SSLException: No appropriate protocol

[JiangXL]

I'm trying to connect the ilo2 remote console at HP Proliant ML350 G6. After building, I got following error:

hf@spectre ~/b/ILO2-Standalone-Remote-Console (master) [1]> /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/bin/java -Djava.security.properties=java.security  -jar ILO2RemCon.jar -c config.properties
Couldn't find datastore, requesting Cookie
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
        at sun.security.ssl.HandshakeContext.<init>(HandshakeContext.java:171)
        at sun.security.ssl.ClientHandshakeContext.<init>(ClientHandshakeContext.java:103)
        at sun.security.ssl.TransportContext.kickstart(TransportContext.java:220)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:433)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:197)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1572)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1500)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
        at Main.Stage1(Main.java:82)
        at Main.main(Main.java:301)

Any idea is welcome!

[fridtjof]

Are you running the latest ilo2 firmware? Should be 2.33, if I recall correctly. They implemented slightly more modern SSL with that, which is needed.

[JiangXL]

It is weird because my ilo2 is actually running the firmware 2.33.

[scrapes]

Can you post the Certificate information? Maybe it was issued with an older firmware.

[JiangXL]

Thank for your kind reply! I will post the certificate information later when I come back to laboratory.

I have flashed twice the 2.33 firmware today. Rather than firmware issue, I’m worrying the Java version and configuration. I try to build and run with Java 8 and Java 11, but both of them show above error.

On Aug 10, 2022, at 19:10, Anton Scharnowski @.***> wrote:



Can you post the Certificate information? Maybe it was issued with an older firmware.

— Reply to this email directly, view it on GitHubhttps://github.com/scrapes/ILO2-Standalone-Remote-Console/issues/12#issuecomment-1210524049, or unsubscribehttps://github.com/notifications/unsubscribe-auth/ABLIOLGWIJLNC3OM4KYC64TVYOE2DANCNFSM56DWYIXA. You are receiving this because you authored the thread.Message ID: @.***>

[ppar]

FWIW -- I've been able to connect to the iLO2 web frontend using a Debian 9 VM. The openssl & co shipped with that OS still support the old ciphers.

Don't remember if this applies to the Java runtime too (and hence the remote console client).

My iLO2 firmware is probably a couple of versions behind too - too scared to update it.

[JiangXL]

Thanks everyone, here are how firefox shows:

Public Key Info
Algorithm: RSA
Key Size: 1024
Exponent: 65537
Modulus: xxxxxxxx
Miscellaneous
Signature Algorithm: MD5 with RSA Encryption
Version: NaN
Fringerprints
SHA-256: xxxxx
SHA-1: xxx
Techical Details: TLS_RSA_WITH_AES_128_CBC_SHA

And web interface show: iLO 2 Firmware Version: | 2.33   03/20/2018

[scrapes]

You need to go into the cipher settings and set MD5 to SHA1 and reissue a new self signed certificate. (as far as I can remember) "Newer" systems don't support MD5 due to its being insecure.

[JiangXL]

Yes, I found that the existed certificate is pretty old which is issued at 2002. I try to issuse reissue self signed certificate, but I can not get the private key from ilo2 instead of a certificate request. Today, I generated a new private key, and issued certificate with this private key and the ilo2 certificate request. When I pasted the certificate to ilo2, it refused and showed that this certificate don't match private key in memory.

Thanks!

[JiangXL]

I finally the right certificate paired to ilo2 certificate request by Let's encrypt. However, the SSLHandshakeException still occur on my openSUSE Tumbleweed which may be too "new".

Why not try it on my old RPI 3b? It does work! The RPI 3b shipped with openjdk 1.8.0_312. Thanks again!

One more issue: The command in README java -jar ILO2RemCon.jar -Djava.security.properties=java.security -c <Path to config.properties> shows java argument error. The command java -Djava.security.properties=java.security -jar ILO2RemCon.jar -c <Path to config.properties> works. If it happens all the time, the README will require a udpate.

[fridtjof]

I guess that might be specific to JDK 1.8, and I probably only tested that command on JDK 11. They might have relaxed the ordering requirements a bit. I'll adjust it anyway :)

[fridtjof]

fixed in eb0e50f5c88b57c455739c3d634a0b412400826f