Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1576037 - Avocent KVM viewer doesn't work with IcedTea plugin
Summary: Avocent KVM viewer doesn't work with IcedTea plugin
Alias: None
Product: Fedora
Classification: Fedora
Component: icedtea-web
Version: 28
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: jiri vanek
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2018-05-08 16:03 UTC by bpk678
Modified: 2018-06-14 13:26 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-06-14 13:26:38 UTC
Type: Bug

Attachments (Terms of Use)
Java console output (38.21 KB, application/octet-stream)
2018-05-08 16:03 UTC, bpk678
no flags Details

Description bpk678 2018-05-08 16:03:38 UTC
Created attachment 1433290 [details]
Java console output

Description of problem:
Avocent KVM viewer does not work with IcedTea plugin on F28.  Connection Failed message is received.

Version-Release number of selected component (if applicable):

How reproducible:
all the time

Steps to Reproduce:
1. log into KVM
2. attempt to launch KVM viewer
3. receive connection failed message

Actual results:
no KVM functionality works

Expected results:
KVM console window would appear and give console access to device

Additional info:
see attached output

Comment 1 Afox 2018-05-08 21:15:10 UTC
I can confirm this.

Comment 2 Afox 2018-05-16 11:11:38 UTC
for me the problem exists when trying to run the idrac 6 virtual console.

Comment 3 bpk678 2018-05-17 00:36:01 UTC
i am using HP IMPI remote access cards for the Microserver N54L.  i just updated the firmware to latest version, 1.4 (from 1.3) and the issue still occurs.

Comment 4 Afox 2018-05-18 13:17:58 UTC
I just checked on Fedora 27 and it is working there with Icedtea-web 1.7.1-5.fc27.

Comment 5 jiri vanek 2018-05-18 13:50:29 UTC
Wait. You are saying it is working in f27 and not in f28?

connecting http://vpn-ipmi.bpk2.com:80/software/avctKVMIOLinux.jar
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
     at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:710)
     at sun.security.ssl.InputRecord.read(InputRecord.java:527)

And notifying f27x28 few nits:

was jdk used in f27 also u171?
were the system crypto policies  same? (update-crypto-policies --show)
Maybe used  crypto policies changed between f27 and f28?
try update-crypto-policies --set LEGACY for check.
Maybe ITW have issue swith enforcing of https - try to put deployment.https.noenforce=true  into  ~/.config/icedtea-web/deployment.properties

Sorry for little ehelp., this is quite hard to reproduce as both idrac and  impi and avocado are proprietary and you need something to observe (btw, clue how to debug this locally will be appreciated). Also I recall dell (idrac)  have ITW in supported platforms.

Comment 6 Afox 2018-05-18 14:21:01 UTC
For me setting the crypto-policies to LEGACY worked :-)

Comment 7 bpk678 2018-05-18 22:28:33 UTC
i was using F24 or F26 previously and performed an inplace upgrade via dnf system-upgrade to F28.  after the upgrade to F28 it stopped working.

i have a practice of keeping very up-to-date while using a "supported" version of fedora (run dnf upgrade every few days), so i likely used most of the available versions of java/icedtea while on F24 or F26.

[brendan@desktop ~]$ update-crypto-policies --show

setting update-crypto-policies to LEGACY "fixes" the problem.

i am willing to attend a teamviewer or hangout session and share my screen for diagnostics.

Comment 8 jiri vanek 2018-05-22 15:19:58 UTC
Unluckily not much diagnostic needed.
Unless somebody in this thread disagree,  I', for closing this bug as "not a bug"

Your servers are using some cryptographic settings
Your client is using some cryptographic settings

Until now, there was intersection, so they could communicate.
F28 removed insecure and legacy algorithms, so now the intersection is empty.

By update-crypto-policies -- set LEGACY you enable this intersection again.

The correct fix would be to adjust the servers to current century and newest security.

Note You need to log in before you can comment on or make changes to this bug.