Handshake failure OpenWebStart

Janak Mulani
Posts: 40
Joined: 24 Mar 2020, 13:37

Handshake failure OpenWebStart

Post by Janak Mulani »

At the moment we are testing OpenWebStart (1.1.6 and 1.1.7) on some PCs. But we have some handshake failure issues and hope you guys can help me with this.

The following cipher suites are supported by the Server:
TLSv1.2:
ciphers:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)

With Wireshark I can see OpenWebStart do a client hello with the following Cipher suites:
Cipher Suites (14 suites)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 (0xc07b)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0x00c0)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 (0xc07a)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0x00ba)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)

Is it possible to configure OpenWebStart to send the TLS_ECDHE ciphers to the server?

I tried to disable the TLS_RSA ciphers with the setting jdk.tls.disabledAlgorithms in java.security, but OpenWebStart is still sending the TLS_RSA ciphers to the server.
And I also played around with many other configurations like jdk.jar.disabledAlgorithms, jdk.tls.legacyAlgorithms and crypto.policy. But the OpenWebStart client is still sending the TLS_RSA ciphers.

Janak Mulani
Posts: 40
Joined: 24 Mar 2020, 13:37

Re: Handshake failure OpenWebStart

Post by Janak Mulani »

Edited the java.security in C:\Users\tsangk\.cache\icedtea-web\jvm-cache\Zulu Community Edition-11.0.6\conf\security

For a test I changed the setting crypto.policy from unlimited to limited; the client hello now sends 8 suites instead of 14, so this setting seems to work. But when I add the ciphers I want to disable in jdk.tls.disabledAlgorithms, the client is still sending the old ciphers, see screenshot and java.security.

The SAP server only accepts TLS_ECDHE_RSA cipher suites, but I have no idea how to disable the old ciphers and enable the TLS_ECDHE_RSA ones.

Janak Mulani
Posts: 40
Joined: 24 Mar 2020, 13:37

Re: Handshake failure OpenWebStart

Post by Janak Mulani »

Yes, I think OWS can't do the handshake with the server because of the cipher mismatch. This same problem also exists in Oracle JRE, but OWS performed much better and will continue in the future, so that's why I changed to OWS.

No there is no proxy, all the traffic is on LAN.

Janak Mulani
Posts: 40
Joined: 24 Mar 2020, 13:37

Re: Handshake failure OpenWebStart

Post by Janak Mulani »

Hi

Can you please try a few things:

1. In javaws.vmoptions file specify the following argument and then send the log to us:

-Djavax.net.debug=ssl,handshake

2. Try specifying the settings in the java.security at <OpenWebStart Install Dir>/jre/lib/security. OWS bundles an AdoptOpenJDK 8 to start itself.

Also, you must have seen: https://www.java.com/en/configure_crypto.html. It has some sections on disabling cipher suites.

I also came across https://stackoverflow.com/questions/319 ... ux-machine

Thanks

Janak
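The first post asks how to make the client offer the ECDHE suites, and the reply above points at two different java.security files (the Zulu 11 one in the jvm-cache and the bundled JDK 8 one). The following is an added example, not OpenWebStart or JDK project code: run it on the same JVM that the application uses and it prints which java.security settings that JVM actually loaded, whether an EC provider is present (assumed here to be the OpenJDK provider named SunEC), the cipher suites the default SSLContext will offer, and the overlap with the server list from the first post (copied into SERVER_SUITES). An empty overlap is exactly the handshake_failure the thread describes.

```java
// Added example (not OpenWebStart or JDK project code): report which TLS cipher
// suites this JVM will offer and compare them with the server list from the thread.
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

public class CipherSuiteCheck {

    // Server-side suites as listed in the first post of the thread.
    static final List<String> SERVER_SUITES = Arrays.asList(
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");

    /** Suites the default SSLContext puts into its ClientHello, in offer order. */
    static List<String> enabledClientSuites() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites());
    }

    /** Suites present in both lists; empty means the handshake cannot succeed. */
    static List<String> overlap(List<String> client, List<String> server) {
        List<String> common = new ArrayList<>();
        for (String suite : client) {
            if (server.contains(suite)) {
                common.add(suite);
            }
        }
        return common;
    }

    public static void main(String[] args) throws Exception {
        // 1. Which runtime and which security properties are in effect? A java.security
        //    edit that is not reflected here was made to a file this JVM never reads.
        System.out.println("java.home                  = " + System.getProperty("java.home"));
        System.out.println("java.security.properties   = " + System.getProperty("java.security.properties"));
        System.out.println("jdk.tls.disabledAlgorithms = " + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // 2. ECDHE suites can only be offered when an EC provider is available.
        //    "SunEC" is the OpenJDK provider name (assumption: a standard OpenJDK build).
        Provider ec = Security.getProvider("SunEC");
        System.out.println("SunEC provider             = " + (ec == null ? "MISSING" : ec.getInfo()));

        // 3. What the client will actually offer, and whether anything matches the server.
        List<String> client = enabledClientSuites();
        System.out.println("client offers " + client.size() + " suites:");
        for (String suite : client) {
            System.out.println("  " + suite);
        }

        List<String> common = overlap(client, SERVER_SUITES);
        if (common.isEmpty()) {
            System.out.println("NO common suite: handshake_failure expected against this server");
        } else {
            System.out.println("common suites: " + common);
        }
    }
}
```

Run it with the same java binary the application is launched with (the java.home line confirms which one that is). To change jdk.tls.disabledAlgorithms without editing the bundled file, the JVM that reads javaws.vmoptions also accepts -Djava.security.properties=<override file>, which adds to or overrides individual properties of the loaded java.security; a setting made that way shows up in the jdk.tls.disabledAlgorithms line printed above. Security.setProperty can do the same programmatically, but only if it runs before the first SSLContext is initialised in that JVM.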

Th3WalkingDad
Posts: 16
Joined: 01 Jun 2020, 14:20

Re: Handshake failure OpenWebStart

Post by Th3WalkingDad »

Hi,

Small tip:
The little I've experienced with ciphering and Java makes me conclude that this is mostly dependent on the JRE/JDK implementation.

Did you give it a try with another JDK?

For example with AdoptOpenJDK 11.0.6 (+OWS 1.1.7) and the java.security below, I get 3 compatible ciphers with your list. Well, it looks like it.

Th3WalkingDad
Posts: 16
Joined: 01 Jun 2020, 14:20

Re: Handshake failure OpenWebStart

Post by Th3WalkingDad »

Re-up of image!
AdoptOpenJDK11.0.6-1_Cipher.gif
