Connection Manager - no cipher suites in common

I'm having an issue with the Connection Manager where some clients (GAIM most notably) can't connect and throw various SSL related errors on the client side. On the connection manager side the following is being logged:

javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:994)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:459)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1054)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1026)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:411)
    at org.jivesoftware.multiplexer.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:329)
    at org.jivesoftware.multiplexer.net.TLSStreamHandler.start(TLSStreamHandler.java:223)
    at org.jivesoftware.multiplexer.net.SocketConnection.startTLS(SocketConnection.java:169)
    at org.jivesoftware.multiplexer.net.SocketReadingMode.negotiateTLS(SocketReadingMode.java:69)
    at org.jivesoftware.multiplexer.net.BlockingReadingMode.readStream(BlockingReadingMode.java:128)
    at org.jivesoftware.multiplexer.net.BlockingReadingMode.run(BlockingReadingMode.java:66)
    at org.jivesoftware.multiplexer.net.SocketReader.run(SocketReader.java:114)
    at java.lang.Thread.run(Thread.java:595)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1352)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:164)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:639)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:450)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:178)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:437)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:932)
    at org.jivesoftware.multiplexer.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:380)
    at org.jivesoftware.multiplexer.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:290)
    ... 7 more

Searching the net one hit suggests there may be a minor bug in the Connection Manager code:

http://www.realityinteractive.com/rgrzywinski/archives/000082.html

A brief quote from that page:

I was attempting to use a vanilla SSL server and client socket … but kept getting the dreaded:

javax.net.ssl.SSLException: No available certificate corresponds to the SSL cipher suites which are enabled.

The usual searches turned up a million posts about junk I already knew. The JSSE ref guide is great for people that already know what they're doing and is therefore self deprecating.

The long and short of it is that if you use a default SSLServerSocketFactory and create a socket then you must have an anonymous cipher suite installed.

I'd like to take a peek at the source for the Connection Manager to see if this hit is the cause of my problem but I haven't found the download for that. Is it available? Some of my users have screwed around with GAIM and the underlying SSL libraries to the point where it works but it'd be nice to get the most common GAIM installs connecting.

Other lines of troubleshooting I've followed involved replacing my original certificates with new ones to ensure I was providing certs in both RSA & DSA flavors like the self signed certs were.

Hi,

I'd like to take a peek at the source for the Connection Manager to see if this hit is the cause of my problem but I haven't found the download for that. Is it available?

svn co http://svn.jivesoftware.org/svn/repos/connectionmanager/trunk connectionmanager

I don't remember exactly what the error.log looked like in my case last time, but my way of troubleshooting was to set "Force OLD SSL" in Gaim. Hope to see you hit the jackpot.

Actually now that I've beat on it again I'm fairly certain my problem is that despite specifying -keyalg rsa when I generate my cert requests and subsequently store the replies with keytool that I still end up with DSA certs which most SSL libraries that GAIM uses can't work with. For now I'm going to give up on properly signed certs and run with the self-signed certs in the default keystore that comes with the Connection Manager. These provide both RSA & DSA and thus work fine with GAIM.
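A quick way to confirm the diagnosis above (a keystore that only holds DSA keys, so a client offering only RSA suites gets "no cipher suites in common") is to list the key algorithm behind every private-key entry and compare it with the suites the JVM would enable. This is an added diagnostic, not code from the thread or from the Connection Manager; the keystore path and password are assumed and passed on the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;

/** Reports which key algorithms a keystore can actually serve TLS with, and which
 *  of the JVM's default cipher suites those keys can back. */
public class KeystoreCipherCheck {

    public static void main(String[] args) throws Exception {
        // Assumed defaults; point these at the connection manager's own keystore.
        String path = args.length > 0 ? args[0] : "keystore";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        boolean hasRsa = false, hasDsa = false, hasEc = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // Only private-key entries can authenticate a server; trusted certs alone cannot.
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String alg = cert.getPublicKey().getAlgorithm();
            System.out.println(alias + ": " + alg + " key, " + cert.getSubjectX500Principal());
            hasRsa |= alg.equals("RSA");
            hasDsa |= alg.equals("DSA");
            hasEc |= alg.equals("EC");
        }

        // A suite is usable only if the server holds a key of the authentication
        // type named in the suite (RSA, DSS or ECDSA); TLS 1.3 suites carry no such name.
        int usable = 0, total = 0;
        for (String s : SSLContext.getDefault().createSSLEngine().getEnabledCipherSuites()) {
            total++;
            boolean ok = (s.contains("_RSA_") && hasRsa)
                      || (s.contains("_DSS_") && hasDsa)
                      || (s.contains("_ECDSA_") && hasEc)
                      || s.startsWith("TLS_AES_") || s.startsWith("TLS_CHACHA20_");
            if (ok) usable++;
        }
        System.out.println(usable + " of " + total + " enabled suites are backed by a key");
        if (!hasRsa) {
            System.out.println("WARNING: no RSA key entry; clients that only offer RSA suites "
                    + "will fail with 'no cipher suites in common'");
        }
    }
}
```

If the keystore lists only DSA entries, re-check the keytool -genkey step: the -keyalg rsa flag must be given when the key pair is generated, since the later -import of the CA reply cannot change the key type.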