Hi Mathieu,
Did Girish's answer help? (thanks Girish)
Jacques
On 04/03/2019 at 08:09, Girish Vasmatkar wrote:
Hi Mathieu
Perhaps it will help if you could enable SSL debugging (either in your
browser or in OFBiz (-Djavax.net.debug=ssl)) and provide details how the
SSL handshake happened. Specifically, it would be interesting to see what
all protocols your browser presented to OFBiz.
It looks like the two could not agree on the cipher suites to use for
encryption, unless your browser only supports SSL 2.0, which is outdated, or TLS
1.3, which is fairly new. I may be stating the obvious here, but it will help if
you can turn on SSL debugging and provide details of the SSL handshake. It
will help to see what the ClientHello message looked like when the browser initiated
communication with OFBiz. For example, here are the details of the connection
to localhost OFBiz on my machine -
Cipher Suite used - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Protocol used - TLS 1.2.
What I think happened is that both client and server agreed on the SSL version
but the server does not support any of the cipher suites the browser
supports. Please launch the OFBiz JVM with javax.net.debug=ssl and that should
help.
Thanks and Regards,
Girish
On Mon, Mar 4, 2019 at 3:54 AM Jacques Le Roux <[email protected]>
wrote:
Hi Mathieu,
Hold on, I think I can help you but not before tomorrow evening
Hopefully someone will beat me on it...
Jacques
On 03/03/2019 at 19:00, Mathieu Lirzin wrote:
Hello,
I am facing a rather annoying issue when using OFBiz trunk on localhost
which prevents me from using my preferred Web browsers.
The issue is that some of the browsers I use or more precisely the
library used by those browsers to do the TLS handshake seems to not
accept the default certificate provided by OFBiz. Here is the specific
error I get on Chromium:
--8<---------------cut here---------------start------------->8---
This site can’t provide a secure connection localhost uses an
unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or
cipher suite.
--8<---------------cut here---------------end--------------->8---
Which is similar to what I have on GNU Icecat (→ Firefox)
--8<---------------cut here---------------start------------->8---
Secure Connection Failed
An error occurred during a connection to localhost:8443. Cannot
communicate securely with peer: no common encryption algorithm(s). Error
code: SSL_ERROR_NO_CYPHER_OVERLAP
The page you are trying to view cannot be shown because the
authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
--8<---------------cut here---------------end--------------->8---
I am using a rather exotic GNU/Linux distribution which is GuixSD so it
might be difficult for any of you to reproduce the issue. However my
guess is that the format of the OFBiz certificate is considered outdated
on my machine. As a consequence I would like to try to upgrade that
certificate to a more recent format version. Unfortunately I don't know
much about SSL/TLS and in particular I don't know what is the proper way
to regenerate the OFBiz certificate.
The README in “framework/base/config/” mentions the details of that
certificate but does not mention the command which has been used to
generate it. Does anyone know how I could achieve the regeneration of
that certificate?
Thanks.
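Girish's suggestion above is to look at which protocol versions and cipher suites the browser's ClientHello actually offered. As an added example that is not part of this thread or of OFBiz, here is a small Python parser for a TLS ClientHello record (fed with a constructed sample, not a real browser capture) that lists what the client offered and reports the same kind of "no common version" / "no common cipher" mismatch the browser errors describe; the version, cipher-suite and extension codes are standard TLS wire values.

```python
import struct

# Standard TLS wire codes (IANA values, not taken from the thread)
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43  # supported_versions extension type (RFC 8446)

def build_client_hello(versions, suites):
    """Construct a minimal ClientHello record (constructed sample input, not a browser capture)."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # legacy version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                         # one compression method: null
    sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(sv)) + sv
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record type 22 = handshake

def parse_client_hello(record):
    """Return the protocol versions and cipher suites a ClientHello record offers."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    versions = [struct.unpack("!H", body[:2])[0]]               # legacy_version (TLS 1.2 or lower)
    pos = 2 + 32 + 1 + body[34]                                 # skip random and session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                        # skip compression methods
    if pos + 2 <= len(body):                                    # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == SUPPORTED_VERSIONS_EXT:                  # TLS 1.3 clients list real versions here
                versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return {"versions": versions, "cipher_suites": suites}

def diagnose(hello, server_versions, server_suites):
    """Explain a handshake failure the way the browser errors quoted in the thread do."""
    common_v = [v for v in hello["versions"] if v in server_versions]
    if not common_v:
        return "no common protocol version: client offered " + ", ".join(TLS_VERSIONS.get(v, hex(v)) for v in hello["versions"])
    common_c = [s for s in hello["cipher_suites"] if s in server_suites]
    if not common_c:
        return "no common cipher suite (SSL_ERROR_NO_CYPHER_OVERLAP)"
    return "ok: %s with 0x%04X" % (TLS_VERSIONS[max(common_v)], common_c[0])
```

With -Djavax.net.debug=ssl the JVM prints the same ClientHello fields in its log, so the offered versions and suites can be compared against the server's enabled list the same way.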