ERR_SSL_VERSION_OR_CIPHER_MISMATCH Solr 8.1.0


ERR_SSL_VERSION_OR_CIPHER_MISMATCH Solr 8.1.0

Younge, Kent A - Norman, OK - Contractor

Hello,

I have upgraded one of our boxes to Solr 8.1.0 on RHEL 7.6 with Java 12.0.1.  I also had a certificate up for renewal and I went through my regular process of creating the certificate and key.  Now I get an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.  I have gotten this before; however, that was due to me adding the certificate into the keystore.  Here is the list of cmds that I have run.

keytool -import -trustcacerts -alias root -file RootCA.cer -keystore solr-ssl.keystore.jks
keytool -import -trustcacerts -alias POL1 -file Pol1CA.cer -keystore solr-ssl.keystore.jks
keytool -import -trustcacerts -alias SUB1 -file Sub1CA.cer -keystore solr-ssl.keystore.jks
keytool -import -trustcacerts -alias SUB2 -file Sub2CA.cer -keystore solr-ssl.keystore.jks


openssl pkcs12 -export -in solr.cer -inkey solrpk.key > solr-ssl.p12


keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.jks -deststoretype pkcs12

solr.in.sh

# Enables HTTPS. It is implicitly true if you set SOLR_SSL_KEY_STORE. Use this config
# to enable https module with custom jetty configuration.
#SOLR_SSL_ENABLED=true
# Uncomment to set SSL-related system properties
# Be sure to update the paths to the correct keystore for your environment
SOLR_SSL_KEY_STORE=/opt/solr-8.1.0/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=password
SOLR_SSL_TRUST_STORE=/opt/solr-8.1.0/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=password
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false
# SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
# this to false can be useful to disable these checks when re-using a certificate on many hosts
#SOLR_SSL_CHECK_PEER_NAME=true
# Override Key/Trust Store types if necessary
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS




Thank you,

Kent Younge
Systems Engineer

RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH Solr 8.1.0

Younge, Kent A - Norman, OK - Contractor
Also when I run openssl I get the following:

openssl s_client -showcerts -connect solrsite.com:8983 </dev/null
CONNECTED(00000003)
140323576973200:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1558094602
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)


Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH Solr 8.1.0

Shawn Heisey-2
On 5/16/2019 10:16 AM, Younge, Kent A - Norman, OK - Contractor wrote:
> I have upgraded one of our boxes to Solr 8.1.0 on RHEL 7.6 with Java 12.0.1.  I also had a certificate up for renewal and I went through my regular process of creating the certificate and key.  Now I get an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.  I have gotten this before; however, that was due to me adding the certificate into the keystore.  Here is the list of cmds that I have run.

My research says that's a browser error, and it's something of a generic
error that covers a lot of SSL problems.  The browser should have
further details about what happened.  You may have to click on something
to see that information.  If you share those details, we may be able to
offer some insight.

If I'm wrong and that error is showing up somewhere else, then you'll
need to tell us exactly where you saw it and what else you can see.

One thing I can say after looking at your commands is that you should
not be including the root certificate in the keystore.  The keystore
should contain the server certificate and all certificates in the chain
*except* the root certificate.  The root cert is probably already in the
client software.  For situations where the certificate does not trace
back to a public CA, the root cert might need to be added to the browser
or client software -- not to the server.

Putting the root certificate in the keystore won't cause any problems
that I know of, but it doesn't help things work, and it doesn't increase
security.

In a later message, you are running an openssl client command.  This
part of that output sounds like there aren't actually any certificates
available to the Jetty in Solr:

---
no peer certificate available
---

If I run a similar command that connects to a webserver (that has
nothing to do with Solr) I get very different output, that starts off
with this and then prints the details of the two certs returned by the
web server:

root@bilbo:~# openssl s_client -showcerts -connect localhost:443 < /dev/null
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = elyograg.org
verify return:1
---
Certificate chain
  0 s:/CN=elyograg.org
    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
<snip>

I personally haven't used SSL with Solr myself.  I can say that dealing
with certificates in Java programs can be a painful process.  I wish
Java would work with the same PEM certificate format that most other
software does.

The last 'keytool' command your message contains has the same filename
for both the source and the destination.  I see a very similar command
in our documentation ... but that command has different filenames for
source and destination.  I have no idea what would happen with the same
filename in both source and destination, but it seems wrong, and one of
the side effects I can imagine from that is producing an empty keystore
... which might match up with your openssl output.

Presumably you have read through the following documentation:

https://lucene.apache.org/solr/guide/7_7/enabling-ssl.html

Thanks,
Shawn
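As an added example (not part of the thread), a small Python triage of `openssl s_client -showcerts` output that mechanises the comparison Shawn makes above: it counts the certificates the server sent, extracts the negotiated cipher, flags a self-signed root at the end of the chain (which the server need not send), and treats "Verify return code: 0 (ok)" as meaningless when no chain came back. Both transcripts are constructed from the shape of the outputs quoted in the thread, with placeholder hostnames, CA names and PEM bodies.

```python
import re
# Two s_client transcripts constructed from the failing (Solr) and healthy
# (web server) outputs quoted in this thread; PEM bodies are placeholders.
FAILING = """CONNECTED(00000003)
140323576973200:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
"""
HEALTHY = """CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=solr.example.test
   i:/C=US/O=Example CA/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Issuing CA
   i:/C=US/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""

def triage(output):
    """Return chain length, negotiated cipher, whether a self-signed root was sent, and a verdict."""
    chain_len = output.count("-----BEGIN CERTIFICATE-----")
    m = re.search(r"^New, .*?, Cipher is (\S+)", output, re.M)
    cipher = m.group(1) if m and m.group(1) != "(NONE)" else None
    # Subject/issuer pairs; a final cert whose issuer equals its subject is the root, which clients must already trust.
    pairs = re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", output, re.M)
    root_sent = bool(pairs) and pairs[-1][0].strip() == pairs[-1][1].strip()
    if chain_len == 0 and "no peer certificate available" in output:
        # "Verify return code: 0 (ok)" still appears here; with no chain it proves nothing.
        verdict = "no certificate presented: keystore likely empty or lacks a PrivateKeyEntry"
    elif cipher is None:
        verdict = "handshake failed before a cipher was agreed"
    else:
        verdict = "ok"
    return {"chain_len": chain_len, "cipher": cipher, "root_sent": root_sent, "verdict": verdict}
```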