SSL23_GET_SERVER_HELLO Error while reconciling OpenIDM and OpenDJ


This topic has 7 replies, 4 voices, and was last updated 6 years, 10 months ago by jean.austin.

  • #1596
     jean.austin
    Participant

    I am trying the OpenIDM-OpenDJ example as per this tutorial.
    I have set OpenIDM and OpenDJ up and am able to start OpenIDM, import the users into OpenDJ, and verify them in the OpenDJ control panel.

    But when I run any of the curl commands below, such as:
    curl -k -u "openidm-admin:openidm-admin" "https://localhost:8443/openidm/managed/user?_queryId=query-all-ids&_prettyPrint=true"
    or
    curl -k -H "Content-type: application/json" -u "openidm-admin:openidm-admin" -X POST "https://localhost:8443/openidm/recon?_action=recon&mapping=systemLdapAccounts_managedUser"

    I get the below error:
    curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

    I have read that this can be resolved by updating the cipher list, but I am not sure how to do it for the internal Jetty server in OpenIDM.

    Can someone please help with detailed steps to resolve this?

    Thanks.

    #1601
     Aron Kozak
    Spectator

    I’m looking into who is best suited to answer this; we’ll get back to you soon.

    #1603
     tim.sedlack
    Participant

    There’s a suggestion here on updating ciphers for Jetty: http://blog.techstacks.com/2010/03/3-common-causes-of-unknown-ssl-protocol-errors-with-curl.html (See #2).

    Perhaps that can help. It sure looks like a cipher issue.

    Let us know if that corrects the issue.

    HTH,
    Tim

    #1716
     jean.austin
    Participant

    Hi Tim,

    I have come across the link you provided, but I could not figure out how I can do this for OpenAM. With Jetty being embedded inside, I am not sure how to go about updating the ciphers.
    If you could help me with the steps, it would be very helpful.

    Thanks,
    Jean

    #1718
     Mike Jang
    Spectator

    Hi Jean,

    I assume you’re talking about OpenIDM and not OpenAM — and specifically OpenIDM 3.1. (If so, I’ll move this discussion to the OpenIDM subforum.)

    I suggest that you look at this section of the Integrator’s Guide: http://docs.forgerock.org/en/openidm/3.1.0/integrators-guide/index.html#disabling-protocols

    Essentially, if you include the noted code block in the Jetty configuration file, you can exclude the ciphers of your choice.

    Thanks,
    Mike

    #1785
     jean.austin
    Participant

    Hi Mike,

    Many thanks.
    Yes, this is an OpenIDM issue and we can move this thread. Apologies for posting it here.

    I tried including the below in jetty.xml:

    <Set name="ExcludeProtocols">
          <Array type="java.lang.String">
            <Item>SSL</Item>  
            <Item>SSLv2</Item>
            <Item>SSLv2Hello</Item>
            <Item>SSLv3</Item>
          </Array>
        </Set>
    

    Below is my jetty.xml:

    
    <?xml version="1.0"?>
    <!DOCTYPE Configure PUBLIC "-//Mort Bay Consulting//
    DTD Configure//EN" "http://jetty.mortbay.org/configure.dtd">
    
    <Configure class="org.eclipse.jetty.server.Server">
    
        <!-- =========================================================== -->
        <!-- Set connectors                                              -->
        <!-- =========================================================== -->
        <!-- One of each type!                                           -->
        <!-- =========================================================== -->
    
        <Call name="addConnector">
            <Arg>
                <New class="org.eclipse.jetty.server.nio.SelectChannelConnector">
                    <Set name="host"><Property name="jetty.host" /></Set>
                    <Set name="port"><Call class="org.forgerock.openidm.jetty.Param"  name="getProperty"><Arg>openidm.port.http</Arg></Call></Set>
                    <Set name="maxIdleTime">300000</Set>
                    <Set name="Acceptors">2</Set>
                    <Set name="statsOn">false</Set>
                    <Set name="confidentialPort">
                        <Call class="org.forgerock.openidm.jetty.Param"  name="getProperty">
                            <Arg>openidm.port.https</Arg>
                        </Call>
                    </Set>
                </New>
            </Arg>
        </Call>
    
        <Call name="addConnector">
            <Arg>
                <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
                    <Arg>
                        <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                            <Set name="keyStore"><Get class="org.forgerock.openidm.jetty.Param" name="keystoreLocation"/></Set>
                            <Set name="keyStorePassword"><Get class="org.forgerock.openidm.jetty.Param" name="keystorePassword"/></Set>
                            <Set name="keyStoreType"><Get class="org.forgerock.openidm.jetty.Param" name="keystoreType"/></Set>
                            <Set name="trustStore"><Get class="org.forgerock.openidm.jetty.Param" name="truststoreLocation"/></Set>
                            <Set name="trustStorePassword"><Get class="org.forgerock.openidm.jetty.Param" name="truststorePassword"/></Set>
                            <Set name="wantClientAuth">true</Set>
                            <Set name="needClientAuth">false</Set>
                            <Set name="certAlias"><Get class="org.forgerock.openidm.jetty.Param" name="certAlias"/></Set>
                        </New>
                    </Arg>
                    <Set name="Port"><Call class="org.forgerock.openidm.jetty.Param"  name="getProperty"><Arg>openidm.port.https</Arg></Call></Set>
                    <Set name="maxIdleTime">30000</Set>
    
      <Set name="ExcludeProtocols">
          <Array type="java.lang.String">
            <Item>SSL</Item>  
            <Item>SSLv2</Item>
            <Item>SSLv2Hello</Item>
            <Item>SSLv3</Item>
          </Array>
        </Set>
    
                    <Set name="ExcludeCipherSuites">
                        <Array type="java.lang.String">
    
                            <!-- EXP-RC4-MD5  -->
                            <Item>SSL23_GET_SERVER_HELLO</Item>
                            <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                            <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
                            <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>
    
                            <!-- EXP-EDH-RSA-DES-CBC-SHA or EXP-DHE-RSA-DES-CBC-SHA  -->
                            <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    
                            <!-- EXP-DES-CBC-SHA -->
                            <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                            <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                            <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
                            <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item>
    
                            <!-- DES-CBC-SHA -->
                            <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                            <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                            <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                            <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
                            <Item>TLS_KRB5_WITH_DES_CBC_SHA</Item>
    
                            <!--
                            EDH-RSA-DES-CBC-SHA or DHE-RSA-DES-CBC-SHA is excluded above
                            <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                            -->
    
                            <!-- RC4-MD5 -->
                            <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
                            <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                            <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
                            <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
                            <Item>TLS_KRB5_WITH_RC4_128_MD5</Item>
                            <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>
    
                            <!-- RC4-SHA  -->
                            <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
                            <Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item>
                            <Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item>
                            <Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item>
                            <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
                            <Item>TLS_ECDH_anon_WITH_RC4_128_SHA</Item>
                            <Item>TLS_KRB5_WITH_RC4_128_SHA</Item>
                            <Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA</Item>
    
                            <!--
                            ECDHE-RSA-RC4-SHA is excluded above
                            <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
                            -->
    
                        </Array>
                    </Set>
                </New>
            </Arg>
        </Call>
    
        <Call name="addConnector">
            <Arg>
                <New class="org.eclipse.jetty.server.ssl.SslSocketConnector" id="MutualAuthPort">
                    <Set name="Port"><Call class="org.forgerock.openidm.jetty.Param"  name="getProperty"><Arg>openidm.port.mutualauth</Arg></Call></Set>
                    <Set name="maxIdleTime">30000</Set>
                    <Set name="keystoreType"><Get class="org.forgerock.openidm.jetty.Param" name="keystoreType"/></Set>
                    <Set name="keystore"><Get class="org.forgerock.openidm.jetty.Param" name="keystoreLocation"/></Set>
                    <Set name="password"><Get class="org.forgerock.openidm.jetty.Param" name="keystorePassword"/></Set>
                    <Set name="keyPassword"><Get class="org.forgerock.openidm.jetty.Param" name="keystoreKeyPassword"/></Set>
                    <Set name="truststore"><Get class="org.forgerock.openidm.jetty.Param" name="truststoreLocation"/></Set>
                    <Set name="trustPassword"><Get class="org.forgerock.openidm.jetty.Param" name="truststorePassword"/></Set>
                    <Set name="wantClientAuth">true</Set>
                    <Set name="needClientAuth">true</Set>
                    <Call class="org.forgerock.openidm.jetty.DisableOpenIDMAuth" name="add">
                        <Arg>
                            <Ref id="MutualAuthPort"/>
                        </Arg>
                    </Call>
    
                  <Set name="ExcludeProtocols">
                      <Array type="java.lang.String">
                        <Item>SSL</Item>  
                        <Item>SSLv2</Item>
                        <Item>SSLv2Hello</Item>
                        <Item>SSLv3</Item>
                      </Array>
                    </Set>
    
     
                    <Set name="ExcludeCipherSuites">
                        <Array type="java.lang.String">
    
                            <!-- EXP-RC4-MD5  -->
                            <Item>SSL23_GET_SERVER_HELLO</Item>
                            <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                            <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
                            <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>
    
                            <!-- EXP-EDH-RSA-DES-CBC-SHA or EXP-DHE-RSA-DES-CBC-SHA  -->
                            <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
    
                            <!-- EXP-DES-CBC-SHA -->
                            <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
                            <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
                            <Item>SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA</Item>
                            <Item>TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA</Item>
    
                            <!-- DES-CBC-SHA -->
                            <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
                            <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                            <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
                            <Item>SSL_DH_anon_WITH_DES_CBC_SHA</Item>
                            <Item>TLS_KRB5_WITH_DES_CBC_SHA</Item>
    
                            <!--
                            EDH-RSA-DES-CBC-SHA or DHE-RSA-DES-CBC-SHA is excluded above
                            <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
                            -->
    
                            <!-- RC4-MD5 -->
                            <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
                            <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
                            <Item>SSL_DH_anon_WITH_RC4_128_MD5</Item>
                            <Item>SSL_DH_anon_EXPORT_WITH_RC4_40_MD5</Item>
                            <Item>TLS_KRB5_WITH_RC4_128_MD5</Item>
                            <Item>TLS_KRB5_EXPORT_WITH_RC4_40_MD5</Item>
    
                            <!-- RC4-SHA  -->
                            <Item>SSL_RSA_WITH_RC4_128_SHA</Item>
                            <Item>TLS_ECDH_ECDSA_WITH_RC4_128_SHA</Item>
                            <Item>TLS_ECDH_RSA_WITH_RC4_128_SHA</Item>
                            <Item>TLS_ECDHE_ECDSA_WITH_RC4_128_SHA</Item>
                            <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
                            <Item>TLS_ECDH_anon_WITH_RC4_128_SHA</Item>
                            <Item>TLS_KRB5_WITH_RC4_128_SHA</Item>
                            <Item>TLS_KRB5_EXPORT_WITH_RC4_40_SHA</Item>
    
                            <!--
                            ECDHE-RSA-RC4-SHA is excluded above
                            <Item>TLS_ECDHE_RSA_WITH_RC4_128_SHA</Item>
                            -->
    
                        </Array>
                    </Set>
                </New>
            </Arg>
        </Call>
    
    </Configure>

    I restarted OpenIDM and tried a few combinations of values in ExcludeProtocols, but the change is not reflected and does not resolve the issue; I always get the below list in the log:

    INFO: Enabled Protocols [SSLv2Hello, SSLv3, TLSv1] of [SSLv2Hello, SSLv3, TLSv1]
    FINE: Enabled Ciphers   [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] of [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS_ECDH_RSA_WITH_NULL_SHA, TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS_ECDHE_RSA_WITH_NULL_SHA, SSL_DH_anon_WITH_RC4_128_MD5, TLS_DH_anon_WITH_AES_128_CBC_SHA, TLS_DH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, TLS_ECDH_anon_WITH_NULL_SHA, TLS_KRB5_WITH_RC4_128_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_3DES_EDE_CBC_SHA, TLS_KRB5_WITH_3DES_EDE_CBC_MD5, TLS_KRB5_WITH_DES_CBC_SHA, TLS_KRB5_WITH_DES_CBC_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA, TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5]

    What could I be doing wrong here?

    Many thanks,
    Jean
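As an added illustration (not part of the thread, and not ForgeRock's or Jetty's code), the following Python checks an "Enabled Protocols/Ciphers [...] of [...]" startup line mechanically instead of by eye: it lists which names from the ExcludeProtocols block above are still in the enabled set, and sorts weak cipher suites into those actually enabled versus those merely supported by the JVM. The two protocol lines are the ones quoted in this thread (the second comes from a later reply); the cipher line is a shortened, constructed sample in the same shape, and the weak-family markers are an assumption of this example.

```python
# Added example (not from the thread, ForgeRock or Jetty): a small checker for the
# "Enabled Protocols [...] of [...]" and "Enabled Ciphers [...] of [...]" lines that
# OpenIDM logs at startup. It reports which names from a jetty.xml exclusion list
# are still enabled, and which enabled or supported suites belong to weak families.
import re

ENABLED_RE = re.compile(r"Enabled (Protocols|Ciphers)\s*\[(.*?)\]\s*of\s*\[(.*?)\]", re.S)

# Assumed markers for the suite families the posted ExcludeCipherSuites list targets
# (RC4, single DES, export grades) plus NULL-cipher and anonymous key exchange.
WEAK_MARKERS = ("_RC4_", "_DES_", "_DES40_", "_NULL_", "_anon_", "_EXPORT_")

# Protocol names from the posted ExcludeProtocols block.
POSTED_EXCLUDE_PROTOCOLS = ["SSL", "SSLv2", "SSLv2Hello", "SSLv3"]

# Two protocol lines quoted in the thread: the first with the exclusion set on the
# connector, the second from the reply that attaches it to the SslContextFactory.
BEFORE_PROTOCOLS = "INFO: Enabled Protocols [SSLv2Hello, SSLv3, TLSv1] of [SSLv2Hello, SSLv3, TLSv1]"
AFTER_PROTOCOLS = ("INFO: Enabled Protocols [SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2] "
                   "of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]")

# Constructed, shortened cipher line in the same shape as the one in the thread,
# deliberately wrapped across two lines the way the pasted log was.
CIPHERS_EXCERPT = (
    "FINE: Enabled Ciphers   [TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, "
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV] of [SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_128_CBC_SHA, "
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, \n"
    "SSL_RSA_WITH_NULL_MD5, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5]"
)


def parse_enabled_line(line):
    """Return (kind, enabled, supported) from an 'Enabled ... [..] of [..]' line."""
    match = ENABLED_RE.search(line)
    if not match:
        raise ValueError("not an 'Enabled Protocols/Ciphers' log line")
    kind, enabled, supported = match.groups()

    def names(blob):
        # Tolerates the trailing ", " and line wrap seen in the pasted log.
        return [n.strip() for n in blob.split(",") if n.strip()]

    return kind, names(enabled), names(supported)


def still_enabled(line, excluded):
    """Names the config meant to exclude that the server still lists as enabled."""
    _, enabled, _ = parse_enabled_line(line)
    wanted_gone = set(excluded)
    return [name for name in enabled if name in wanted_gone]


def weak_suites(names):
    """Cipher suites whose name contains one of the weak-family markers."""
    return [n for n in names if any(marker in n for marker in WEAK_MARKERS)]


def audit_cipher_line(line):
    """Weak suites split into those actually enabled and those merely supported."""
    _, enabled, supported = parse_enabled_line(line)
    return {
        "weak_enabled": weak_suites(enabled),
        "weak_supported_only": weak_suites([s for s in supported if s not in enabled]),
    }


if __name__ == "__main__":
    for label, line in (("before", BEFORE_PROTOCOLS), ("after", AFTER_PROTOCOLS)):
        leftover = still_enabled(line, POSTED_EXCLUDE_PROTOCOLS)
        print(f"{label}: excluded protocols still enabled -> {leftover or 'none'}")
    print("ciphers:", audit_cipher_line(CIPHERS_EXCERPT))
```

Run against the first protocol line it reports SSLv2Hello and SSLv3 as still enabled, which is the symptom in the post above; against the second line only SSLv2Hello remains, and checking that line against the single-item exclusion list used in the later reply reports nothing. The point of splitting weak suites into "enabled" and "supported only" is that the second list is what the JVM could do, while only the first is what the server will actually negotiate.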

    #1827
     Mike Jang
    Spectator

    Hi Jean,

    Could you try moving your ExcludeProtocols block a bit?

    Here’s an excerpt from my <Call name="addConnector"> block:

        <Call name="addConnector">
            <Arg>
                <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
                    <Arg>
                        <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
                            <Set name="keyStore"><Get class="org.forgerock.openidm.jetty.Param" name="keystoreLocation"/></Set>
                            <Set name="keyStorePassword"><Get class="org.forgerock.openidm.jetty.Param" name="keystorePassword"/></Set>
                            <Set name="keyStoreType"><Get class="org.forgerock.openidm.jetty.Param" name="keystoreType"/></Set>
                            <Set name="trustStore"><Get class="org.forgerock.openidm.jetty.Param" name="truststoreLocation"/></Set>
                            <Set name="trustStorePassword"><Get class="org.forgerock.openidm.jetty.Param" name="truststorePassword"/></Set>
                            <Set name="wantClientAuth">true</Set>
                            <Set name="needClientAuth">false</Set>
                            <Set name="certAlias"><Get class="org.forgerock.openidm.jetty.Param" name="certAlias"/></Set>
                            <Set name="ExcludeProtocols">
                                <Array type="java.lang.String">
                                    <Item>SSLv3</Item>
                                </Array>
                            </Set>
                        </New>
                    </Arg>
    

    I then start OpenIDM, and run the following commands:

    $ cd /path/to/openidm/logs
    $ grep Enabled openidm0.log.0

    I see the following output, as described in http://openidm.forgerock.org/doc/integrators-guide/index.html#disabling-protocols

    INFO: Enabled Protocols [SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]

    Note the difference; SSLv3 is not included in the list of “Enabled Protocols”.

    Let us know if that helps.

    Thanks,
    Mike

    • This reply was modified 6 years, 10 months ago by Mike Jang.
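As an added illustration (not part of the thread, and not ForgeRock's or Jetty's code), the following Python reads a jetty.xml and reports which element each ExcludeProtocols / ExcludeCipherSuites <Set> is attached to, so the placement Mike describes (inside the SslContextFactory <New>, rather than directly on the SslSocketConnector) can be checked mechanically before restarting. It also flags ExcludeCipherSuites entries that are not JSSE cipher-suite names: the config posted earlier lists SSL23_GET_SERVER_HELLO, which is the OpenSSL handshake state named in the curl error, not a cipher suite. Both XML samples are constructed, trimmed versions of the configs in this thread, and the cipher-name pattern is an assumption of this example.

```python
# Added example (not from the thread, ForgeRock or Jetty): a small lint for jetty.xml
# that reports which <New> element each ExcludeProtocols/ExcludeCipherSuites <Set>
# is attached to, and flags exclusion entries that are not cipher-suite names.
import re
import xml.etree.ElementTree as ET

SSL_CONTEXT_FACTORY = "org.eclipse.jetty.http.ssl.SslContextFactory"
EXCLUSION_SETTINGS = ("ExcludeProtocols", "ExcludeCipherSuites")
# Assumed shape of JSSE cipher suite names: SSL_..._WITH_... or TLS_..._WITH_...
CIPHER_NAME_RE = re.compile(r"^(SSL|TLS)_\w+_WITH_\w+$")

# Constructed sample mirroring the posted config: the exclusions sit on the
# SslSocketConnector <New>, outside the SslContextFactory <New> passed as its <Arg>.
MISPLACED_XML = """<Configure class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
        <Arg>
          <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
            <Set name="wantClientAuth">true</Set>
          </New>
        </Arg>
        <Set name="ExcludeProtocols">
          <Array type="java.lang.String"><Item>SSLv3</Item></Array>
        </Set>
        <Set name="ExcludeCipherSuites">
          <Array type="java.lang.String">
            <Item>SSL23_GET_SERVER_HELLO</Item>
            <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>
</Configure>"""

# Constructed sample mirroring the excerpt in the reply: exclusions inside the factory.
FIXED_XML = """<Configure class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSocketConnector">
        <Arg>
          <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
            <Set name="wantClientAuth">true</Set>
            <Set name="ExcludeProtocols">
              <Array type="java.lang.String"><Item>SSLv3</Item></Array>
            </Set>
            <Set name="ExcludeCipherSuites">
              <Array type="java.lang.String">
                <Item>SSL_RSA_WITH_RC4_128_MD5</Item>
                <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
              </Array>
            </Set>
          </New>
        </Arg>
        <Set name="maxIdleTime">30000</Set>
      </New>
    </Arg>
  </Call>
</Configure>"""


def exclusion_settings(xml_text):
    """List (setting, owner_class, items) for every Exclude* <Set> in document order."""
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build the map once.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    found = []
    for node in root.iter("Set"):
        if node.get("name") not in EXCLUSION_SETTINGS:
            continue
        owner = parent_of.get(node)
        owner_class = owner.get("class", owner.tag) if owner is not None else None
        items = [item.text.strip() for item in node.iter("Item") if item.text]
        found.append((node.get("name"), owner_class, items))
    return found


def misplaced_exclusions(xml_text):
    """Exclude* settings whose owning <New> is not the SslContextFactory."""
    return [(name, owner) for name, owner, _ in exclusion_settings(xml_text)
            if owner != SSL_CONTEXT_FACTORY]


def non_cipher_items(xml_text):
    """ExcludeCipherSuites entries that do not look like JSSE cipher suite names."""
    odd = []
    for name, _, items in exclusion_settings(xml_text):
        if name == "ExcludeCipherSuites":
            odd.extend(item for item in items if not CIPHER_NAME_RE.match(item))
    return odd


if __name__ == "__main__":
    for label, text in (("posted", MISPLACED_XML), ("moved", FIXED_XML)):
        print(f"{label}: misplaced={misplaced_exclusions(text)} "
              f"non-cipher items={non_cipher_items(text)}")
```

On the first sample both exclusion settings are reported as attached to the SslSocketConnector and the SSL23_GET_SERVER_HELLO entry is flagged; on the second sample both checks come back empty. Pointing the script at a real jetty.xml means reading the file into `xml_text`; the DOCTYPE line the file carries is accepted by ElementTree, which does not fetch the external DTD.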
    #2002
     jean.austin
    Participant

    I was using 3.0.0 and upgraded to 3.1.0 and it is resolved now.


©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
