
Handshake failure OpenWebStart

Posted: 01 Jun 2020, 11:47
by Janak Mulani
At the moment we are testing OpenWebStart (1.1.6 and 1.1.7) on some PCs. But we have some handshake failure issues and hope you guys can help me with this.

The following cipher suites are supported by the Server:
TLSv1.2:
ciphers:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)

With Wireshark I can see that OpenWebStart does a client hello with the following cipher suites:
Cipher Suites (14 suites)
Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 (0xc07b)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (0x00c0)
Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 (0xc07a)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (0x00ba)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)

Is it possible to configure OpenWebStart to send the TLS_ECDHE ciphers to the server?

I tried to disable the TLS_RSA ciphers with the setting jdk.tls.disabledAlgorithms in java.security, but OpenWebStart is still sending the TLS_RSA ciphers to the server.
I also played around with many other configurations like jdk.jar.disabledAlgorithms, jdk.tls.legacyAlgorithms and crypto.policy, but the OpenWebStart client is still sending the TLS_RSA ciphers.

Re: Handshake failure OpenWebStart

Posted: 01 Jun 2020, 11:49
by Janak Mulani
Edited the java.security in C:\Users\tsangk\.cache\icedtea-web\jvm-cache\Zulu Community Edition-11.0.6\conf\security

As a test I changed the setting crypto.policy from unlimited to limited; the client hello now sends 8 suites instead of 14, so this setting seems to work. But when I add the ciphers I want to disable to jdk.tls.disabledAlgorithms, the client is still sending the old ciphers, see screenshot and java.security.

The SAP server only accepts TLS_ECDHE_RSA cipher suites, but I have no idea how to disable the old ciphers and enable the TLS_ECDHE_RSA ones.
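To see which suites a given JVM will actually put in its client hello, and whether an edit to java.security has been picked up at all, here is a small standalone Java program. It is an added example, not code from this thread or from the OpenWebStart project. The two suite lists are the ones quoted in the posts above; the class name, the `--disable-rsa-kx` flag and the helper methods are assumptions of this example. Run it with the same JVM that OWS launches the application with (the jvm-cache Zulu 11 mentioned above, or the bundled JRE), so that the same java.security is read.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

public class CipherSuiteCheck {

    // Suites the SAP server accepts, copied from the post above.
    static final List<String> SERVER_SUITES = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");

    // The 14 RSA-key-exchange suites seen in the client hello, copied from the post above.
    static final List<String> RSA_KX_SUITES = Arrays.asList(
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_RSA_WITH_RC4_128_SHA");

    /** Programmatic equivalent of appending the suite names to jdk.tls.disabledAlgorithms in java.security. */
    static void disableRsaKeyExchangeSuites() {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        String added = String.join(", ", RSA_KX_SUITES);
        Security.setProperty("jdk.tls.disabledAlgorithms",
            (current == null || current.trim().isEmpty()) ? added : current + ", " + added);
    }

    /** Suites present in both lists, kept in the client's preference order. */
    static List<String> common(List<String> client, List<String> server) {
        List<String> out = new ArrayList<>();
        for (String s : client) {
            if (server.contains(s)) out.add(s);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // This must happen before the first SSLContext is initialised in this JVM:
        // JSSE reads jdk.tls.disabledAlgorithms once, so a later change has no effect.
        if (args.length > 0 && args[0].equals("--disable-rsa-kx")) {   // flag assumed by this example
            disableRsaKeyExchangeSuites();
        }
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // default key managers, trust managers and SecureRandom
        SSLSocketFactory factory = ctx.getSocketFactory();
        List<String> offered = Arrays.asList(factory.getDefaultCipherSuites());
        List<String> supported = Arrays.asList(factory.getSupportedCipherSuites());

        System.out.println("Client would offer " + offered.size() + " suites:");
        for (String s : offered) System.out.println("  " + s);

        System.out.println("In common with the server: " + common(offered, SERVER_SUITES));

        // Separate "switched off" from "not there at all": an ECDHE suite that is absent
        // from the supported list as well is simply not provided by this JVM's JSSE, and
        // no java.security edit will make it appear; that is a JDK problem, not a config one.
        for (String s : SERVER_SUITES) {
            String state = offered.contains(s) ? "offered"
                : supported.contains(s) ? "supported by the JVM but not offered"
                : "NOT supported by this JVM";
            System.out.println("  " + s + ": " + state);
        }
    }
}
```

If the ECDHE_RSA suites show up as "offered" here but not in the Wireshark client hello, the java.security file being edited is not the one that JVM reads; `-Djava.security.properties=<file>` (a standard JDK system property, usable from javaws.vmoptions) points a JVM at an override file without touching the JRE copy. Two caveats: list the suite names or a documented pattern rather than a bare `RSA` entry, because `RSA` also matches the RSA signature half of the ECDHE_RSA suites and would remove exactly the suites the server wants; and remember that disabling the TLS_RSA suites only helps if the ECDHE suites are present in the supported list in the first place.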

Re: Handshake failure OpenWebStart

Posted: 01 Jun 2020, 11:51
by Janak Mulani
Yes, I think OWS can't do the handshake with the server because of the cipher mismatch. This same problem also exists in the Oracle JRE, but OWS performs much better and will continue in the future, so that is why I changed to OWS.

No, there is no proxy; all the traffic is on the LAN.

Re: Handshake failure OpenWebStart

Posted: 01 Jun 2020, 12:11
by Janak Mulani
Hi

Can you please try a few things:

1. In javaws.vmoptions file specify the following argument and then send the log to us:

-Djavax.net.debug=ssl,handshake

2. Try specifying the settings in the java.security at <OpenWebStart Install Dir>/jre/lib/security. OWS bundles an AdoptOpenJDK 8 to start itself.

Also, you must have seen https://www.java.com/en/configure_crypto.html. It has some sections on disabling cipher suites.

I also came across https://stackoverflow.com/questions/319 ... ux-machine

Thanks

Janak

Re: Handshake failure OpenWebStart

Posted: 07 Jun 2020, 12:32
by Th3WalkingDad
Hi,

Small tip:
The little I've experienced with ciphering + Java makes me conclude that this is mostly dependent on the JRE/JDK implementation.

Did you give it a try with another JDK?

For example, with AdoptOpenJDK 11.0.6 (+OWS 1.1.7) and the java.security below, I get 3 compatible ciphers with your list. Well, it looks like it.
Image

Re: Handshake failure OpenWebStart

Posted: 10 Jun 2020, 22:38
by Th3WalkingDad
Re-up of image!
AdoptOpenJDK11.0.6-1_Cipher.gif