ლ(ಠ益ಠლ)

Java / DRAC: Error When Reading From SSL Socket Connection

Unable to connect to remote DRAC (version 5) unit on an older DELL PowerEdge server.

I observed the following visual error:

"Error when reading from SSL socket connection".

Invoking the Java Web Start client (javaws) on my local shell returned the following warnings:

$ javaws server.jnlp

javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: No appropriate protocol \
(protocol is disabled or cipher suites are inappropriate)

Caused by: javax.net.ssl.SSLHandshakeException: No appropriate protocol \
(protocol is disabled or cipher suites are inappropriate)

Per Oracle’s documentation:

"Starting with the January 20, 2015 Critical Patch Update releases (JDK 8u31, JDK 7u75, JDK 6u91 and above) the Java Runtime Environment has SSLv3 disabled by default."

This was in response to Padding Oracle On Downgraded Legacy Encryption (POODLE) CVE-2014-3566, a vulnerability found in the SSLv3 protocol.

Based on this information, my recent Java update on my workstation disabled SSLv3 support, effectively breaking my ability to connect to the DRAC unit.

The Update Release Notes contain the necessary documentation to revert this:

SSLv3 is disabled by default
Starting with JDK 7u75 release, the SSLv3 protocol (Secure Socket Layer) has been deactivated and is not available by default. See the java.security.Security property jdk.tls.disabledAlgorithms in <JRE_HOME>/lib/security/java.security file.

If SSLv3 is absolutely required, the protocol can be reactivated by removing "SSLv3" from the jdk.tls.disabledAlgorithms property in the java.security file or by dynamically setting this Security property to "true" before JSSE is initialized.

To easily locate the java.security file on your system:

$ updatedb
$ locate java.security
# This returned the following on my workstation:
/etc/java-7-openjdk/security/java.security
/usr/lib/jvm/java-7-openjdk-amd64/jre/lib/security/java.security

Comment out the following line from the file listed by the previous ‘locate’ command:

# File: /etc/java-7-openjdk/security/java.security
#jdk.tls.disabledAlgorithms=SSLv3

You should now be able to connect to the DRAC unit without issue.

UPDATE - Aug 11 2015

I recently pushed some updates on my workstation, and this error surfaced again.

What changed?

$ grep java /var/log/dpkg.log
2015-08-05 15:52:23 conffile /etc/java-7-openjdk/security/java.security install

The java.security file was altered. Fortunately, dpkg provided a backup of the older configuration file, java.security.dpkg-old. The differences:

$ diff -U0 /etc/java-7-openjdk/security/java.security.dpkg-old /etc/java-7-openjdk/security/java.security.orig | grep -v "#"
@@ -441 +441,58 @@
+jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
+
+jdk.tls.legacyAlgorithms= \
+        K_NULL, C_NULL, M_NULL, \
+        DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
+        DH_RSA_EXPORT, RSA_EXPORT, \
+        DH_anon, ECDH_anon, \
+        RC4_128, RC4_40, DES_CBC, DES40_CBC

The original fix must be applied again: comment out “jdk.tls.disabledAlgorithms”:

$ diff -U0 /etc/java-7-openjdk/security/java.security.orig /etc/java-7-openjdk/security/java.security
@@ -441 +441 @@
-jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
+#jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
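Review bot: the "+" line comments out the whole jdk.tls.disabledAlgorithms property, so the "DH keySize < 768" restriction on the "-" line is dropped together with SSLv3. Consider keeping the property and removing only the SSLv3 entry, leaving "jdk.tls.disabledAlgorithms=DH keySize < 768", which matches the release-notes wording about removing "SSLv3" from the property. Since the dpkg log above shows this conffile being replaced by a package update, the edit also needs re-checking after each upgrade.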

You should now be able to connect to the DRAC.
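Added example, not from the original post: the release notes quoted above speak of removing "SSLv3" from jdk.tls.disabledAlgorithms, which leaves other entries such as "DH keySize < 768" in force, whereas commenting out the line drops them all. The script below reads the effective property from a java.security-style file and prints the narrowed value; the function names get_security_prop and drop_token and the sample file contents are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: read jdk.tls.disabledAlgorithms and drop only the SSLv3 entry.

# Print the effective value of KEY in a java.security-style FILE: skips comment
# lines, joins backslash continuations, and lets the last assignment win.
get_security_prop() {  # usage: get_security_prop KEY FILE
  awk -v key="$1" '
    !cont && /^[ \t]*[#!]/ { next }
    {
      cur = $0
      if (cont) sub(/^[ \t]+/, "", cur)
      line = buf cur; buf = ""; cont = 0
      if (line ~ /\\$/) { sub(/\\$/, "", line); buf = line; cont = 1; next }
      eq = index(line, "=")
      if (eq == 0) next
      k = substr(line, 1, eq - 1); gsub(/[ \t]/, "", k)
      if (k == key) { v = substr(line, eq + 1); found = 1 }
    }
    END {
      if (!found) exit 1
      gsub(/^[ \t]+|[ \t]+$/, "", v); print v
    }' "$2"
}

# Remove one entry from a comma-separated list, keeping the others intact.
drop_token() {  # usage: drop_token TOKEN "a, b, c"
  printf '%s\n' "$2" | awk -v drop="$1" -F',' '{
    out = ""
    for (i = 1; i <= NF; i++) {
      t = $i; gsub(/^[ \t]+|[ \t]+$/, "", t)
      if (t == "" || t == drop) continue
      out = (out == "") ? t : (out ", " t)
    }
    print out
  }'
}

# Constructed sample mirroring the post-update lines shown above.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#jdk.tls.disabledAlgorithms=SSLv3
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \
        RC4_128, RC4_40
EOF

current=$(get_security_prop jdk.tls.disabledAlgorithms "$SAMPLE")
echo "current : jdk.tls.disabledAlgorithms=$current"
echo "narrowed: jdk.tls.disabledAlgorithms=$(drop_token SSLv3 "$current")"
```

Pointing get_security_prop at the real java.security path after a package upgrade shows whether the property has been reset, which is the situation described in the update above.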
