
Knox starts but fails to handshake no cipher suites in common


Hi there,

We have Knox version 2.4.2.0-258 deployed in two environments (say Prod-A and Prod-B). Everything works fine when started through Ambari, but when I try to connect to Knox it doesn't work.

I checked the gateway.jks under knox/data/security/keystore; it has a valid chain of certs.

2016-08-02 15:29:23,969 DEBUG nio.ssl (SslConnection.java:wrap(475)) - SCEP@fe16e5{l(/IP1:35840)<->r(/IP2:8444),s=1,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=1r}-{SslConnection@4ddce8ac SSL NEED_WRAP i/o/u=0/0/0 ishut=false oshut=false {AsyncHttpConnection@20993ce7,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
        at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
        at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
        at org.eclipse.jetty.io.nio.SslConnection.wrap(SslConnection.java:460)
        at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:386)
        at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
        at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
        at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
        at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:292)
        at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1035)
        at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:738)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
        at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:375)
        ... 12 more

Here are the commands I used to import the host-specific certificate into the JKS. All of the following were tried, but I get the same error.

keytool -import -alias gateway-identity -keyalg RSA -keystore gateway.jks -trustcacerts -file /etc/pki/tls/certs/Prod-A-HostFQDN.cer -storepass JKSP@ssword
keytool -import -alias gateway-identity -keyalg RSA -keystore gateway.jks -file /etc/pki/tls/certs/Prod-A-HostFQDN.cer -storepass JKSP@ssword
keytool -import -alias gateway-identity -keystore gateway.jks -file /etc/pki/tls/certs/Prod-A-HostFQDN.cer -storepass JKSP@ssword

Can anyone say what is the issue and how to go about this?

Regards
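As an added check (not part of the original thread and not Knox project code): all three `keytool -import` commands above import a .cer file, which keytool stores as a trustedCertEntry, a certificate with no private key behind it. A TLS server whose keystore alias holds no private key cannot select any cipher suite, and JSSE reports exactly "no cipher suites in common" to the client, so the entry type of the identity alias is the first thing worth confirming before regenerating anything. The script below classifies the entry recorded for an alias in `keytool -list` output and gives a verdict. It assumes the Knox defaults (keystore gateway.jks, alias gateway-identity); the sample keytool output is constructed, shaped like Java 8 keytool output, and its fingerprint is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original thread and not Knox project code).
# Classifies the entry type that `keytool -list` reports for the Knox identity
# alias. Assumes Knox defaults: keystore gateway.jks, alias gateway-identity.

# classify_entry ALIAS
#   Reads `keytool -list` output on stdin and prints the entry type recorded
#   for ALIAS: PrivateKeyEntry, trustedCertEntry, or MISSING if the alias is
#   absent. The non-verbose listing prints one line per entry of the form
#   "alias, <date>, <entryType>, " followed by a fingerprint line.
classify_entry() {
  awk -v alias="$1" '
    index($0, alias ", ") == 1 {
      if ($0 ~ /PrivateKeyEntry/)  { print "PrivateKeyEntry";  found = 1; exit }
      if ($0 ~ /trustedCertEntry/) { print "trustedCertEntry"; found = 1; exit }
    }
    END { if (!found) print "MISSING" }'
}

# diagnose ALIAS
#   Reads `keytool -list` output on stdin and prints an OK:/PROBLEM: verdict.
#   Only a PrivateKeyEntry gives the server a key to complete the handshake.
diagnose() {
  entry=$(classify_entry "$1")
  case "$entry" in
    PrivateKeyEntry)
      echo "OK: $1 holds a private key; the server can offer cipher suites" ;;
    trustedCertEntry)
      echo "PROBLEM: $1 is a trusted certificate only (no private key); a TLS server cannot use it, expect 'no cipher suites in common'" ;;
    *)
      echo "PROBLEM: alias $1 is not present in the keystore" ;;
  esac
}

# Constructed sample: what `keytool -list` shows after importing only a .cer
# into gateway.jks, as in the question (placeholder fingerprint).
sample_after_cer_import() {
  cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

gateway-identity, Aug 2, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
EOF
}

# Constructed sample: the same listing when the alias holds a key pair
# (placeholder fingerprint).
sample_with_key_pair() {
  cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

gateway-identity, Aug 2, 2016, PrivateKeyEntry, 
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
EOF
}

# Against a real keystore (keytool on PATH; password supplied via a variable,
# not typed on the command line):
#   keytool -list -keystore /path/to/gateway.jks -storepass "$KEYSTORE_PASS" \
#     | diagnose gateway-identity
sample_after_cer_import | diagnose gateway-identity
sample_with_key_pair    | diagnose gateway-identity
```

If the verdict is PROBLEM, importing the .cer again under the same alias will not help: the keystore needs the key pair itself, either generated in place as the Knox guide describes or imported from a PKCS#12 bundle that contains the private key together with the certificate chain.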


Re: Knox starts but fails to handshake no cipher suites in common

Can you provide more details about how you're attempting to connect, and with which client? If you're using curl, specify the exact command (masking the user password if you want) and the exact version of curl and the OS.

Highlighted

Re: Knox starts but fails to handshake no cipher suites in common


Thanks for getting back.

@Alex Miller Here is the curl command I use to connect to the Knox server:

curl -i -k -u admin:P@ssword 'https://<Knox_SERVER_Hostname>:<KNOX_PORT>/gateway/default/templeton/v1/status'

OS: Oracle Linux Server release 6.7 (RHEL)

curl version: 7.19.7

JDK: openjdk version "1.8.0_71"; OpenJDK Runtime Environment (build 1.8.0_71-b15)

Re: Knox starts but fails to handshake no cipher suites in common

There could be a problem with the certificate itself. I recommend regenerating it and trying again. You can follow instructions in the Apache Knox Users Guide to generate a self-signed certificate:

http://knox.apache.org/books/knox-0-6-0/user-guide.html#Generating+a+self-signed+cert+for+use+in+tes...

If you want to use a more legitimate certificate you can generate and sign it yourself with OpenSSL or from a CA, and follow the steps in the next section of the guide, Using a CA Signed Key Pair.
