Im coding a client-server chat application. I want to encrypt connection between those two. Im doing that for my first time and I find it difficult. In my understanding I need a truststore for client and a keystore for server. I have followed this guide to generate them:http://peoplesofttutorial.com/generating-key-store-and-trust-store-using-keytool/
Client:
System.setProperty("javax.net.ssl.trustStore" , "hrms.truststore");
System.setProperty("javax.net.ssl.trustStorePassword" , "123456");
SSLSocketFactory sslsf = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLsocket = (SSLSocket) sslsf.createSocket(server, port);
Server:
System.setProperty("javax.net.ssl.keyStore" , "pskey.keystore");
System.setProperty("javax.net.ssl.keyStorePassword","123456");
SSLServerSocketFactory sslsocketfactory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
sslserversocket = (SSLServerSocket) sslsocketfactory.createServerSocket(Port);
Server is starting correctly. When I connect a client which is run on the same computer as the server is then I can connect without any issues but when I connect from different computer which is on the same network I get this error: javax.net.ssl.SSLException: Received fatal alert: internal_error
Could anyone help me solve this error?
I have solved my issue. My trust store and keystone were in my project files, but when I compiled it to runnable jar I thought that trust store and keystore are included in that runnable jar, unfortunately they are not. I solved it by putting truststore and keystore in one folder with the runnable jar.
Solution was really simple and the whole problem occurred because of my inexperience.
Thank you for help.
Related
I am getting this error: javax.net.ssl.SSLHandshakeException: no cipher suites in common
when trying to do an SSL socket communication between java server and android client.
I used this line to create the keyfile: keytool -genkey -keystore mySrvKeystore -keyalg RSA
server code:
System.setProperty("javax.net.ssl.keyStore","mySrvKeystore.key");
System.setProperty("javax.net.ssl.keyStorePassword","1234567");
private SSLServerSocketFactory sslserversocketfactory =
(SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
private SSLServerSocket sslserversocket;
private SSLSocket sslsocket;
sslserversocket= (SSLServerSocket) sslserversocketfactory.createServerSocket(port);
sslsocket = (SSLSocket) sslserversocket.accept();
client code:
System.setProperty("javax.net.ssl.trustStore","mySrvKeystore.key");
System.setProperty("javax.net.ssl.trustStorePassword","1234567");
sslsocket = (SSLSocket) sslsocketfactory.createSocket(serverAddr, SERVERPORT);
private SSLSocketFactory sslsocketfactory = (SSLSocketFactory)
SSLSocketFactory.getDefault();
private SSLSocket sslsocket;
Any idea how to solve this issue ?
Is it possible that the connection is failing because the server's certificate is self-signed ?
Thanks.
You must be changing the enabled cipher suites in either your SSLServerSocket or your SSLSocket. Don't do that. If you must, make sure you set a subset that is supported by both peers.
EDIT In your client code, you have
System.setProperty("javax.net.ssl.trustStore","mySrvKeystore.key");
i.e. you are using the server keystore as the client truststore. Don't do that. The keystore contains the private key and it shouldn't reside anywhere except at the server. You need to export the server certificate from that keystore and import it into the client truststore as a trusted CA certificate.
Android uses slightly different approach to setup up a secure connection. Please take a look at this post:
Android Trusting SSL Certificates
I'm trying to write a service in Grails to send push notifications to update passbook passes. I got to the point where I could test to see if the code to connect to the APN server was working, however, I cannot seem to establish a connection using the Java SSLSocket methods.
The first part of the connection works, I receive the certificate from the server and find a trusted certificate in the certificate chain; however, after that, for some reason my client certificate / certificate chain is not ever sent to the server, and hence the connection fails.
I can't seem to figure out why the certificate is not being sent, I use the following code to set up the keystore:
void setupSSLPropertiesForConnection() {
System.setProperty("javax.net.ssl.keyStore", "superSecretFile.p12")
System.setProperty("javax.net.ssl.keyStorePassword", "superSecretPassword")
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12")
System.setProperty("javax.net.ssl.trustStore", "trustStoreFile")
System.setProperty("javax.net.ssl.trustStorePassword", "trustStorePassword")
System.setProperty("javax.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol")
}
and then to try and connect to the APN server:
setupSSLPropertiesForConnection()
SSLSocketFactory factory = (SSLSocketFactory)SSLSocketFactory.getDefault()
SSLSocket socket = (SSLSocket)factory.createSocket("gateway.push.apple.com", 2195)
I've looked at the PKCS12 file using Java's keytool and there is only one alias, which contains the entire certificate chain for my passbook certificate (certificate, WWDR, Apple Certificate), so I'm stuck on why the certificate isn't being sent when it's requested. Any help as to why it's not sending the certificate information would be muchly appreciated!
Edit: Also, if someone were to post a method of getting a SSL certificate from a .p12 used to sign passes or simply from the passbook certificate downloaded from the iOS dev portal, that is known to work, then I might be able to work backwards from that to figure out what it is I'm doing wrong.
Now I feel silly, apparently the filenames for my client PKCS12 file and the trust store file were both wrong, but in setting the keystore and truststore using the System.setProperty, it doesn't throw any error if the files cannot be found or opened.
I tried changing my code so that I am creating SSLSocketFactory from an SSLContext created with a TrustManagerFactory and a KeyManagerFactory, and when I tried that it threw FileNotFoundError. Now it seems to be working at least. Sigh.
I'm writing an Android client for a system that requires me open an SSLSocket to a proxy server, do a tunnel handshake and then create ANOTHER SSLSocket over the tunnel. Here is my code to create the tunnel:
SSLSocketFactory sslsocketfactory = securityService.getSslContextNoCerts().getSocketFactory();
SSLSocket sslSocket = (SSLSocket) sslsocketfactory.createSocket(proxyAddress.getAddress(),
proxyAddress.getPort());
sslSocket.setEnabledProtocols(new String[] { SecurityService.TLS10 });
sslSocket.setEnabledCipherSuites(SecurityService.CIPHERS);
sslSocket.startHandshake();
Then I do tunnel handshake and then:
SSLSocketFactory sslsocketfactory = securityService.getSslContext().getSocketFactory();
hostSocket = (SSLSocket) sslsocketfactory.createSocket(tunnel,
InetAddress.getByAddress(remoteAddress.getIpAddress()).getHostAddress(),
remoteAddress.getPort(), false);
hostSocket.setUseClientMode(false);
hostSocket.setNeedClientAuth(true);
securityService.setEnabledProtocols(hostSocket);
hostSocket.setEnabledCipherSuites(SecurityService.DATASESSION_CIPHERS);
hostSocket.startHandshake();
At this point I get an SSLProtocolException with this message:
error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (external/openssl/ssl/s23_srvr.c:589 0xad12b3f0:0x00000000)
Anybody know how I can achieve this? I know your first question would be why layer SSL over SSL, but I'm writing a client for and EXISTING system that requires it.
Any help would be much appreciated.
Zhubin
Ok I finally fixed this problem. For some reason when I use org.apache.harmony.xnet.provider.jsse.OpenSSLProvider (Android default SSL provider), SSL over SSL does not work. So I switched to org.apache.harmony.xnet.provider.jsse.JSSEProvider and now everything works fine.
Your code looks correct. As it doesn't work, I suggest you have misunderstood the requirement, or it has been misrepresented to you. I suggest you only need to keep using the original SSLSocket. Try it. I find it vanishingly unlikely that any real system works in the way you have described. Not only would its performance be abysmal; the server would have to have the same kind of double-SSL coding that you have here: and how would it know when to do that and when not? Once the tunnel is created the proxy just copies bytes. I bet that just continuing to use the original SSL connection will work.
I have a client written in C# and server in JAVA. So, when I'm trying to connect I got error in server javax.net.ssl.SSLHandshakeException: no cipher suites in common and in C# "EOF or 0 bytes".
[C#]:
TcpClient tc = new TcpClient(server, 1337);
using (sslStream = new SslStream(tc.GetStream())){ }
[JAVA]:
SSLServerSocketFactory ssocketFactory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
SSLServerSocket server = (SSLServerSocket) ssocketFactory.createServerSocket(1337);
server.setEnabledCipherSuites(server.getEnabledCipherSuites());
And JAVA launch properties:
-Djavax.net.ssl.trustStore=Certificatename -Djavax.net.ssl.trustStorePassword=thereisapw -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol -Djavax.net.debug=ssl TCPServer
The truststore defines how you're going to trust remote certificates that are presented to you. The keystore is for the certificates you have (and for which you have the private key). (More details about the difference here. The terminology about "keystore" can be confusing, since it can have two meanings).
Here, you're trying to run a server, but you haven't set up your own certificate. You need to import/create a certificate in a keystore and use it as a keystore.
If you don't specify a keystore, the server won't be able to find a cert/key. As a result, it won't be able to use any of the cipher suites enabled by default.
I'm not sure where you got this from, but you don't need it: -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
For secure server sockets in order to send the server certificate, all I do is initialize SSLContext with a KeyManagerFactory.getKeyManagers() that has been initialized with my keystore.
But how can I do this in client side?
I.e. for client I do:
System.setProperty("javax.net.ssl.keyStore", "clientKeystore.keystore");
System.setProperty("javax.net.ssl.keyStorePassword", "secret");
System.setProperty("javax.net.ssl.trustStore", "clientKeystore.keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "secret");
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 7890);
I use the same keystore as trust store. I assume that just for looking arround JSSE it is ok.
Problem is that I get in the server part (I have setNeedClientAuth in the serversocket to true).
Exception in thread "main" javax.net.ssl.SSLHandshakeException: null cert chain
So how am I supposed to configure the client side to send a certificate?Isn't the system properties a correct approach?
Because I do not see how the SSLContext can be used in client side.
Thank you!
You do not have to set a specific configuration on the client side to use a certificate for authentication. Maybe some intermediate CAs are missing in the keystore, and the client is not able to build a certificate path from the trust anchor sent by the server and therefore cannot determine if the certificate is suitable for authentication.
You can add the system property javax.net.debug to all to print the debug stream on the standard output. Maybe you can get more information on the error.