FF 37 - ssl_error_no_cypher_overlap with java SSL and java generated self-signed certificates

Stefano Fornari
Hi All,
it seems the latest update to FF37 has broken some SSL functionality. I am no longer able to access a Java server running HTTPS. The implementation is based on standard Java SSL and I generated the certificates myself (being an internal server). It seems the problem is not in the certificates; as far as I understand, the handshake is not able to find a common cypher. Is anyone having the same issue? Is it a bug?

Thanks in advance.
stefano
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: FF 37 - ssl_error_no_cypher_overlap with java SSL and java generated self-signed certificates

Gervase Markham
Hi Stefano,

On 02/04/15 22:06, [hidden email] wrote:
> Hi All, it seems the latest update to FF37 has broken some SSL
> functionality.

Are you sure the problem has begun in 37, and not 36, or 35, or an
earlier version?

Are you able to see how many connection attempts Firefox makes? (We have
a fallback connection if the first one fails; it might be useful to see
if it's triggered.)

> I am not able to access any more a java server running
> HTTPS. The implementation is based on standard Java SSL and I

Which version of Java?

> generated the certificates myself (being an internal server). It

What hash algorithm does your certificate use, and how many bits is the
RSA key?

Can you post the exact error you get?

Gerv
Re: FF 37 - ssl_error_no_cypher_overlap with java SSL and java generated self-signed certificates

Hanno Böck-4
In reply to this post by Stefano Fornari
On Thu, 2 Apr 2015 14:06:32 -0700 (PDT)
[hidden email] wrote:

> it seems the latest update to FF37 has broken some SSL functionality.
> I am not able to access any more a java server running HTTPS. The
> implementation is based on standard Java SSL and I generated the
> certificates myself (being an internal server). It seems the problem
> is not in the certificates, as far as I understand the handshake is
> not able to find a common cypher. Is anyone having the same issue? is
> it a bug?

Are you using DSA? Firefox removed DSA recently (which is good - almost
nobody uses it and it's a quite fragile algorithm when it comes to
random numbers).

--
Hanno Böck
http://hboeck.de/

mail/jabber: [hidden email]
GPG: BBB51E42

Re: FF 37 - ssl_error_no_cypher_overlap with java SSL and java generated self-signed certificates

Gervase Markham
In reply to this post by Stefano Fornari
On 07/04/15 17:32, Hanno Böck wrote:
> Are you using DSA? Firefox removed DSA recently (which is good - almost
> nobody uses it and it's a quite fragile algorithm when it comes to
> random numbers).

Hanno's probably hit the nail on the head here.
https://bugzilla.mozilla.org/show_bug.cgi?id=1073867 was fixed in
Firefox 37.

Gerv

Re: FF 37 - ssl_error_no_cypher_overlap with java SSL and java generated self-signed certificates

Brian Smith-19
Gervase Markham <[hidden email]> wrote:
> On 07/04/15 17:32, Hanno Böck wrote:
>> Are you using DSA? Firefox removed DSA recently (which is good - almost
>> nobody uses it and it's a quite fragile algorithm when it comes to
>> random numbers).
>
> Hanno's probably hit the nail on the head here.
> https://bugzilla.mozilla.org/show_bug.cgi?id=1073867 was fixed in
> Firefox 37.

The removal of the DSS-based *cipher suites* was
https://bugzilla.mozilla.org/show_bug.cgi?id=1107787, which was also
done in Firefox 37.

Cheers,
Brian
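
The following is an added example, not part of any message in the thread. It shows why a server whose certificate holds a DSA key ends up with no cipher overlap once the client stops offering DSS-based suites. The suite lists are constructed for illustration and are not exact Firefox or Java defaults, and the DSA key is an assumption taken from the replies (the original poster never confirmed it).

```python
import re

# Key-exchange/authentication token of a TLS <= 1.2 suite name, mapped to the
# type of key the server certificate must hold for that suite to be usable.
KX_TO_CERT_KEY = {
    "RSA": "RSA",
    "DHE_RSA": "RSA",
    "ECDHE_RSA": "RSA",
    "DHE_DSS": "DSA",
    "ECDHE_ECDSA": "EC",
}

def required_cert_key(suite):
    """Return the certificate key type a suite needs, or None if unknown."""
    m = re.match(r"TLS_(.+?)_WITH_", suite)
    return KX_TO_CERT_KEY.get(m.group(1)) if m else None

def negotiable(client_offer, server_enabled, server_cert_key):
    """Suites both sides enable AND the server's certificate key can serve."""
    enabled = set(server_enabled)
    return [s for s in client_offer
            if s in enabled and required_cert_key(s) == server_cert_key]

# Constructed sample lists (illustrative only, not real product defaults).
SERVER_ENABLED = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
]
CLIENT_WITH_DSS = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
# Same client after the DSS-based suites are dropped from its offer.
CLIENT_WITHOUT_DSS = [s for s in CLIENT_WITH_DSS
                      if required_cert_key(s) != "DSA"]

if __name__ == "__main__":
    for key in ("DSA", "RSA"):
        for label, offer in (("with DSS", CLIENT_WITH_DSS),
                             ("without DSS", CLIENT_WITHOUT_DSS)):
            usable = negotiable(offer, SERVER_ENABLED, key)
            print(f"server key {key}, client {label}: {usable or 'no overlap'}")
```

Many RSA suites are enabled on both sides, yet none of them count when the certificate key is DSA, which is why the questions about the certificate's key type matter for a cipher-overlap error.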