I'm struggling to run Jenkins 2.91 (RPM version) using its embedded mode on Centos 7.2 with OpenJDK (1.8.0_65)
However I'm getting the "ssl_error_no_cypher_overlap" error when I connect with Firefox 38.1.0 over HTTPS
This problem does not occur when running Jenkins with Oracle JDK 1.8.0_144, only with OpenJDK.
I've tried various options such as the following without success
JENKINS_JAVA_OPTIONS="-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2"
I came across bug 1167153, however the fix of applying jdk.tls.disabledAlgorithms=EC,ECDHE,ECDH already appears to be in place in /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.65-3.b17.el7.x86_64/jre/lib/security/java.security.
I've also tried using openssl to see what protocols are reported
openssl s_client -connect localhost:8443
>>>
New, TLSv1/SSLv3, Cipher is AES256-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-SHA256
I enabled logging using -Djavax.net.debug=ssl,handshake however this meant another fault was reported - ssl internal error - apparently due to bug - NoSuchAlgorithmException: EC AlgorithmParameters not available if SSL logs enabled
I managed to resolve this by installing bouncycastle. It seems OpenJDK doesn't ship with a ECC provider.
Download a bouncycastle provider from https://www.bouncycastle.org/latest_releases.html. e.g bcprov-ext-jdk15on-158.jar
Copy into /usr/lib/jvm/java-1.8.0-openjdk-<version>/jre/lib/ext
Add a provider to the end of the list in /usr/lib/jvm/java-1.8.0-openjdk-<version>/jre/lib/security/java.security
security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider
Re-enabled ECC algorithms, line previously ended: , EC, ECDHE, ECDH
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
Restart jenkins
Related
Does Azure IoT Edge works with Zscaler proxy AND SSL inspection
Indeed, we need to check header information from IoT Edge for security reason which require to decrypt .
IoT Edge run in CentOS or Ubuntu ESX VM and Zscaler certificat can be uploaded in the OS file system
regards
You will need the Zscaler root certificate added to list of root certificates that are trusted by OpenSSL in both the edgeAgent and edgeHub modules. Without that the TLS negotiation will fail with not trusting the certificate chain from any server that they attempt to negotiation a TLS connection with. I have done this. It will work.
Im trying to establisch a mqtt connection to test.mosquitto.org using MQTT.fx.
Im on Windows 10.
Selecting TLSv1.2 as my Protocol works fine.
But using TLSv1.3 the connection fails. "TSLv1.3 SSLContext not available"
Is TLSv1.3 just not jet supported on MQTT.fx?
I could not find anything else regarding that promlem using MQTT.fx.
As of version 1.7.1, MQTT.fx is bundled with JRE 1.8.0_18.
TLSv1.3 is supported from JDK 8u261 (source).
Hence, the used JRE does not support TLSv1.3.
I reported the issue and hope for a quick update.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH -
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite
All I could find online regarding this error is that this may relate to RSA/DSA. I've checked this out and could not find any conflicts so I'm not sure why the error still occurs. I am using keytool to install this certificate on a Jenkins server. How can I resolve this error and install my certificate?
I have a setup as follows to inspect traffic from a device.
Device <---> MitmProxy (Transparent Proxy mode) + Wireshark <---> Internet
Command used to invoke MitmProxy: SSLKEYLOGFILE="$PWD/mitmproxy/sslkeylogfile.txt" mitmweb --mode transparent --showhost
MitmProxy supports logging SSL/TLS master keys which allows Wireshark to decrypt the corresponding TLS traffic.
However, I noticed that the contents of my SSLKEYLOGFILE contained only lines of CLIENT_RANDOM which decrypts TLS 1.2 traffic.
To decrypt TLS 1.3 traffic, I understand that 4 secrets - CLIENT_HANDSHAKE_TRAFFIC_SECRET, SERVER_HANDSHAKE_TRAFFIC_SECRET, CLIENT_TRAFFIC_SECRET and SERVER_TRAFFIC_SECRET are needed, all of which are absent from my SSLKEYLOGFILE.
How may I proceed with decrypting TLS 1.3 in this setup?
This currently is a known bug in mitmproxy, see https://github.com/mitmproxy/mitmproxy/issues/3994. We're waiting for upstream to expose the new OpenSSL hooks.
I'm running grails on my local dev box (Mac OS 10.8) to host a web service over SSL using a self-signed certificate and the WeakSSL grails plugin. The problem is I'm connecting to this server through an Xcode iPhone simulator, and it's giving me an untrusted certificate error.
I've found instructions on how to install a certificate to the phone/simulator, but my question is how do I find this certificate on my machine to install?
I think if you are using grails 2.2.x you won't see the directory in ~.grails/. To find the keystore, the plugin uses a Pattern matched to Grails version 1.3.x and 2.0.x - 2.1.x.
Ideally you should see the certificates stored in ~./grails/${grailsVersion}
Have a look a the plugin code where certificates are found.
Created JIRA defect for the same.
Pattern matcher will not work for Grails version 2.2.x and above because of the below code.
import java.util.regex.Pattern
Pattern V2X = Pattern.compile("2.[01].\\d+?")
assert !V2X.matcher("2.2.0").find()
Also, consider using openssl to get the key directly from the running grails server with a command like this:
openssl s_client -connect localhost:8443
AFTER starting grails with something like this:
grails run-app -https
The output of the openssl command will have the self signed certificate that you can add to your clients trusted certificates.