We're Hiring!

SSL issue using CLI import

General user discussion about using the OMERO platform to its fullest. Please ask new questions at https://forum.image.sc/tags/omero
Please note:
Historical discussions about OMERO. Please look for and ask new questions at https://forum.image.sc/tags/omero

There are workflow guides for various OMERO functions on our help site - http://help.openmicroscopy.org

You should find answers to any basic questions about using the clients there.

SSL issue using CLI import

Postby jstitlow » Fri Apr 12, 2019 2:18 pm

Hello,

I get the following error message when running omero import file:

Code: Select all
Ice.SecurityException: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)


Any idea what the issue is?

Thanks!
Josh T

Our system:

Linux mprocessor1 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64

Full error message:

Code: Select all
2019-04-12 15:08:16,098 327        [      main] INFO          ome.formats.importer.ImportConfig - OMERO Version: 5.4.10-ice36-b105
2019-04-12 15:08:16,115 344        [      main] INFO          ome.formats.importer.ImportConfig - Bioformats version: 5.9.2 revision: 9fc607f85b8900be786813296f1eee75cc1ed883 date: 31 August 2018
2019-04-12 15:08:16,185 414        [      main] INFO   formats.importer.cli.CommandLineImporter - Log levels -- Bio-Formats: ERROR OMERO.importer: INFO
2019-04-12 15:08:16,623 852        [      main] INFO      ome.formats.importer.ImportCandidates - Depth: 4 Metadata Level: MINIMUM
2019-04-12 15:08:16,739 968        [      main] INFO      ome.formats.importer.ImportCandidates - 1 file(s) parsed into 1 group(s) with 1 call(s) to setId in 111ms. (116ms total) [0 unknowns]
2019-04-12 15:08:17,061 1290       [      main] INFO       ome.formats.OMEROMetadataStoreClient - Attempting initial SSL connection to omero1.bioch.ox.ac.uk:4064
2019-04-12 15:08:17,478 1707       [      main] ERROR  formats.importer.cli.CommandLineImporter - Error during import process.
Ice.SecurityException: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
   at IceInternal.AsyncResultI.__wait(AsyncResultI.java:276) ~[ice.jar:na]
   at Ice.ObjectPrxHelperBase.end_ice_isA(ObjectPrxHelperBase.java:310) ~[ice.jar:na]
   at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:92) ~[ice.jar:na]
   at Ice.ObjectPrxHelperBase.ice_isA(ObjectPrxHelperBase.java:69) ~[ice.jar:na]
   at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2810) ~[ice.jar:na]
   at Ice.ObjectPrxHelperBase.checkedCastImpl(ObjectPrxHelperBase.java:2770) ~[ice.jar:na]
   at Glacier2.RouterPrxHelper.checkedCast(RouterPrxHelper.java:1787) ~[glacier2.jar:na]
   at omero.client.getRouter(client.java:826) ~[blitz.jar:na]
   at omero.client.createSession(client.java:747) ~[blitz.jar:na]
   at omero.client.joinSession(client.java:682) ~[blitz.jar:na]
   at ome.formats.OMEROMetadataStoreClient.initialize(OMEROMetadataStoreClient.java:700) ~[blitz.jar:na]
   at ome.formats.importer.ImportConfig.createStore(ImportConfig.java:380) ~[blitz.jar:na]
   at ome.formats.importer.cli.CommandLineImporter.<init>(CommandLineImporter.java:170) ~[blitz.jar:na]
   at ome.formats.importer.cli.CommandLineImporter.main(CommandLineImporter.java:991) ~[blitz.jar:na]
Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
   at sun.security.ssl.Handshaker.activate(Handshaker.java:509) ~[na:1.8.0_212]
   at sun.security.ssl.SSLEngineImpl.kickstartHandshake(SSLEngineImpl.java:714) ~[na:1.8.0_212]
   at sun.security.ssl.SSLEngineImpl.beginHandshake(SSLEngineImpl.java:741) ~[na:1.8.0_212]
   at IceSSL.SSLEngine.createSSLEngine(SSLEngine.java:856) ~[ice.jar:na]
   at IceSSL.Instance.createSSLEngine(Instance.java:42) ~[ice.jar:na]
   at IceSSL.ConnectorI.connect(ConnectorI.java:30) ~[ice.jar:na]
   at IceInternal.OutgoingConnectionFactory$ConnectCallback.nextConnector(OutgoingConnectionFactory.java:1101) ~[ice.jar:na]
   at IceInternal.OutgoingConnectionFactory$ConnectCallback.access$100(OutgoingConnectionFactory.java:868) ~[ice.jar:na]
   at IceInternal.OutgoingConnectionFactory.getConnection(OutgoingConnectionFactory.java:569) ~[ice.jar:na]
   at IceInternal.OutgoingConnectionFactory.access$800(OutgoingConnectionFactory.java:14) ~[ice.jar:na]
   at IceInternal.OutgoingConnectionFactory$ConnectCallback.getConnection(OutgoingConnectionFactory.java:1048) ~[ice.jar:na]
   at IceInternal.OutgoingConnectionFactory$ConnectCallback.connectors(OutgoingConnectionFactory.java:932) ~[ice.jar:na]
   at IceInternal.EndpointHostResolver$1.run(EndpointHostResolver.java:103) ~[ice.jar:na]
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[na:1.8.0_212]
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[na:1.8.0_212]
   at java.lang.Thread.run(Thread.java:748) ~[na:1.8.0_212]
jstitlow
 
Posts: 18
Joined: Sat Feb 03, 2018 9:07 pm

Re: SSL issue using CLI import

Postby mtbc » Fri Apr 12, 2019 2:34 pm

Dear Josh,

Does CLI import start working if you use the "--skip upgrade" option?

Cheers,
Mark
User avatar
mtbc
Team Member
 
Posts: 282
Joined: Tue Oct 23, 2012 10:59 am
Location: Dundee, Scotland

Re: SSL issue using CLI import

Postby jstitlow » Fri Apr 12, 2019 5:56 pm

Yes it does work with the --skip upgrade flag.

What does that mean?

Thanks for the quick reply/solution Mark!
j
jstitlow
 
Posts: 18
Joined: Sat Feb 03, 2018 9:07 pm

Re: SSL issue using CLI import

Postby mtbc » Mon Apr 15, 2019 10:17 am

Dear Josh,

When people's Java installations got routinely updated to versions that effect JDK-8211883 by disabling anonymous cipher suites OMERO client code needed to be adjusted to reenable them again for the connection to the server. "--skip upgrade" skips the upgrade check by which OMERO clients check if there is a new version of OMERO available: unfortunately that check initializes the Java SSL engine before OMERO 5.4.10 reenables anonymous cipher suites so then that happens too late. (Our Python-based OMERO.cli import uses Java code for the actual import.) In skipping the check, the suites are reenabled before anything initializes the SSL engine so that the change does take effect for the subsequent TLS exchange. This will be fixed in OMERO 5.5.0 so the reenabling happens before the upgrade check and you won't then need the workaround.

Cheers,
Mark
User avatar
mtbc
Team Member
 
Posts: 282
Joined: Tue Oct 23, 2012 10:59 am
Location: Dundee, Scotland

Re: SSL issue using CLI import

Postby jstitlow » Mon Apr 15, 2019 12:40 pm

Excellent, thank you for the thorough explanation!
j
jstitlow
 
Posts: 18
Joined: Sat Feb 03, 2018 9:07 pm


Return to User Discussion

Who is online

Users browsing this forum: Google [Bot] and 1 guest