We're Hiring!

sslv3 alert handshake failure when user attempts to log in

Having a problem deploying OMERO? Please ask new questions at https://forum.image.sc/tags/omero
Please note:
Historical discussions about OMERO. Please look for and ask new questions at https://forum.image.sc/tags/omero

The OMERO.server installation documentation begins here and you can find OMERO.web deployment documentation here.

Re: sslv3 alert handshake failure when user attempts to log

Postby jburel » Thu Jun 08, 2017 11:39 am

Hi Jacques

I managed to reproduce the issue. That's a start!!
I will do further investigation

Cheers
Jmarie
User avatar
jburel
Team Member
 
Posts: 348
Joined: Thu May 21, 2009 6:38 pm
Location: dundee

Re: sslv3 alert handshake failure when user attempts to log

Postby jacques2020 » Thu Jun 08, 2017 12:27 pm

Hi Jean-Marie,
Great. Thanks for investigating.
So I keep my install and will rather make a backup server elsewhere.
Cheers
Jacques
jacques2020
 
Posts: 102
Joined: Fri Jul 15, 2011 7:46 am

Re: sslv3 alert handshake failure when user attempts to log

Postby jburel » Sat Jun 10, 2017 6:16 pm

Hi Jacques

I did a bit of digging
Debian 9 will come with open SSL 1.1.0
and ADH ciphers are no longer available
https://www.openssl.org/docs/man1.1.0/apps/ciphers.html
Those ciphers are "used" in https://github.com/openmicroscopy/openm ... s.xml#L478
I have tried various options but so far nothing has worked
A downgrade to openssl 1.0.2k did not help either
An option could be to enable weaker ciphers but this is not ideal

So far not a positive outcome.

Cheers

Jmarie
User avatar
jburel
Team Member
 
Posts: 348
Joined: Thu May 21, 2009 6:38 pm
Location: dundee

Re: sslv3 alert handshake failure when user attempts to log

Postby jacques2020 » Mon Jun 12, 2017 6:25 am

Dear Jean-Marie,

Thank you so much.
I preserve the server and will be able to test any fix.
In the meantimes I set up a backup server using 5.2.7 to be able to wait.
Cheers

Jacques
jacques2020
 
Posts: 102
Joined: Fri Jul 15, 2011 7:46 am

Re: sslv3 alert handshake failure when user attempts to log

Postby carandraug » Wed Jun 14, 2017 3:23 pm

jburel wrote:Hi Jacques
Debian 9 will come with open SSL 1.1.0
and ADH ciphers are no longer available
https://www.openssl.org/docs/man1.1.0/apps/ciphers.html
Those ciphers are "used" in https://github.com/openmicroscopy/openm ... s.xml#L478
I have tried various options but so far nothing has worked
A downgrade to openssl 1.0.2k did not help either


The removed cyphers were 'aDH' and not 'ADH'. The 'ADH' cyphers are still present in OpenSSl 1.1.0 and in Debian 9:

Code: Select all
$ cat /etc/debian_version
9.0
$ openssl version
OpenSSL 1.1.0f  25 May 2017
$ openssl ciphers ADH
ADH-AES256-GCM-SHA384:ADH-AES128-GCM-SHA256:ADH-AES256-SHA256:ADH-CAMELLIA256-SHA256:ADH-AES128-SHA256:ADH-CAMELLIA128-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ADH-AES128-SHA:ADH-SEED-SHA:ADH-CAMELLIA128-SHA
$ openssl ciphers aDH
Error in cipher list
140255844652288:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2018:
carandraug
 
Posts: 15
Joined: Mon Sep 06, 2010 8:50 pm

Re: sslv3 alert handshake failure when user attempts to log

Postby jburel » Wed Jun 14, 2017 3:48 pm

My mistake I misread the page
but we still have issue connecting
This requires further investigation
If you have time to help, that will be great

Cheers
jmarie
User avatar
jburel
Team Member
 
Posts: 348
Joined: Thu May 21, 2009 6:38 pm
Location: dundee

Re: sslv3 alert handshake failure when user attempts to log

Postby carandraug » Wed Jun 14, 2017 3:58 pm

jacques2020 wrote:To complete my answer:
PS: If the debugging appears too complex, let me know. I can also bring everything back to 5.2.7 and wait for a few month it meant to be solved (I have backups). The only issue that pushed me to upgrade is that cleanse is not working on 5.2.7 so we accumulate data without being able to clean the up.


Note that if you don't run cleanse, data should still not accumulate. cleanse is only needed if there was an issue with the system that prevented the file from being removed (there is a page on the docs that says otherwise but seems to be incorrect). See http://lists.openmicroscopy.org.uk/pipe ... 06520.html
carandraug
 
Posts: 15
Joined: Mon Sep 06, 2010 8:50 pm

Re: sslv3 alert handshake failure when user attempts to log

Postby jburel » Wed Jun 14, 2017 6:52 pm

Hi
For clarification,
the ADH ciphers will be in the list of ciphers but if you execute for example
Code: Select all
openssl s_client -cipher "$cipher" -connect localhost:4064

where $cipher is any ADH cipher. An error will be returned indicating "no ciphers available".
This is obviously not the case in previous versions.
We will have to find what is the correct value to specify.

Cheers
Jmarie
User avatar
jburel
Team Member
 
Posts: 348
Joined: Thu May 21, 2009 6:38 pm
Location: dundee

Re: sslv3 alert handshake failure when user attempts to log

Postby jacques2020 » Thu Jun 15, 2017 6:06 am

Dear Jean-Marie,

thank you so much for all these detailed indication. No problem to give a hand in fixing this issue although I cannot promise a lot of time... (I have a team to lead and no computer engineer or tech unfortunately).

Cheers

Jacques
jacques2020
 
Posts: 102
Joined: Fri Jul 15, 2011 7:46 am

Re: sslv3 alert handshake failure when user attempts to log

Postby mtbc » Thu Jun 15, 2017 9:06 am

cleanse is not working on 5.2.7
- it isn't? I hadn't realized. Not to hijack this thread but can you point me to a bug report? Maybe I can investigate.

Cheers,
Mark
User avatar
mtbc
Team Member
 
Posts: 282
Joined: Tue Oct 23, 2012 10:59 am
Location: Dundee, Scotland

PreviousNext

Return to Installation and Deployment

Who is online

Users browsing this forum: No registered users and 1 guest

cron