javax.net.ssl.SSLException: Server selected improper ciphersuite SSL_RSA_WITH_DES_CBC_SHA

Question

When applet is served through HTTPS connection I am getting following exception.

This problem is experienced at Java 1.7.0_25 but not at java 1.6.

when i look at the chipersuit supported by java (http://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#PLUG) i see SSL_RSA_WITH_DES_CBC_SHA in list.

Is there any one experiencing this error? and What should i do to deal with this error?

Java Plug-in 10.25.2.15
Using JRE version 1.7.0_25-b15 Java HotSpot(TM) 64-Bit Server VM
User home directory = /home/mithat
----------------------------------------------------
network: Cache entry not found [url: https://mytest.domain.tr/LoginWeb/myapplet.jar,     version: null]
network: Connecting https://mytest.domain.tr/LoginWeb/myapplet.jar with proxy=DIRECT
network: Connecting http://mytest.domain.tr:443/ with proxy=DIRECT
javax.net.ssl.SSLException: Server selected improper ciphersuite SSL_RSA_WITH_DES_CBC_SHA
   at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
   at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:266)
   at sun.security.ssl.ClientHandshaker.serverHello(ClientHandshaker.java:464)
   at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:143)
   at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
   at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
   at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
   at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
   at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
   at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
   at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
   at sun.plugin.PluginURLJarFileCallBack.connect(Unknown Source)
   at sun.plugin.PluginURLJarFileCallBack.retrieve(Unknown Source)
   at sun.net.www.protocol.jar.URLJarFile.retrieve(URLJarFile.java:205)
   at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:71)
   at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:88)
   at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:122)
network: Cache entry not found [url: https://mytest.domain.tr/LoginWeb/myapplet.jar, version: null]
...
network: Cache entry not found [url:   https://mytest.domain.tr/LoginWeb/test/AppletTest.class, version: null]
network: Connecting https://mytest.domain.tr/LoginWeb/test/AppletTest.class with proxy=DIRECT
network: Connecting http://mytest.domain.tr:443/ with proxy=DIRECT
java.lang.ClassNotFoundException: test.AppletTest
   at sun.plugin2.applet.Applet2ClassLoader.findClass(Unknown Source)
   at sun.plugin2.applet.Plugin2ClassLoader.loadClass0(Unknown Source)
   at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
   at sun.plugin2.applet.Plugin2ClassLoader.loadClass(Unknown Source)
   at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
   at sun.plugin2.applet.Plugin2ClassLoader.loadCode(Unknown Source)
   at sun.plugin2.applet.Plugin2Manager.initAppletAdapter(Unknown Source)
   at sun.plugin2.applet.Plugin2Manager$AppletExecutionRunnable.run(Unknown Source)
   at java.lang.Thread.run(Thread.java:724)
   ...
security: Reset deny session certificate store
basic: Dialog type is not candidate for embedding

Answer 1

Most likely the issue could be related to reverse proxy setup. For example in apache you have to set below parameters.

ProxyPass /foo http://foo.example.com/bar
ProxyPassReverse /foo http://foo.example.com/bar

You can find similar option for other reverse proxy servers.

Answer 2

We examined the network by means of Wireshark and we found out the server chooses mentioned chipher suite which is actually not in client-hello and disabled at Java8. After change SSL module of network device problem is resolved. You can find default supported chipher suites in java here.