New Contributor
Posts: 4
Registered: ‎08-16-2016
Accepted Solution

BNA 14.3.1 HTTPS SSL error

Linux Redhat 6.9

I just successfully migrated from 14.2.0 to 14.3.1

The Java client works fine but I am having problems with the HTML web page.

The HTML web page was working fine in 14.2.0

 

I receive the following error when connecting to https://<myBNAIP>

 

Secure Connection Failed. Cannot communicate securely with peer: no common encryption algorithm(s).

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

 

This probably has something to do with certs but I cannot find where the problem lies.

 

Brocade Moderator
Posts: 414
Registered: ‎03-29-2011

Re: BNA 14.3.1 HTTPS SSL error

Hi Rick,

 

Which browser (Firefox) and version (>= 50.0) are you using?

 

https://www.fxsitecompat.com/en-CA/docs/2016/rc4-support-has-been-completely-removed/

 

Try the following on your BNA server

 

RC4 can be disabled by modifying a config file in BNA. See instructions below:

1. Stop BNA service

2. Open file: <Network Advisor Home>\jre64\lib\security\java.security

3. Add ‘RC4’ to the line below:

jdk.tls.disabledAlgorithms=SSLv3, MD5, DES, 3DES, RC2, RC4

4. Start BNA service
 
Note: Prior to modifying the config file, please back up the original file.



If this provided you with a solution to this issue, please mark it with the button at the bottom "Accept as solution".


Any and all information provided by me is not reviewed, approved or endorsed by Brocade and is provided solely as a convenience for Brocade customers. All systems and all networks are different and unique. If you have a service affecting network problem, please open a TAC service request for service through Brocade, or through your OEM equipment provider.
New Contributor
Posts: 4
Registered: ‎08-16-2016

Re: BNA 14.3.1 HTTPS SSL error

Thanks for your response Martin.
I looked at the jdk.tls.disabledAlgorithms setting and RC4 is already in there.

Here are the various responses from browsers.  It looks like I need a cert of some kind but I did not have to do this in 14.2.0.
Did they change something in the new version?

Firefox (55.x)
An error occurred during a connection to BNA. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
Usually Firefox will let you make an exception but it does not with BNA.

IE
There is a problem with this website’s security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority.
IE did allow me to proceed but the web site did not come up.

Chrome
Attackers might be trying to steal your information from storage3 (for example, passwords, messages, or credit cards).
NET::ERR_CERT_AUTHORITY_INVALID
I clicked on the advanced options and selected "Proceed to site" and Chrome let me into the website.

Brocade Moderator
Posts: 414
Registered: ‎03-29-2011

Re: BNA 14.3.1 HTTPS SSL error

Hi Rick,

 

Which Java version are you using? Notice that BNA is using a self-signed certificate (CA) for HTTPS. From the RN:

 

 A delay of 5 to 7 minutes is seen when Web Tools is launched on a system (through Network Advisor or directly in a web browser) where internet access is not available and the network does not return a ‘destination unreachable’ message. This issue occurs as Java tries to validate the SSL certificates with external CAs. This problem can be avoided on such systems by modifying the below Java properties:

 

On Windows: C:\Users\<logged in username>\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

On Linux: /home/<logged in user name>/.java/deployment/deployment.properties

 

In the ‘deployment.properties’ file, edit the below parameters and set them to ‘false’. If these parameters are not present, add them and save the file. Then re-launch Web tools.

deployment.security.validation.ocsp = false

deployment.security.validation.crl = false

 

For Firefox, it sounds like the following is the issue (not RC4, but SHA-1):

 

Firefox browser will restrict the user from launching the Fabric Insight Portal with a warning - “Secure Connection Failed”. This is due to the disabling of the weak hashing algorithm (SHA-1) in Network Advisor. As Firefox cannot use the recommended hash algorithm (SHA-2 and above) due to no overlap between the ciphers supported by Network Advisor server and those supported by Firefox with SHA-2, it is recommended not to use this browser. This issue will not occur in other browsers (Chrome and Internet Explorer) as they use the recommended hash algorithm (SHA-2 and above).
If the user wishes to launch the application in Firefox regardless of the security issue, then the workaround for this issue would be to remove the SHA-1 algorithm from the disabled algorithms list in the java.security file present on the Network Advisor server.


- Navigate to the <Network Advisor Home>\jre64\lib\security directory, open the java.security file and remove SHA1 from the disabled algorithm list.


jdk.tls.disabledAlgorithms=MD5, DES, 3DES, DESede, RC2, DHE, DH, ECDHE, ECDH, SSLv3, RC4, MD5withRSA, SHA1, DSA, DH keySize < 768, \ EC keySize < 224, RSA keySize < 2048


- Restart all the Network Advisor services through Service Management Console.




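The two java.security edits in this thread (adding RC4 to jdk.tls.disabledAlgorithms in the first reply, removing SHA1 from it in this one) are the same operation on the same property, which in a real java.security file usually spans several backslash-continued lines (the stray "\" in the line quoted above is that continuation). The POSIX shell helper below is an added example, not code from the thread or from Brocade: it reads the property the way Java's property loader does (joining continued lines), compares entries case-insensitively, keeps a timestamped backup before touching the file as the moderator advises, and rewrites the property as a single line. The function names, the sample file it constructs for its demo and the assumed location <Network Advisor Home>/jre64/lib/security/java.security are assumptions. Two caveats a practitioner should weigh before applying either workaround: removing SHA1 from jdk.tls.disabledAlgorithms re-enables SHA-1 in the TLS handshake for every client, not only Firefox, and setting deployment.security.validation.ocsp/crl to false turns off certificate revocation checking for the Java client on that user account. The tls_probe function needs OpenSSL 1.0.2 or later for -sigalgs, which is newer than the OpenSSL that RHEL 6.9 ships, so run it from another host.

```shell
#!/bin/sh
# Added example (not from the thread or from Brocade): manage entries of
# jdk.tls.disabledAlgorithms in a java.security file, as the two workarounds
# above do by hand. Assumed BNA path (an assumption, not from the thread):
#   <Network Advisor Home>/jre64/lib/security/java.security
# Usage: ./tls_disabled_algs.sh get|has|add|remove FILE [ALG]   or   ... demo

# One entry per line, whitespace trimmed, empty entries dropped.
_normalise() { tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$'; }
# Back to the "A, B, C" form the file uses.
_join() { paste -sd, - | sed 's/,/, /g'; }

# Print the effective value of jdk.tls.disabledAlgorithms. Java joins a line
# ending in a backslash with the next one, so the reader must do the same.
jdk_tls_disabled_get() {
    awk '
        /^jdk\.tls\.disabledAlgorithms[ \t]*=/ { sub(/^[^=]*=/, ""); inprop = 1 }
        inprop {
            cont = ($0 ~ /\\[ \t]*$/)        # continuation line?
            sub(/\\[ \t]*$/, "")
            val = val $0
            if (!cont) { print val; exit }
        }
    ' "$1" | _normalise | _join
}

# Exit 0 if ALG (case-insensitive, whole entry) is currently disabled.
jdk_tls_disabled_has() {
    jdk_tls_disabled_get "$1" | _normalise | grep -qixF -- "$2"
}

# Add or remove ALG, keeping a timestamped backup and collapsing the property to
# one line. Restart the BNA services afterwards; the JVM reads this at start-up.
jdk_tls_disabled_set() {
    file=$1 action=$2 alg=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ -n "$alg" ] || { echo "usage: jdk_tls_disabled_set FILE add|remove ALG" >&2; return 2; }
    cur=$(jdk_tls_disabled_get "$file")
    case $action in
        add)
            if jdk_tls_disabled_has "$file" "$alg"; then
                echo "$alg is already disabled; no change" >&2; return 0
            fi
            new="${cur:+$cur, }$alg" ;;
        remove)
            new=$(printf '%s\n' "$cur" | _normalise | grep -vixF -- "$alg" | _join) ;;
        *)  echo "usage: jdk_tls_disabled_set FILE add|remove ALG" >&2; return 2 ;;
    esac
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp=$(mktemp) || return 1
    awk -v newval="$new" '
        /^jdk\.tls\.disabledAlgorithms[ \t]*=/ && !done {
            print "jdk.tls.disabledAlgorithms=" newval
            done = 1; skip = ($0 ~ /\\[ \t]*$/); next
        }
        skip { skip = ($0 ~ /\\[ \t]*$/); next }   # drop the old continuation lines
        { print }
        END { if (!done) print "jdk.tls.disabledAlgorithms=" newval }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"     # cat keeps the file owner and mode
    rm -f "$tmp"
}

# Handshake check from a client that offers only SHA-2 signature algorithms:
# prints the negotiated cipher, or the alert when the server has no overlap.
# Needs OpenSSL 1.0.2+ for -sigalgs (newer than RHEL 6.9's), so run it elsewhere.
tls_probe() {
    openssl s_client -connect "$1:${2:-443}" -sigalgs 'RSA+SHA256:ECDSA+SHA256' \
        </dev/null 2>&1 | grep -E 'Cipher is|alert|Verify return'
}

# Constructed sample for the demo: modelled on the line quoted in the thread and
# split with backslash continuations as the real file is. Not a real BNA file.
write_sample_java_security() {
    cat > "$1" <<'EOF'
# constructed sample java.security
security.provider.1=sun.security.provider.Sun
jdk.tls.disabledAlgorithms=MD5, DES, 3DES, DESede, RC2, DHE, DH, ECDHE, ECDH, SSLv3, RC4, \
    MD5withRSA, SHA1, DSA, DH keySize < 768, \
    EC keySize < 224, RSA keySize < 2048
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
EOF
}

case "${1:-}" in
    get)        jdk_tls_disabled_get "$2" ;;
    has)        jdk_tls_disabled_has "$2" "$3" && echo "$3 is disabled" ;;
    add|remove) jdk_tls_disabled_set "$2" "$1" "$3" && jdk_tls_disabled_get "$2" ;;
    demo)       d=$(mktemp -d) && write_sample_java_security "$d/java.security"
                jdk_tls_disabled_set "$d/java.security" remove SHA1   # the Firefox workaround
                jdk_tls_disabled_get "$d/java.security" ;;
esac
```

Running `./tls_disabled_algs.sh demo` builds the sample, removes SHA1 and prints the resulting single-line property; `./tls_disabled_algs.sh has /path/to/java.security RC4` is the check the original poster did by eye. The backup is left beside the file as java.security.bak.<timestamp> so the change can be reverted with a single copy once a SHA-2 certificate is in place.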
New Contributor
Posts: 4
Registered: ‎08-16-2016

Re: BNA 14.3.1 HTTPS SSL error

Thanks Martin.

 

I did some research and found that Firefox does have SHA-2 enabled. However, after reading a bunch of Mozilla articles, Firefox will not roll over to SHA-2 for some reason.

I removed SHA-1 from the jdk.tls.disabledAlgorithms and all three browsers can now get into BNA.

 

Thanks for the workaround.
