
Knox starts but fails to handshake no cipher suites in common


Hi there,

We have Knox version 2.4.2.0-258 deployed in two environments (say Prod-A and Prod-B). Everything was working fine when started through Ambari, but when I try to connect to Knox it doesn't work.

Checked the gateway.jks under knox/data/security/keystore; it has a valid chain of certs.

2016-08-02 15:29:23,969 DEBUG nio.ssl (SslConnection.java:wrap(475)) - SCEP@fe16e5{l(/IP1:35840)<->r(/IP2:8444),s=1,open=true,ishut=false,oshut=false,rb=false,wb=false,w=true,i=1r}-{SslConnection@4ddce8ac SSL NEED_WRAP i/o/u=0/0/0 ishut=false oshut=false {AsyncHttpConnection@20993ce7,g=HttpGenerator{s=0,h=-1,b=-1,c=-1},p=HttpParser{s=-14,l=0,c=0},r=0}}
javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
        at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
        at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
        at org.eclipse.jetty.io.nio.SslConnection.wrap(SslConnection.java:460)
        at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:386)
        at org.eclipse.jetty.io.nio.SslConnection.access$900(SslConnection.java:48)
        at org.eclipse.jetty.io.nio.SslConnection$SslEndPoint.fill(SslConnection.java:678)
        at org.eclipse.jetty.http.HttpParser.fill(HttpParser.java:1044)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:280)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
        at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
        at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:292)
        at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1035)
        at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:738)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:919)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:916)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369)
        at org.eclipse.jetty.io.nio.SslConnection.process(SslConnection.java:375)
        ... 12 more

Here are the commands I used to import the host-specific certificate into the JKS. All of the following were tried, but I get the same error.

keytool -import -alias gateway-identity -keyalg RSA -keystore gateway.jks -trustcacerts -file /etc/pki/tls/certs/Prod-A-HostFQDN.cer -storepass JKSP@ssword
keytool -import -alias gateway-identity -keyalg RSA -keystore gateway.jks -file /etc/pki/tls/certs/Prod-A-HostFQDN.cer -storepass JKSP@ssword
keytool -import -alias gateway-identity -keystore gateway.jks -file /etc/pki/tls/certs/Prod-A-HostFQDN.cer -storepass JKSP@ssword

Can anyone say what is the issue and how to go about this?

Regards
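One way to check the keystore state behind this error, as an added example that is not part of the original thread: a POSIX shell snippet that parses non-verbose `keytool -list` output for the gateway-identity alias. It assumes the keystore path and password shown (placeholders) and that keytool is on PATH for live use; when an alias holds only a trustedCertEntry (which is what `keytool -import` creates when the alias has no existing private key), Jetty has no server key to offer and SunJSSE reports exactly "no cipher suites in common".

```shell
#!/bin/sh
# Added diagnostic (not from the original post): classify what `keytool -list`
# reports for the Knox gateway-identity alias. A JKS whose gateway-identity
# entry is a trusted certificate only (no private key) cannot back a TLS
# server socket, and the handshake fails with "no cipher suites in common".

KEYSTORE="${KEYSTORE:-knox/data/security/keystore/gateway.jks}"  # placeholder path
STOREPASS="${STOREPASS:-changeit}"                               # placeholder password
ALIAS="${ALIAS:-gateway-identity}"

# entry_type ALIAS: reads non-verbose `keytool -list` output on stdin and prints
# the entry type of ALIAS (PrivateKeyEntry, trustedCertEntry, ...) or "missing".
# Entry lines look like: "<alias>, <date>, <EntryType>," so the last field is used.
entry_type() {
    awk -v a="$1," '
        $1 == a { t = $NF; sub(/,$/, "", t); print t; found = 1; exit }
        END { if (!found) print "missing" }'
}

# verdict TYPE: returns 0 only when the alias can back a TLS server socket.
verdict() {
    case "$1" in
        PrivateKeyEntry)
            echo "OK: $ALIAS holds a private key and certificate chain"; return 0 ;;
        trustedCertEntry)
            echo "PROBLEM: $ALIAS is a trusted certificate only (no private key);" \
                 "the server cannot negotiate any cipher suite"; return 1 ;;
        missing)
            echo "PROBLEM: alias $ALIAS not found in keystore"; return 1 ;;
        *)
            echo "UNEXPECTED entry type '$1' for $ALIAS"; return 1 ;;
    esac
}

# Stand-alone use: inspect the live keystore (requires keytool on PATH).
if [ -r "$KEYSTORE" ]; then
    verdict "$(keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" | entry_type "$ALIAS")"
fi
```

A PrivateKeyEntry for gateway-identity rules this cause out; a trustedCertEntry means the key pair has to be generated (or the CA reply imported onto the existing private-key alias) rather than the certificate imported on its own.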

1 ACCEPTED SOLUTION


There could be a problem with the certificate itself. I recommend regenerating it and trying again. You can follow instructions in the Apache Knox Users Guide to generate a self-signed certificate:

http://knox.apache.org/books/knox-0-6-0/user-guide.html#Generating+a+self-signed+cert+for+use+in+tes...

If you want to use a more legitimate certificate you can generate and sign it yourself with OpenSSL or from a CA, and follow the steps in the next section of the guide, Using a CA Signed Key Pair.


4 REPLIES


Can you provide more details about how you're attempting to connect, and with which client? If you're using curl, specify the exact command (masking the user password if you want), and the exact version of curl + OS.


Thanks for getting back.

@Alex Miller Here is the curl command used to connect to the Knox server:

curl -i -k -u admin:P@ssword 'https://<Knox_SERVER_Hostname>:<KNOX_PORT>/gateway/default/templeton/v1/status'

RHEL: Oracle Linux Server release 6.7

Curl version: 7.19.7

JDK: openjdk version "1.8.0_71"
OpenJDK Runtime Environment (build 1.8.0_71-b15)
