users@glassfish.java.net

[gf-users] Glassfish SSL broken by renew

From: the outsider <openindiana_at_out-side.nl>
Date: Sun, 16 Aug 2015 13:25:00 +0200

I had to renew an SSL certificate on a GlassFish 3.1.2 server. It worked
before, but for some d@^@%m reason I have broken it.

I renewed my certificate in a new JKS keystore and have already tried several
things, but for some reason the keystore or the certificate isn't loaded.

 

The server config has the following lines for the keystore and alias:

 

        <jvm-options>-Djavax.net.debug=all,ssl</jvm-options>
        <jvm-options>-Dcom.sun.enterprise.security.httpsOutboundKeyAlias=mykey</jvm-options>
        <jvm-options>-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/mykeystore.jks</jvm-options>
        <jvm-options>-Djavax.net.ssl.trustStore=${com.sun.aas.instanceRoot}/config/cacerts.jks</jvm-options>

      <network-config>
        <protocols>
          <protocol name="http-listener-1">
            <http xpowered-by="false" default-virtual-server="server" max-connections="250" server-name="">
              <file-cache></file-cache>
            </http>
            <ssl key-store="mykeystore.jks"
                 ssl3-tls-ciphers="+SSL_RSA_WITH_RC4_128_MD5,+SSL_RSA_WITH_RC4_128_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+SSL_RSA_WITH_3DES_EDE_CBC_SHA,+SSL_RSA_WITH_DES_CBC_SHA,+SSL_RSA_EXPORT_WITH_RC4_40_MD5,+SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,+SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,+SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
                 ssl3-enabled="false"
                 classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl"
                 trust-store="cacerts.jks" cert-nickname="mykey"></ssl>
          </protocol>
          <protocol security-enabled="true" name="http-listener-2">
            <http xpowered-by="false" default-virtual-server="server" max-connections="250" compression="on">
              <file-cache enabled="true"></file-cache>
            </http>
            <ssl key-store="mykeystore.jks"
                 ssl3-tls-ciphers="+SSL_RSA_WITH_RC4_128_MD5,+SSL_RSA_WITH_RC4_128_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+SSL_RSA_WITH_3DES_EDE_CBC_SHA,+SSL_RSA_WITH_DES_CBC_SHA,+SSL_RSA_EXPORT_WITH_RC4_40_MD5,+SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,+SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,+SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
                 ssl3-enabled="false"
                 classname="com.sun.enterprise.security.ssl.GlassfishSSLImpl"
                 trust-store="cacerts.jks" cert-nickname="mykey"></ssl>
          </protocol>

 

 

I already tried with and without the SSL3-TLS-CIPHERS, but nothing seems to
work.

 

The startup log:

[#|2015-08-16T12:22:14.164+0100|INFO|glassfish3.1.2|javax.enterprise.system.container.web.com.sun.enterprise.web|_ThreadID=1;_ThreadName=Thread-2;|WEB0169: Created HTTP listener [http-listener-1] on host/port [0.0.0.0:80]|#]
[#|2015-08-16T12:22:14.195+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=1;_ThreadName=Thread-2;|keyStore is : C:\webserver\glassfish-3.1.2\domains\domain1/config/fortop.jks|#]
[#|2015-08-16T12:22:14.195+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=1;_ThreadName=Thread-2;|keyStore type is : jks|#]
[#|2015-08-16T12:22:14.195+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=1;_ThreadName=Thread-2;|keyStore provider is : |#]
[#|2015-08-16T12:22:14.195+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=1;_ThreadName=Thread-2;|init keystore|#]
[#|2015-08-16T12:22:14.211+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=1;_ThreadName=Thread-2;|init keymanager of type SunX509|#]
[#|2015-08-16T12:22:14.211+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=1;_ThreadName=Thread-2;|trustStore is: C:\webserver\glassfish-3.1.2\domains\domain1\config\cacerts.jks|#]
[#|2015-08-16T12:22:14.211+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=1;_ThreadName=Thread-2;|trustStore type is : jks|#]
[#|2015-08-16T12:22:14.211+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=1;_ThreadName=Thread-2;|trustStore provider is : |#]
[#|2015-08-16T12:22:14.211+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=1;_ThreadName=Thread-2;|init truststore|#]

 

* SNIP * (the loading of all certificates from cacerts.jks is printed here)

 

Then somewhere these lines pop up:

 

[#|2015-08-16T12:22:27.164+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=52;_ThreadName=Thread-2;|trigger seeding of SecureRandom|#]
[#|2015-08-16T12:22:27.164+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=52;_ThreadName=Thread-2;|done seeding SecureRandom|#]
[#|2015-08-16T12:22:27.179+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=52;_ThreadName=Thread-2;|Using SSLEngineImpl.|#]
[#|2015-08-16T12:22:27.179+0100|WARNING|glassfish3.1.2|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=52;_ThreadName=Thread-2;|GRIZZLY0010: Unrecognized cipher [SSL_RSA_WITH_DES_CBC_SHA].|#]
[#|2015-08-16T12:22:27.179+0100|WARNING|glassfish3.1.2|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=52;_ThreadName=Thread-2;|GRIZZLY0010: Unrecognized cipher [SSL_RSA_EXPORT_WITH_RC4_40_MD5].|#]
[#|2015-08-16T12:22:27.179+0100|WARNING|glassfish3.1.2|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=52;_ThreadName=Thread-2;|GRIZZLY0010: Unrecognized cipher [SSL_RSA_EXPORT_WITH_DES40_CBC_SHA].|#]
[#|2015-08-16T12:22:27.179+0100|WARNING|glassfish3.1.2|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=52;_ThreadName=Thread-2;|GRIZZLY0010: Unrecognized cipher [SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA].|#]
[#|2015-08-16T12:22:27.179+0100|WARNING|glassfish3.1.2|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=52;_ThreadName=Thread-2;|GRIZZLY0010: Unrecognized cipher [SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA].|#]
[#|2015-08-16T12:22:27.179+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=52;_ThreadName=Thread-2;|Using SSLEngineImpl.|#]
[#|2015-08-16T12:22:27.195+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=52;_ThreadName=Thread-2;|Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false|#]
[#|2015-08-16T12:22:27.195+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=52;_ThreadName=Thread-2;|[Raw read]: length = 5|#]
[#|2015-08-16T12:22:27.195+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=52;_ThreadName=Thread-2;|0000: |#]
[#|2015-08-16T12:22:27.195+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=52;_ThreadName=Thread-2;|16 |#]
[#|2015-08-16T12:22:27.195+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=52;_ThreadName=Thread-2;|03 |#]
[#|2015-08-16T12:22:27.195+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=52;_ThreadName=Thread-2;|01 |#]
[#|2015-08-16T12:22:27.195+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=52;_ThreadName=Thread-2;|00 |#]
[#|2015-08-16T12:22:27.195+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=52;_ThreadName=Thread-2;|95 |#]

 

Ending in a lot of empty lines:

 

[#|2015-08-16T12:22:52.617+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=69;_ThreadName=Thread-2;|%% Initialized: [Session-5, SSL_NULL_WITH_NULL_NULL]|#]
[#|2015-08-16T12:22:52.617+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=69;_ThreadName=Thread-2;|http-thread-pool-8181(5), fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common|#]
[#|2015-08-16T12:22:52.617+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=69;_ThreadName=Thread-2;|%% Invalidated: [Session-5, SSL_NULL_WITH_NULL_NULL]|#]
[#|2015-08-16T12:22:52.617+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=69;_ThreadName=Thread-2;|http-thread-pool-8181(5)|#]
[#|2015-08-16T12:22:52.617+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=69;_ThreadName=Thread-2;|, SEND TLSv1 ALERT: |#]
[#|2015-08-16T12:22:52.617+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=69;_ThreadName=Thread-2;|fatal, |#]
[#|2015-08-16T12:22:52.617+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=69;_ThreadName=Thread-2;|description = handshake_failure|#]
[#|2015-08-16T12:22:52.617+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=69;_ThreadName=Thread-2;|http-thread-pool-8181(5), WRITE: TLSv1 Alert, length = 2|#]
[#|2015-08-16T12:22:52.617+0100|INFO|glassfish3.1.2|javax.enterprise.system.std.com.sun.enterprise.server.logging|_ThreadID=69;_ThreadName=Thread-2;|http-thread-pool-8181(5), fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common|#]
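A check an administrator can run against the renewed keystore before restarting the domain, added here as an example; it is not code from the original post or from GlassFish. It opens the JKS file, confirms that the alias named by the listener's cert-nickname (mykey in the post) is a private-key entry with a currently valid certificate, and then asks the same SunX509 key manager the startup log shows being initialised which alias it would serve for each key type: a null answer for RSA means none of the configured RSA suites can be offered, which the client sees as the "no cipher suites in common" alert above. Keystore path, alias and password are command-line arguments, and one password is used for both store and key entry, as a GlassFish domain's master password is.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
// Added diagnostic, not GlassFish code. Usage: java KeyStoreCheck <keystore.jks> <alias> <password>
public class KeyStoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) throw new IllegalArgumentException("usage: KeyStoreCheck <keystore.jks> <alias> <password>");
        String alias = args[1];
        char[] password = args[2].toCharArray(); // GlassFish uses one master password for store and key
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);               // wrong file or wrong password fails here
        }
        // 1. The alias named by cert-nickname / httpsOutboundKeyAlias must exist ...
        if (!ks.containsAlias(alias)) {
            System.out.println("FAIL: alias '" + alias + "' not found; present: " + Collections.list(ks.aliases()));
            return;
        }
        // 2. ... and must hold a private key. A renewed certificate imported on its own becomes a
        //    trustedCertEntry, which the server cannot use to authenticate itself.
        if (!ks.isKeyEntry(alias)) {
            System.out.println("FAIL: '" + alias + "' is a trusted-certificate entry, not a private-key entry");
            return;
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        System.out.println("subject  : " + cert.getSubjectX500Principal());
        System.out.println("key type : " + cert.getPublicKey().getAlgorithm());
        System.out.println("valid to : " + cert.getNotAfter());
        try {
            cert.checkValidity();                // throws if expired or not yet valid
        } catch (CertificateException e) {
            System.out.println("FAIL: certificate not currently valid: " + e.getMessage());
        }
        // 3. Ask the SunX509 key manager (the one the startup log initialises) which alias it would
        //    serve per key type; null for RSA means no RSA suite can be negotiated, which the
        //    client sees as "no cipher suites in common".
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, password);
        X509KeyManager km = (X509KeyManager) kmf.getKeyManagers()[0];
        for (String keyType : new String[] {"RSA", "DSA", "EC"}) {
            String chosen = km.chooseServerAlias(keyType, null, null);
            System.out.println("alias for " + keyType + " suites: " + (chosen == null ? "none" : chosen));
        }
    }
}
```

Run it against the file the startup log actually reports as keyStore rather than the one you expect to be loaded; the two differ in the post (fortop.jks in the log, mykeystore.jks in the config), and a passing check on the wrong file proves nothing.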