Open pki-bot opened 4 years ago
This issue was migrated from Pagure Issue #3030. Originally filed by slev (@stanislavlevin) on 2018-05-30 10:37:17:
After an installation of the pki system I can't browse to the web page with Firefox: https://slipadc.slipa.sltest:8443/. An error:
"Peer reports it experienced an internal error. Error code: SSL_ERROR_INTERNAL_ERROR_ALERT"
My environment:
cat /etc/os-release
NAME="ALT Server"

pki --version
PKI Command-Line Interface 10.6.1-alt1.S1

java -version
openjdk version "1.8.0_144"
OpenJDK Runtime Environment (build 1.8.0_144-b01)
OpenJDK 64-Bit Server VM (build 25.144-b01, mixed mode)
openjdk is packaged without sun.security.ec.SunEC provider.
rpm -q tomcat
tomcat-8.5.29-alt1_1jpp8.noarch

rpm -q tomcatjss
tomcatjss-7.3.0-alt1.S1.noarch

rpm -q jss
jss-4.4.3-alt1.S1.x86_64
So, I have these ciphers supported by pki:
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA256
from which, for example, my Firefox (52.8.0) supports these, and they fail:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
The issue can be reproduced using curl:
curl -vk --ciphers DHE-RSA-AES256-SHA256 https://slipadc.slipa.sltest:8443/ca/
...
curl: (56) OpenSSL SSL_read: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error, errno 0
The DHE-RSA-AES*-GCM-SHA* ciphers are OK for curl, but are not supported by FF. Absolutely the same problem with DHE-RSA-AES*-SHA* is on Fedora 28:
curl -k --ciphers DHE-RSA-AES256-SHA256 https://fedoradc.fedorastanislavlevin.stanislavlevintest:8443/ca/
curl: (56) OpenSSL SSL_read: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error, errno 0
Where can the problem be? How can I debug and fix it?
Comment from mharmsen (@mharmsen) at 2018-06-22 16:40:47
Metadata Update from @mharmsen: