reposilite: Error finalising cipher/No Cipher Suite matching '...' is supported
What happened?
When using a Let’s Encrypt certificate, Reposilite prints a “No Cipher Suite matching ‘…’ is supported” message (for both .pem and .jks formats). When using a self-signed certificate, it throws a BadPaddingException.
Reposilite version
3.x
Relevant log output
With Let's Encrypt certificate:
No Cipher Suite matching 'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384' is supported
No Cipher Suite matching 'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256' is supported
With self-signed certificate:
nl.altindag.ssl.exception.PrivateKeyParseException: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
at nl.altindag.ssl.util.PemUtils.extractPrivateKeyInfo(PemUtils.java:508)
at nl.altindag.ssl.util.PemUtils.lambda$parsePrivateKey$10(PemUtils.java:479)
at java.base/java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:197)
at java.base/java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1602)
at java.base/java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:129)
at java.base/java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:527)
at java.base/java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:513)
at java.base/java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:499)
at java.base/java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:150)
at java.base/java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
at java.base/java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:647)
at nl.altindag.ssl.util.PemUtils.parsePrivateKey(PemUtils.java:482)
at nl.altindag.ssl.util.PemUtils.parseIdentityMaterial(PemUtils.java:395)
at nl.altindag.ssl.util.PemUtils.loadIdentityMaterial(PemUtils.java:367)
at nl.altindag.ssl.util.PemUtils.loadIdentityMaterial(PemUtils.java:298)
at io.javalin.community.ssl.util.SSLUtils.parseIdentity(SSLUtils.java:81)
at io.javalin.community.ssl.util.SSLUtils.getSslFactory(SSLUtils.java:51)
at io.javalin.community.ssl.util.SSLUtils.getSslFactory(SSLUtils.java:37)
at io.javalin.community.ssl.SSLPlugin.createJettyServerPatcher(SSLPlugin.java:143)
at io.javalin.community.ssl.SSLPlugin.apply(SSLPlugin.java:76)
at io.javalin.plugin.PluginManager.initializePlugins(PluginManager.kt:38)
at io.javalin.config.JavalinConfig$Companion.applyUserConfig(JavalinConfig.kt:47)
at io.javalin.config.JavalinConfig.applyUserConfig(JavalinConfig.kt)
at io.javalin.Javalin.create(Javalin.java:93)
at com.reposilite.web.HttpServer.createJavalin(HttpServer.kt:65)
at com.reposilite.web.HttpServer.start(HttpServer.kt:45)
at com.reposilite.Reposilite.launch(Reposilite.kt:64)
at com.reposilite.ReposiliteLauncherKt.main(ReposiliteLauncher.kt:22)
Caused by: org.bouncycastle.pkcs.PKCSException: unable to read encrypted data: Error finalising cipher
at org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo.decryptPrivateKeyInfo(Unknown Source)
at nl.altindag.ssl.decryptor.BouncyFunction.lambda$andThen$0(BouncyFunction.java:37)
at nl.altindag.ssl.util.PemUtils.extractPrivateKeyInfo(PemUtils.java:496)
... 27 more
Caused by: org.bouncycastle.crypto.io.InvalidCipherTextIOException: Error finalising cipher
at org.bouncycastle.jcajce.io.CipherInputStream.finaliseCipher(Unknown Source)
at org.bouncycastle.jcajce.io.CipherInputStream.nextChunk(Unknown Source)
at org.bouncycastle.jcajce.io.CipherInputStream.read(Unknown Source)
at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
at org.bouncycastle.util.io.Streams.pipeAll(Unknown Source)
at org.bouncycastle.util.io.Streams.readAll(Unknown Source)
... 30 more
Caused by: javax.crypto.BadPaddingException: pad block corrupted
at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher$BufferedGenericBlockCipher.doFinal(Unknown Source)
at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2090)
... 36 more
About this issue
- State: closed
- Created a year ago
- Comments: 18 (8 by maintainers)
Commits related to this issue
- GH-1696 Exclude `org.bountycastle` from minimize & fix typo in PEM cfg (Fix #1696) — committed to dzikoysk/reposilite by dzikoysk a year ago
- GH-1698 Exclude `org.eclipse.jetty.http2` from minimize (Fix #1698) — committed to yangdy-buji/reposilite by dzikoysk a year ago
Sorry everyone for the delay on this issue, I believe we have found the issue and a fix is on the way!
Regarding this message, there is nothing wrong with it, I’ll try to suppress it since it will probably happen on most JVMs.
Regarding this exception, I can’t actually debug it without the certificate, but I suspect it is a problem with the file or the encoding itself.
@JNNGL
That is completely normal; they show up because I’m setting Mozilla’s recommended settings (https://wiki.mozilla.org/Security/Server_Side_TLS) and some JVM providers/Conscrypt might not support some of them. But every single other cipher suite should work, and that’s enough.
This looks like a wrong password/key, from what I can see in the stack trace. Sadly without them I can’t reproduce it.
The date is wrong, given that the screenshot was taken yesterday. Set it correctly and that would let you connect.
It’s starting both H2 and http1.1, including an ALPN extension that should upgrade any http1.1 connection by default if supported.
I’ll investigate this now.
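
The explanation given above for the "No Cipher Suite matching" lines (a configured suite list containing names the JVM's TLS provider does not offer) can be checked before startup. The following is an added example, not code from Reposilite, Javalin or this thread: the class name and the requested list are constructed for illustration, and only the two DHE names come from the log in the report.

```java
import javax.net.ssl.SSLContext;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class CipherSuitePreflight {
    // Constructed sample list: the two DHE names are taken from the log above,
    // the other two are standard JSSE suite names added for illustration.
    static final List<String> REQUESTED = List.of(
            "TLS_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256");

    enum Status { ENABLED_BY_DEFAULT, SUPPORTED_NOT_DEFAULT, UNSUPPORTED }

    // Classify each requested suite against what the JVM offers,
    // keeping the requested (preference) order.
    static Map<String, Status> classify(List<String> requested,
                                        Set<String> supported, Set<String> enabled) {
        Map<String, Status> result = new LinkedHashMap<>();
        for (String suite : requested) {
            if (enabled.contains(suite)) result.put(suite, Status.ENABLED_BY_DEFAULT);
            else if (supported.contains(suite)) result.put(suite, Status.SUPPORTED_NOT_DEFAULT);
            else result.put(suite, Status.UNSUPPORTED);
        }
        return result;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<>(Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        Map<String, Status> report = classify(REQUESTED, supported, enabled);
        report.forEach((suite, status) -> System.out.println(status + "  " + suite));

        // Unsupported entries only produce a warning; an empty usable set is the real failure.
        long usable = report.values().stream().filter(s -> s != Status.UNSUPPORTED).count();
        if (usable == 0) {
            System.err.println("No requested cipher suite is available on this JVM");
            System.exit(1);
        }
    }
}
```

Run it on the same JVM and with the same security providers as the server, since the supported set depends on both.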