Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

JTS SSL: Valid ciphers for server certificate? [SOLVED]

Questions
Tags
Users
Badges
Alex Bremer
(2113) edited
Nov 30 '13, 7:07 a.m.
Sorry for the long introduction but I'm not an SSL expert, so I basically have to describe what I did:

I was trying to change the server certificate for the JTS Tomcat server, even before running the initial setup. I created a new certificate using GnuTLS and signed it with my own CA. However when trying to connect to the server, I immediately got a "SSL handshake failure" from my browser which was probably because of the configured cipher suites (Tomcat server.xml) being too low. Using other tools like curl, openssl or gnutls I was able to establish a connection to the server, so the basic setup seemed to be ok.

I removed the "ciphers" line from the Tomcat connector which allowed me to successfully establish a connection to the server with firefox and start the JTS setup. However at the last step of the setup (when choosing the public URL), the setup program seems to trigger an internal connection to the server (server-to-server) which then again failed with an SSL error.

To verify that this is not a general SSL setup error, I created a new CA and server certificate using OpenSSL and a lower cipher suite. This time I was able to complete the setup step which tests the connection to the server. So I'm pretty sure that the only reason I can not complete the setup with my GnuTLS certificate is an incompatibility with the preconfigured cipher suites.

Obviously the "ciphers" parameter in the Tomcat server.xml was configured for a reason as some component of RTC does not seem to be able to deal with higher cipher suites.

So my question:
Is there a way to change this and allow cipher suites compatible with GnuTLS?

As I use GnuTLS for all my SSL needs, I would very much like to use my existing CA to create a server certificate for RTC. However I'm not sure which cipher suite I have to use or if it's possible at all (maybe my CA already uses a cipher suite which is too high for RTC). I never had problems before and the certificates created with my setup work fine for Apache HTTPD.

I'm not sure how to determine the correct ciphers as those names from the server.xml don't tell me much.

Did anyone ever successfully create a JTS server certificate using gnutls? Which parameters did you use?

1 vote

1 answer
8,167 views
1 vote

One answer

Permanent link
Alex Bremer
(2113) edited
Nov 30 '13, 7:08 a.m.
After analyzing the problem with wireshark and much trial & error, I finally figured it out. It seems that JTS can not deal with certificates which are using more than 2048 bits. While the server can handle those certificates and allows browser to connect, the server's internal connections to the webservices however will fail.

Using certificates with more than 2048 bits limits the number of algorithms which can be used and therefore the internal connections, which can only use lower grade ciphers, will get an ssl handshake error leading to a javax.net.ssl.SSLPeerUnverifiedException ("peer not authenticated") error.

1 vote

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

Ask a question
Guidelines
FAQ
Search context
Follow this question

By Email: 

Once you sign in you will be able to subscribe for any updates here.

By RSS:

Answers
Answers and Comments
Question details
× 36

Question asked: Nov 29 '13, 8:04 p.m.

Question was seen: 8,167 times

Last updated: Nov 30 '13, 7:08 a.m.

Confirmation Cancel Confirm