10-17-2017 11:26 AM
Linux Redhat 6.9
I just successfully migrated from 14.2.0 to 14.3.1
The Java client works fine but I am having problems with the HTML web page.
The HTML web page was working fine in 14.2.0
I receive the following error when connecting to https://<myBNAIP>
Secure Connection Failed. Cannot communicate securely with peer: no common encryption algorithm(s).
Error code: SSL_ERROR_NO_CYPHER_OVERLAP
This probably has something to do with certs but I cannot find where the problem lies.
10-18-2017 12:39 AM
Which browser (Firefox) and version (>= 50.0) are you using?
Try the following on your BNA server
10-19-2017 09:20 AM
Thanks for your response Martin.
I looked at the jdk.tls.disabledAlgorithms setting and RC4 is already in there.
Here are the various responses from browsers. It looks like I need a cert of some kind but I did not have to do this in 14.2.0.
Did they change something in the new version?
An error occurred during a connection to BNA. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
Usually Firefox will let you make an exception but it does not with BNA.
There is a problem with this website’s security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.
IE did allow me to proceed but the web site did not come up.
Attackers might be trying to steal your information from storage3 (for example, passwords, messages, or credit cards).
I clicked on the advanced options and selected "Proceed to site" and Chrome let me into the website.
10-20-2017 11:27 AM
Which Java version are you using? Notice that BNA is using a self-signed certificate (CA) for https - from the RN
A delay of 5 to 7 minutes is seen when Web Tools is launched on a system (through Network Advisor or directly in a web browser) where internet access is not available and the network does not return a ‘destination unreachable’ message. This issue occurs as Java tries to validate the SSL certificates with external CAs. This problem can be avoided on such systems by modifying the below Java properties:
On Windows: C:\Users\<logged in username>\AppData\LocalLow\Sun\Java\Deployment\deployment.properties
On Linux: home/< logged in user name>/.java/deployment/deployment.properties
In the ‘deployment.properties’ file, edit the below parameters and set them to ‘false’. If these parameters are not present, add them and save the file. Then re-launch Web tools.
deployment.security.validation.ocsp = false
deployment.security.validation.crl = false
For Firefox, it sounds like the following is the issue (not RC4, but SHA-1):
Firefox browser will restrict the user from launching the Fabric Insight Portal with a warning - “Secure Connection Failed”. This is due to the disabling of the weak hashing algorithm (SHA-1) in Network Advisor. As Firefox cannot use the recommended hash algorithm (SHA-2 and above) due to no overlap between the ciphers supported by Network Advisor server and those supported by Firefox with SHA-2, it is recommended not to use this browser. This issue will not occur in other browsers (Chrome and Internet Explorer) as they use the recommended hash algorithm (SHA-2 and above).
If user wishes to launch the application in Firefox regardless of the security issue, then the workaround for this issue would be to remove the SHA-1 algorithm from the disabled algorithms list in java.security file present on the Network Advisor server.
- Navigate to <Network Advisor Home>\jre64\lib\security directory to open java.security file and remove SHA1 from the disabled algorithm list.
jdk.tls.disabledAlgorithms=MD5, DES, 3DES, DESede, RC2, DHE, DH, ECDHE, ECDH, SSLv3, RC4, MD5withRSA, SHA1, DSA, DH keySize < 768, \
    EC keySize < 224, RSA keySize < 2048
- Restart all the Network Advisor services through Service Management Console.
10-20-2017 12:04 PM
I did some research and found that Firefox does have SHA-2 enabled. However, after reading a bunch of Mozilla articles, Firefox will not roll over to SHA-2 for some reason.
I removed SHA-1 from the jdk.tls.disabledAlgorithms and all three browsers can now get into BNA.
Thanks for the workaround.
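The cipher overlap discussed in this thread can be worked through offline. The following is an added example, not code from any of the posts or from the product: it takes the jdk.tls.disabledAlgorithms value quoted above and reports which client suites it rules out, and by which entry. The client suite list is a constructed sample, and the token matching is a simplified model of how the JDK compares disabled names against cipher suite names.

```python
# Added example: simplified model of jdk.tls.disabledAlgorithms name matching.
# The value below is the one quoted in the thread (line continuation joined).
DISABLED = ("MD5, DES, 3DES, DESede, RC2, DHE, DH, ECDHE, ECDH, SSLv3, RC4, "
            "MD5withRSA, SHA1, DSA, DH keySize < 768, EC keySize < 224, "
            "RSA keySize < 2048")

# Constructed sample (assumption): suites offered by a Firefox release of
# that period. Not taken from the thread.
CLIENT_OFFER = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

def parse_disabled(value):
    """Bare algorithm names only; 'X keySize < N' entries limit key length,
    not suite names, so they are skipped here."""
    return {e.strip().upper() for e in value.split(",")
            if e.strip() and "keySize" not in e}

def components(suite):
    """Split TLS_<kx>_WITH_<cipher>_<mac> into tokens to compare."""
    kx, _, rest = suite[len("TLS_"):].partition("_WITH_")
    tokens = set(kx.split("_")) | set(rest.split("_"))
    if rest.endswith("_SHA"):      # a trailing SHA is HMAC-SHA1
        tokens.add("SHA1")
    if "3DES" in tokens:           # 3DES is also known as DESede
        tokens.add("DESEDE")
    return tokens

def blocked_by(suite, disabled):
    """Disabled entries that rule this suite out (empty list = usable)."""
    return sorted(components(suite) & disabled)

def overlap(offer, disabled):
    """Client suites the disabled list does not rule out. The server must
    also have them enabled for a handshake to succeed."""
    return [s for s in offer if not blocked_by(s, disabled)]

if __name__ == "__main__":
    for label, names in (("as shipped", parse_disabled(DISABLED)),
                         ("SHA1 removed", parse_disabled(DISABLED) - {"SHA1"})):
        print(label, "->", overlap(CLIENT_OFFER, names) or "no common suite")
```

With this sample offer, the only suites that survive once SHA1 is removed are the two TLS_RSA_WITH_AES_*_CBC_SHA ones, because every ECDHE and DHE suite is still ruled out by the key-exchange entries in the list.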