Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH Solr 8.1.0

2019-05-17 Thread Shawn Heisey

On 5/16/2019 10:16 AM, Younge, Kent A - Norman, OK - Contractor wrote:

> I have upgraded one of our boxes to Solr 8.1.0 on RHEL 7.6 with Java 12.0.1.  I
> also had a certificate up for renewal and I went through my regular process of
> creating the certificate and key.  Now I get a
> ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.  I have gotten this before; however,
> that was due to me adding the certificate into the keystore.  Here is the
> list of cmds that I have run.


My research says that's a browser error, and it's something of a generic 
error that covers a lot of SSL problems.  The browser should have 
further details about what happened.  You may have to click on something 
to see that information.  If you share those details, we may be able to 
offer some insight.


If I'm wrong and that error is showing up somewhere else, then you'll 
need to tell us exactly where you saw it and what else you can see.


One thing I can say after looking at your commands is that you should 
not be including the root certificate in the keystore.  The keystore 
should contain the server certificate and all certificates in the chain 
*except* the root certificate.  The root cert is probably already in the 
client software.  For situations where the certificate does not trace 
back to a public CA, the root cert might need to be added to the browser 
or client software -- not to the server.


Putting the root certificate in the keystore won't cause any problems 
that I know of, but it doesn't help things work, and it doesn't increase 
security.


In a later message, you are running an openssl client command.  This 
part of that output sounds like there aren't actually any certificates 
available to the Jetty in Solr:


---
no peer certificate available
---

If I run a similar command that connects to a webserver (that has 
nothing to do with Solr) I get very different output, that starts off 
with this and then prints the details of the two certs returned by the 
web server:


root@bilbo:~# openssl s_client -showcerts -connect localhost:443 < /dev/null
CONNECTED(0003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = elyograg.org
verify return:1
---
Certificate chain
 0 s:/CN=elyograg.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-BEGIN CERTIFICATE-


I personally haven't used SSL with Solr myself.  I can say that dealing 
with certificates in Java programs can be a painful process.  I wish 
Java would work with the same PEM certificate format that most other 
software does.


The last 'keytool' command your message contains has the same filename 
for both the source and the destination.  I see a very similar command 
in our documentation ... but that command has different filenames for 
source and destination.  I have no idea what would happen with the same 
filename in both source and destination, but it seems wrong, and one of 
the side effects I can imagine from that is producing an empty keystore 
... which might match up with your openssl output.


Presumably you have read through the following documentation:

https://lucene.apache.org/solr/guide/7_7/enabling-ssl.html

Thanks,
Shawn
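
The two things this reply reads out of `openssl s_client` output (whether any certificate came back at all, and whether the root was sent along with the chain) can be checked mechanically. This is an added example, not part of the original message; the sample outputs, the host name `solr.example.test` and the function names are constructed for illustration.

```bash
#!/bin/sh
# Added example: classify `openssl s_client -showcerts` output read on stdin.
# Prints "no-certificate", "chain:N", or "chain:N root-included".
classify_s_client() {
  awk '
    /^no peer certificate available/ { nocert = 1 }
    /^Certificate chain/             { in_chain = 1; next }
    # A bare "---" ends the chain section; PEM "-----BEGIN" lines do not.
    in_chain && /^---$/              { in_chain = 0 }
    # " 0 s:<subject>" opens an entry; the "   i:<issuer>" line that follows closes it.
    in_chain && /^ *[0-9]+ s:/       { sub(/^ *[0-9]+ s:/, ""); subject = $0; n++; next }
    in_chain && /^ *i:/              { sub(/^ *i:/, ""); if ($0 == subject) root = 1 }
    END {
      if (nocert || n == 0) print "no-certificate"
      else printf "chain:%d%s\n", n, (root ? " root-included" : "")
    }'
}

# Constructed sample: the shape of output quoted in the thread for the failing server.
sample_no_cert() {
  cat <<'EOF'
CONNECTED(00000003)
---
no peer certificate available
---
EOF
}

# Constructed sample: leaf, intermediate and a self-signed root all sent by the server.
sample_root_included() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=solr.example.test
   i:/O=Example/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
 1 s:/O=Example/CN=Example Issuing CA
   i:/O=Example/CN=Example Root CA
 2 s:/O=Example/CN=Example Root CA
   i:/O=Example/CN=Example Root CA
---
Server certificate
subject=/CN=solr.example.test
EOF
}

sample_no_cert | classify_s_client
sample_root_included | classify_s_client
```

Against a live server, pipe the command from the message into it: `openssl s_client -showcerts -connect localhost:443 < /dev/null 2>/dev/null | classify_s_client`.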


RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH Solr 8.1.0

2019-05-17 Thread Younge, Kent A - Norman, OK - Contractor
Also when I run openssl I get the following: 

openssl s_client -showcerts -connect solrsite.com:8983  solr-ssl.p12


keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore 
solr-ssl.keystore.jks -deststoretype pkcs12

solr.in.sh

# Enables HTTPS. It is implicitly true if you set SOLR_SSL_KEY_STORE. Use this config
# to enable https module with custom jetty configuration.
#SOLR_SSL_ENABLED=true
# Uncomment to set SSL-related system properties
# Be sure to update the paths to the correct keystore for your environment
SOLR_SSL_KEY_STORE=/opt/solr-8.1.0/solr-ssl.keystore.jks
SOLR_SSL_KEY_STORE_PASSWORD=password
SOLR_SSL_TRUST_STORE=/opt/solr-8.1.0/solr-ssl.keystore.jks
SOLR_SSL_TRUST_STORE_PASSWORD=password
# Require clients to authenticate
SOLR_SSL_NEED_CLIENT_AUTH=false
# Enable clients to authenticate (but not require)
SOLR_SSL_WANT_CLIENT_AUTH=false
# SSL Certificates contain host/ip "peer name" information that is validated by default. Setting
# this to false can be useful to disable these checks when re-using a certificate on many hosts
#SOLR_SSL_CHECK_PEER_NAME=true
# Override Key/Trust Store types if necessary
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS









Thank you,

Kent Younge
Systems Engineer



RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-09-13 Thread Younge, Kent A - Norman, OK - Contractor
New Solr box built.  Getting cipher mismatch.  Where are the Solr Java ciphers
located?








RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-09-07 Thread Younge, Kent A - Norman, OK - Contractor
Still receiving the same issue.  I have cloned another machine and it has the
same issue.  Not sure what to do next.  Last resort: build the machine from scratch
and see if it has the same issue.  If it does, then I have no clue what is going
on.










RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-09-05 Thread Younge, Kent A - Norman, OK - Contractor
The java.security files are the same.  I even copied over the files from a
machine that is working and renamed the security files and it still did not
work.  I am getting the same error.









RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-09-05 Thread Younge, Kent A - Norman, OK - Contractor
The new box is a clone of all the boxes, so nothing should have changed other
than the certificates and the keystore.  That is why I am at such a loss on
this issue.  Java is the same across five servers; all settings are the same
across five servers.  I will look into the JVM security and see if it is the
same across all the boxes.






Thank you,

Kent Younge
Systems Engineer
USPS MTSC IT Support
600 W. Rock Creek Rd, Norman, OK  73069-8357
O:405 573 2273




Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-09-01 Thread Chris Hostetter

all of the low level SSL code used by Solr comes from the JVM.

double check which version of java you are using and make sure it's 
consistent on all of your servers -- if you disable SSL on the affected 
server you can use the Solr Admin UI to be 100% certain of exactly which 
version of java is being used...

https://lucene.apache.org/solr/guide/6_6/overview-of-the-solr-admin-ui.html

If the JVM Runtime *versions* are identical, the next thing to check would
be the JVM security settings which control which ciphers are used.
For Oracle JVMs this file is named "java.security" -- compare that file
between your functional/non-functional servers.

There are lots of docs out there on SSL protocol and cipher configuration 
in java's java.security file, here's a quick one that links deep into the 
details of enabling/disabling protocols...

http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols

...but the bottom line is: you probably want to fix your broken server to
match your working servers, and unless the JVM versions are different,
that means someone/thing must have modified the JVM security settings on
one of your servers -- find out who & why.


-Hoss
http://www.lucidworks.com/
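
One way to do the java.security comparison suggested above, as an added example that is not from the thread: it extracts `jdk.tls.disabledAlgorithms` (the JDK property that disables TLS protocols and algorithms) from each file and reports entries present on only one server. The file contents are constructed samples, the function names are hypothetical, and the property is assumed to be written as `key=value` with no spaces around `=`.

```bash
#!/bin/sh
# Added example: compare jdk.tls.disabledAlgorithms between two java.security files.

# sec_prop KEY < java.security
# Prints the property's comma-separated entries one per line, sorted. Joins
# backslash-continued lines; a later definition of the key replaces an earlier one.
sec_prop() {
  awk -v key="$1" '
    !grab && /^[ \t]*#/ { next }
    !grab && index($0, key "=") == 1 { grab = 1; val = ""; sub(/^[^=]*=/, "") }
    grab { cont = ($0 ~ /\\[ \t]*$/); sub(/\\[ \t]*$/, ""); val = val $0; grab = cont }
    END { print val }' |
    tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' | sort
}

# tls_policy_diff FILE_A FILE_B: entries disabled on only one of the two servers.
tls_policy_diff() {
  a=$(mktemp); b=$(mktemp)
  sec_prop jdk.tls.disabledAlgorithms < "$1" > "$a"
  sec_prop jdk.tls.disabledAlgorithms < "$2" > "$b"
  comm -23 "$a" "$b" | sed 's/^/only-in-first: /'
  comm -13 "$a" "$b" | sed 's/^/only-in-second: /'
  rm -f "$a" "$b"
}

# Constructed sample: java.security excerpt from a working server.
sample_working() {
  cat <<'EOF'
# constructed sample
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224
EOF
}

# Constructed sample: the same property on a server where one more entry was added.
sample_broken() {
  cat <<'EOF'
#jdk.tls.disabledAlgorithms=SSLv3
jdk.tls.disabledAlgorithms=SSLv3, TLSv1.2, RC4, DES, \
    MD5withRSA, DH keySize < 1024, EC keySize < 224
EOF
}

demo() {
  d=$(mktemp -d)
  sample_working > "$d/good.security"; sample_broken > "$d/bad.security"
  tls_policy_diff "$d/good.security" "$d/bad.security"
  rm -rf "$d"
}
demo
```

Comparing normalized entries rather than running a plain `diff` on the files ignores differences in line wrapping and entry order, which do not change what the JVM disables.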


Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-09-01 Thread Younge, Kent A - Norman, OK - Contractor
Sorry I am not using Tomcat.  This is a fresh build of solr.  

Sent from my iPhone

> On Sep 1, 2017, at 3:33 PM, Rick Leir  wrote:
> 
> Kent,
> Did you say you are using Tomcat? Solr does not use Tomcat by default, so you 
> will need to tell us more about your configuration. 
> 
> But first, think of what you might have changed just before it stopped 
> working.
> Cheers -- Rick
> 
>> On September 1, 2017 11:55:47 AM EDT, "Younge, Kent A - Norman, OK - 
>> Contractor"  wrote:
>> 
>> Hello,
>> 
>> I am getting an error ERR_SSL_VERSION_OR_CIPHER_MISMATCH on one of my
>> Solr servers.   The details show that it's an Unsupported protocol: 
>> The client and server don't support a common SSL protocol version or
>> cipher suite.  I have changed my browser settings and nothing seems to
>> work.  If I comment out the SSL configuration in the solr.in.sh and use
>> HTTP the site Admin site comes up fine.  I have searched for where the
>> ciphers might be but, I am unsuccessful as I am not sure that they are
>> the ciphers in TOMCAT or do they get written somewhere else?  I've gone
>> over the certs several times I have compared it to a working Solr
>> server and nothing seems different.  Other than this one does not work.
>> 
>> 
>> 
>> 
>> 
>> 
>> Thank you,
>> 
>> Kent
> 
> -- 
> Sorry for being brief. Alternate email is rickleir at yahoo dot com


Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

2017-09-01 Thread Rick Leir
Kent,
Did you say you are using Tomcat? Solr does not use Tomcat by default, so you 
will need to tell us more about your configuration. 

But first, think of what you might have changed just before it stopped working.
Cheers -- Rick

On September 1, 2017 11:55:47 AM EDT, "Younge, Kent A - Norman, OK - 
Contractor"  wrote:
>
>Hello,
>
>I am getting an error ERR_SSL_VERSION_OR_CIPHER_MISMATCH on one of my
>Solr servers.   The details show that it's an Unsupported protocol: 
>The client and server don't support a common SSL protocol version or
>cipher suite.  I have changed my browser settings and nothing seems to
>work.  If I comment out the SSL configuration in the solr.in.sh and use
>HTTP the site Admin site comes up fine.  I have searched for where the
>ciphers might be but, I am unsuccessful as I am not sure that they are
>the ciphers in TOMCAT or do they get written somewhere else?  I've gone
>over the certs several times I have compared it to a working Solr
>server and nothing seems different.  Other than this one does not work.
>
>
>
>
>
>
>Thank you,
>
>Kent

-- 
Sorry for being brief. Alternate email is rickleir at yahoo dot com