SSL certificate error - no cipher suites in common

security

(Christoffer Vig) #1

Using an SSL certificate issued by Comodo, I get this error

[2015-08-13 09:10:41,902][WARN ][shield.transport.netty   ] [-es-1] exception caught on transport layer [[id: 0xcc16773e, /10.87.80.15:58445 => /10.87.80.15:9300]], closing connection
javax.net.ssl.SSLHandshakeException: no cipher suites in common
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1348)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519)
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:796)
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:764)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)

I used the procedure as described here.
https://www.elastic.co/guide/en/shield/current/ssl-tls.html#_install_the_newly_signed_certificate

  keytool -importcert -keystore test2.jks -file domain.com_2015.crt

Any idea on how to fix the cipher suites?
Best regards,
Christoffer


(Mike Simos) #2

Is this a free cert or one you paid for? Also how did you generate your key & CSR? Did you use the command here:

https://www.elastic.co/guide/en/shield/current/ssl-tls.html#generate-csr

keytool -certreq                   \
        -alias      node01         \
        -keystore   node01.jks     \
        -file       node01.csr     \
        -keyalg     rsa            \
        -ext san=dns:node01.example.com,ip:192.168.1.1

(Jay Modi) #4

That exception can be very misleading as it more commonly has to do with an issue in the keystore setup rather than there being no cipher suites in common on both sides.

Can you provide the output of keytool -list -v -keystore test2.jks and can you also see what gets output if you use openssl s_client -connect 10.87.80.15:9300?

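A small triage script for the two commands Jay suggests, added here as an example and not taken from the thread or from Elastic's tooling; the sample outputs embedded in it are constructed, and only the keystore and alias names come from the posts above.

```shell
#!/bin/sh
# Added example, not code from the thread or from Elastic: triage the two
# diagnostics suggested above. Feed it the real output, e.g.
#   keytool -list -v -keystore test2.jks | check_keystore
#   openssl s_client -connect 10.87.80.15:9300 </dev/null | check_s_client

# keytool -list -v output on stdin. Returns 0 only when a PrivateKeyEntry
# exists. A store holding nothing but trustedCertEntry items gives the server
# no key to authenticate with, so JSSE can enable no RSA/ECDSA suite and
# reports "no cipher suites in common" even though the suite lists overlap.
check_keystore() {
    out=$(cat)
    pk=$(printf '%s\n' "$out" | grep -c 'Entry type: PrivateKeyEntry' || true)
    chain=$(printf '%s\n' "$out" | sed -n 's/^Certificate chain length: *//p' | sort -n | tail -n 1)
    [ -n "$chain" ] || chain=0
    if [ "$pk" -eq 0 ]; then
        echo "no PrivateKeyEntry: the signed cert was imported as a trusted cert, not onto the key alias"
        return 1
    elif [ "$chain" -lt 2 ]; then
        echo "PrivateKeyEntry with chain length $chain: fine only if self-signed; a CA-issued cert needs its intermediates"
        return 0
    fi
    echo "keystore usable: PrivateKeyEntry with chain length $chain"
}

# openssl s_client output on stdin. "Cipher is (NONE)" means the handshake
# died before any suite was agreed, which matches the server-side exception.
check_s_client() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo "handshake failed before a cipher was negotiated"
        return 1
    fi
    printf '%s\n' "$out" | sed -n 's/^.*Cipher is /negotiated /p'
}

# Constructed samples (not real output from the posts). The first is what
# "keytool -importcert -keystore test2.jks -file ..." produces when no -alias
# matches the key entry: the cert lands under "mykey" as a trustedCertEntry.
KEYSTORE_BAD='Alias name: mykey
Entry type: trustedCertEntry
Owner: CN=domain.com
Issuer: CN=Example Issuing CA'
KEYSTORE_GOOD='Alias name: node01
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=domain.com'
SCLIENT_FAIL='CONNECTED(00000003)
no peer certificate available
New, (NONE), Cipher is (NONE)'
```

A store that passes check_keystore but still fails the handshake points at the key entry's certificate or the enabled protocols rather than the import step.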

(Christoffer Vig) #5

Thanks Mike and Jay.
I suspect there is something wrong with the certificate. Will look closer at it next week.


(Christoffer Vig) #6

I got it working after receiving a new certificate, with the full chain.


(John) #7

Hi,

I am receiving quite a similar exception to Christoffer's.

[2015-11-01 16:01:15,324][WARN ][shield.transport.netty ] [node01] Caught exception while handling client http traffic, closing connection [id: 0x5479d43a, /127.0.0.1:33934 => /127.0.0.1:9200]
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
.
.
.
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:292)
.
.
.
And somewhere further down in the trace I have the following exception:
Caused by: javax.net.ssl.SSLHandshakeException: Client requested protocol SSLv3 not enabled or not supported

when I run the following curl command
curl -u es_admin -XGET 'https://127.0.0.1:9200'

Output is:
Enter host password for user 'es_admin': (I Provide the correct password)
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake fail

Output for: openssl s_client -connect 127.0.0.1:9300
CONNECTED(00000003)
139800579409568:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:762:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 317 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

It seems like there's something wrong with the certificate only. I created my own CA and followed the steps on:

https://www.elastic.co/guide/en/shield/current/certificate-authority.html
https://www.elastic.co/guide/en/shield/current/ssl-tls.html


(Mark Walkom) #8

Please start your own thread.


(John) #9

Done. Thanks for correcting me. I thought it would be OK to share my similar problem here.
