Update: I traced the session with Wireshark. The SSL client hello from openssl lists 26 ciphersuites (which I can't work out how to copy/paste from Wireshark!)
When I put the first of these, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, into the enabled-ciphersuites attribute, the session works. If I don't specify a ciphersuite, according to the documentation, the server should accept every ciphersuite available to Java. Yet it is the Java side that is reporting "no matching ciphersuite", and sending the SSL alert in response to the client hello.

I don't want to tune the server configuration to this specific client, because I don't have control over what clients my users will have.

I'd welcome any comments anyone has.

On 26 January 2011 15:44, John Hartnup <[email protected]> wrote:
> I'm running ftpserver on J2SE 1.5 on Windows, and trying to connect to it
> using the ftp-ssl client on Debian Linux.
>
> On the server side I have:
> <ssl protocol="TLS" client-authentication="NONE" >
>     <keystore file="test.jks" password="password" />
> </ssl>
>
> On the client side I have:
> ftp -z certrequired -z cipher-ALL -z secure -z cert=client.pem -z key=client.pem
>
> The connection fails, logging:
> Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
>     at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:997)
>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1058)
>     at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1030)
>     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
>     at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:502)
>
> I believe the client is OK -- it works with other servers.
>
> If I specify enabled-ciphersuites in the ssl element of the server config,
> I find that many of the ciphersuites listed here -
> http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA
> - cause the server to report an unavailable ciphersuite. I have not found a
> ciphersuite I can use which satisfies the client, even basic ones such as
> SSL_RSA_EXPORT_WITH_RC4_40_MD5
>
> Any ideas?
>
> Thanks,
> John
> --
> "There is no way to peace; peace is the way"

--
"There is no way to peace; peace is the way"
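As an added diagnostic (not code from FtpServer, MINA or the thread's author), the following standalone Java program loads the server keystore the same way a JSSE server does, prints which cipher suites the engine supports versus enables by default, and marks each enabled suite as usable or not according to the key type the keystore actually holds (an `*_RSA_*` suite needs an RSA key entry, a `*_DSS_*` suite needs a DSA key entry, anonymous suites need none). It assumes a JKS keystore at `test.jks` with password `password`, as in the configuration quoted above; the class name, the `servable` helper and its name-based heuristics are mine. Any extra command-line arguments are treated as suite names offered by the client (for example the list read off the ClientHello in Wireshark) and intersected with what the server can serve, which is exactly the set JSSE needs to be non-empty to avoid "no cipher suites in common".

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/**
 * Diagnostic for "no cipher suites in common" (added example, not FtpServer code).
 * Usage: java CipherSuiteCheck [keystore] [password] [clientSuite ...]
 */
public class CipherSuiteCheck {

    public static void main(String[] args) throws Exception {
        String file = args.length > 0 ? args[0] : "test.jks";          // path from the thread's config
        char[] pw = (args.length > 1 ? args[1] : "password").toCharArray();

        // Load the server keystore exactly as the server would.
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(file);
        try { ks.load(in, pw); } finally { in.close(); }

        // Record the public-key algorithm of every private-key entry (RSA, DSA, ...).
        List<String> keyAlgs = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                Certificate c = ks.getCertificate(alias);
                if (c != null) keyAlgs.add(c.getPublicKey().getAlgorithm());
            }
        }
        System.out.println("Key entry algorithms in " + file + ": " + keyAlgs);

        // Build the SSLContext/SSLEngine the way a JSSE server does, in server mode.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);

        String[] supported = engine.getSupportedCipherSuites();
        String[] enabled = engine.getEnabledCipherSuites();
        System.out.println("Supported by this JVM: " + supported.length
                + ", enabled by default: " + enabled.length);

        // A suite is only negotiable if it is enabled AND the keystore has a key it can use.
        List<String> negotiable = new ArrayList<String>();
        for (String suite : enabled) {
            boolean ok = servable(suite, keyAlgs);
            if (ok) negotiable.add(suite);
            System.out.println((ok ? "  usable  " : "  NO KEY  ") + suite);
        }

        // Optional: intersect with the suites the client offered in its ClientHello.
        if (args.length > 2) {
            List<String> offered = Arrays.asList(args).subList(2, args.length);
            List<String> common = new ArrayList<String>(offered);
            common.retainAll(negotiable);
            System.out.println("Client offered " + offered.size()
                    + " suite(s); in common with server: " + common);
            for (String s : offered) {
                if (!Arrays.asList(supported).contains(s))
                    System.out.println("  not supported by this JVM at all: " + s);
                else if (!Arrays.asList(enabled).contains(s))
                    System.out.println("  supported but not enabled by default: " + s);
            }
        }
    }

    /**
     * Heuristic on the standard suite names: the authentication part of the name
     * tells us which server key type the suite needs. Anonymous suites need none;
     * Kerberos suites need a ticket rather than a keystore key.
     */
    static boolean servable(String suite, List<String> keyAlgs) {
        if (suite.contains("_anon_")) return true;
        if (suite.contains("KRB5")) return false;
        if (suite.contains("_DSS_")) return keyAlgs.contains("DSA");
        if (suite.contains("_RSA_")) return keyAlgs.contains("RSA");
        return false;   // unrecognised authentication type: assume not servable
    }
}
```

Run it with the same JVM and keystore the server uses (`java CipherSuiteCheck test.jks password TLS_DHE_DSS_WITH_AES_256_CBC_SHA ...`). The two things worth reading off the output are whether every default-enabled suite is marked `NO KEY` (the keystore key type matches none of them) and whether the client's offered suites fall into the "supported but not enabled by default" bucket, since either condition produces the `no cipher suites in common` handshake failure even though the documentation says all suites are accepted.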
