webtier@glassfish.java.net

Limiting allowable SSL cipher suites in Glassfish V3 causes error

From: <webtier_at_javadesktop.org>
Date: Wed, 16 Jun 2010 05:24:19 PDT

My apologies in advance if I am posting this on the wrong forum - if so, please let me know where I should post this...

I am trying to configure Glassfish v3 to limit the acceptable SSL cipher suites that a client can use to establish an SSL (TLS) connection with a web service available at port 8181 - which corresponds to the network listener "http-listener-2".

I did what I thought was the correct procedure through the Glassfish admin console. Under Configuration | Network Config | Network Listeners | http-listener-2, I selected the SSL tab and then selected the cipher suites I wanted to allow (I am trying to force an AES 256 cipher to be used). After saving these changes, the <ssl> tag for http-listener-2 in domain.xml looks like this:

<ssl ssl3-tls-ciphers="+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA" ssl3-enabled="false" cert-nickname="s1as" />

However, after I limit the allowable cipher suites, I can no longer connect to anything on port 8181. Every time I try, I get the error below. This happens even if I allow 128-bit cipher suites. The only way connections are successful is if I allow all cipher suites. I am trying to connect with a Java client that I know has JCE installed (cipher suite strength is not limited to 128 bits).

Can somebody tell me what I'm doing wrong?

Error stack trace:
[#|2010-06-15T18:41:15.807-0400|SEVERE|glassfishv3.0|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=30;_ThreadName=Thread-1;|ProtocolChain exception
java.lang.IllegalArgumentException: CipherSuites may not be null
        at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(CipherSuiteList.java:58)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.setEnabledCipherSuites(SSLEngineImpl.java:1735)
        at com.sun.grizzly.filter.SSLReadFilter.newSSLEngine(SSLReadFilter.java:358)
        at com.sun.grizzly.filter.SSLReadFilter.obtainSSLEngine(SSLReadFilter.java:394)
        at com.sun.grizzly.filter.SSLReadFilter.execute(SSLReadFilter.java:154)
        at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
        at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
        at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
        at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
        at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
        at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:330)
        at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:309)
        at java.lang.Thread.run(Thread.java:619)
|#]
[Message sent by forum member 'davidwarren']

http://forums.java.net/jive/thread.jspa?messageID=474475
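The check below is an added example, not code from the poster, GlassFish or Grizzly. It reads a GlassFish-style ssl3-tls-ciphers value (the "+NAME,-NAME" form shown in the domain.xml fragment above), keeps only the suites the local JSSE provider reports as supported, reproduces the "CipherSuites may not be null" IllegalArgumentException from the trace by handing JSSE a null list, and, if a host and port are given, opens a TLS connection with only the surviving suites enabled and prints the one that was negotiated. The class name is arbitrary, and it assumes the JVM's default SSLContext and trust store. Run it on the server's JVM as well as the client's: on JDK 6 and 7 without the unlimited strength JCE policy files, JSSE leaves the AES_256 suites out of the supported list entirely, so a list made up only of those suites has nothing the provider can enable.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (hypothetical class, not GlassFish/Grizzly code): validate a
 * GlassFish ssl3-tls-ciphers value against the local JSSE provider and
 * optionally test-connect with only those suites.
 *
 * Usage: java CipherSuiteCheck "<ssl3-tls-ciphers value>" [host port]
 */
public class CipherSuiteCheck {

    /** Parse "+SUITE,-SUITE,..." into the suites to enable; "-" entries are dropped. */
    static List<String> parseEnabled(String attr) {
        List<String> enabled = new ArrayList<String>();
        for (String tok : attr.split(",")) {
            tok = tok.trim();
            if (tok.length() == 0 || tok.startsWith("-")) {
                continue;                                   // blank or explicitly disabled
            }
            enabled.add(tok.startsWith("+") ? tok.substring(1) : tok);
        }
        return enabled;
    }

    /** Keep only names this JVM's SSLContext reports as supported; report the rest. */
    static List<String> filterSupported(List<String> wanted, String[] supported) {
        Set<String> sup = new HashSet<String>(Arrays.asList(supported));
        List<String> usable = new ArrayList<String>();
        for (String name : wanted) {
            if (sup.contains(name)) {
                usable.add(name);
            } else {
                System.out.println("NOT supported by this JVM: " + name);
            }
        }
        return usable;
    }

    public static void main(String[] args) throws Exception {
        // Default input is the attribute value from the domain.xml fragment in the post.
        String attr = args.length > 0 ? args[0]
            : "+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA";

        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        List<String> usable = filterSupported(parseEnabled(attr), supported);
        System.out.println("usable suites: " + usable);

        // JSSE rejects a null list outright; this is the exception in the Grizzly trace.
        SSLEngine engine = ctx.createSSLEngine();
        try {
            engine.setEnabledCipherSuites(null);
        } catch (IllegalArgumentException e) {
            System.out.println("null list rejected by JSSE: " + e.getMessage());
        }
        if (usable.isEmpty()) {
            System.out.println("nothing usable: check the suite names and the JCE policy files");
            return;
        }
        // Names the provider does not know would also throw; the filtered list is accepted.
        String[] enable = usable.toArray(new String[usable.size()]);
        engine.setEnabledCipherSuites(enable);

        if (args.length >= 3) {
            String host = args[1];
            int port = Integer.parseInt(args[2]);           // e.g. 8181 for http-listener-2
            SSLSocketFactory sf = ctx.getSocketFactory();
            SSLSocket s = (SSLSocket) sf.createSocket(host, port);
            try {
                s.setEnabledCipherSuites(enable);           // offer only the restricted set
                s.startHandshake();
                System.out.println("negotiated: " + s.getSession().getCipherSuite());
            } finally {
                s.close();
            }
        }
    }
}
```

The connection step trusts whatever the JVM's default trust store trusts, so against a fresh domain with the self-signed s1as certificate you need to point javax.net.ssl.trustStore at a keystore containing that certificate, or the handshake fails on the certificate before any cipher suite is reported. If the server answers with one of the restricted suites, the configuration is being honored; if the client sees a handshake failure while the server logs the exception above, the problem is on the server side of the suite list, not in the client's suite support.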