Oracle JDBC: Ignore unsupported cipher suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA for TLSv1.3

Question

Oracle JDBC: Ignore unsupported cipher suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA for TLSv1.3

1.3k Views Asked by EMEM At 29 June 2022 at 00:20

I am trying to set up an encryption-only SSL connection to Oracle 21.3, however javax.net.debug produces a following log for any anon cipher suite:

I have removed appropriate entries from jdk.tls.disabledAlgorithms property in java.security. That enabled anon ciphers for default SSLServerSocketFactory (I am checking them with SSLServerSocketFactory::getSupportedCipherSuites()), but didn't take any effect on JDBC's SSL.

I've tried calling SSLEngine::setEnabledCipherSuites("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA") while debugging JDBC, but it didn't change anything as well.

I ran out of debugging ideas for the moment, any input is highly appreciated :)

JDK: Oracle OpenJDK 11.0.15

Driver: ojdbc11:21.5.0.0

JDBC config:

javax.net.debug

avax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.643 CEST|SSLContextImpl.java:428|System property jdk.tls.client.cipherSuites is set to 'SSL_DH_anon_WITH_3DES_EDE_CBC_SHA'
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.653 CEST|SSLCipher.java:464|jdk.tls.keyLimits:  entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.653 CEST|SSLContextImpl.java:428|System property jdk.tls.server.cipherSuites is set to 'SSL_DH_anon_WITH_3DES_EDE_CBC_SHA'
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.653 CEST|TrustStoreManager.java:161|Inaccessible trust store: C:\Program Files\Java\jdk-11.0.15\lib\security\jssecacerts
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.653 CEST|TrustStoreManager.java:112|trustStore is: C:\Program Files\Java\jdk-11.0.15\lib\security\cacerts
trustStore type is: pkcs12
trustStore provider is: 
the last modified time is: Mon May 30 14:00:04 CEST 2022
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.653 CEST|TrustStoreManager.java:311|Reload the trust store
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.684 CEST|TrustStoreManager.java:318|Reload trust certs
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.684 CEST|TrustStoreManager.java:323|Reloaded 89 trust certs
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.715 CEST|X509TrustManagerImpl.java:79|adding as trusted certificates (
... CERTIFICATES ...
)
javax.net.ssl|ALL|01|main|2022-06-29 02:12:31.733 CEST|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|01|main|2022-06-29 02:12:31.733 CEST|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.733 CEST|SSLConfiguration.java:457|System property jdk.tls.server.SignatureSchemes is set to 'null'
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.739 CEST|SSLConfiguration.java:457|System property jdk.tls.client.SignatureSchemes is set to 'null'
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.847 CEST|HandshakeContext.java:296|Ignore unsupported cipher suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA for TLSv1.3
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.848 CEST|HandshakeContext.java:296|Ignore unsupported cipher suite: SSL_DH_anon_WITH_RC4_128_MD5 for TLSv1.3
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.848 CEST|HandshakeContext.java:303|No available cipher suite for TLSv1.3
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.855 CEST|SSLExtension.java:807|System property jdk.tls.client.disableExtensions is set to 'null'
javax.net.ssl|WARNING|01|main|2022-06-29 02:12:31.855 CEST|ServerNameExtension.java:261|Unable to indicate server name
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.856 CEST|SSLExtensions.java:260|Ignore, context unavailable extension: server_name
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.856 CEST|SupportedGroupsExtension.java:386|Ignore inactive or disabled named group: x25519
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.856 CEST|SupportedGroupsExtension.java:386|Ignore inactive or disabled named group: secp256r1
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.856 CEST|SupportedGroupsExtension.java:386|Ignore inactive or disabled named group: secp384r1
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.856 CEST|SupportedGroupsExtension.java:386|Ignore inactive or disabled named group: secp521r1
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.856 CEST|SupportedGroupsExtension.java:386|Ignore inactive or disabled named group: x448
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.857 CEST|ECPointFormatsExtension.java:195|Need no ec_point_formats extension
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.857 CEST|SSLExtensions.java:260|Ignore, context unavailable extension: ec_point_formats
javax.net.ssl|WARNING|01|main|2022-06-29 02:12:31.857 CEST|SignatureScheme.java:295|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2022-06-29 02:12:31.857 CEST|SignatureScheme.java:295|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|ALL|01|main|2022-06-29 02:12:31.857 CEST|SignatureScheme.java:383|Ignore unsupported signature scheme: ed25519
javax.net.ssl|ALL|01|main|2022-06-29 02:12:31.857 CEST|SignatureScheme.java:383|Ignore unsupported signature scheme: ed448
javax.net.ssl|ALL|01|main|2022-06-29 02:12:31.857 CEST|SignatureScheme.java:383|Ignore unsupported signature scheme: ecdsa_sha224
javax.net.ssl|ALL|01|main|2022-06-29 02:12:31.857 CEST|SignatureScheme.java:383|Ignore unsupported signature scheme: rsa_sha224
javax.net.ssl|ALL|01|main|2022-06-29 02:12:31.857 CEST|SignatureScheme.java:383|Ignore unsupported signature scheme: dsa_sha224
javax.net.ssl|ALL|01|main|2022-06-29 02:12:31.857 CEST|SignatureScheme.java:402|Ignore disabled signature scheme: rsa_md5
javax.net.ssl|INFO|01|main|2022-06-29 02:12:31.857 CEST|AlpnExtension.java:178|No available application protocols
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.857 CEST|SSLExtensions.java:260|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.857 CEST|ClientHello.java:642|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "56 30 9D 23 1A 57 5D 2E 9E 7B 6E 00 FC 1F 02 06 52 20 4B F0 DC D7 43 6C 1F 74 01 9D FE DF DC 66",
  "session id"          : "",
  "cipher suites"       : "[SSL_DH_anon_WITH_3DES_EDE_CBC_SHA(0x001B), SSL_DH_anon_WITH_RC4_128_MD5(0x0018)]",
  "compression methods" : "00",
  "extensions"          : [
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2, TLSv1.1, TLSv1]
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.857 CEST|SSLEngineOutputRecord.java:529|WRITE: TLSv1.2 handshake, length = 183
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.857 CEST|SSLEngineOutputRecord.java:550|Raw write (
  0000: 16 03 03 00 B7 01 00 00   B3 03 03 56 30 9D 23 1A  ...........V0.#.
  0010: 57 5D 2E 9E 7B 6E 00 FC   1F 02 06 52 20 4B F0 DC  W]...n.....R K..
  0020: D7 43 6C 1F 74 01 9D FE   DF DC 66 00 00 04 00 1B  .Cl.t.....f.....
  0030: 00 18 01 00 00 86 00 05   00 05 01 00 00 00 00 00  ................
  0040: 0A 00 0C 00 0A 01 00 01   01 01 02 01 03 01 04 00  ................
  0050: 0D 00 22 00 20 04 03 05   03 06 03 08 04 08 05 08  ..". ...........
  0060: 06 08 09 08 0A 08 0B 04   01 05 01 06 01 04 02 02  ................
  0070: 03 02 01 02 02 00 32 00   22 00 20 04 03 05 03 06  ......2.". .....
  0080: 03 08 04 08 05 08 06 08   09 08 0A 08 0B 04 01 05  ................
  0090: 01 06 01 04 02 02 03 02   01 02 02 00 11 00 09 00  ................
  00A0: 07 02 00 04 00 00 00 00   00 17 00 00 00 2B 00 07  .............+..
  00B0: 06 03 03 03 02 03 01 FF   01 00 01 00              ............
)
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.955 CEST|SSLEngineInputRecord.java:177|Raw read (
  0000: 15 03 03 00 02 02 28                               ......(
)
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.955 CEST|SSLEngineInputRecord.java:214|READ: TLSv1.2 alert, length = 2
javax.net.ssl|DEBUG|01|main|2022-06-29 02:12:31.955 CEST|Alert.java:238|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "handshake_failure"
}
)
javax.net.ssl|ERROR|01|main|2022-06-29 02:12:31.955 CEST|TransportContext.java:361|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:356)
    at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:202)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
    at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:688)
    at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:643)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:461)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:440)
    at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
    at oracle.net.nt.SSLSocketChannel.unwrap(SSLSocketChannel.java:670)
    at oracle.net.nt.SSLSocketChannel.unwrapHandshakeMessage(SSLSocketChannel.java:623)
    at oracle.net.nt.SSLSocketChannel.doSSLHandshake(SSLSocketChannel.java:461)
    at oracle.net.nt.SSLSocketChannel.write(SSLSocketChannel.java:149)
    at oracle.net.ns.NIOPacket.writeToSocketChannel(NIOPacket.java:361)
    at oracle.net.ns.NIOConnectPacket.writeToSocketChannel(NIOConnectPacket.java:256)
    at oracle.net.ns.NSProtocolNIO.negotiateConnection(NSProtocolNIO.java:157)
    at oracle.net.ns.NSProtocol.connect(NSProtocol.java:350)
    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:2558)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:667)
    at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:1089)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:90)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:733)
    at oracle.jdbc.datasource.impl.OracleDataSource.getPhysicalConnection(OracleDataSource.java:681)
    at oracle.jdbc.datasource.impl.OracleDataSource.getConnection(OracleDataSource.java:375)
    at oracle.jdbc.datasource.impl.OracleDataSource.getConnectionInternal(OracleDataSource.java:2120)
    at oracle.jdbc.datasource.impl.OracleDataSource.getConnection(OracleDataSource.java:350)
    at oracle.jdbc.datasource.impl.OracleDataSource.getConnection(OracleDataSource.java:311)
    at SslOracleDataSource.query(SslOracleDataSource.java:26)
    at SslOracleDataSource.connectAnon(SslOracleDataSource.java:43)
    at App.main(App.java:17)}

)
javax.net.ssl|ALL|01|main|2022-06-29 02:12:31.965 CEST|SSLSessionImpl.java:784|Invalidated session:  Session(1656461551739|SSL_NULL_WITH_NULL_NULL)
Exception in thread "main" java.sql.SQLRecoverableException: IO Error: IO Error Received fatal alert: handshake_failure, connect lapse 119 ms., Authentication lapse 0 ms.
    at oracle.jdbc.driver.T4CConnection.handleLogonIOException(T4CConnection.java:946)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:711)
    at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:1089)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:90)
    at oracle.jdbc.driver.OracleDriver.connect(OracleDriver.java:733)
    at oracle.jdbc.datasource.impl.OracleDataSource.getPhysicalConnection(OracleDataSource.java:681)
    at oracle.jdbc.datasource.impl.OracleDataSource.getConnection(OracleDataSource.java:375)
    at oracle.jdbc.datasource.impl.OracleDataSource.getConnectionInternal(OracleDataSource.java:2120)
    at oracle.jdbc.datasource.impl.OracleDataSource.getConnection(OracleDataSource.java:350)
    at oracle.jdbc.datasource.impl.OracleDataSource.getConnection(OracleDataSource.java:311)
    at SslOracleDataSource.query(SslOracleDataSource.java:26)
    at SslOracleDataSource.connectAnon(SslOracleDataSource.java:43)
    at App.main(App.java:17)
Caused by: java.io.IOException: IO Error Received fatal alert: handshake_failure, connect lapse 119 ms., Authentication lapse 0 ms.
    at oracle.jdbc.driver.T4CConnection.handleLogonIOException(T4CConnection.java:941)
    ... 12 more
Caused by: java.io.IOException: IO Error Received fatal alert: handshake_failure, connect lapse 119 ms.
Caused by: java.io.IOException: IO Error Received fatal alert: handshake_failure, connect lapse 119 ms., Authentication lapse 0 ms.

    at oracle.net.ns.NSProtocolNIO.negotiateConnection(NSProtocolNIO.java:202)
    at oracle.net.ns.NSProtocol.connect(NSProtocol.java:350)
    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:2558)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:667)
    ... 11 more
Caused by: java.io.IOException: IO Error Received fatal alert: handshake_failure
    at oracle.net.nt.SSLSocketChannel.unwrap(SSLSocketChannel.java:674)
Caused by: java.io.IOException: IO Error Received fatal alert: handshake_failure, connect lapse 119 ms.

    at oracle.net.nt.SSLSocketChannel.unwrapHandshakeMessage(SSLSocketChannel.java:623)
    at oracle.net.nt.SSLSocketChannel.doSSLHandshake(SSLSocketChannel.java:461)
Caused by: java.io.IOException: IO Error Received fatal alert: handshake_failure

    at oracle.net.nt.SSLSocketChannel.write(SSLSocketChannel.java:149)
    at oracle.net.ns.NIOPacket.writeToSocketChannel(NIOPacket.java:361)
    at oracle.net.ns.NIOConnectPacket.writeToSocketChannel(NIOConnectPacket.java:256)
    at oracle.net.ns.NSProtocolNIO.negotiateConnection(NSProtocolNIO.java:157)
    ... 14 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:356)
    at java.base/sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:202)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
    at java.base/sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:688)
    at java.base/sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:643)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:461)
    at java.base/sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:440)
    at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637)
    at oracle.net.nt.SSLSocketChannel.unwrap(SSLSocketChannel.java:670)
    ... 20 more

Execution failed for task ':App.main()'.
> Process 'command 'C:/Program Files/Java/jdk-11.0.15/bin/java.exe'' finished with non-zero exit value 1

Original Q&A

There are 1 best solutions below

**Eugène Adell** · Answer 1 · 2022-10-27T19:38:48.287000

The first screenshot says the two cipher suites aren't supported by TLS 1.3, which indeed aren't (TLS 1.3 Cipher Suites)

You would downgrade to TLS 1.2 by specifying -Doracle.net.ssl_version="1.2" or its API equivalent CONNECTION_PROPERTY_THIN_SSL_VERSION, and maybe try some other cipher suites which are not anon (TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA are good to start, but a more complete list is here). In the latter case, you might need to update the keystore with the server's certificate.

Oracle JDBC: Ignore unsupported cipher suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA for TLSv1.3

There are 1 best solutions below

Related Questions in JAVA

Related Questions in SSL

Related Questions in JDBC

Related Questions in JAVA-SECURITY

Related Questions in JSSE

Trending Questions

Popular # Hahtags

Popular Questions