We only utilize bouncycastle JCE by default OOB [0][1]. Consult "Security" section at the bottom of [2] to enable alternate JCE providers.
Regards, Ryan Goulding [0] https://github.com/opendaylight/odlparent/blob/master/karaf/opendaylight-karaf-resources/src/main/resources/etc/custom.properties#L20-#L21 [1] https://github.com/opendaylight/odlparent/blob/2ae333d76c457d40227b7fc7619b7a2e1cf43830/karaf/opendaylight-karaf-resources/pom.xml#L119-#L121 [2] https://karaf.apache.org/manual/latest/security On Tue, Dec 19, 2017 at 4:10 AM, A Vamsikrishna <[email protected] > wrote: > Hi Mohamed, > > > > I am using java 8 and I see in [0] that > *TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 > *is enabled by default. > > > > Just to confirm is this the expected behavior ( Caused by: > javax.net.ssl.SSLHandshakeException: > no cipher suites in common ) ? > > > > If not, can you please help me how to make it working ? > > > > [0] https://docs.oracle.com/javase/8/docs/technotes/ > guides/security/SunProviders.html > > > > Also any idea why is it working with TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 > but not with *TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ?* > > > > > > Thanks, > > Vamsi > > > > *From:* Mohamed El-Serngawy [mailto:[email protected]] > *Sent:* Monday, December 18, 2017 9:14 PM > *To:* A Vamsikrishna <[email protected]> > *Cc:* [email protected] > *Subject:* Re: [openflowplugin-dev] [Openflow] TLS cipher suite cannot > support exception > > > > Hi, > > > > So simply, what is the java version you use ? if you are not using java 8 > this cipher suits is not supported in previous java version. check the > available cipher suites in java per version at [0] > > > > [0] https://docs.oracle.com/javase/8/docs/technotes/ > guides/security/SunProviders.html > > > > BR > > > > > > On Mon, Dec 18, 2017 at 5:35 AM, A Vamsikrishna < > [email protected]> wrote: > > Hi All, > > > > All below scenarios looks fine > > > > > > with no ciphers > > (or) > > <cipher-suites>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</cipher-suites> > > (or) > > <cipher-suites>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</cipher-suites> > > <cipher-suites>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</cipher-suites > > > (or) > > <cipher-suites>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</cipher-suites> > > <cipher-suites>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</cipher-suites> > > > > stack@devcontrol:~/devstack$ > > stack@devcontrol:~/devstack$ sudo tail -5 /var/log/openvswitch/ovs- > vswitchd.log > > 2017-11-21T15:17:16.417Z|02158|rconn|WARN|br-int<->ssl:192.168.56.1:6653: > connection dropped (Connection refused) > > 2017-11-21T15:17:24.437Z|02159|rconn|WARN|br-int<->ssl:192.168.56.1:6653: > connection dropped (Connection refused) > > 2017-11-21T15:17:32.383Z|02160|rconn|WARN|br-int<->ssl:192.168.56.1:6653: > connection dropped (Connection refused) > > 2017-11-21T15:17:40.915Z|02161|*rconn|INFO|br-int<->ssl:192.168.56.1:6653 > <http://192.168.56.1:6653>: connected* > > 2017-11-21T15:17:54.279Z|02162|connmgr|INFO|br-int<->ssl:192.168.56.1:6653: > 38 flow_mods 10 s ago (38 adds) > > stack@devcontrol:~/devstack$ > > stack@devcontrol:~/devstack$ > > > > stack@devcontrol:~/devstack$ sudo ovs-vsctl show > > 9191393d-55e3-49c8-82e0-ea597b611ec0 > > Manager "tcp:192.168.56.1:6640" > > is_connected: true > > *Bridge br-int* > > * Controller "ssl:192.168.56.1:6653 <http://192.168.56.1:6653>"* > > * is_connected: true* > > fail_mode: secure > > Port br-int > > Interface br-int > > type: internal > > Bridge br-ext > > Port br-ext > > Interface br-ext > > type: internal > > ovs_version: "2.6.1" > > stack@devcontrol:~/devstack$ > > > > > > only with below cipher suite alone it's not working > > > > <cipher-suites>*TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256*</cipher-suites> > > > > > > stack@devcontrol:~/devstack$ sudo tail -5 /var/log/openvswitch/ovs- > vswitchd.log > > 2017-11-21T15:10:28.370Z|02089|rconn|WARN|br-int<->ssl:192.168.56.1:6653: > connection dropped (Protocol error) > > 2017-11-21T15:10:36.343Z|02090|stream_ssl|WARN|SSL_connect: > error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake > failure > > 2017-11-21T15:10:36.344Z|02091|rconn|WARN|br-int<->ssl:192.168.56.1:6653: > connection dropped (Protocol error) > > 2017-11-21T15:10:44.343Z|02092|stream_ssl|WARN|SSL_connect: > error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake > failure > > 2017-11-21T15:10:44.343Z|02093|rconn|WARN|br-int<->ssl:192.168.56.1:6653: > connection dropped (Protocol error) > > stack@devcontrol:~/devstack$ > > stack@devcontrol:~/devstack$ > > stack@devcontrol:~/devstack$ sudo ovs-vsctl show > > 9191393d-55e3-49c8-82e0-ea597b611ec0 > > Manager "tcp:192.168.56.1:6640" > > is_connected: true > > Bridge br-int > > Controller "ssl:192.168.56.1:6653" > > fail_mode: secure > > Port br-int > > Interface br-int > > type: internal > > Bridge br-ext > > Port br-ext > > > > > > Caused by: > javax.net.ssl.SSLHandshakeException: > no cipher suites in common > > at sun.security.ssl.Handshaker.checkThrown(Handshaker.java: > 1478)[:1.8.0_131] > > at sun.security.ssl.SSLEngineImpl.checkTaskThrown( > SSLEngineImpl.java:535)[:1.8.0_131] > > at sun.security.ssl.SSLEngineImpl.readNetRecord( > SSLEngineImpl.java:813)[:1.8.0_131] > > at sun.security.ssl.SSLEngineImpl.unwrap( > SSLEngineImpl.java:781)[:1.8.0_131] > > at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)[:1.8.0_131] > > at io.netty.handler.ssl.SslHandler$SslEngineType$2. > unwrap(SslHandler.java:223)[97:io.netty.handler:4.1.8.Final] > > at io.netty.handler.ssl.SslHandler.unwrap(SslHandler. > java:1117)[97:io.netty.handler:4.1.8.Final] > > at io.netty.handler.ssl.SslHandler.decode(SslHandler. > java:1039)[97:io.netty.handler:4.1.8.Final] > > at io.netty.handler.codec.ByteToMessageDecoder.callDecode( > ByteToMessageDecoder.java:411)[94:io.netty.codec:4.1.8.Final] > > ... 25 more > > Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common > > at sun.security.ssl.Alerts.getSSLException(Alerts.java: > 192)[:1.8.0_131] > > at sun.security.ssl.SSLEngineImpl.fatal( > SSLEngineImpl.java:1666)[:1.8.0_131] > > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)[: > 1.8.0_131] > > at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:292)[: > 1.8.0_131] > > at sun.security.ssl.ServerHandshaker.chooseCipherSuite( > ServerHandshaker.java:1045)[:1.8.0_131] > > at sun.security.ssl.ServerHandshaker.clientHello( > ServerHandshaker.java:741)[:1.8.0_131] > > at sun.security.ssl.ServerHandshaker.processMessage( > ServerHandshaker.java:224)[:1.8.0_131] > > at sun.security.ssl.Handshaker.processLoop(Handshaker.java: > 1026)[:1.8.0_131] > > at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)[:1.8. > 0_131] > > at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)[:1.8. > 0_131] > > at java.security.AccessController.doPrivileged(Native > Method)[:1.8.0_131] > > at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker. > java:1416)[:1.8.0_131] > > at io.netty.handler.ssl.SslHandler.runDelegatedTasks( > SslHandler.java:1256)[97:io.netty.handler:4.1.8.Final] > > at io.netty.handler.ssl.SslHandler.unwrap(SslHandler. > java:1169)[97:io.netty.handler:4.1.8.Final] > > ... 27 more > > > > > > Any thoughts on this ? > > > > Thanks, > > Vamsi > > > > > > *From:* A Vamsikrishna > *Sent:* Thursday, December 14, 2017 7:17 PM > *To:* '[email protected]' < > [email protected]> > > > *Subject:* [Openflow] TLS cipher suite cannot support exception > > > > Hi All, > > > > I am working on OFJ to allow users to configure cipher-suites to use with > > SSLEngine. (https://git.opendaylight.org/gerrit/#/c/34942/). > > > > I am trying to test it by configuring the cipher suites supported by > > SunProvider 1.8, for e.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. ( > > http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html > > ). > > However, I see an IllegalArgumentException exception indicating that the > > cipher suite is not supported. > > > > Can you please help me with this issue ? > > > > > > Here is the stacktrace --> > > > > > > 2016-02-23 12:16:34,802 | WARN | entLoopGroup-9-2 | TcpChannelInitializer > > | 262 - org.opendaylight.openflowjava.openflow-protocol-impl - > > 0.8.0.SNAPSHOT | Failed to initialize channel > > java.lang.IllegalArgumentException: Cannot support > > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 with currently installed providers > > at > > sun.security.ssl.CipherSuiteList.<init>(CipherSuiteList.java:92)[:1.8.0_60] > > at > > sun.security.ssl.SSLEngineImpl.setEnabledCipherSuites(SSLEngineImpl.java:2038)[:1.8.0_60] > > at > > org.opendaylight.openflowjava.protocol.impl.core.TcpChannelInitializer.initChannel(TcpChannelInitializer.java:91)[262:org.opendaylight.openflowjava.openflow-protocol-impl:0.8.0.SNAPSHOT] > > at > > org.opendaylight.openflowjava.protocol.impl.core.TcpChannelInitializer.initChannel(TcpChannelInitializer.java:32)[262:org.opendaylight.openflowjava.openflow-protocol-impl:0.8.0.SNAPSHOT] > > at > > io.netty.channel.ChannelInitializer.channelRegistered(ChannelInitializer.java:68)[125:io.netty.transport:4.0.33.Final] > > at > > io.netty.channel.AbstractChannelHandlerContext.invokeChannelRegistered(AbstractChannelHandlerContext.java:143)[125:io.netty.transport:4.0.33.Final] > > at > > io.netty.channel.AbstractChannelHandlerContext.fireChannelRegistered(AbstractChannelHandlerContext.java:129)[125:io.netty.transport:4.0.33.Final] > > at > > io.netty.channel.DefaultChannelPipeline.fireChannelRegistered(DefaultChannelPipeline.java:733)[125:io.netty.transport:4.0.33.Final] > > at > > io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:450)[125:io.netty.transport:4.0.33.Final] > > at > > io.netty.channel.AbstractChannel$AbstractUnsafe.access$100(AbstractChannel.java:378)[125:io.netty.transport:4.0.33.Final] > > at > > io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:424)[125:io.netty.transport:4.0.33.Final] > > at > > io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:329)[124:io.netty.common:4.0.33.Final] > > at > > io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:350)[125:io.netty.transport:4.0.33.Final] > > at > > io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:112)[124:io.netty.common:4.0.33.Final] > > at > > io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)[124:io.netty.common:4.0.33.Final] > > at java.lang.Thread.run(Thread.java:745)[:1.8.0_60] > > > > I have tried to update the JCE policy files to include jars that provide > unlimited > > cryptographic strength: > > http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html > > > > But it did not work out even after my ODL restart (System:shutdown) > > > > Any thoughts ? > > > > > > > > Thanks, > > Vamsi > > > > > _______________________________________________ > openflowplugin-dev mailing list > [email protected] > https://lists.opendaylight.org/mailman/listinfo/openflowplugin-dev > > > > _______________________________________________ > openflowplugin-dev mailing list > [email protected] > https://lists.opendaylight.org/mailman/listinfo/openflowplugin-dev > >
_______________________________________________ openflowplugin-dev mailing list [email protected] https://lists.opendaylight.org/mailman/listinfo/openflowplugin-dev
