Problem with SSL certificate TLS_RSA_WITH_AES_128_CBC_SHA

2018-03-14 Thread Aaron Dietz
Hi there,

I'm currently trying to fix a problem in a dropwizard project.
The project runs on a CentOS server and serves as a test log viewer.
With an old version of the project everything is fine (compiled with 0.9.2),
but with a new version (compiled with 1.1.2) I get
SSL_ERROR_NO_CYPHER_OVERLAP
if I try to get data from the server backend (front end httpd server
delivers the SSL certificate just fine).

My certificate is issued with
TLS_RSA_WITH_AES_128_CBC_SHA (not officially enabled in jetty).
In the configuration yaml this cipher is explicitly allowed.
Part of the config yaml:

server:
  ...
  applicationConnectors:
    ...
    supportedCipherSuites: [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
      TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256,
      TLS_RSA_WITH_AES_256_CBC_SHA]
  ...


On another server that has a certificate with TLS_RSA_WITH_AES_128_GCM_SHA
(officially enabled in jetty)
the old and the new version of the project are working fine.

Has anybody seen something like that before?
Could this be a bug?

Thanks in advance.

Greetings from Germany,

Aaron Dietz

-- 
You received this message because you are subscribed to the Google Groups 
"dropwizard-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dropwizard-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: Problem with SSL certificate TLS_RSA_WITH_AES_128_CBC_SHA

2018-03-15 Thread Aaron Dietz
I ran an analysis with sslyze.
I explicitly allowed

  supportedProtocols: [TLSv1, TLSv1.1, TLSv1.2]
  supportedCipherSuites: [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
    TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256,
    TLS_RSA_WITH_AES_256_CBC_SHA]

in the config yaml.
It seems like the config is simply ignored.

Results:

SCAN RESULTS FOR *OLD_VERSION*:8443
-----------------------------------

* TLSV1_2 Cipher Suites:
    Forward Secrecy    OK - Supported
    RC4                OK - Not Supported

  Preferred:
    None - Server followed client cipher suite preference.
  Accepted:
    TLS_RSA_WITH_AES_128_CBC_SHA            -              128 bits
    TLS_RSA_WITH_AES_128_CBC_SHA256         -              128 bits
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH-256 bits  128 bits
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      ECDH-256 bits  128 bits

* TLSV1_1 Cipher Suites:
    Forward Secrecy    OK - Supported
    RC4                OK - Not Supported

  Preferred:
    None - Server followed client cipher suite preference.
  Accepted:
    TLS_RSA_WITH_AES_128_CBC_SHA            -              128 bits
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      ECDH-256 bits  128 bits

* TLSV1 Cipher Suites:
    Forward Secrecy    OK - Supported
    RC4                OK - Not Supported

  Preferred:
    None - Server followed client cipher suite preference.
  Accepted:
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA      ECDH-256 bits  128 bits
    TLS_RSA_WITH_AES_128_CBC_SHA            -              128 bits


SCAN RESULTS FOR *NEW_VERSION*:18443
------------------------------------

* TLSV1_1 Cipher Suites:
    Server rejected all cipher suites.

* TLSV1 Cipher Suites:
    Server rejected all cipher suites.

* TLSV1_2 Cipher Suites:
    Forward Secrecy    OK - Supported
    RC4                OK - Not Supported

  Preferred:
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH-256 bits  128 bits
  Accepted:
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH-256 bits  128 bits
    TLS_RSA_WITH_AES_128_CBC_SHA256         -              128 bits

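
Added example, not part of the original thread and not Dropwizard or sslyze code: a small Python check that compares the supportedCipherSuites list from the config with the suites an sslyze text report lists as accepted, per protocol, so the gap between what was configured and what the server actually negotiates is explicit. The function names and the sample report are constructed for illustration; the report follows the layout of the scan quoted above.

```python
# Cipher list copied from the config YAML quoted in the thread.
CONFIGURED = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
]

# Constructed sample in sslyze's text layout, holding the suites the thread
# reports for the new version (trimmed to two protocol sections).
SAMPLE_SCAN = """\
 * TLSV1_1 Cipher Suites:
      Server rejected all cipher suites.

 * TLSV1_2 Cipher Suites:
     Preferred:
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH-256 bits  128 bits
     Accepted:
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   ECDH-256 bits  128 bits
        TLS_RSA_WITH_AES_128_CBC_SHA256         -              128 bits
"""

def accepted_by_protocol(scan_text):
    """Return {protocol: set of suite names listed under 'Accepted:'}."""
    result, proto, in_accepted = {}, None, False
    for line in scan_text.splitlines():
        words = line.split()
        if len(words) >= 4 and words[0] == "*" and words[2:4] == ["Cipher", "Suites:"]:
            proto, in_accepted = words[1], False   # new protocol section
            result[proto] = set()
        elif len(words) == 1 and words[0].endswith(":"):
            in_accepted = words[0] == "Accepted:"   # Preferred:/Accepted: sub-header
        elif proto and in_accepted and words and words[0].startswith("TLS_"):
            result[proto].add(words[0])
    return result

def config_drift(configured, scan_text):
    """Per protocol, list configured suites the server did not accept and
    accepted suites that were never configured."""
    drift = {}
    for proto, accepted in accepted_by_protocol(scan_text).items():
        drift[proto] = {
            "configured_not_accepted": [s for s in configured if s not in accepted],
            "accepted_not_configured": sorted(accepted - set(configured)),
        }
    return drift

if __name__ == "__main__":
    for proto, d in config_drift(CONFIGURED, SAMPLE_SCAN).items():
        print(proto, d)
```

Running the same comparison against both the old and the new deployment after each dependency upgrade turns a silent change in negotiated suites into a visible diff.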