Designer not opening with Java 8u51

After updating Java I am getting an error.

Ignition server:
Ignition 7.7.4 (b2015033012)
Java 1.8.0_45
Windows 7 Pro
SSL is configured with a certificate on a non-standard port

Client:
When Java 1.8.0_45 is installed, the designer opens as expected
When Java 1.8.0_51 is installed, I get the Java splash screen, but then get an error box: Unable to launch the application.
When I click the Details button, I get the following info:

javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source) at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.access$200(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection$9.run(Unknown Source) at java.security.AccessController.doPrivileged(Native Method) at java.security.AccessController.doPrivileged(Unknown Source) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source) at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source) at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source) at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source) at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source) at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source) at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source) at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source) at com.sun.javaws.Launcher.updateFinalLaunchDesc(Unknown Source) at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source) at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source) at com.sun.javaws.Launcher.launch(Unknown Source) at com.sun.javaws.Main.launchApp(Unknown Source) at com.sun.javaws.Main.continueInSecureThread(Unknown Source) at com.sun.javaws.Main.access$000(Unknown Source) at com.sun.javaws.Main$1.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Caused by: java.io.EOFException: SSL peer shut down incorrectly at sun.security.ssl.InputRecord.read(Unknown Source) ... 30 more

We’re aware of this and fixed it in 7.7.5 (releasing this week, hopefully). Unfortunately Oracle got 8u51 out the door before we could finish preparing 7.7.5.

The only workarounds are to either temporarily disable SSL or to revert to 8u45.

Well that answers my question! Thanks. :smiley:
For what its worth, I had similar issue this AM but using standard SSL port and AD hybrid authentication. Kept telling me my name/password was invalid. I’ll patiently wait for 7.7.5…

Ignition server:
Ignition 7.7.4 (b2015033012)
Java 1.8.0_45
Windows Server 2012 / Ubuntu 14.04.02
SSL is configured with a certificate on standard port

We have another work around for the SSL issue now.

In your ignition.conf file, add another additional parameter:

-Dciphers=LS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Not all 35 of these ciphers will be necessary, but since there are a lot of variables involved we haven’t tested to see how far it can be pared down and still work in most cases. Using -Dciphers should work for all versions of Ignition from 7.6.4 on, but I’ve only tested on 7.7.4.

How do we revert to u45?

You need to uninstall Java, and the reinstall 8u45 from the archived versions: oracle.com/technetwork/java/ … 77648.html

Applying the workaround Kathy posted would be preferable to this, in my opinion.

That worked. Thanks. Just need to reboot after reverting.

The 7.7.5 release is now available: inductiveautomation.com/downloads/ignition

Looks like 7.7.5 also fixed a couple other minor irritations I had… Thanks!

We have v7.6.7 and I have tried to add the “-Dciphers=…” into the config without success. I may not have done this properly though. First I copied and pasted those lines at the end of the conf file. However I am still connecting with RC4_128. I assume now that generating new key or cert will NOT solve this. Can I further assume the only solution is to force Ignition to accept connections at higher encryption levels that were not removed in Java update 51.

Can I please get further guidance on how to do this correctly?

p.s. Upgrading to 7.7.5 is not an option at this time, though I have tested to see that update 51 does work.

[quote=“Sam5”]We have v7.6.7 and I have tried to add the “-Dciphers=…” into the config without success. I may not have done this properly though. First I copied and pasted those lines at the end of the conf file. However I am still connecting with RC4_128. I assume now that generating new key or cert will NOT solve this. Can I further assume the only solution is to force Ignition to accept connections at higher encryption levels that were not removed in Java update 51.

Can I please get further guidance on how to do this correctly?

p.s. Upgrading to 7.7.5 is not an option at this time, though I have tested to see that update 51 does work.[/quote]

You need to add the “-Dcipers=…” to the “wrapper.java.additional” section of ignition.conf and then restart.

For example, if 10 was the next available param:

wrapper.java.additional.10=-Dciphers=LS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

I got the lines added to the next “wrapper.java.additional” line correctly, and can now actually connect using the Designer. However, I can only connect using IE, neither Chrome or Firefox can connect, essentially secure connection failed or connection closed errors.

I am going to assume that at this time there is not much to be done further? Well thank you for your assistance, at least customers can open the designer which is what we need most.

[quote=“Sam5”]I got the lines added to the next “wrapper.java.additional” line correctly, and can now actually connect using the Designer. However, I can only connect using IE, neither Chrome or Firefox can connect, essentially secure connection failed or connection closed errors.

I am going to assume that at this time there is not much to be done further? Well thank you for your assistance, at least customers can open the designer which is what we need most.[/quote]

I’ll ask QA if they have tested -Dciphers wokraround on 7.6.7 and get back to you.

I have 3 main browsers plus Designer working now with both client & server running u51. I simply removed most of the encrypt options down to;
wrapper.java.additional.8=-Dciphers=
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

The first option is what solved issue with Chrome & Firefox’s connection. As for me, this issue is resolved (that is until next Java update :slight_smile:

[quote=“Sam5”]I have 3 main browsers plus Designer working now with both client & server running u51. I simply removed most of the encrypt options down to;
wrapper.java.additional.8=-Dciphers=
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256

The first option is what solved issue with Chrome & Firefox’s connection. As for me, this issue is resolved (that is until next Java update :slight_smile:[/quote]
Everything worked fine for me in all browsers on 7.6.7 with all ciphers included in the parameter. Are you using a certificate? If so, which certificate authority issued your certificate?