
Re: [Handle-info] HandleException (INTERNAL_ERROR) SSLHandshakeException: no cipher suites in common, during full dump



Replication (including the initial dump) depends on the pubkey.bin/privkey.bin key of the source server (which is also in the siteinfo), as well as the replpub.bin/replpriv.bin of the replicating client.  The serverCertificate key is only used for HTTPS access.

It is very possible your system has DSA disabled in Java.  How to enable it depends on your system.  In some Linux systems, you would edit /etc/crypto-policies/back-ends/java.config and remove "DSA" from jdk.certpath.disabledAlgorithms and "DHE_DSS" from jdk.tls.disabledAlgorithms.  If you run into trouble, let me know more about your system.

Another alternative is to replace your DSA keys with RSA keys, including editing the HS_SITE and HS_PUBKEY values (and the siteinfo and possibly txnsrcsv files).

Best,
Robert





On Thu, Jan 26, 2023 at 1:20 PM Merret Buurman <buurman@dkrz.de> wrote:
Dear all,
I am trying to set up new mirrors. When I try to run the full dump, I
get errors; in the log I get messages such as these:

svr_21.14103/logs/error.log-20230115:Caused by: HandleException
(INTERNAL_ERROR) javax.net.ssl.SSLHandshakeException: no cipher suites
in common
svr_21.14103/logs/error.log-20230115:Caused by:
javax.net.ssl.SSLHandshakeException: no cipher suites in common

Can anybody help me with this? I don't know where the accepted cipher
suites are defined, nor which keys/certificates are actually the
problem, nor how I can solve this.

Some more details below, in case they're helpful.

Thanks so much,
best,
Merret


PS: I turned on ssl logging on primary and mirror, then I get many
messages like this (in the primary's error log):

javax.net.ssl|FINE|6D|pool-4-thread-5|2023-01-26 18:43:01.291
CET|X509Authentication.java:297|ALIAS private or public key is not of EC
algorithm
javax.net.ssl|FINE|6D|pool-4-thread-5|2023-01-26 18:43:01.292
CET|X509Authentication.java:297|ALIAS private or public key is not of
RSA algorithm
javax.net.ssl|FINE|6D|pool-4-thread-5|2023-01-26 18:43:01.292
CET|X509Authentication.java:297|ALIAS private or public key is not of
RSASSA-PSS algorithm

Some more details, if needed:
The primaries that fail were set up in 2017, the ones that function well
were set up in 2021. In the siteinfo.json I can see that the ones that fail
contain DSA keys:
   "servers": [
     {
       "serverId": 1,
       "address": "x.x.x.49",
       "publicKey": {
         "format": "key",
         "value": {
           "kty": "DSA",
While the ones that work contain RSA keys:
   "servers": [
     {
       "serverId": 1,
       "address": "x.x.x.49",
       "publicKey": {
         "format": "key",
         "value": {
           "kty": "RSA",

However the serverCertificate.pem seems to be RSA in all of them:
[root@prim svr_1]# openssl x509 -in serverCertificate.pem -text | grep RSA
     Signature Algorithm: sha256WithRSAEncryption
     Signature Algorithm: sha256WithRSAEncryption



--
Merret Buurman
Abteilung Datenmanagement

Deutsches Klimarechenzentrum GmbH (DKRZ)
Bundesstraße 45 a • 20146 Hamburg • Germany
Phone: +49 40 460094-129

Email: buurman@dkrz.de
URL: www.dkrz.de

Geschäftsführer: Prof. Dr. Thomas Ludwig
Sitz der Gesellschaft: Hamburg
Amtsgericht Hamburg HRB 39784
_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info
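
A read-only check for the two conditions discussed in this thread, added here as an example (not code from the Handle software or from either poster): it lists the key type of each server in a siteinfo.json and reports whether a Java policy file still names DSA or DHE_DSS in the two properties mentioned in the reply. Both inputs are constructed samples, and the function names are hypothetical.

```python
import json
import re

# Constructed sample shaped like /etc/crypto-policies/back-ends/java.config
SAMPLE_JAVA_CONFIG = """\
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=DH keySize < 2048, SSLv3, DHE_DSS, \\
    RC4_128, 3DES_EDE_CBC
"""

# Constructed sample using only the siteinfo.json fields quoted in the thread
SAMPLE_SITEINFO = """\
{"servers": [{"serverId": 1, "address": "x.x.x.49",
  "publicKey": {"format": "key", "value": {"kty": "DSA"}}}]}
"""

# Property -> algorithm name the reply says to remove from it
BLOCKERS = {
    "jdk.certpath.disabledAlgorithms": "DSA",
    "jdk.tls.disabledAlgorithms": "DHE_DSS",
}

def parse_properties(text):
    """Parse key=value lines; joins backslash continuations, skips comments."""
    props = {}
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return props

def dsa_blockers(java_config_text):
    """Return {property: [entries]} for entries that still name DSA/DHE_DSS."""
    props = parse_properties(java_config_text)
    found = {}
    for prop, name in BLOCKERS.items():
        # Entries can carry a constraint ("DSA keySize < 1024"); keep it verbatim.
        hits = [e for e in props.get(prop, []) if e.split()[0] == name]
        if hits:
            found[prop] = hits
    return found

def server_key_types(siteinfo_text):
    """Return {serverId: kty} for each server entry in a siteinfo.json."""
    servers = json.loads(siteinfo_text)["servers"]
    return {s["serverId"]: s["publicKey"]["value"]["kty"] for s in servers}
```

To check a real host, pass the contents of the policy file and of each server's siteinfo.json to the two functions.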