Hi Mathieu,

Perhaps it will help if you could enable SSL debugging (either in your browser or in OFBiz (-Djavax.net.debug=ssl)) and provide details of how the SSL handshake happened. Specifically, it would be interesting to see what all protocols your browser presented to OFBiz.

It looks like the two could not agree on the cipher suites to use for encryption, unless your browser only supports SSL 2.0, which is outdated, or TLS 1.3, which is fairly new. I may be saying the obvious here, but it will help if you can turn on SSL debugging and provide details of the SSL handshake. It will help to see what the ClientHello message looked like when the browser initiated communication with OFBiz.

For example, here are the details of the connection to localhost OFBiz on my machine:

Cipher Suite used - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Protocol used - TLS 1.2

What I think happened is that both client and server agreed on the SSL version but the server does not support any of the cipher suites the browser supports.

Please launch the OFBiz JVM with javax.net.debug=ssl and that should help.

Thanks and Regards,
Girish

On Mon, Mar 4, 2019 at 3:54 AM Jacques Le Roux <[email protected]> wrote:

> Hi Mathieu,
>
> Hold on, I think I can help you but not before tomorrow evening
>
> Hopefully someone will beat me on it...
>
> Jacques
>
> On 03/03/2019 at 19:00, Mathieu Lirzin wrote:
> > Hello,
> >
> > I am facing a rather annoying issue when using OFBiz trunk on localhost
> > which prevents me from using my preferred Web browsers.
> >
> > The issue is that some of the browsers I use or more precisely the
> > library used by those browsers to do the TLS handshake seems to not
> > accept the default certificate provided by OFBiz. Here is the specific
> > error I get on Chromium:
> >
> > --8<---------------cut here---------------start------------->8---
> > This site can’t provide a secure connection localhost uses an unsupported protocol.
> > ERR_SSL_VERSION_OR_CIPHER_MISMATCH
> > Unsupported protocol
> > The client and server don't support a common SSL protocol version or cipher suite.
> > --8<---------------cut here---------------end--------------->8---
> >
> > Which is similar to what I have on GNU Icecat (→ Firefox)
> >
> > --8<---------------cut here---------------start------------->8---
> > Secure Connection Failed
> >
> > An error occurred during a connection to localhost:8443. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
> >
> > The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
> > Please contact the website owners to inform them of this problem.
> > --8<---------------cut here---------------end--------------->8---
> >
> > I am using a rather exotic GNU/Linux distribution which is GuixSD so it
> > might be difficult for any of you to reproduce the issue. However my
> > guess is that the format of the OFBiz certificate is considered outdated
> > on my machine. As a consequence I would like to try to upgrade that
> > certificate to a more recent format version. Unfortunately I don't know
> > much about SSL/TLS and in particular I don't know what is the proper way
> > to regenerate the OFBiz certificate.
> >
> > The README in “framework/base/config/” mentions the details of that
> > certificate but does not mention the command which has been used to
> > generate it. Does anyone know how I could achieve the regeneration of
> > that certificate?
> >
> > Thanks.
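
The ClientHello inspection discussed in this thread, as an added example that is not part of the original messages or of OFBiz: it parses a raw ClientHello record, lists the protocol versions and cipher suites the client offers, and intersects them with a server's enabled suites. The function names, the sample bytes and the `SERVER` list are constructed for illustration.

```python
import struct

# Subset of IANA cipher-suite code points, enough for the constructed samples.
SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
}

def parse_client_hello(rec: bytes) -> dict:
    """Return the versions and cipher suites offered in one ClientHello record."""
    rtype, _, rlen = struct.unpack_from("!BHH", rec, 0)
    end = 5 + rlen
    if rtype != 0x16 or rlen < 4 or len(rec) < end or rec[5] != 0x01:
        raise ValueError("not a complete TLS ClientHello record")
    pos = 9                                    # record header (5) + handshake header (4)
    versions = [struct.unpack_from("!H", rec, pos)[0]]  # legacy_version as fallback
    pos += 2 + 32                              # legacy_version + random
    pos += 1 + rec[pos]                        # session_id
    (n,) = struct.unpack_from("!H", rec, pos)
    suites = list(struct.unpack_from("!%dH" % (n // 2), rec, pos + 2))
    pos += 2 + n
    pos += 1 + rec[pos] + 2                    # compression_methods + extensions length
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", rec, pos)
        if etype == 43:                        # supported_versions (sent by TLS 1.3 clients)
            versions = list(struct.unpack_from("!%dH" % (rec[pos + 4] // 2), rec, pos + 5))
        pos += 4 + elen
    return {"versions": versions, "suites": [SUITES.get(s, hex(s)) for s in suites]}

def common_suites(hello: dict, server_enabled: set) -> list:
    """Suites both peers support, in client order; empty means no cipher overlap."""
    return [s for s in hello["suites"] if s in server_enabled]

def sample_hello(suites: list, versions: list) -> bytes:
    """Constructed ClientHello (zeroed random, one extension) for the demo."""
    ext = struct.pack("!HHB%dH" % len(versions), 43, 1 + 2 * len(versions), 2 * len(versions), *versions)
    body = b"\x03\x03" + bytes(32) + b"\x00"   # legacy_version, random, empty session_id
    body += struct.pack("!H%dH" % len(suites), 2 * len(suites), *suites) + b"\x01\x00"
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Hypothetical server configuration for the demo, not OFBiz's actual list.
SERVER = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"}
if __name__ == "__main__":
    for offered in ([0x1301, 0xC02B], [0x1301, 0xC02F]):
        hello = parse_client_hello(sample_hello(offered, [0x0304, 0x0303]))
        print(hello["versions"], common_suites(hello, SERVER) or "no common cipher suite")
```

The record bytes can come from a packet capture of the failing connection; an empty result from `common_suites` corresponds to the browsers' "no common encryption algorithm(s)" error.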
