Bug 38170 - There is no supported cipher suites for archive.apache.org
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: java-1.8.0-openjdk
Version: unstable
Hardware: x86_64 Linux
Importance: P5 normal
Assignee: Andrey Cherepanov
QA Contact: qa-sisyphus
Reported: 2020-03-02 11:09 MSK by Alexey
Modified: 2021-02-02 15:39 MSK

Attachments
java code to get list of available cipher suites in the system (1.12 KB, text/x-java)
2020-03-02 11:09 MSK, Alexey
Java code to check SSL socket (4.29 KB, text/x-java)
2020-03-02 11:14 MSK, Alexey

Description Alexey 2020-03-02 11:09:33 MSK
Created attachment 8643
java code to get list of available cipher suites in the system

I discovered that there are no supported cipher suites in any Alt Linux docker container.
I use the attached Java code to get the list of supported cipher suites.
You can compile it with javac Ciphers.java and run it with java Ciphers

This is the list of available cipher suites in alt:p9
Default	Cipher
*	TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*	TLS_DHE_DSS_WITH_AES_256_CBC_SHA
*	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
*	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
*	TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
*	TLS_DHE_RSA_WITH_AES_256_CBC_SHA
*	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
*	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
*	TLS_EMPTY_RENEGOTIATION_INFO_SCSV
*	TLS_RSA_WITH_AES_128_CBC_SHA
*	TLS_RSA_WITH_AES_128_CBC_SHA256
*	TLS_RSA_WITH_AES_128_GCM_SHA256
*	TLS_RSA_WITH_AES_256_CBC_SHA
*	TLS_RSA_WITH_AES_256_CBC_SHA256
*	TLS_RSA_WITH_AES_256_GCM_SHA384

And this is the list of available cipher suites from CentOS 7

Default	Cipher
*	TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*	TLS_DHE_DSS_WITH_AES_256_CBC_SHA
*	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
*	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
*	TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
*	TLS_DHE_RSA_WITH_AES_256_CBC_SHA
*	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
*	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
*	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
*	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
*	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
*	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
*	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
*	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
*	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
*	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
*	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
*	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
*	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
*	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
*	TLS_EMPTY_RENEGOTIATION_INFO_SCSV
*	TLS_RSA_WITH_AES_128_CBC_SHA
*	TLS_RSA_WITH_AES_128_CBC_SHA256
*	TLS_RSA_WITH_AES_128_GCM_SHA256
*	TLS_RSA_WITH_AES_256_CBC_SHA
*	TLS_RSA_WITH_AES_256_CBC_SHA256
*	TLS_RSA_WITH_AES_256_GCM_SHA384

This is the list for the archive.apache.org server

       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
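
Added example, not part of the original report or its attachments: a small Java diagnostic that intersects the JVM's enabled and supported cipher suites with the server list quoted above, and prints two things that commonly remove ECDHE suites (no EC provider, or entries in jdk.tls.disabledAlgorithms). The class name CipherOverlap is an assumption; the server list is copied from the description.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (not one of the bug's attachments): compare this JVM's TLS
// cipher suites with the server list quoted in the description.
public class CipherOverlap {
    // Server-side suites copied from the report above.
    static final String[] SERVER = {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    };

    // Suites present in both lists, in the server's order.
    static Set<String> overlap(String[] client, String[] server) {
        Set<String> common = new LinkedHashSet<>(Arrays.asList(server));
        common.retainAll(Arrays.asList(client));
        return common;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        System.out.println("java.version      : " + System.getProperty("java.version"));
        System.out.println("enabled protocols : " + Arrays.toString(enabled.getProtocols()));
        System.out.println("enabled overlap   : " + overlap(enabled.getCipherSuites(), SERVER));
        System.out.println("supported overlap : " + overlap(supported.getCipherSuites(), SERVER));

        // ECDHE suites need an EC implementation from some JCA provider.
        try {
            System.out.println("EC provider       : "
                + KeyPairGenerator.getInstance("EC").getProvider().getName());
        } catch (NoSuchAlgorithmException e) {
            System.out.println("EC provider       : none (" + e.getMessage() + ")");
        }
        // Algorithms switched off by java.security or a crypto-policy override.
        System.out.println("jdk.tls.disabledAlgorithms: "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));
    }
}
```

Compile with javac CipherOverlap.java and run with java CipherOverlap inside the container; an empty overlap on both lines means no suite from the quoted server list can be negotiated by this JVM.
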
Comment 1 Alexey 2020-03-02 11:14:00 MSK
Created attachment 8644
Java code to check SSL socket
Comment 2 obirvalger@altlinux.org 2020-03-02 16:21:34 MSK
What version of Java was used?
Comment 3 Alexey 2020-03-02 16:31:50 MSK
I don't think that this problem is related to the Java version. I've tried lower and greater versions of Java in CentOS.

openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-b04)
OpenJDK 64-Bit Server VM (build 25.212-b04, mixed mode)
Comment 4 Alexey 2020-03-02 16:32:51 MSK
java-1.8.0-openjdk-1.8.0.212.b04-alt2_0jpp8.x86_64
Comment 5 obirvalger@altlinux.org 2020-03-02 16:34:08 MSK
Was Java installed from our repository?
Comment 6 Alexey 2020-03-02 16:45:35 MSK
I installed it in a docker container; I didn't change anything in it.
docker run -it --rm alt:p9

It has these repositories enabled:

rpm [p9] http://mirror.yandex.ru/altlinux p9/branch/x86_64 classic
rpm [p9] http://mirror.yandex.ru/altlinux p9/branch/x86_64-i586 classic
rpm [p9] http://mirror.yandex.ru/altlinux p9/branch/noarch classic
Comment 7 Alexey 2020-03-13 13:10:44 MSK
Another problem occurs related to this issue. 

Could not HEAD 'http://repo.maven.apache.org/maven2/org/apache/thrift/libthrift/0.9.3/libthrift-0.9.3.pom'. Received status code 501 from server: HTTPS Required

If I change the Maven repo URL to https://, the following error occurs:

> javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Comment 8 Repository Robot 2021-02-02 15:39:23 MSK
java-1.8.0-openjdk-0:1.8.0.272.b10-alt3_0.3.eajpp8 -> sisyphus:

 Tue Feb 02 2021 Andrey Cherepanov <cas@altlinux> 0:1.8.0.272.b10-alt3_0.3.eajpp8
 - Remove crypto policy support that disable TLS1.3 (ALT #38170)