CIPHER Suite error after starting Registry: Could not set property enabledCipherSuites on [SSL: ServerSocket[addr=/0.0.0.0,localport=2010]]

Products

Service Virtualization

Issue/Introduction

Upgraded from DevTest 10.6.0 to 10.7.2 in a Sandbox environment and have the below property enabled in the local.properties file. It worked in 10.6.0, but not in 10.7.2:

lisa.server.https.cipher.suites=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_256_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_WITH_AES_256_GCM_SHA384,TLS_WITH_AES_256_SHA256,TLS_WITH_AES_256_SHA256,TLS_WITH_AES_256_GCM_SHA384

In 10.7.2 will get the below error when starting Registry

2022-06-17T17:33:43,670Z (10:33) [main] ERROR com.itko.activemq.util.IntrospectionSupport - Could not set property enabledCipherSuites on [SSL: ServerSocket[addr=/0.0.0.0,localport=2010]]
java.lang.reflect.InvocationTargetException: null
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_321]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_321]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_321]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_321]
at com.itko.activemq.util.IntrospectionSupport.setProperty(IntrospectionSupport.java:187) [itko-activemq-5.16.1.0.jar:?]
at com.itko.activemq.transport.tcp.TcpTransportServer.configureServerSocket(TcpTransportServer.java:192) [itko-activemq-5.16.1.0.jar:?]
at com.itko.activemq.transport.tcp.TcpTransportServer.bind(TcpTransportServer.java:144) [itko-activemq-5.16.1.0.jar:?]
at com.itko.activemq.transport.tcp.SslTransportServer.bind(SslTransportServer.java:105) [itko-activemq-5.16.1.0.jar:?]
at com.itko.activemq.transport.tcp.SslTransportFactory.doBind(SslTransportFactory.java:68) [itko-activemq-5.16.1.0.jar:?]
at com.itko.activemq.broker.SslBrokerService.createSslTransportServer(SslBrokerService.java:97) [itko-activemq-5.16.1.0.jar:?]
at com.itko.activemq.broker.SslBrokerService.addSslConnector(SslBrokerService.java:72) [itko-activemq-5.16.1.0.jar:?]
at com.itko.lisa.net.ActiveMQFactory.startBroker(ActiveMQFactory.java:517) [lisa-core-10.7.2.jar:?]
at com.itko.lisa.net.ActiveMQFactory.getBrokerServerQueueConnection(ActiveMQFactory.java:679) [lisa-core-10.7.2.jar:?]
at com.itko.lisa.net.RemoteRequestHandler.startRemoteServer(RemoteRequestHandler.java:237) [lisa-core-10.7.2.jar:?]
at com.itko.lisa.net.RemoteRequestHandler.startRemoteServer(RemoteRequestHandler.java:224) [lisa-core-10.7.2.jar:?]
at com.itko.lisa.net.RemoteRequestHandler.registerTarget(RemoteRequestHandler.java:100) [lisa-core-10.7.2.jar:?]
at com.itko.lisa.net.ServerRequestHandler.registerTarget(ServerRequestHandler.java:49) [lisa-core-10.7.2.jar:?]
at com.itko.lisa.coordinator.LisaServerObjectImpl.register(LisaServerObjectImpl.java:105) [lisa-core-10.7.2.jar:?]
at com.itko.lisa.coordinator.TestRegistryImpl.<init>(TestRegistryImpl.java:249) [lisa-core-10.7.2.jar:?]
at com.itko.lisa.coordinator.TestRegistryImpl.main(TestRegistryImpl.java:2173) [lisa-core-10.7.2.jar:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_321]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_321]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_321]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_321]
at com.exe4j.runtime.LauncherEngine.launch(LauncherEngine.java:84) [i4jruntime.jar:?]
at com.install4j.runtime.launcher.UnixLauncher.start(UnixLauncher.java:69) [i4jruntime.jar:?]
at install4j.com.itko.lisa.coordinator.TestRegistryImpl_RegistryService.main(Unknown Source) [launcher3b723c2d.jar:?]
Caused by: java.lang.IllegalArgumentException: Unsupported CipherSuite: TLS_DH_RSA_WITH_AES_256_GCM_SHA384
at sun.security.ssl.CipherSuite.validValuesOf(CipherSuite.java:1022) ~[?:1.8.0_321]
at sun.security.ssl.SSLServerSocketImpl.setEnabledCipherSuites(SSLServerSocketImpl.java:91) ~[?:1.8.0_321]
... 27 more
2022-06-17T17:33:43,677Z (10:33) [main] ERROR com.itko.lisa.net.ActiveMQFactory - Bad start
java.io.IOException: Failed to bind to server socket: ssl://0.0.0.0:2010/Registry?transport.enabledCipherSuites=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,%20TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_256_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_WITH_AES_256_GCM_SHA384,TLS_WITH_AES_256_SHA256,TLS_WITH_AES_256_SHA256,TLS_WITH_AES_256_GCM_SHA384&transport.enabledProtocols=TLSv1.2 due to: java.net.SocketException: Invalid transport options {enabledCipherSuites=TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DH_RSA_WITH_AES_256_GCM_SHA384,TLS_DH_RSA_WITH_AES_256_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_SHA256,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_SHA384,TLS_WITH_AES_256_GCM_SHA384,TLS_WITH_AES_256_SHA256,TLS_WITH_AES_256_SHA256,TLS_WITH_AES_256_GCM_SHA384}
at com.itko.activemq.util.IOExceptionSupport.create(IOExceptionSupport.java:34) ~[itko-activemq-5.16.1.0.jar:?]
at com.itko.activemq.transport.tcp.TcpTransportServer.bind(TcpTransportServer.java:146) ~[itko-activemq-5.16.1.0.jar

Environment

Release : 10.7.2

Component : DevTest Registry

Cause

Using unsupported CIPHER SUITES in list of their cipher suites these do not work with the DevTest OpenJDK:

TLS_DH_RSA_WITH_AES_256_GCM_SHA384
TLS_DH_RSA_WITH_AES_256_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_SHA384
TLS_ECDH_RSA_WITH_AES_256_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_SHA384
TLS_ECDHE_RSA_WITH_AES_256_SHA384
TLS_WITH_AES_256_GCM_SHA384
TLS_WITH_AES_256_SHA256

Resolution

With DevTest 10.7.2, supported Protocols are: SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2

Supported Cipher Suites: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Please choose the CIPHER SUITES needed of the supported list.

Additional Information

Attached is a mar file with a test that shows the available Cipher Suites.

Gotten from https://support.azul.com/hc/en-us/articles/360061894852-Which-security-protocols-and-cipher-suites-are-enabled-in-a-specific-Java-Release-bundle

Attachments

1655836117008__Supported_Java_Ciphers.mar get_app