It works fine for me. Are you sure your certificate is ECDSA? gencert.san.ec from https://gist.github.com/dcommander/fc608434735026dd8215 shows how to generate one (at least, as far as I can determine. I'm not an expert on this stuff.) The error you're still getting would occur if, for instance, your certificate is RSA but you're trying to use it with an ECDSA cipher.

On 7/18/19 10:23 AM, Andy wrote:
> Ah I gotcha - So I went and installed
> https://s3.amazonaws.com/turbovnc-pr/master/linux/turbovnc-2.2.3.x86_64.rpm
> and I can see the ciphers fine from both sides.
> However I think the openssl and Java TLS implementations don't think
> ECDHE-ECDSA-AES256-GCM-SHA384 == TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
> I haven't done a lot of research into the ciphers so maybe there's a
> chance that they are different? Or maybe there's a typo in comparing them?
>
> Here are the logs/config -
> *Server :*
>
> permitted-cipher-suites = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
>
> 18/07/2019 11:10:14 Available cipher suites: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
> 18/07/2019 11:10:14 Deferring TLS handshake
> 18/07/2019 11:10:14 SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (336109761)
> 18/07/2019 11:10:14 Client 127.0.0.1 gone
>
> Client
>
> JAVA_TOOL_OPTIONS='-Dturbovnc.ciphersuites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'
>
> SecurityTLS: Not using X.509 CRL
> CSecurityTLS: Available cipher suites: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> com.turbovnc.rdr.SystemException: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
>
> Thanks again for the help
>
> On Wednesday, July 17, 2019 at 7:31:28 PM UTC-4, DRC wrote:
>
>     The latest commit in master reverses the TurboVNC Server's search
>     order for OpenSSL DSOs, so it should now pull the DSO from the
>     newest installed version of OpenSSL rather than the oldest. That
>     means you shouldn't need to move OpenSSL 0.9.8e out of the way anymore.
>
>     As far as why Java isn't picking up the newer algorithms, that
>     appears to be because you are using the 3.0 alpha build of the
>     TurboVNC Viewer. Please use the 2.2.x stable build. The embedded
>     JRE in 3.0 alpha isn't providing those ciphers for some reason, and
>     I need to look into why (it may simply be that I didn't include the
>     necessary module when building the JRE), but I just tested the 2.2.x
>     build (with OpenJDK 1.8.0), and it works fine.
>
>     On 7/17/19 3:56 PM, Andy wrote:
>>     Hey so you were right.
>>
>>     Apparently I had a ilbssl.so.0.9.8e.so floating around.
>>
>>     So I moved all of the stuff relating to that out of the directory
>>     and now I get the ECDHE ciphers that I was looking for on the
>>     server side.
>>
>>     Do you know how I would go about adding them to JAVA and the
>>     client side?
>>     From the vncviewer script the only ciphers I have available are:
>>
>>     CSecurityTLS: Available cipher suites: TLS_AES_128_GCM_SHA256,
>>     TLS_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
>>     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
>>     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
>>     TLS_RSA_WITH_AES_128_GCM_SHA256,
>>     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
>>     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
>>     TLS_RSA_WITH_AES_256_CBC_SHA256,
>>     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
>>     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
>>     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
>>     TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
>>     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
>>     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
>>     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
>>     TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
>>     TLS_DH_anon_WITH_AES_256_GCM_SHA384,
>>     TLS_DH_anon_WITH_AES_128_GCM_SHA256,
>>     TLS_DH_anon_WITH_AES_256_CBC_SHA256,
>>     TLS_DH_anon_WITH_AES_256_CBC_SHA,
>>     TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA
>>
>>     - It's missing the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher
>>     that I'm looking for
>>
>>     Thanks again for the help!
>>
>>     On Wednesday, July 17, 2019 at 5:20:47 AM UTC-4, Andy wrote:
>>
>>         Hey sorry, yeah let me do some digging when I get back to my
>>         dev box and I'll let you know. Thanks again for all the help!
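
An added sketch (not part of the thread, and not TurboVNC or OpenSSL code) of the diagnosis in the top reply: the OpenSSL and Java names denote the same suites, yet a TLS 1.2 handshake still ends in "no shared cipher" when the server certificate's key type does not match the suite's authentication algorithm. The table, the function names and the simplified selection model are assumptions; the cipher strings are the ones posted in the thread.

```python
# Added example; table and helper names are illustrative assumptions.
# OpenSSL name -> (IANA/Java name, certificate key type the suite requires)
SUITES = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "ECDSA"),
    "ECDHE-ECDSA-AES256-SHA384": ("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "ECDSA"),
    "ECDHE-RSA-AES256-GCM-SHA384": ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    "DHE-RSA-AES256-GCM-SHA384": ("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
    "AES256-GCM-SHA384": ("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA"),
}


def parse_server(spec):
    """Split an OpenSSL colon-separated cipher string."""
    return [s for s in spec.strip().split(":") if s]


def parse_client(spec):
    """Split a comma-separated list of IANA names (turbovnc.ciphersuites style)."""
    return [s.strip() for s in spec.split(",") if s.strip()]


def diagnose(server_spec, client_spec, cert_key_type):
    """Return (selected IANA suite or None, reasons each rejected suite was skipped)."""
    client = set(parse_client(client_spec))
    reasons = []
    for name in parse_server(server_spec):  # walk in server preference order
        if name not in SUITES:
            reasons.append(f"{name}: not in the example table")
            continue
        iana, needs = SUITES[name]
        if iana not in client:
            reasons.append(f"{name}: client does not offer {iana}")
        elif needs != cert_key_type:
            reasons.append(f"{name}: needs an {needs} certificate, server has {cert_key_type}")
        else:
            return iana, reasons
    return None, reasons


# Cipher strings as posted in the thread (server config and client option).
SERVER = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384"
CLIENT = ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
          "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384")

if __name__ == "__main__":
    for key_type in ("RSA", "ECDSA"):
        chosen, why = diagnose(SERVER, CLIENT, key_type)
        print(key_type, "->", chosen or "no shared cipher", why)
```

On a real server, the certificate's key type can be read from the "Public Key Algorithm" line of `openssl x509 -in cert.pem -noout -text`, and `openssl ciphers -stdname` (OpenSSL 1.1.1 and later) prints the IANA name beside each OpenSSL name.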
