Oh whoops I'm silly. That was it. Generated some EC certs with openssl and now it works!
Thanks so much!

On Thursday, July 18, 2019 at 12:44:14 PM UTC-4, DRC wrote:
> It works fine for me. Are you sure your certificate is ECDSA?
> gencert.san.ec from
> https://gist.github.com/dcommander/fc608434735026dd8215
> shows how to generate one (at least, as far as I can determine. I'm not an
> expert on this stuff.) The error you're still getting would occur if,
> for instance, your certificate is RSA but you're trying to use it with
> an ECDSA cipher.
>
> On 7/18/19 10:23 AM, Andy wrote:
> > Ah I gotcha - So I went and installed
> > https://s3.amazonaws.com/turbovnc-pr/master/linux/turbovnc-2.2.3.x86_64.rpm
> > and I can see the ciphers fine from both sides.
> >
> > However I think the openssl and Java TLS implementations don't think
> > ECDHE-ECDSA-AES256-GCM-SHA384 == TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
> > I haven't done a lot of research into the ciphers so maybe there's a
> > chance that they are different? Or maybe there's a typo in comparing them?
> >
> > Here's the logs / config -
> >
> > *Server:*
> >
> > permitted-cipher-suites = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
> >
> > 18/07/2019 11:10:14 Available cipher suites: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
> > 18/07/2019 11:10:14 Deferring TLS handshake
> > 18/07/2019 11:10:14 SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (336109761)
> > 18/07/2019 11:10:14 Client 127.0.0.1 gone
> >
> > Client
> >
> > JAVA_TOOL_OPTIONS='-Dturbovnc.ciphersuites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'
> >
> > SecurityTLS: Not using X.509 CRL
> > CSecurityTLS: Available cipher suites: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> > com.turbovnc.rdr.SystemException: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
> >
> > Thanks again for the help
> >
> > On Wednesday, July 17, 2019 at 7:31:28 PM UTC-4, DRC wrote:
> >
> >     The latest commit in master reverses the TurboVNC Server's search
> >     order for OpenSSL DSOs, so it should now pull the DSO from the
> >     newest installed version of OpenSSL rather than the oldest. That
> >     means you shouldn't need to move OpenSSL 0.9.8e out of the way anymore.
> >
> >     As far as why Java isn't picking up the newer algorithms, that
> >     appears to be because you are using the 3.0 alpha build of the
> >     TurboVNC Viewer. Please use the 2.2.x stable build. The embedded
> >     JRE in 3.0 alpha isn't providing those ciphers for some reason, and
> >     I need to look into why (it may simply be that I didn't include the
> >     necessary module when building the JRE), but I just tested the 2.2.x
> >     build (with OpenJDK 1.8.0), and it works fine.
> >
> >     On 7/17/19 3:56 PM, Andy wrote:
> >> Hey so you were right.
> >>
> >> Apparently I had a ilbssl.so.0.9.8e.so floating around.
> >>
> >> So I moved all of the stuff relating to that out of the directory
> >> and now I get the ECDHE ciphers that I was looking for on the
> >> server side.
> >>
> >> Do you know how I would go about adding them to JAVA and the
> >> client side?
> >> From the vncviewer script the only ciphers I have available are:
> >>
> >> CSecurityTLS: Available cipher suites: TLS_AES_128_GCM_SHA256,
> >> TLS_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
> >> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> >> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
> >> TLS_RSA_WITH_AES_128_GCM_SHA256,
> >> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> >> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
> >> TLS_RSA_WITH_AES_256_CBC_SHA256,
> >> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
> >> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
> >> TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> >> TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
> >> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
> >> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
> >> TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> >> TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> >> TLS_DH_anon_WITH_AES_256_GCM_SHA384,
> >> TLS_DH_anon_WITH_AES_128_GCM_SHA256,
> >> TLS_DH_anon_WITH_AES_256_CBC_SHA256,
> >> TLS_DH_anon_WITH_AES_256_CBC_SHA,
> >> TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA
> >>
> >> - It's missing the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher
> >> that I'm looking for
> >>
> >> Thanks again for the help!
> >>
> >> On Wednesday, July 17, 2019 at 5:20:47 AM UTC-4, Andy wrote:
> >>
> >>     Hey sorry, yeah let me do some digging when I get back to my
> >>     dev box and I'll let you know. Thanks again for all the help!
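
Added example (not part of the thread and not TurboVNC code): the Python below translates the server's OpenSSL-style suite names into the IANA/Java names the viewer uses, intersects the two lists from the configs quoted above, and then filters by the certificate's key type, which is the step that produced "no shared cipher". The converter covers only (EC)DHE AES suite names of the kind quoted in the thread; the function names and the `cert_key_type` argument are assumptions of this example.

```python
import re

# Authentication token in a suite name -> certificate key type it requires.
AUTH_TO_KEY = {"ECDSA": "EC", "RSA": "RSA", "DSS": "DSA"}

# OpenSSL naming for (EC)DHE AES suites: KX-AUTH-AES<bits>-[GCM-]<MAC/PRF hash>
_OPENSSL_RE = re.compile(
    r"^(ECDHE|DHE)-(ECDSA|RSA|DSS)-AES(128|256)-(GCM-)?(SHA(?:256|384)?)$")

# Values copied from the server and client configs quoted in the thread.
SERVER_SUITES = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384"
CLIENT_SUITES = ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
                 "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384")


def openssl_to_iana(name):
    """Translate an OpenSSL (EC)DHE AES suite name to its IANA/Java name."""
    m = _OPENSSL_RE.match(name)
    if not m:
        raise ValueError("unsupported suite name: " + name)
    kx, auth, bits, gcm, mac = m.groups()
    mode = "GCM" if gcm else "CBC"  # OpenSSL leaves "CBC" out of the name
    return "TLS_%s_%s_WITH_AES_%s_%s_%s" % (kx, auth, bits, mode, mac)


def required_key_type(iana_name):
    """Key type the server certificate must have for this suite."""
    auth = iana_name.split("_WITH_")[0].split("_")[-1]
    return AUTH_TO_KEY[auth]


def diagnose(server_suites, client_suites, cert_key_type):
    """Return (suites both sides name, suites the certificate can serve)."""
    server = [openssl_to_iana(s) for s in server_suites.split(":")]
    client = [c.strip() for c in client_suites.split(",")]
    shared = [s for s in server if s in client]
    usable = [s for s in shared if required_key_type(s) == cert_key_type]
    return shared, usable


if __name__ == "__main__":
    for key_type in ("RSA", "EC"):
        shared, usable = diagnose(SERVER_SUITES, CLIENT_SUITES, key_type)
        print("%s certificate: %d shared by name, %d usable"
              % (key_type, len(shared), len(usable)))
```

With an RSA certificate both suites match by name but none is usable, so the handshake fails even though the two lists agree; with an EC certificate both are usable.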
