I am getting this error: javax.net.ssl.SSLHandshakeException: no cipher suites in common
when trying to do an SSL socket communication between java server and android client.
I used this line to create the keyfile: keytool -genkey -keystore mySrvKeystore -keyalg RSA
server code:
System.setProperty("javax.net.ssl.keyStore","mySrvKeystore.key");
System.setProperty("javax.net.ssl.keyStorePassword","1234567");
private SSLServerSocketFactory sslserversocketfactory =
(SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
private SSLServerSocket sslserversocket;
private SSLSocket sslsocket;
sslserversocket= (SSLServerSocket) sslserversocketfactory.createServerSocket(port);
sslsocket = (SSLSocket) sslserversocket.accept();
client code:
System.setProperty("javax.net.ssl.trustStore","mySrvKeystore.key");
System.setProperty("javax.net.ssl.trustStorePassword","1234567");
sslsocket = (SSLSocket) sslsocketfactory.createSocket(serverAddr, SERVERPORT);
private SSLSocketFactory sslsocketfactory = (SSLSocketFactory)
SSLSocketFactory.getDefault();
private SSLSocket sslsocket;
Any idea how to solve this issue ?
Is it possible that the connection is failing because the server's certificate is self-signed ?
Thanks.
You must be changing the enabled cipher suites in either your SSLServerSocket or your SSLSocket. Don't do that. If you must, make sure you set a subset that is supported by both peers.
EDIT In your client code, you have
System.setProperty("javax.net.ssl.trustStore","mySrvKeystore.key");
i.e. you are using the server keystore as the client truststore. Don't do that. The keystore contains the private key and it shouldn't reside anywhere except at the server. You need to export the server certificate from that keystore and import it into the client truststore as a trusted CA certificate.
Android uses slightly different approach to setup up a secure connection. Please take a look at this post:
Android Trusting SSL Certificates
Related
I have this code to connect the server with a client using SSL, and now I want to add client-side authentication:
(I have a server keystore (JCEKS type) and a client keystore (JKS type), the server uses a truststore (cacerts) where I imported both certificates because I also want to use this truststore for client authentication)
Client code:
System.setProperty("javax.net.ssl.trustStore", cerServer);
System.setProperty("javax.net.ssl.trustStoreType","JCEKS");
System.setProperty("javax.net.ssl.trustStorePassword", pwdCacerts);
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("localhost", port);
Server Code:
KeyStore ks = LoadKeyStore(new File(serverKeyStore), pwdKeyStore, "JCEKS");
KeyManagerFactory kmf;
kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, pwdKeyStore.toCharArray());
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(kmf.getKeyManagers(),null, null);
SSLServerSocketFactory ssf = sc.getServerSocketFactory();
sslserversocket = (SSLServerSocket) ssf.createServerSocket(port);
thanks in advance for any help.
edit:
I add this code in the server side:
System.setProperty("javax.net.ssl.trustStore", cacerts);
System.setProperty("javax.net.ssl.trustStoreType","JKS");
System.setProperty("javax.net.ssl.trustStorePassword", pwdCacerts);
but if I delete the client certificate in cacerts, the connection doesn't give me error and for that I think it's wrong that way
If you want your system to use client-certificate authentication, you'll need
the server to request (or require) a client certificate. This is done by setting setWantClientAuth(true) on the server socket (or setNeedClientAuth, respectively). You'll also need the server to advertise the CA it accepts, which is normally done by using a truststore on the server that contains the CA by which the client-certificate chain was issued (this seems to be what you've done by setting javax.net.ssl.trustStore* on the server).
the client to be configured with a keystore containing the client certificate (possible the chain if there are intermediate CAs) and its private key. This can be done by setting the javax.net.ssl.keyStore* (which may affect other connections) or by using a KeyManagerFactory in the same way as you've done it on the server side.
If you use setWantClientAuth(true), you might still not get an error, since the server will accept connections that don't have a client-certificate (the server would then check the SSLSession's peer certificates to see whether there was a cert or not). setNeedClientAuth(true) would break the connection when the client doesn't present a certificate.
In case of POP3 it is possible to connect via telnet using sockets over port 110, But how to do it , if SPOP3 is implemented.
With normal telnet it can be done quite easily with
Socket pop3Socket = new Socket(host.com, 110);
FYI:
For connecting to SPOP3 we use in linux/unix
openssl s_client -connect servername.com:995
You'll need to use the SSLSocket class. An example can be found at: http://www.herongyang.com/JDK/SSL-Socket-Client-Example-SslSocketClient.html.
Basically, you'll do something like:
SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket c = (SSLSocket) f.createSocket("localhost", 8888);
If the endpoint has a self signed certificate then you have two options:
Add this self-signed cert to your local keystore. This URL gives a good overview: http://www.chrissearle.org/blog/technical/adding_self_signed_https_certificates_java_keystore
Create a TrustManager that does not validate the server's certificate: http://www.howardism.org/Technical/Java/SelfSignedCerts.html
Option 1 is more secure.
I have a client written in C# and server in JAVA. So, when I'm trying to connect I got error in server javax.net.ssl.SSLHandshakeException: no cipher suites in common and in C# "EOF or 0 bytes".
[C#]:
TcpClient tc = new TcpClient(server, 1337);
using (sslStream = new SslStream(tc.GetStream())){ }
[JAVA]:
SSLServerSocketFactory ssocketFactory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
SSLServerSocket server = (SSLServerSocket) ssocketFactory.createServerSocket(1337);
server.setEnabledCipherSuites(server.getEnabledCipherSuites());
And JAVA launch properties:
-Djavax.net.ssl.trustStore=Certificatename -Djavax.net.ssl.trustStorePassword=thereisapw -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol -Djavax.net.debug=ssl TCPServer
The truststore defines how you're going to trust remote certificates that are presented to you. The keystore is for the certificates you have (and for which you have the private key). (More details about the difference here. The terminology about "keystore" can be confusing, since it can have two meanings).
Here, you're trying to run a server, but you haven't set up your own certificate. You need to import/create a certificate in a keystore and use it as a keystore.
If you don't specify a keystore, the server won't be able to find a cert/key. As a result, it won't be able to use any of the cipher suites enabled by default.
I'm not sure where you got this from, but you don't need it: -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
For secure server sockets in order to send the server certificate, all I do is initialize SSLContext with a KeyManagerFactory.getKeyManagers() that has been initialized with my keystore.
But how can I do this in client side?
I.e. for client I do:
System.setProperty("javax.net.ssl.keyStore", "clientKeystore.keystore");
System.setProperty("javax.net.ssl.keyStorePassword", "secret");
System.setProperty("javax.net.ssl.trustStore", "clientKeystore.keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "secret");
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 7890);
I use the same keystore as trust store. I assume that just for looking arround JSSE it is ok.
Problem is that I get in the server part (I have setNeedClientAuth in the serversocket to true).
Exception in thread "main" javax.net.ssl.SSLHandshakeException: null cert chain
So how am I supposed to configure the client side to send a certificate?Isn't the system properties a correct approach?
Because I do not see how the SSLContext can be used in client side.
Thank you!
You do not have to set a specific configuration on the client side to use a certificate for authentication. Maybe some intermediate CAs are missing in the keystore, and the client is not able to build a certificate path from the trust anchor sent by the server and therefore cannot determine if the certificate is suitable for authentication.
You can add the system property javax.net.debug to all to print the debug stream on the standard output. Maybe you can get more information on the error.
I am trying to implement a standalone application for iphone; for which I wish to use Apple Push notification for iphone clients.
I am getting javax.net.ssl.SSLHandshakeException: Received fatal alert: unknown_ca
Following is my Java code to connect to apns gateway:
int port = 2195;
String hostname = "gateway.sandbox.push.apple.com";
char[] passwKey = "password".toCharArray();
KeyStore ts = KeyStore.getInstance("PKCS12");
ts.load(new FileInputStream("/path/to/file/Cert.p12"), passwKey);
KeyManagerFactory tmf = KeyManagerFactory.getInstance("SunX509");
tmf.init(ts, passwKey);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(tmf.getKeyManagers(), null, null);
SSLSocketFactory factory = sslContext.getSocketFactory();
SSLSocket socket = (SSLSocket) factory.createSocket(hostname,port);
String[] suites = socket.getSupportedCipherSuites();
socket.setEnabledCipherSuites(suites);
//start handshake
socket.startHandshake();
Please help me understand what and how the ssl certificate can be installed on my Linux machine.
EDIT :
It worked for me now, I recreated Cert.p12, and the program started working. I don't know what was the exact cause for not working, but I guess it would be corrupt Cert.p12 file.
Thank you all for your help.
unknown_ca:
Received a valid certificate chain or partial chain, but the certificate was not accepted because the CA certificate could not be located or could not be matched with a known, trusted CA. This message is always fatal.
You may need to add the certificate to your jre's cacerts file (generally located under lib/security). Look into the documentation for keytool and its -import option for more information.
You can probably find an example of how to do this by researching the cacerts file and keytool further.
had same issue.
import to IE/export with "all certificates included" solved it.