Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH Solr 8.1.0
On 5/16/2019 10:16 AM, Younge, Kent A - Norman, OK - Contractor wrote: I have upgraded one of our boxes to Solr 8.1.0 on RHEL 7.6 with Java 12.0.1. I also had a certificate up for renewal and I went through my regular process of creating the certificate and key. Now I get a ERR_SSL_VERSION_OR_CIPHER_MISMATCH error. I have gotten this before however, that was due to me adding the certificate into the keystore. Here are the list of cmds I that have run. My research says that's a browser error, and it's something of a generic error that covers a lot of SSL problems. The browser should have further details about what happened. You may have to click on something to see that information. If you share those details, we may be able to offer some insight. If I'm wrong and that error is showing up somewhere else, then you'll need to tell us exactly where you saw it and what else you can see. One thing I can say after looking at your commands is that you should not be including the root certificate in the keystore. The keystore should contain the server certificate and all certificates in the chain *except* the root certificate. The root cert is probably already in the client software. For situations where the certificate does not trace back to a public CA, the root cert might need to be added to the browser or client software -- not to the server. Putting the root certificate in the keystore won't cause any problems that I know of, but it doesn't help things work, and it doesn't increase security. In a later message, you are running an openssl client command. This part of that output sounds like there aren't actually any certificates available to the Jetty in Solr: --- no peer certificate available --- If I run a similar command that connects to a webserver (that has nothing to do with Solr) I get very different output, that starts off with this and then prints the details of the two certs returned by the web server: root@bilbo:~# openssl s_client -showcerts -connect localhost:443 < /dev/null CONNECTED(0003) depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3 verify return:1 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3 verify return:1 depth=0 CN = elyograg.org verify return:1 --- Certificate chain 0 s:/CN=elyograg.org i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 -BEGIN CERTIFICATE- I personally haven't used SSL with Solr myself. I can say that dealing with certificates in Java programs can be a painful process. I wish Java would work with the same PEM certificate format that most other software does. The last 'keytool' command your message contains has the same filename for both the source and the destination. I see a very similar command in our documentation ... but that command has different filenames for source and destination. I have no idea what would happen with the same filename in both source and destination, but it seems wrong, and one of the side effects I can imagine from that is producing an empty keystore ... which might match up with your openssl output. Presumably you have read through the following documentation: https://lucene.apache.org/solr/guide/7_7/enabling-ssl.html Thanks, Shawn
RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH Solr 8.1.0
Also when I run openssl I get the following: openssl s_client -showcerts -connect solrsite.com:8983 solr-ssl.p12 keytool -importkeystore -srckeystore solr-ssl.keystore.jks -destkeystore solr-ssl.keystore.jks -deststoretype pkcs12 solr.in.sh # Enables HTTPS. It is implictly true if you set SOLR_SSL_KEY_STORE. Use this config # to enable https module with custom jetty configuration. #SOLR_SSL_ENABLED=true # Uncomment to set SSL-related system properties # Be sure to update the paths to the correct keystore for your environment SOLR_SSL_KEY_STORE=/opt/solr-8.1.0/solr-ssl.keystore.jks SOLR_SSL_KEY_STORE_PASSWORD=password SOLR_SSL_TRUST_STORE=/opt/solr-8.1.0/solr-ssl.keystore.jks SOLR_SSL_TRUST_STORE_PASSWORD=password # Require clients to authenticate SOLR_SSL_NEED_CLIENT_AUTH=false # Enable clients to authenticate (but not require) SOLR_SSL_WANT_CLIENT_AUTH=false # SSL Certificates contain host/ip "peer name" information that is validated by default. Setting # this to false can be useful to disable these checks when re-using a certificate on many hosts #SOLR_SSL_CHECK_PEER_NAME=true # Override Key/Trust Store types if necessary SOLR_SSL_KEY_STORE_TYPE=JKS SOLR_SSL_TRUST_STORE_TYPE=JKS Thank you, Kent Younge Systems Engineer
RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
New Solr Box built Getting Cipher mismatch. Where are the Solr Java Cipher's located? -Original Message- From: Younge, Kent A - Norman, OK - Contractor [mailto:kent.a.you...@usps.gov.INVALID] Sent: Thursday, September 07, 2017 6:42 AM To: solr-user@lucene.apache.org Subject: RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH Still receiving the same issue. I have cloned another machine and it has the same issue. Not sure what to do next. Last resort build machine from scratch and see if it has the same issue if it does then I have no clue what is going on. -Original Message- From: Younge, Kent A - Norman, OK - Contractor [mailto:kent.a.you...@usps.gov.INVALID] Sent: Tuesday, September 05, 2017 6:54 AM To: solr-user@lucene.apache.org Subject: RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH The new box is a clone of all the boxes so nothing should have changed other than the certificates and the keystore. That is why I am at such a loss on this issue. Java is the same across five servers all settings are the same across five servers. I will look into the JVM security and see if it is the same across all the boxes. -Original Message- From: Chris Hostetter [mailto:hossman_luc...@fucit.org] Sent: Friday, September 01, 2017 5:46 PM To: solr-user@lucene.apache.org Subject: Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH all of the low level SSL code used by Solr comes from the JVM. double check which version of java you are using and make sure it's consistent on all of your servers -- if you disable SSL on the affected server you can use the Solr Admin UI to be 100% certain of exactly which version of java is being used... https://lucene.apache.org/solr/guide/6_6/overview-of-the-solr-admin-ui.html If the JVM Runtime *versions* are identicle, the next thing to check would be the the JVM security settings which control which ciphers are used. For Oracle JVMs this file is named "java.security" -- compare that file between your functional/non-functional servers. There are lots of docs out there on SSL protocol and cipher configuration in java's java.security file, here's a quick one that links deep into the details of enabling/disabling protocols... http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols ...but the bottomline is: you probably want to fix your broken server to match your working servers, and unless the JVM versions are different, that means someone/thing must have modified the JVM security settings on one of your servers -- find out who & why. -Hoss http://www.lucidworks.com/
RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Still receiving the same issue. I have cloned another machine and it has the same issue. Not sure what to do next. Last resort build machine from scratch and see if it has the same issue if it does then I have no clue what is going on. -Original Message- From: Younge, Kent A - Norman, OK - Contractor [mailto:kent.a.you...@usps.gov.INVALID] Sent: Tuesday, September 05, 2017 6:54 AM To: solr-user@lucene.apache.org Subject: RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH The new box is a clone of all the boxes so nothing should have changed other than the certificates and the keystore. That is why I am at such a loss on this issue. Java is the same across five servers all settings are the same across five servers. I will look into the JVM security and see if it is the same across all the boxes. -Original Message- From: Chris Hostetter [mailto:hossman_luc...@fucit.org] Sent: Friday, September 01, 2017 5:46 PM To: solr-user@lucene.apache.org Subject: Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH all of the low level SSL code used by Solr comes from the JVM. double check which version of java you are using and make sure it's consistent on all of your servers -- if you disable SSL on the affected server you can use the Solr Admin UI to be 100% certain of exactly which version of java is being used... https://lucene.apache.org/solr/guide/6_6/overview-of-the-solr-admin-ui.html If the JVM Runtime *versions* are identicle, the next thing to check would be the the JVM security settings which control which ciphers are used. For Oracle JVMs this file is named "java.security" -- compare that file between your functional/non-functional servers. There are lots of docs out there on SSL protocol and cipher configuration in java's java.security file, here's a quick one that links deep into the details of enabling/disabling protocols... http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols ...but the bottomline is: you probably want to fix your broken server to match your working servers, and unless the JVM versions are different, that means someone/thing must have modified the JVM security settings on one of your servers -- find out who & why. -Hoss http://www.lucidworks.com/
RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
The java.security files are the same. I even copied over the files from a machine that is working and renamed the security files and it still did not work.. I am getting the same error. -Original Message- From: Younge, Kent A - Norman, OK - Contractor [mailto:kent.a.you...@usps.gov.INVALID] Sent: Tuesday, September 05, 2017 6:54 AM To: solr-user@lucene.apache.org Subject: RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH The new box is a clone of all the boxes so nothing should have changed other than the certificates and the keystore. That is why I am at such a loss on this issue. Java is the same across five servers all settings are the same across five servers. I will look into the JVM security and see if it is the same across all the boxes. -Original Message- From: Chris Hostetter [mailto:hossman_luc...@fucit.org] Sent: Friday, September 01, 2017 5:46 PM To: solr-user@lucene.apache.org Subject: Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH all of the low level SSL code used by Solr comes from the JVM. double check which version of java you are using and make sure it's consistent on all of your servers -- if you disable SSL on the affected server you can use the Solr Admin UI to be 100% certain of exactly which version of java is being used... https://lucene.apache.org/solr/guide/6_6/overview-of-the-solr-admin-ui.html If the JVM Runtime *versions* are identicle, the next thing to check would be the the JVM security settings which control which ciphers are used. For Oracle JVMs this file is named "java.security" -- compare that file between your functional/non-functional servers. There are lots of docs out there on SSL protocol and cipher configuration in java's java.security file, here's a quick one that links deep into the details of enabling/disabling protocols... http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols ...but the bottomline is: you probably want to fix your broken server to match your working servers, and unless the JVM versions are different, that means someone/thing must have modified the JVM security settings on one of your servers -- find out who & why. -Hoss http://www.lucidworks.com/
RE: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
The new box is a clone of all the boxes so nothing should have changed other than the certificates and the keystore. That is why I am at such a loss on this issue. Java is the same across five servers all settings are the same across five servers. I will look into the JVM security and see if it is the same across all the boxes. Thank you, Kent Younge Systems Engineer USPS MTSC IT Support 600 W. Rock Creek Rd, Norman, OK 73069-8357 O:405 573 2273 -Original Message- From: Chris Hostetter [mailto:hossman_luc...@fucit.org] Sent: Friday, September 01, 2017 5:46 PM To: solr-user@lucene.apache.org Subject: Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH all of the low level SSL code used by Solr comes from the JVM. double check which version of java you are using and make sure it's consistent on all of your servers -- if you disable SSL on the affected server you can use the Solr Admin UI to be 100% certain of exactly which version of java is being used... https://lucene.apache.org/solr/guide/6_6/overview-of-the-solr-admin-ui.html If the JVM Runtime *versions* are identicle, the next thing to check would be the the JVM security settings which control which ciphers are used. For Oracle JVMs this file is named "java.security" -- compare that file between your functional/non-functional servers. There are lots of docs out there on SSL protocol and cipher configuration in java's java.security file, here's a quick one that links deep into the details of enabling/disabling protocols... http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols ...but the bottomline is: you probably want to fix your broken server to match your working servers, and unless the JVM versions are different, that means someone/thing must have modified the JVM security settings on one of your servers -- find out who & why. -Hoss http://www.lucidworks.com/
Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
all of the low level SSL code used by Solr comes from the JVM. double check which version of java you are using and make sure it's consistent on all of your servers -- if you disable SSL on the affected server you can use the Solr Admin UI to be 100% certain of exactly which version of java is being used... https://lucene.apache.org/solr/guide/6_6/overview-of-the-solr-admin-ui.html If the JVM Runtime *versions* are identicle, the next thing to check would be the the JVM security settings which control which ciphers are used. For Oracle JVMs this file is named "java.security" -- compare that file between your functional/non-functional servers. There are lots of docs out there on SSL protocol and cipher configuration in java's java.security file, here's a quick one that links deep into the details of enabling/disabling protocols... http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols ...but the bottomline is: you probably want to fix your broken server to match your working servers, and unless the JVM versions are different, that means someone/thing must have modified the JVM security settings on one of your servers -- find out who & why. -Hoss http://www.lucidworks.com/
Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Sorry I am not using Tomcat. This is a fresh build of solr. Sent from my iPhone > On Sep 1, 2017, at 3:33 PM, Rick Leirwrote: > > Kent, > Did you say you are using Tomcat? Solr does not use Tomcat by default, so you > will need to tell us more about your configuration. > > But first, think of what you might have changed just before it stopped > working. > Cheers -- Rick > >> On September 1, 2017 11:55:47 AM EDT, "Younge, Kent A - Norman, OK - >> Contractor" wrote: >> >> Hello, >> >> I am getting an error ERR_SSL_VERSION_OR_CIPHER_MISMATCH on one of my >> Solr servers. The details show that it's an Unsupported protocol: >> The client and server don't support a common SSL protocol version or >> cipher suite. I have changed my browser settings and nothing seems to >> work. If I comment out the SSL configuration in the solr.in.sh and use >> HTTP the site Admin site comes up fine. I have searched for where the >> ciphers might be but, I am unsuccessful as I am not sure that they are >> the ciphers in TOMCAT or do they get written somewhere else? I've gone >> over the certs several times I have compared it to a working Solr >> server and nothing seems different. Other than this one does not work. >> >> >> >> >> >> >> Thank you, >> >> Kent > > -- > Sorry for being brief. Alternate email is rickleir at yahoo dot com
Re: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Kent, Did you say you are using Tomcat? Solr does not use Tomcat by default, so you will need to tell us more about your configuration. But first, think of what you might have changed just before it stopped working. Cheers -- Rick On September 1, 2017 11:55:47 AM EDT, "Younge, Kent A - Norman, OK - Contractor"wrote: > >Hello, > >I am getting an error ERR_SSL_VERSION_OR_CIPHER_MISMATCH on one of my >Solr servers. The details show that it's an Unsupported protocol: >The client and server don't support a common SSL protocol version or >cipher suite. I have changed my browser settings and nothing seems to >work. If I comment out the SSL configuration in the solr.in.sh and use >HTTP the site Admin site comes up fine. I have searched for where the >ciphers might be but, I am unsuccessful as I am not sure that they are >the ciphers in TOMCAT or do they get written somewhere else? I've gone >over the certs several times I have compared it to a working Solr >server and nothing seems different. Other than this one does not work. > > > > > > >Thank you, > >Kent -- Sorry for being brief. Alternate email is rickleir at yahoo dot com