EC ciphers should now work in the 3.0 alpha build as well, once Travis finishes spinning it. As suspected, the custom embedded JRE was missing the necessary modules to implement those ciphers.
DRC

On 7/18/19 1:41 PM, Andy wrote:
> Oh whoops, I'm silly. That was it. Generated some EC certs with openssl
> and now it works!
>
> Thanks so much!
>
> On Thursday, July 18, 2019 at 12:44:14 PM UTC-4, DRC wrote:
>
> > It works fine for me. Are you sure your certificate is ECDSA?
> > gencert.san.ec from
> > https://gist.github.com/dcommander/fc608434735026dd8215
> > shows how to generate one (at least, as far as I can determine. I'm not an
> > expert on this stuff.) The error you're still getting would occur if,
> > for instance, your certificate is RSA but you're trying to use it with
> > an ECDSA cipher.
> >
> > On 7/18/19 10:23 AM, Andy wrote:
> > > Ah I gotcha - So I went and installed
> > > https://s3.amazonaws.com/turbovnc-pr/master/linux/turbovnc-2.2.3.x86_64.rpm
> > > and I can see the ciphers fine from both sides.
> > > However I think the openssl and Java TLS implementations don't think
> > > ECDHE-ECDSA-AES256-GCM-SHA384 == TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
> > > I haven't done a lot of research into the ciphers so maybe there's a
> > > chance that they are different? Or maybe there's a typo in comparing them?
> > >
> > > Here's the logs /config -
> > > *Server :*
> > >
> > > permitted-cipher-suites = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
> > >
> > > 18/07/2019 11:10:14 Available cipher suites: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
> > > 18/07/2019 11:10:14 Deferring TLS handshake
> > > 18/07/2019 11:10:14 SSL_accept() failed: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher (336109761)
> > > 18/07/2019 11:10:14 Client 127.0.0.1 gone
> > >
> > > Client
> > >
> > > JAVA_TOOL_OPTIONS='-Dturbovnc.ciphersuites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384'
> > >
> > > SecurityTLS: Not using X.509 CRL
> > > CSecurityTLS: Available cipher suites: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> > > com.turbovnc.rdr.SystemException: javax.net.ssl.SSLException: Received fatal alert: handshake_failure
> > >
> > > Thanks again for the help
> > >
> > > On Wednesday, July 17, 2019 at 7:31:28 PM UTC-4, DRC wrote:
> > >
> > > > The latest commit in master reverses the TurboVNC Server's search
> > > > order for OpenSSL DSOs, so it should now pull the DSO from the
> > > > newest installed version of OpenSSL rather than the oldest. That
> > > > means you shouldn't need to move OpenSSL 0.9.8e out of the way anymore.
> > > >
> > > > As far as why Java isn't picking up the newer algorithms, that
> > > > appears to be because you are using the 3.0 alpha build of the
> > > > TurboVNC Viewer. Please use the 2.2.x stable build. The embedded
> > > > JRE in 3.0 alpha isn't providing those ciphers for some reason, and
> > > > I need to look into why (it may simply be that I didn't include the
> > > > necessary module when building the JRE), but I just tested the 2.2.x
> > > > build (with OpenJDK 1.8.0), and it works fine.
> > > >
> > > > On 7/17/19 3:56 PM, Andy wrote:
> > > > > Hey so you were right.
> > > > >
> > > > > Apparently I had a ilbssl.so.0.9.8e.so floating around.
> > > > >
> > > > > So I moved all of the stuff relating to that out of the directory
> > > > > and now I get the ECDHE ciphers that I was looking for on the
> > > > > server side.
> > > > >
> > > > > Do you know how I would go about adding them to JAVA and the
> > > > > client side?
> > > > > From the vncviewer script the only ciphers I have available are :
> > > > >
> > > > > CSecurityTLS: Available cipher suites: TLS_AES_128_GCM_SHA256,
> > > > > TLS_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384,
> > > > > TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
> > > > > TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,
> > > > > TLS_RSA_WITH_AES_128_GCM_SHA256,
> > > > > TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
> > > > > TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
> > > > > TLS_RSA_WITH_AES_256_CBC_SHA256,
> > > > > TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
> > > > > TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,
> > > > > TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
> > > > > TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,
> > > > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
> > > > > TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA,
> > > > > TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
> > > > > TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
> > > > > TLS_DH_anon_WITH_AES_256_GCM_SHA384,
> > > > > TLS_DH_anon_WITH_AES_128_GCM_SHA256,
> > > > > TLS_DH_anon_WITH_AES_256_CBC_SHA256,
> > > > > TLS_DH_anon_WITH_AES_256_CBC_SHA,
> > > > > TLS_DH_anon_WITH_AES_128_CBC_SHA256, TLS_DH_anon_WITH_AES_128_CBC_SHA
> > > > >
> > > > > - It's missing the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher
> > > > > that I'm looking for
> > > > >
> > > > > Thanks again for the help!
> > > > >
> > > > > On Wednesday, July 17, 2019 at 5:20:47 AM UTC-4, Andy wrote:
> > > > >
> > > > > > Hey sorry, yeah let me do some digging when I get back to my
> > > > > > dev box and I'll let you know. Thanks again for all the help!
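
An added example, not part of the thread or of TurboVNC's code: it checks the two things the thread had to rule out, whether the server's OpenSSL suite names and the viewer's Java (IANA) names denote the same suites, and whether the server certificate's key type can authenticate any of them. The name translation covers only AES suites of the forms quoted in the thread, and the function names are assumptions.

```python
import re

# OpenSSL spelling of TLS <= 1.2 AES suites: [KX-AUTH-]AES<bits>[-GCM]-<MAC>.
# Assumption: only these forms are handled (no TLS 1.3, anon, or non-AES suites).
SUITE_RE = re.compile(
    r"^(?:(ECDHE|DHE)-(ECDSA|RSA|DSS)-)?AES(128|256)(-GCM)?-(SHA(?:256|384)?)$")

def openssl_to_iana(name):
    """Translate an OpenSSL suite name to the IANA name that Java uses."""
    m = SUITE_RE.match(name)
    if not m:
        raise ValueError("unsupported suite name: " + name)
    kx, auth, bits, gcm, mac = m.groups()
    prefix = "TLS_%s_%s" % (kx, auth) if kx else "TLS_RSA"  # no prefix = RSA key exchange
    mode = "GCM" if gcm else "CBC"  # OpenSSL leaves CBC implicit
    return "%s_WITH_AES_%s_%s_%s" % (prefix, bits, mode, mac)

def required_cert_key(iana):
    """Key type the server certificate needs for this suite's authentication."""
    auth = iana.split("_WITH_")[0].split("_")[-1]  # TLS_ECDHE_ECDSA -> ECDSA
    return {"ECDSA": "EC", "RSA": "RSA", "DSS": "DSA"}[auth]

def diagnose(server_openssl, client_iana, cert_key):
    """Return (usable suites, reason) for the two lists and the cert key type."""
    server = [openssl_to_iana(s) for s in server_openssl.split(":")]
    client = [c.strip() for c in client_iana.split(",")]
    common = [s for s in server if s in client]
    if not common:
        return [], "no suite names in common"
    usable = [s for s in common if required_cert_key(s) == cert_key]
    if not usable:
        return [], "names match, but a %s certificate cannot authenticate them" % cert_key
    return usable, "ok"

# Values copied from the server config and JAVA_TOOL_OPTIONS quoted in the thread.
SERVER = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384"
CLIENT = ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
          "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384")

if __name__ == "__main__":
    for key in ("RSA", "EC"):  # certificate key types to try (constructed input)
        print(key, diagnose(SERVER, CLIENT, key))
```

With an RSA certificate the server has no suite it can select, which OpenSSL reports as `no shared cipher`, the error in the server log quoted in the thread.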
