Ah I gotcha - So I went and installed https://s3.amazonaws.com/turbovnc-pr/master/linux/turbovnc-2.2.3.x86_64.rpm and I can see the ciphers fine from both sides. However I think the openssl and Java TLS implementations don't think ECDHE-ECDSA-AES256-GCM-SHA384 == TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384. I haven't done a lot of research into the ciphers so maybe there's a chance that they are different? Or maybe there's a typo in comparing them?

Here's the logs/config -

*Server:*

permitted-cipher-suites = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384

18/07/2019 11:10:14 Available cipher suites: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
18/07/2019 11:10:14 Deferring TLS handshake
18/07/2019 11:10:14 SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (336109761)
18/07/2019 11:10:14 Client 127.0.0.1 gone

Client

JAVA_TOOL_OPTIONS='-Dturbovnc.ciphersuites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'

SecurityTLS: Not using X.509 CRL
CSecurityTLS: Available cipher suites: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
com.turbovnc.rdr.SystemException: javax.net.ssl.SSLException: Received fatal alert: handshake_failure

Thanks again for the help

On Wednesday, July 17, 2019 at 7:31:28 PM UTC-4, DRC wrote:
>
> The latest commit in master reverses the TurboVNC Server's search order
> for OpenSSL DSOs, so it should now pull the DSO from the newest installed
> version of OpenSSL rather than the oldest. That means you shouldn't need
> to move OpenSSL 0.9.8e out of the way anymore.
>
> As far as why Java isn't picking up the newer algorithms, that appears to
> be because you are using the 3.0 alpha build of the TurboVNC Viewer.
> Please use the 2.2.x stable build. The embedded JRE in 3.0 alpha isn't
> providing those ciphers for some reason, and I need to look into why (it
> may simply be that I didn't include the necessary module when building the
> JRE), but I just tested the 2.2.x build (with OpenJDK 1.8.0), and it works
> fine.
>
> On 7/17/19 3:56 PM, Andy wrote:
>
> Hey so you were right.
>
> Apparently I had a ilbssl.so.0.9.8e.so floating around.
>
> So I moved all of the stuff relating to that out of the directory and now
> I get the ECDHE ciphers that I was looking for on the server side.
>
> Do you know how I would go about adding them to JAVA and the client side?
> From the vncviewer script the only ciphers I have available are:
>
> CSecurityTLS: Available cipher suites: TLS_AES_128_GCM_SHA256,
> TLS_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
> TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256,
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
> TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_256_GCM_SHA384,
> TLS_DH_anon_WITH_AES_128_GCM_SHA256, TLS_DH_anon_WITH_AES_256_CBC_SHA256,
> TLS_DH_anon_WITH_AES_256_CBC_SHA, TLS_DH_anon_WITH_AES_128_CBC_SHA256,
> TLS_DH_anon_WITH_AES_128_CBC_SHA
>
> - It's missing the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher that I'm
> looking for
>
> Thanks again for the help!
>
> On Wednesday, July 17, 2019 at 5:20:47 AM UTC-4, Andy wrote:
>>
>> Hey sorry, yeah let me do some digging when I get back to my dev box and
>> I'll let you know. Thanks again for all the help!
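
An added example, not part of the thread or of TurboVNC's code: OpenSSL and Java (IANA) cipher-suite names follow a fixed pattern, so the server's `permitted-cipher-suites` string and the viewer's `turbovnc.ciphersuites` string can be compared mechanically. The function names are hypothetical, and the translation covers only the AES GCM/CBC suite families that appear in this thread.

```python
import re

# OpenSSL key-exchange/authentication prefix -> IANA (Java/JSSE) token.
KX = {"ECDHE-ECDSA": "ECDHE_ECDSA", "ECDHE-RSA": "ECDHE_RSA",
      "DHE-RSA": "DHE_RSA", "DHE-DSS": "DHE_DSS", "ADH": "DH_anon"}

# Covers only the AES GCM/CBC suites seen in this thread (example assumption).
OPENSSL_AES = re.compile(
    r"^(?:(?P<kx>ECDHE-ECDSA|ECDHE-RSA|DHE-RSA|DHE-DSS|ADH)-)?"
    r"AES(?P<bits>128|256)-(?:(?P<gcm>GCM)-)?(?P<mac>SHA(?:256|384)?)$")


def openssl_to_iana(name):
    """Translate one OpenSSL cipher-suite name to its IANA/Java name."""
    if name.startswith("TLS_"):          # TLS 1.3 suites share one name
        return name
    m = OPENSSL_AES.match(name)
    if m is None:
        raise ValueError(f"unsupported OpenSSL suite name: {name}")
    kx = KX.get(m["kx"], "RSA")          # OpenSSL omits the prefix for RSA key exchange
    mode = "GCM" if m["gcm"] else "CBC"  # OpenSSL leaves CBC implicit
    return f"TLS_{kx}_WITH_AES_{m['bits']}_{mode}_{m['mac']}"


def shared_suites(server_openssl, client_java):
    """Suites present in both lists, in server order, as IANA names."""
    client = {s.strip() for s in client_java.split(",") if s.strip()}
    server = [openssl_to_iana(s) for s in server_openssl.split(":") if s]
    return [s for s in server if s in client]


# Server and client settings copied from the top message of the thread.
SERVER = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384"
CLIENT_CONFIGURED = ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
                     "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384")
# First entries of the viewer list quoted in the earlier message (truncated).
CLIENT_EARLIER = ("TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, "
                  "TLS_RSA_WITH_AES_256_GCM_SHA384, "
                  "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384")

if __name__ == "__main__":
    print("configured viewer:", shared_suites(SERVER, CLIENT_CONFIGURED))
    print("earlier viewer:   ", shared_suites(SERVER, CLIENT_EARLIER))
```

Both configured names translate to the same suites on each side, while the earlier viewer list has no overlap with the server's list.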
