SSL-Secured AMX Admin Server of AMX 3.3.0 Hotfix Cannot be Accessed by Firefox Browser Later Than 18.0.x, IE 9, 10, and Chrome 42.0.2311.90
Article ID: KB0075108
Updated On:
| Products | Versions |
|---|---|
| TIBCO ActiveMatrix Service Grid | 3.3.0 GA or with Hotfixes |
Description
The issue:
When trying to access SSL-secured AMX 3.3.0 Admin server (e.g., AMX 3.3.0 HF09-V143 applied), the Admin server URL is not accessible in Firefox 37.0.2, IE 9 and 10, and Chrome 42.0.2311.90 m.
The error shown on the browser screen is:
--------------
(FireFox 37.0.2 browser)
Secure Connection Failed
An error occurred during a connection to <admin_host>:<port>. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
- The page you are trying to view cannot be shown because the authority of the received data could not be verified.
- Please contact the website owners to inform them of this problem.
--------------
=================
(Chrome 42.0.2311.90 m browser)
This webpage is not available
ERR_SSL_VERSION_OR_CIPHER _MISMATCH
A secure connection cannot be established because this site uses an unsupported protocol.
=================
Root cause:
This is a browser issue. The Admin server cannot be accessed by these browsers versions because the self-signed certificate shipped by AMX is not supported by the browsers versions.
How do we prove it is a browser issue?
If you inspect the self-signed SSL cert which is used by AMX Admin HTTPS Server, it is using cipher “TLS_DHE_DSS_WITH_AES_128_CBC_SHA”.
Now if you go to site “www.howsmyssl.com” (use your browser, e.g., FireFox 37.0.2) it lists the ciphers used by browser (in order), and you will see that your browser does not support that cipher.
Firefox 37.0 has stopped support for DSA certificates and hence the DSS ciphers, see the following link:
https://www.mozilla.org/en-US/firefox/37.0/releasenotes/
When trying to access SSL-secured AMX 3.3.0 Admin server (e.g., AMX 3.3.0 HF09-V143 applied), the Admin server URL is not accessible in Firefox 37.0.2, IE 9 and 10, and Chrome 42.0.2311.90 m.
The error shown on the browser screen is:
--------------
(FireFox 37.0.2 browser)
Secure Connection Failed
An error occurred during a connection to <admin_host>:<port>. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
- The page you are trying to view cannot be shown because the authority of the received data could not be verified.
- Please contact the website owners to inform them of this problem.
--------------
=================
(Chrome 42.0.2311.90 m browser)
This webpage is not available
ERR_SSL_VERSION_OR_CIPHER _MISMATCH
A secure connection cannot be established because this site uses an unsupported protocol.
=================
Root cause:
This is a browser issue. The Admin server cannot be accessed by these browsers versions because the self-signed certificate shipped by AMX is not supported by the browsers versions.
How do we prove it is a browser issue?
If you inspect the self-signed SSL cert which is used by AMX Admin HTTPS Server, it is using cipher “TLS_DHE_DSS_WITH_AES_128_CBC_SHA”.
Now if you go to site “www.howsmyssl.com” (use your browser, e.g., FireFox 37.0.2) it lists the ciphers used by browser (in order), and you will see that your browser does not support that cipher.
Firefox 37.0 has stopped support for DSA certificates and hence the DSS ciphers, see the following link:
https://www.mozilla.org/en-US/firefox/37.0/releasenotes/
Issue/Introduction
SSL-Secured AMX Admin Server of AMX 3.3.0 Hotfix cannot be accessed by Firefox browser later than 18.0.x, IE 9, 10, and Chrome 42.0.2311.90 because the self-signed certificate shipped by AMX is not supported by the browser
Environment
All supported OS platforms
Resolution
If you use a web browser that is listed in the AMX 3.3.0 (GA or Hotfix) Readme, then it works.
Additional Information
TAP-14093, TAP-16052
Attachments
Feedback
Yes
No
Powered by
