AES_256_CBC_SHA256"
    protocolSelector = add protocols (TLSv1_2)
    x509TrustManager = org.bouncycastle.jsse.provider.ProvX509ExtendedTrustManager_7 at 5cf78cec
    x509KeyManager = org.wildfly.extension.elytron.SSLDefinitions$DelegatingKeyManager at 3840d33b
    providerSupplier = org.wildfly.security.util.ProviderUtil$$Lambda$378/1963271128 at 52af0c28
    clientMode = false
    authenticationOptional = false
    sessionCacheSize = -1
    sessionTimeout = -1
    wantClientAuth = false
    needClientAuth = false
    useCipherSuitesOrder = true
    wrap = false
{code}

> BC FIPS, Management Interface, ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
> --------------------------------------------------------------------------------------------------------
>
>                 Key: ELY-1663
>                 URL: https://issues.jboss.org/browse/ELY-1663
>             Project: WildFly Elytron
>          Issue Type: Bug
>          Components: SSL
>    Affects Versions: 1.6.0.Final
>            Reporter: Martin Choma
>            Priority: Critical
>
> Rarely (1:30) an error occurs when accessing the HTTP management interface secured with TLS with BC FIPS
> {code}
> Operation {"operation" => "add","address" => [("subsystem" => "elytron"),("server-ssl-context" => "test-server-ssl-context")],"key-manager" => "key-manager-name_test-server-ssl-context","cipher-suite-filter" => "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256","trust-manager" => "trust-manager-name_test-server-ssl-context","protocols" => ["TLSv1.2"],"need-client-auth" => true} failed: {"outcome" => "failed","failure-description" => {"WFLYCTL0080: Failed services" => {"org.wildfly.security.ssl-context.test-server-ssl-context" => "java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
>     Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria"}},"rolled-back" => true}
> ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2) MSC000001: Failed to start service org.wildfly.security.ssl-context.test-server-ssl-context: org.jboss.msc.service.StartException in service org.wildfly.security.ssl-context.test-server-ssl-context: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
> 	at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:982)
> 	at org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:53)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1736)
> 	at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1698)
> 	at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1556)
> 	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
> 	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
> 	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
> 	at java.lang.Thread.run(Thread.java:748)
> Caused by: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
> 	at org.wildfly.security.ssl.SSLUtils.lambda$createSslContextFactory$1(SSLUtils.java:130)
> 	at org.wildfly.security.ssl.SSLContextBuilder.lambda$build$0(SSLContextBuilder.java:340)
> 	at org.wildfly.security.OneTimeSecurityFactory.create(OneTimeSecurityFactory.java:53)
> 	at org.wildfly.extension.elytron.SSLDefinitions$6.lambda$getValueSupplier$1(SSLDefinitions.java:980)
> 	... 9 more
> {code}
> Some facts
> * It happens only on management interface BC FIPS TLS tests
> * It does not occur on Undertow secured with BC FIPS
> * Previously there was an issue with a similar error, but that happened everywhere: https://issues.jboss.org/browse/ELY-1618



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
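To compare two Elytron TRACE captures like the ones in this message without reading them line by line, the following added example (not part of the original message and not Elytron code) extracts the provider registrations, the "Supported protocols" value, any "has no such protocol" rejections, and whether ELY04001 or SSLContext initialization was reached. The sample lines are abridged from the two traces above, and the names `summarize`, `RUN_WITH_ERROR` and `RUN_WITH_INIT` are hypothetical.

```python
import re
from collections import defaultdict

# Lines abridged from the two traces in this message (timestamps/threads dropped).
RUN_WITH_ERROR = """\
TRACE [org.wildfly.security] Provider BCJSSE version 1.0005 was added for algorithm TLSV1.2
TRACE [org.wildfly.security] Provider openssl version 1.0 was added for algorithm TLSv1.2
TRACE [org.wildfly.security] Supported protocols are: [TLSv1.2]
TRACE [org.wildfly.security] Provider openssl version 1.0 has no such protocol TLSv1.2
ERROR [org.jboss.msc.service.fail] MSC000001: Failed to start service org.wildfly.security.ssl-context.test-server-ssl-context: java.security.NoSuchAlgorithmException: ELY04001: No algorithm found matching TLS/SSL protocol selection criteria
"""
RUN_WITH_INIT = """\
TRACE [org.wildfly.security] Provider BCJSSE version 1.0005 was added for algorithm TLSV1.2
TRACE [org.wildfly.security] Provider openssl version 1.0 was added for algorithm TLSv1.2
TRACE [org.wildfly.security] Supported protocols are: [TLSV1.2]
TRACE [org.wildfly.security.tls] SSLContext initialization:
"""

ADDED = re.compile(r"Provider (\S+) version \S+ was added for algorithm (\S+)")
SUPPORTED = re.compile(r"Supported protocols are: \[(.*?)\]")
REJECTED = re.compile(r"Provider (\S+) version \S+ has no such protocol (\S+)")

def summarize(trace):
    """Collect the facts that differ between a failing and a working start-up."""
    # lower-cased algorithm name -> exact spelling -> providers that registered it
    spellings = defaultdict(lambda: defaultdict(set))
    out = {"supported": [], "rejected": [], "ely04001": False, "initialized": False}
    for line in trace.splitlines():
        if m := ADDED.search(line):
            spellings[m.group(2).lower()][m.group(2)].add(m.group(1))
        elif m := SUPPORTED.search(line):
            out["supported"] = [p.strip() for p in m.group(1).split(",")]
        elif m := REJECTED.search(line):
            out["rejected"].append((m.group(1), m.group(2)))
        out["ely04001"] |= "ELY04001" in line
        out["initialized"] |= "SSLContext initialization:" in line
    # Names registered under more than one capitalisation, e.g. TLSV1.2 vs TLSv1.2
    out["case_variants"] = {
        name: {s: sorted(p) for s, p in by_spelling.items()}
        for name, by_spelling in spellings.items() if len(by_spelling) > 1
    }
    return out

if __name__ == "__main__":
    for label, trace in (("error run", RUN_WITH_ERROR), ("init run", RUN_WITH_INIT)):
        print(label, summarize(trace))
```
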


