[Openflow] TLS - No cipher suites in common issue


A Vamsikrishna
 

Hi All,

 

I am using java1.8 & following below wiki :

 

https://wiki.opendaylight.org/view/OpenDaylight_OpenFlow_Plugin:_TLS_Support

 

Does below commands from above wiki make use of RSA as a default algorithm ?

 

 

sudo ovs-pki req+sign sc switch

sudo ovs-pki req+sign ctl controller

 

 

Is it causing the problem ?

 

And I using below cipher which is based on ECDSA :

 

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

 

If yes, how to create certificates that makes use of ECDSA algorithm ?

 

Thanks,

Vamsi

 

 

From: A Vamsikrishna
Sent: Monday, December 18, 2017 4:05 PM
To: 'openflowjava-dev@...' <openflowjava-dev@...>
Subject: [Openflow] TLS cipher suite cannot support exception

 

Hi All,

 

All below scenarios looks fine

 

 

 with no ciphers

(or)

<cipher-suites>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</cipher-suites>

(or)

<cipher-suites>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</cipher-suites>

<cipher-suites>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</cipher-suites           

 (or)

<cipher-suites>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</cipher-suites>

<cipher-suites>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</cipher-suites>

 

 stack@devcontrol:~/devstack$

stack@devcontrol:~/devstack$ sudo tail -5 /var/log/openvswitch/ovs-vswitchd.log

2017-11-21T15:17:16.417Z|02158|rconn|WARN|br-int<->ssl:192.168.56.1:6653: connection dropped (Connection refused)

2017-11-21T15:17:24.437Z|02159|rconn|WARN|br-int<->ssl:192.168.56.1:6653: connection dropped (Connection refused)

2017-11-21T15:17:32.383Z|02160|rconn|WARN|br-int<->ssl:192.168.56.1:6653: connection dropped (Connection refused)

2017-11-21T15:17:40.915Z|02161|rconn|INFO|br-int<->ssl:192.168.56.1:6653: connected

2017-11-21T15:17:54.279Z|02162|connmgr|INFO|br-int<->ssl:192.168.56.1:6653: 38 flow_mods 10 s ago (38 adds)

stack@devcontrol:~/devstack$

stack@devcontrol:~/devstack$

 

stack@devcontrol:~/devstack$ sudo ovs-vsctl show

9191393d-55e3-49c8-82e0-ea597b611ec0

    Manager "tcp:192.168.56.1:6640"

        is_connected: true

    Bridge br-int

        Controller "ssl:192.168.56.1:6653"

            is_connected: true

        fail_mode: secure

        Port br-int

            Interface br-int

                type: internal

    Bridge br-ext

        Port br-ext

            Interface br-ext

                type: internal

    ovs_version: "2.6.1"

stack@devcontrol:~/devstack$

 

 

 only with below cipher suite alone it's not working

 

 <cipher-suites>TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256</cipher-suites>

 

 

 stack@devcontrol:~/devstack$ sudo tail -5 /var/log/openvswitch/ovs-vswitchd.log

2017-11-21T15:10:28.370Z|02089|rconn|WARN|br-int<->ssl:192.168.56.1:6653: connection dropped (Protocol error)

2017-11-21T15:10:36.343Z|02090|stream_ssl|WARN|SSL_connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

2017-11-21T15:10:36.344Z|02091|rconn|WARN|br-int<->ssl:192.168.56.1:6653: connection dropped (Protocol error)

2017-11-21T15:10:44.343Z|02092|stream_ssl|WARN|SSL_connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

2017-11-21T15:10:44.343Z|02093|rconn|WARN|br-int<->ssl:192.168.56.1:6653: connection dropped (Protocol error)

stack@devcontrol:~/devstack$

stack@devcontrol:~/devstack$

stack@devcontrol:~/devstack$ sudo ovs-vsctl show

9191393d-55e3-49c8-82e0-ea597b611ec0

    Manager "tcp:192.168.56.1:6640"

        is_connected: true

    Bridge br-int

        Controller "ssl:192.168.56.1:6653"

        fail_mode: secure

        Port br-int

            Interface br-int

                type: internal

    Bridge br-ext

        Port br-ext

                               

                               

                                Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common

        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)[:1.8.0_131]

        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)[:1.8.0_131]

        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)[:1.8.0_131]

        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)[:1.8.0_131]

        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)[:1.8.0_131]

        at io.netty.handler.ssl.SslHandler$SslEngineType$2.unwrap(SslHandler.java:223)[97:io.netty.handler:4.1.8.Final]

        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1117)[97:io.netty.handler:4.1.8.Final]

        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1039)[97:io.netty.handler:4.1.8.Final]

        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411)[94:io.netty.codec:4.1.8.Final]

        ... 25 more

Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common

        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)[:1.8.0_131]

        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)[:1.8.0_131]

        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)[:1.8.0_131]

        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:292)[:1.8.0_131]

        at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1045)[:1.8.0_131]

        at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:741)[:1.8.0_131]

        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:224)[:1.8.0_131]

        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)[:1.8.0_131]

        at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)[:1.8.0_131]

        at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)[:1.8.0_131]

        at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_131]

        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)[:1.8.0_131]

        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1256)[97:io.netty.handler:4.1.8.Final]

        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1169)[97:io.netty.handler:4.1.8.Final]

        ... 27 more

 

 

Any thoughts on this ?

 

Thanks,

Vamsi

 

 

From: A Vamsikrishna
Sent: Thursday, December 14, 2017 7:21 PM
To: 'openflowjava-dev@...' <openflowjava-dev@...>
Subject: [Openflow] TLS cipher suite cannot support exception

 

 

Hi All,

 

I am working on OFJ to allow users to configure cipher-suites to use with
SSLEngine. (https://git.opendaylight.org/gerrit/#/c/34942/).
 
I am trying to test it by configuring the cipher suites supported by
SunProvider 1.8, for e.g. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. (
http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html
).
However, I see an IllegalArgumentException exception indicating that the
cipher suite is not supported.
 
Can you please help me with this issue ?
 
 
Here is the stacktrace -->
 
 
2016-02-23 12:16:34,802 | WARN  | entLoopGroup-9-2 | TcpChannelInitializer
           | 262 - org.opendaylight.openflowjava.openflow-protocol-impl -
0.8.0.SNAPSHOT | Failed to initialize channel
java.lang.IllegalArgumentException: Cannot support
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 with currently installed providers
at
sun.security.ssl.CipherSuiteList.<init>(CipherSuiteList.java:92)[:1.8.0_60]
at
sun.security.ssl.SSLEngineImpl.setEnabledCipherSuites(SSLEngineImpl.java:2038)[:1.8.0_60]
at
org.opendaylight.openflowjava.protocol.impl.core.TcpChannelInitializer.initChannel(TcpChannelInitializer.java:91)[262:org.opendaylight.openflowjava.openflow-protocol-impl:0.8.0.SNAPSHOT]
at
org.opendaylight.openflowjava.protocol.impl.core.TcpChannelInitializer.initChannel(TcpChannelInitializer.java:32)[262:org.opendaylight.openflowjava.openflow-protocol-impl:0.8.0.SNAPSHOT]
at
io.netty.channel.ChannelInitializer.channelRegistered(ChannelInitializer.java:68)[125:io.netty.transport:4.0.33.Final]
at
io.netty.channel.AbstractChannelHandlerContext.invokeChannelRegistered(AbstractChannelHandlerContext.java:143)[125:io.netty.transport:4.0.33.Final]
at
io.netty.channel.AbstractChannelHandlerContext.fireChannelRegistered(AbstractChannelHandlerContext.java:129)[125:io.netty.transport:4.0.33.Final]
at
io.netty.channel.DefaultChannelPipeline.fireChannelRegistered(DefaultChannelPipeline.java:733)[125:io.netty.transport:4.0.33.Final]
at
io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:450)[125:io.netty.transport:4.0.33.Final]
at
io.netty.channel.AbstractChannel$AbstractUnsafe.access$100(AbstractChannel.java:378)[125:io.netty.transport:4.0.33.Final]
at
io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:424)[125:io.netty.transport:4.0.33.Final]
at
io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:329)[124:io.netty.common:4.0.33.Final]
at
io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:350)[125:io.netty.transport:4.0.33.Final]
at
io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:112)[124:io.netty.common:4.0.33.Final]
at
io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)[124:io.netty.common:4.0.33.Final]
at java.lang.Thread.run(Thread.java:745)[:1.8.0_60]

 

I have tried to update the JCE policy files to include jars that provide unlimited
cryptographic strength:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

 

But it did not work out even after my ODL restart (System:shutdown)

 

Any thoughts ?

 

 

 

Thanks,

Vamsi

 

Join z.archive.openflowjava-dev@lists.opendaylight.org to automatically receive all group messages.