I need to have one client and one server to communicate with each other on a secure channel. The client is a Java app, the server is a ucspi-ssl server, here for more details: https://www.fehcom.de/ipnet/ucspi-ssl/man/sslserver.1.html.
I want communication to be simple, without using http.
What I am trying to achieve:
Communication has to be encrypted;
Server has to authenticate the client.
Here is what I have done so far:
Created client private key and client self signed certificate:
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -x509 -days 365 -out client-certificate.pem
Inserted both private key and certificate into client keystore:
openssl pkcs12 -inkey client-key.pem -in client-certificate.pem -export -out client-certificate.p12
Created server private key and server self signed certificate:
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -x509 -days 365 -out server-certificate.pem
Added server certificate to client truststore:
keytool -import -trustcacerts -file server-certificate.pem -keypass password -storepass password -keystore clienttruststore.jks
Created DH param file:
openssl dhparam -out /etc/ssl/dh2048.pem 2048
At this point, If I were using a Java SSL server I would specify the server keystore containing the server certificate and private keyand the server truststore filled with the client certificate it needs to validate. But in ucspi-ssl server implementation there is no concept of keystore or truststore. For what my understanding is, given environment variables need to be set:
X509 certificate and encryption options:
-3 Read a null-terminated key password from file descriptor 3.
-m (Mail.) Require valid client certificates, but don't check for
matching FQDN.
-z (Host.) Require valid client certificates and match FQDN (if
given) against SAN/DN.
-Z (Default.) Do not require client certificates.
SSL ENVIRONMENT VARIABLES READ
These variables define the run-time environment of sslserver and are
used to specify X509 certificates and keyfile per connection.
$SSL_USER=name
The user, reading the certificates and keyfile.
$SSL_GROUP=group
The respective user group.
$SSL_UID=uid
The numerical UID of the $SSL_USER.
$SSL_CHROOT=path
Perform reading of certificates and keyfile in a $SSL_CHROOT
jail.
$CAFILE=path
If set, overrides the compiled-in CA file name. The CA file
contains the list of CAs used to verify the client certificate.
Certificates in $CAFILE are processed when the server starts.
$CADIR=path
If set, overrides the compiled-in CA directory name. The CA
directory contains certificates files used to verify the client
certificate. This list augments the list from $CAFILE.
Certificates in $CADIR are processed during certificate
verification.
$CERTFILE=path
If set, overrides the compiled-in certificate file name. The
server presents this certificate to clients.
$CERTCHAINFILE=path
If set, overrides the compiled-in certificate chainfile name.
The server presents this list of certificats to clients. Note:
Providing $CERTCHAINFILE has precedence over $CERTFILE.
Certificates in this file needs to be 'ordered' starting from
the uppermost root certificates and placing your host's
it's certificate.
$VERIFYDEPTH=n
If set, overrides the compiled-in verification depth. Default:
1.
$CCAFILE=path
If set, overrides the compiled-in client CA file name for client
certificate request. The client CA file contains the list of
CAs sent to the client when requesting a client certificate.
Note: Setting of $CCAFILE is required while using the option -z
or -m. However, declaring $CCAFILE="-" disables (on a per-
connection base) the client certificate request.
$CCAVERIFY
If set, sslserver requests a valid client certificate on a per-
connection base, unlike the general option -z.
SSL ENVIRONMENT VARIABLES SET
In case sslserver is called with the option -e, the following mod_ssl
environment variables are provided:
SSL_PROTOCOL
The TLS protocol version (SSLv3, TLSv1, ...).
SSL_SESSION_ID
The hex-encoded SSL session id.
SSL_CIPHER
The cipher specification name.
SSL_CIPHER_USEKEYSIZE
Number of cipher bits (actually used).
SSL_CIPHER_ALGKEYSIZE
Number of cipher bits (possible).
SSL_VERSION_INTERFACE
The mod_ssl program version.
SSL_VERSION_LIBRARY
The OpenSSL program version.
SSL_CLIENT_M_VERSION
The version of the client certificate.
SSL_CLIENT_M_SERIAL
The serial of the client certificate.
SSL_CLIENT_S_DN
Subject DN in client's certificate.
SSL_CLIENT_A_SIG
Algorithm used for the signature of client's certificate.
SSL_CLIENT_A_KEY
Algorithm used for the public key of client's certificate.
SSL_CLIENT_CERT
PEM-encoded client certificate.
SSL_CLIENT_CERT_CHAIN n
PEM-encoded certificates in client certificate chain.
SSL_CLIENT_VERIFY
NONE, SUCCESS, GENEROUS or FAILED:reason.
SSL_SERVER_M_SERIAL
The serial of the server certificate.
SSL_SERVER_S_DN
Subject DN in server's certificate.
SSL_SERVER_S_DN_x509
Component of server's Subject DN.
SSL_SERVER_I_DN
Issuer DN of server's certificate.
SSL_SERVER_I_DN_x509
Component of server's Issuer DN.
SSL_SERVER_V_START
Validity of server's certificate (start time).
SSL_SERVER_V_END
Validity of server's certificate (end time).
SSL_SERVER_A_SIG
Algorithm used for the signature of server's certificate.
SSL_SERVER_A_KEY
Algorithm used for the public key of server's certificate.
SSL_SERVER_CERT
PEM-encoded server certificate.
How can I inform ucspi-ssl server that the client certificate can be trusted and perform client authentication?
I have tried to run the server with the following command:
sslserver -v -m localhost 12345 ./some_script.sh
with the following environment variables set:
DHFILE=/etc/ssl/dh2048.pem
CERTFILE=server-certificate.pem
KEYFILE=server-key.pem
Here is the java SSL client code:
try {
// Client key store
System.setProperty("https.protocols", "SSLv3");
System.setProperty("javax.net.debug", "all");
KeyStore keyStore = KeyStore.getInstance("PKCS12");
String password = "password";
InputStream inputStream = ClassLoader.getSystemClassLoader().getResourceAsStream("/home/centuri0n/reservations/ssl/client-certificate.p12");
keyStore.load(inputStream, password.toCharArray());
// Client trust store
KeyStore trustStore = KeyStore.getInstance("JKS");
String password2 = "password";
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
InputStream inputStream1 = ClassLoader.getSystemClassLoader().getResourceAsStream("/home/centuri0n/reservations/ssl/clienttruststore.jks");
trustStore.load(inputStream1, password2.toCharArray());
trustManagerFactory.init(trustStore);
X509TrustManager x509TrustManager = null;
for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
if (trustManager instanceof X509TrustManager) {
x509TrustManager = (X509TrustManager) trustManager;
break;
}
}
if (x509TrustManager == null) throw new NullPointerException();
// KeyManagerFactory ()
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
keyManagerFactory.init(keyStore, password.toCharArray());
X509KeyManager x509KeyManager = null;
for (KeyManager keyManager : keyManagerFactory.getKeyManagers()) {
if (keyManager instanceof X509KeyManager) {
x509KeyManager = (X509KeyManager) keyManager;
break;
}
}
if (x509KeyManager == null) throw new NullPointerException();
// set up the SSL Context
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(new KeyManager[]{x509KeyManager}, new TrustManager[]{x509TrustManager}, null);
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
SSLSocket kkSocket = (SSLSocket) socketFactory.createSocket("127.0.0.1", 12345);
kkSocket.setUseClientMode(false);
kkSocket.setEnabledProtocols(new String[]{"TLSv1","TLSv1.1","TLSv1.2","TLSv1.3"});
kkSocket.setEnabledCipherSuites(new String[]{"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
});
PrintWriter out = new PrintWriter(kkSocket.getOutputStream(), true);
BufferedReader in = new BufferedReader(
new InputStreamReader(kkSocket.getInputStream()));
BufferedReader stdIn =
new BufferedReader(new InputStreamReader(System.in));
String fromServer;
String fromUser;
while ((fromServer = in.readLine()) != null) {
System.out.println("Server: " + fromServer);
if (fromServer.equals("Bye."))
break;
fromUser = stdIn.readLine();
if (fromUser != null) {
System.out.println("Client: " + fromUser);
out.println(fromUser);
}
}
}catch (IOException e){
e.printStackTrace();
} catch (UnrecoverableKeyException e) {
throw new RuntimeException(e);
} catch (CertificateException e) {
throw new RuntimeException(e);
} catch (KeyStoreException e) {
throw new RuntimeException(e);
} catch (NoSuchProviderException e) {
throw new RuntimeException(e);
} catch (KeyManagementException e) {
throw new RuntimeException(e);
}
When I start the client, it blocks for about 10 seconds with the following debug messages:
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DH_anon_WITH_DES_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DH_anon_WITH_DES_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_RSA_WITH_NULL_SHA256
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_RSA_WITH_NULL_SHA256
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_RSA_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_RSA_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_anon_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_anon_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.611 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_WITH_NULL_MD5
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.611 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_WITH_NULL_MD5
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.612 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.612 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.612 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.612 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.617 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.617 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.617 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.617 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.619 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.619 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.619 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.621 CET|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.622 CET|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.627 CET|SSLConfiguration.java:458|System property jdk.tls.client.SignatureSchemes is set to 'null'
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.641 CET|SSLConfiguration.java:458|System property jdk.tls.server.SignatureSchemes is set to 'null'
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.642 CET|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384 for TLSv1.2
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.642 CET|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_AES_128_GCM_SHA256 for TLSv1.2
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.642 CET|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256 for TLSv1.2
then, client timeouts and exits:
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.685 CET|SSLSocketInputRecord.java:481|Raw read: EOF
javax.net.ssl|ERROR|10|main|2023-01-27 18:21:07.687 CET|TransportContext.java:363|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1714)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1513)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:920)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1011)
at java.base/sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:270)
at java.base/sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:313)
at java.base/sun.nio.cs.StreamDecoder.read(StreamDecoder.java:188)
at java.base/java.io.InputStreamReader.read(InputStreamReader.java:176)
at java.base/java.io.BufferedReader.fill(BufferedReader.java:162)
at java.base/java.io.BufferedReader.readLine(BufferedReader.java:329)
at java.base/java.io.BufferedReader.readLine(BufferedReader.java:396)
at org.example.App.main(App.java:75)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:483)
at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:472)
at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
... 12 more}
)
javax.net.ssl|ALL|10|main|2023-01-27 18:21:07.687 CET|SSLSessionImpl.java:1221|Invalidated session: Session(1674840041640|SSL_NULL_WITH_NULL_NULL)
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketOutputRecord.java:71|WRITE: TLSv1.3 alert(handshake_failure), length = 2
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketOutputRecord.java:85|Raw write (
0000: 15 03 03 00 02 02 28 ......(
)
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketImpl.java:1754|close the underlying socket
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketImpl.java:1780|close the SSL connection (passive)
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1714)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1513)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:920)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1011)
at java.base/sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:270)
at java.base/sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:313)
at java.base/sun.nio.cs.StreamDecoder.read(StreamDecoder.java:188)
at java.base/java.io.InputStreamReader.read(InputStreamReader.java:176)
at java.base/java.io.BufferedReader.fill(BufferedReader.java:162)
at java.base/java.io.BufferedReader.readLine(BufferedReader.java:329)
at java.base/java.io.BufferedReader.readLine(BufferedReader.java:396)
at org.example.App.main(App.java:75)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:483)
at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:472)
at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
... 12 more
Process finished with exit code 0
Here is the formatted and cleaned up Java client code, and ucspi-ssl server environment variables needed to make the ssl communication between the two parties work.
JAVA CLIENT CODE:
try {
System.setProperty("javax.net.debug", "all");
String keystore_path = "<keystore_path>";
String keystore_password = "<keystore_password>";
String truststore_path = "<truststore_path>";
String truststore_password = "<truststore_password>";
//Keystore
KeyStore keystore = KeyStore.getInstance("PKCS12");
keystore.load(new FileInputStream(keystore_path), keystore_password.toCharArray());
KeyManagerFactory key_manager_factory = KeyManagerFactory.getInstance("SunX509");
key_manager_factory.init(keystore, keystore_password.toCharArray());
//Truststore
KeyStore truststore = KeyStore.getInstance("PKCS12");
truststore.load(new FileInputStream(truststore_path), truststore_password.toCharArray());
TrustManagerFactory trust_manager_factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trust_manager_factory.init(truststore);
//SSL Context
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(key_manager_factory.getKeyManagers(), trust_manager_factory.getTrustManagers(), null);
//SSL Socket
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
SSLSocket ssl_socket = (SSLSocket) socketFactory.createSocket("server_ip", 12345);
ssl_socket.setUseClientMode(true);
ssl_socket.setEnabledProtocols(new String[]{"TLSv1.3"});
ssl_socket.setEnabledCipherSuites(new String[]{"TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}); //Cyphers supported by both client and ucspi-ssl server
//In and out streams
PrintWriter out = new PrintWriter(ssl_socket.getOutputStream(), true);
BufferedReader in = new BufferedReader(new InputStreamReader(ssl_socket.getInputStream()));
//You can now interact with the server using input and output streams
} catch (IOException | KeyManagementException | KeyStoreException | UnrecoverableKeyException |
CertificateException | NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
SERVER ENVIRONMENT VARIABLES:
KEYFILE=server-key.pem
CERTFILE=server-certificate.pem
CAFILE=client-certificate.pem
CCAFILE=client-certificate.pem
DHFILE=/etc/ssl/dh2048.pem
Server is started by launching:
sslserver -v -m localhost 12345 ./some_script.sh
My application is running on jdk1.8.0_221 & tomcat 8 on Kubernetes.
When I try to connect to the URL using wget with the same certificate able to complete the call.
But when I try to connect using Java application its failing with error "Received fatal alert: handshake_failure".
Following are the ssl logs:
Is initial handshake: true
Is secure renegotiation: false
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, setSoTimeout(30000) called
Ignoring disabled protocol: SSLv3
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1560217405 bytes = { 75, 51, 117, 237, 75, 213, 47, 220, 209, 236, 129, 21, 83, 91, 45, 173, 87, 8, 4, 62, 50, 51, 160, 94, 255, 240, 62, 68 }
Session ID: {}
Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
***
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, WRITE: TLSv1.2 Handshake, length = 119
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, READ: TLSv1.2 Alert, length = 2
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, RECV TLSv1.2 ALERT: fatal, handshake_failure
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, called closeSocket()
Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
22-Dec-2019 06:03:42.674 WARNING [Timer-2,grails-cache-ehcache,hushly-deployment-7bcf9d98cf-lwtlk-20370] org.jgroups.ping.kube.KubePing.doReadAll Problem getting Pod json from Kubernetes Client[masterUrl=https://10.100.0.1:443/api/v1, headers={}, connectTimeout=5000, readTimeout=30000, operationAttempts=3, operationSleep=1000, streamProvider=org.openshift.ping.common.stream.TokenStreamProvider#880aefb] for cluster [grails-cache-ehcache], namespace [default], labels [app=hushly]; encountered [java.lang.Exception: 3 attempt(s) with a 1000ms sleep to execute [OpenStream] failed. Last failure was [javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]]
Below is the code which used to prepare SSLSocketFactory:
X509Certificate cert = (X509Certificate)certFactory.generateCertificate(pemInputStream);
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load((LoadStoreParameter)null);
String alias = cert.getSubjectX500Principal().getName();
trustStore.setCertificateEntry(alias, cert);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(kmf.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
sslsocketfactory = sslContext.getSocketFactory();
What am I missing here ?
I recently received a certificate from Commodo and I'm trying to integrate it with my Scala Spray Server. I have an trait to configure my Spray sever:
import java.io.{BufferedInputStream, FileInputStream}
import java.security.{SecureRandom, KeyStore}
import java.security.cert.{X509Certificate, CertificateFactory}
import javax.net.ssl.{TrustManagerFactory, KeyManagerFactory, SSLContext}
import spray.io._
import org.apache.camel.util.jsse._
// for SSL support (if enabled in application.conf)
trait MySSLConfig {
// if there is no SSLContext in scope implicitly the HttpServer uses the default SSLContext,
// since we want non-default settings in this example we make a custom SSLContext available here
implicit def sslContext: SSLContext = {
val keyStoreResource = "/home/ubuntu/key.jks"
val password = "password"
val keyStore = KeyStore.getInstance("jks")
keyStore.load(getClass.getResourceAsStream(keyStoreResource), password.toCharArray)
val keyManagerFactory = KeyManagerFactory.getInstance("SunX509")
keyManagerFactory.init(keyStore, password.toCharArray)
val trustManagerFactory = TrustManagerFactory.getInstance("SunX509")
trustManagerFactory.init(keyStore)
val context = SSLContext.getInstance("TLS")
context.init(keyManagerFactory.getKeyManagers, trustManagerFactory.getTrustManagers, new SecureRandom)
context
}
implicit def sslEngineProvider: ServerSSLEngineProvider = {
ServerSSLEngineProvider { engine =>
engine.setEnabledCipherSuites(Array("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"))
engine.setEnabledProtocols(Array("SSLv3", "TLSv1.2", "TLSv1", "TLSv1.1"))
engine
}
}
}
However I am getting this error at runtime when I try and request my uri with https
2015-09-15 02:06:54,662 - [ERROR] - from akka.actor.OneForOneStrategy in NflDbApiActorSystemConfig-akka.actor.default-dispatcher-11
Unsupported ciphersuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
at sun.security.ssl.CipherSuite.valueOf(CipherSuite.java:235) ~[na:1.7.0_79]
at sun.security.ssl.CipherSuiteList.<init>(CipherSuiteList.java:82) ~[na:1.7.0_79]
at sun.security.ssl.SSLEngineImpl.setEnabledCipherSuites(SSLEngineImpl.java:2014) ~[na:1.7.0_79]
at com.suredbits.dfs.config.MySSLConfig$$anonfun$sslEngineProvider$1.apply(MySslConfig.scala:34) ~[suredbits-dfs.suredbits-dfs-0.0.1.jar:0.0.1]
at com.suredbits.dfs.config.MySSLConfig$$anonfun$sslEngineProvider$1.apply(MySslConfig.scala:33) ~[suredbits-dfs.suredbits-dfs-0.0.1.jar:0.0.1]
at scala.Option.map(Option.scala:145) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.SSLEngineProviderCompanion$$anonfun$apply$3.apply(SslTlsSupport.scala:408) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.SSLEngineProviderCompanion$$anonfun$apply$3.apply(SslTlsSupport.scala:408) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.ServerSSLEngineProvider$$anon$3.apply(SslTlsSupport.scala:427) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.ServerSSLEngineProvider$$anon$3.apply(SslTlsSupport.scala:425) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.HttpServerConnection$$anon$1.sslEngine(HttpServerConnection.scala:78) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.RequestParsing$$anon$1$$anon$2.<init>(RequestParsing.scala:41) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.RequestParsing$$anon$1.apply(RequestParsing.scala:39) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.RequestParsing$$anon$1.apply(RequestParsing.scala:37) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.RawPipelineStage$$anon$3.apply(Pipelines.scala:117) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.RawPipelineStage$$anon$3.apply(Pipelines.scala:116) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.RawPipelineStage$$anon$3.apply(Pipelines.scala:116) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.RawPipelineStage$$anon$3.apply(Pipelines.scala:116) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.RawPipelineStage$$anon$3.apply(Pipelines.scala:116) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.RawPipelineStage$$anon$3.apply(Pipelines.scala:116) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.io.ConnectionHandler$class.running(ConnectionHandler.scala:56) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.HttpServerConnection.running(HttpServerConnection.scala:29) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.HttpServerConnection.register(HttpServerConnection.scala:68) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.HttpServerConnection$$anonfun$receive$1.applyOrElse(HttpServerConnection.scala:49) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at akka.actor.Actor$class.aroundReceive(Actor.scala:465) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at spray.can.server.HttpServerConnection.aroundReceive(HttpServerConnection.scala:29) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at akka.actor.ActorCell.receiveMessage(ActorCell.scala:516) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at akka.actor.ActorCell.invoke(ActorCell.scala:487) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:254) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at akka.dispatch.Mailbox.run(Mailbox.scala:221) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at akka.dispatch.Mailbox.exec(Mailbox.scala:231) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339) ~[suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979) [suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107) [suredbits-dfs-nfl-assembly-0.0.1.jar:0.0.1]
Can anyone provide any insight as to why I am getting this error?
EDIT:
I upgraded the jdk to 1.8 as #Steffen Ullrich which yields a new error that I am receiving:
2015-09-15 15:14:51,717 - [ERROR] - from spray.can.server.HttpServerConnection in NflDbApiActorSystemConfig-akka.actor.default-dispatcher-7
Aborting encrypted connection to my-ip due to [SSLHandshakeException:no cipher suites in common] -> [SSLHandshakeException:no cipher suites in common]
2015-09-15 15:14:51,881 - [ERROR] - from spray.can.server.HttpServerConnection in NflDbApiActorSystemConfig-akka.actor.default-dispatcher-4
Aborting encrypted connection to my-ip due to [SSLHandshakeException:no cipher suites in common] -> [SSLHandshakeException:no cipher suites in common]
2015-09-15 15:14:52,029 - [ERROR] - from spray.can.server.HttpServerConnection in NflDbApiActorSystemConfig-akka.actor.default-dispatcher-10
Aborting encrypted connection to my-ip due to [SSLHandshakeException:Client requested protocol TLSv1.1 not enabled or not supported] -> [SSLHandshakeException:Client requested protocol TLSv1.1 not enabled or not supported]
2015-09-15 15:14:52,184 - [ERROR] - from spray.can.server.HttpServerConnection in NflDbApiActorSystemConfig-akka.actor.default-dispatcher-2
Aborting encrypted connection to my-ip due to [SSLHandshakeException:Client requested protocol TLSv1 not enabled or not supported] -> [SSLHandshakeException:Client requested protocol TLSv1 not enabled or not supported]
EDIT2:
I modified this line
engine.setEnabledCipherSuites(sslContext.getServerSocketFactory.getSupportedCipherSuites)
which gives me a list of cipher suites that includes
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
however I am still getting this error:
2015-09-15 18:43:55,690 - [INFO] - from org.apache.camel.util.jsse.SSLContextParameters in NflDbApiActorSystemConfig-akka.actor.default-dispatcher-9
Available providers: SUN version 1.8.
2015-09-15 18:43:55,696 - [ERROR] - from spray.can.server.HttpServerConnection in NflDbApiActorSystemConfig-akka.actor.default-dispatcher-4
Aborting encrypted connection to my-ip due to [SSLHandshakeException:no cipher suites in common] -> [SSLHandshakeException:no cipher suites in common]
more logs using a more granular debugging mode for -Djava.net.debug=ssl
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-42, READ: TLSv1 Handshake, length = 167
*** ClientHello, TLSv1
RandomCookie: GMT: -265533514 bytes = { 61, 40, 108, 219, 248, 171, 159, 143, 197, 121, 120, 2, 169, 117, 206, 251, 77, 174, 188, 36, 13, 240, 239, 104, 177, 132, 36, 253 }
Session ID: {}
Cipher Suites: [Unknown 0x56:0x0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension server_name, server_name: [type=host_name (0), value=api.extrapoint.io]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_13172, data:
Unsupported extension type_16, data: 00:12:08:73:70:64:79:2f:33:2e:31:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
***
%% Initialized: [Session-868, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-42, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-868, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-42, SEND TLSv1 ALERT: fatal, description = handshake_failure
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-42, WRITE: TLSv1 Alert, length = 2
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-42, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-38, READ: TLSv1 Handshake, length = 167
*** ClientHello, TLSv1
RandomCookie: GMT: -1569487286 bytes = { 25, 54, 227, 33, 169, 61, 202, 196, 56, 250, 139, 68, 8, 183, 153, 237, 234, 230, 40, 91, 244, 198, 29, 236, 243, 121, 109, 28 }
Session ID: {}
Cipher Suites: [Unknown 0x56:0x0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension server_name, server_name: [type=host_name (0), value=api.extrapoint.io]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_13172, data:
Unsupported extension type_16, data: 00:12:08:73:70:64:79:2f:33:2e:31:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
***
%% Initialized: [Session-869, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-38, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-869, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-38, SEND TLSv1 ALERT: fatal, description = handshake_failure
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-38, WRITE: TLSv1 Alert, length = 2
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-38, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-45, READ: TLSv1 Handshake, length = 167
*** ClientHello, TLSv1
RandomCookie: GMT: -1995784349 bytes = { 231, 253, 51, 160, 51, 83, 215, 117, 136, 228, 2, 249, 107, 133, 172, 213, 70, 200, 95, 170, 53, 5, 93, 19, 131, 185, 241, 92 }
Session ID: {}
Cipher Suites: [Unknown 0x56:0x0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension server_name, server_name: [type=host_name (0), value=api.extrapoint.io]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_13172, data:
Unsupported extension type_16, data: 00:12:08:73:70:64:79:2f:33:2e:31:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
***
%% Initialized: [Session-870, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-45, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-870, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-45, SEND TLSv1 ALERT: fatal, description = handshake_failure
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-45, WRITE: TLSv1 Alert, length = 2
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-45, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, READ: TLSv1 Handshake, length = 208
*** ClientHello, TLSv1.2
RandomCookie: GMT: -1327152795 bytes = { 83, 242, 3, 179, 176, 55, 11, 121, 181, 163, 83, 1, 237, 23, 101, 140, 177, 179, 40, 128, 77, 190, 63, 204, 162, 105, 4, 57 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension server_name, server_name: [type=host_name (0), value=api.extrapoint.io]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_13172, data:
Unsupported extension type_16, data: 00:1b:08:73:70:64:79:2f:33:2e:31:05:68:32:2d:31:34:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
Extension signature_algorithms, signature_algorithms: SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withRSA, SHA256withECDSA, SHA384withECDSA, SHA512withECDSA, SHA1withECDSA, Unknown (hash:0x4, signature:0x2), SHA1withDSA
***
%% Initialized: [Session-871, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-871, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, WRITE: TLSv1.2 Alert, length = 2
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, READ: TLSv1 Handshake, length = 167
*** ClientHello, TLSv1
RandomCookie: GMT: -300410757 bytes = { 151, 231, 251, 170, 239, 146, 191, 87, 5, 9, 151, 64, 86, 10, 220, 175, 228, 71, 112, 41, 250, 35, 36, 140, 114, 28, 8, 130 }
Session ID: {}
Cipher Suites: [Unknown 0x56:0x0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension server_name, server_name: [type=host_name (0), value=api.extrapoint.io]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_13172, data:
Unsupported extension type_16, data: 00:12:08:73:70:64:79:2f:33:2e:31:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
***
%% Initialized: [Session-872, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-872, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, SEND TLSv1 ALERT: fatal, description = handshake_failure
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, WRITE: TLSv1 Alert, length = 2
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, READ: TLSv1 Handshake, length = 167
*** ClientHello, TLSv1.1
RandomCookie: GMT: -1944581904 bytes = { 65, 211, 112, 212, 209, 223, 205, 60, 175, 177, 83, 168, 139, 174, 78, 221, 40, 69, 103, 105, 117, 231, 103, 50, 53, 237, 22, 58 }
Session ID: {}
Cipher Suites: [Unknown 0x56:0x0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension server_name, server_name: [type=host_name (0), value=api.extrapoint.io]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_13172, data:
Unsupported extension type_16, data: 00:12:08:73:70:64:79:2f:33:2e:31:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
***
%% Initialized: [Session-873, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-873, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, SEND TLSv1.1 ALERT: fatal, description = handshake_failure
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, WRITE: TLSv1.1 Alert, length = 2
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-43, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Ignoring disabled protocol: SSLv3
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, READ: TLSv1 Handshake, length = 167
*** ClientHello, TLSv1
RandomCookie: GMT: 584450856 bytes = { 254, 198, 84, 40, 79, 119, 157, 34, 77, 19, 234, 180, 195, 251, 21, 69, 247, 233, 184, 117, 184, 4, 179, 104, 68, 102, 84, 232 }
Session ID: {}
Cipher Suites: [Unknown 0x56:0x0, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension server_name, server_name: [type=host_name (0), value=api.extrapoint.io]
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data:
Unsupported extension type_13172, data:
Unsupported extension type_16, data: 00:12:08:73:70:64:79:2f:33:2e:31:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Unsupported extension type_18, data:
***
%% Initialized: [Session-874, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
%% Invalidated: [Session-874, SSL_NULL_WITH_NULL_NULL]
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, SEND TLSv1 ALERT: fatal, description = handshake_failure
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, WRITE: TLSv1 Alert, length = 2
NflDbApiActorSystemConfig-akka.actor.default-dispatcher-41, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 is a TLSv1.2 cipher suite.
It can not be used with SSLv3 or TLSv1. Also, it might not be even available for the unknown version of Java you are using.
Edit: since it is now known that Java 1.7 is used:
According to the documentation from Oracle no GCM ciphers are available in Java 1.7 but they only got added to Java 1.8. Which explains the message about unsupported cipher.
The issue with this was that the key was generated incorrectly. I had to go on to support with COMODO and get help with the key generation.
Following code to get mails from an exchange email account:
public class TicketMain {
/**
* #param args
*/
public static void main(String[] args) throws Exception {
final Properties props = new Properties();
//XTrustProvider.install();
// System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", true);
props.setProperty("mail.pop3.socketFactory.class", "javax.net.ssl.SSLSocketFactory");
props.setProperty("mail.pop3.socketFactory.fallback", "false");
props.setProperty( "mail.pop3.host", "10.30.0.103" );
props.setProperty( "mail.pop3.user", "xxxx");
props.setProperty( "mail.pop3.password", "xxxx!");
props.setProperty( "mail.pop3.ssl.enable", "true");
props.setProperty( "mail.pop3.port", "445" );
props.setProperty( "mail.pop3.auth", "true" );
props.setProperty("mail.pop3.starttls.enable", "false");
/* props.setProperty( "mail.pop3.starttls.enable", "true" );
props.setProperty( "mail.pop3.starttls.required", "true" );*/
Session session = Session.getInstance(props);
session.setDebug(true);
Store store = session.getStore("pop3");
store.connect("xxxx", "xxxx!");
Folder folder = store.getDefaultFolder();
folder.open(Folder.READ_ONLY);
Message message[] = folder.getMessages();
for ( int i = 0; i < message.length; i++ )
{
Message m = message[i];
System.out.println( "-------------------------\nNachricht: " + i );
System.out.println( "From: " + Arrays.toString(m.getFrom()) );
System.out.println( "Topic: " + m.getSubject() );
if ( m.isMimeType("text/plain") )
System.out.println( m.getContent() );
}
folder.close( false );
store.close();
}
}
When executing this application I get following error:
DEBUG: setDebug: JavaMail version 1.5.2
DEBUG: getProvider() returning javax.mail.Provider[STORE,pop3,com.sun.mail.pop3.POP3Store,Oracle]
DEBUG POP3: mail.pop3.rsetbeforequit: false
DEBUG POP3: mail.pop3.disabletop: false
DEBUG POP3: mail.pop3.forgettopheaders: false
DEBUG POP3: mail.pop3.cachewriteto: false
DEBUG POP3: mail.pop3.filecache.enable: false
DEBUG POP3: mail.pop3.keepmessagecontent: false
DEBUG POP3: mail.pop3.starttls.enable: false
DEBUG POP3: mail.pop3.starttls.required: false
DEBUG POP3: mail.pop3.apop.enable: false
DEBUG POP3: mail.pop3.disablecapa: false
DEBUG POP3: connecting to host "10.30.0.103", port 445, isSSL true
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trustStore is: C:\Program Files (x86)\Java\jdk1.7.0_02\jre\lib\security\cacerts
trustStore type is : jks
trustStore provider is :
init truststore
trigger seeding of SecureRandom
done seeding SecureRandom
Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1389798620 bytes = { 115, 122, 157, 36, 180, 32, 127, 18, 33, 140, 18, 51, 218, 143, 189, 173, 30, 232, 215, 2, 114, 58, 144, 193, 229, 138, 82, 162 }
Session ID: {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, sect163k1, sect163r2, secp192r1, secp224r1, sect233k1, sect233r1, sect283k1, sect283r1, secp384r1, sect409k1, sect409r1, secp521r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, sect163r1, secp192k1, sect193r1, sect193r2, secp224k1, sect239k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
***
main, WRITE: TLSv1 Handshake, length = 149
main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
main, WRITE: TLSv1 Alert, length = 2
main, Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
main, called closeSocket()
Exception in thread "main" javax.mail.MessagingException: Connect failed;
nested exception is:
java.net.SocketException: Software caused connection abort: recv failed
at com.sun.mail.pop3.POP3Store.protocolConnect(POP3Store.java:213)
at javax.mail.Service.connect(Service.java:364)
at javax.mail.Service.connect(Service.java:245)
at javax.mail.Service.connect(Service.java:265)
at com.technisat.polarion.ticket.TicketMain.main(TicketMain.java:42)
Caused by: java.net.SocketException: Software caused connection abort: recv failed
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:168)
at java.net.SocketInputStream.read(SocketInputStream.java:121)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:312)
at sun.security.ssl.InputRecord.read(InputRecord.java:350)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:543)
at com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:348)
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:215)
at com.sun.mail.pop3.Protocol.<init>(Protocol.java:112)
at com.sun.mail.pop3.POP3Store.getPort(POP3Store.java:264)
at com.sun.mail.pop3.POP3Store.protocolConnect(POP3Store.java:207)
... 4 more
SSL certificate is already imported into java keystore.
Whats wrong here?
telnet host port is working from client.
You are trying to establish a SSL/TLS connection to a plain text POP3 port, not a POP3S port.
Therefore if you want to use SSL/TLS you have to enable starttls but disable ssl.
props.setProperty("mail.pop3.ssl.enable", "false");
props.setProperty("mail.pop3.starttls.enable", "true");
props.setProperty("mail.pop3.starttls.required", "true");