I need to have one client and one server to communicate with each other on a secure channel. The client is a Java app, the server is a ucspi-ssl server, here for more details: https://www.fehcom.de/ipnet/ucspi-ssl/man/sslserver.1.html. I want communication to be simple, without using http.
What I am trying to achieve:
- Communication has to be encrypted;
- Server has to authenticate the client.
Here is what I have done so far:
- Created client private key and client self signed certificate:
openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -x509 -days 365 -out client-certificate.pem
- Inserted both private key and certificate into client keystore:
openssl pkcs12 -inkey client-key.pem -in client-certificate.pem -export -out client-certificate.p12
- Created server private key and server self signed certificate:
openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -x509 -days 365 -out server-certificate.pem
- Added server certificate to client truststore:
keytool -import -trustcacerts -file server-certificate.pem -keypass password -storepass password -keystore clienttruststore.jks
- Created DH param file:
openssl dhparam -out /etc/ssl/dh2048.pem 2048
At this point, if I were using a Java SSL server I would specify the server keystore containing the server certificate and private key and the server truststore filled with the client certificate it needs to validate. But in ucspi-ssl server implementation there is no concept of keystore or truststore. As far as I understand, the given environment variables need to be set:
X509 certificate and encryption options:
-3 Read a null-terminated key password from file descriptor 3.
-m (Mail.) Require valid client certificates, but don't check for matching FQDN.
-z (Host.) Require valid client certificates and match FQDN (if given) against SAN/DN.
-Z (Default.) Do not require client certificates.
SSL ENVIRONMENT VARIABLES READ
These variables define the run-time environment of sslserver and are used to specify X509 certificates and keyfile per connection.
$SSL_USER=name The user, reading the certificates and keyfile.
$SSL_GROUP=group The respective user group.
$SSL_UID=uid The numerical UID of the $SSL_USER.
$SSL_CHROOT=path Perform reading of certificates and keyfile in a $SSL_CHROOT jail.
$CAFILE=path If set, overrides the compiled-in CA file name. The CA file contains the list of CAs used to verify the client certificate. Certificates in $CAFILE are processed when the server starts.
$CADIR=path If set, overrides the compiled-in CA directory name. The CA directory contains certificates files used to verify the client certificate. This list augments the list from $CAFILE. Certificates in $CADIR are processed during certificate verification.
$CERTFILE=path If set, overrides the compiled-in certificate file name. The server presents this certificate to clients.
$CERTCHAINFILE=path If set, overrides the compiled-in certificate chainfile name. The server presents this list of certificates to clients. Note: Providing $CERTCHAINFILE has precedence over $CERTFILE. Certificates in this file needs to be 'ordered' starting from the uppermost root certificates and placing your host's it's certificate.
$VERIFYDEPTH=n If set, overrides the compiled-in verification depth. Default: 1.
$CCAFILE=path If set, overrides the compiled-in client CA file name for client certificate request. The client CA file contains the list of CAs sent to the client when requesting a client certificate. Note: Setting of $CCAFILE is required while using the option -z or -m. However, declaring $CCAFILE="-" disables (on a per-connection base) the client certificate request.
$CCAVERIFY If set, sslserver requests a valid client certificate on a per-connection base, unlike the general option -z.
SSL ENVIRONMENT VARIABLES SET
In case sslserver is called with the option -e, the following mod_ssl environment variables are provided:
SSL_PROTOCOL The TLS protocol version (SSLv3, TLSv1, ...).
SSL_SESSION_ID The hex-encoded SSL session id.
SSL_CIPHER The cipher specification name.
SSL_CIPHER_USEKEYSIZE Number of cipher bits (actually used).
SSL_CIPHER_ALGKEYSIZE Number of cipher bits (possible).
SSL_VERSION_INTERFACE The mod_ssl program version.
SSL_VERSION_LIBRARY The OpenSSL program version.
SSL_CLIENT_M_VERSION The version of the client certificate.
SSL_CLIENT_M_SERIAL The serial of the client certificate.
SSL_CLIENT_S_DN Subject DN in client's certificate.
SSL_CLIENT_A_SIG Algorithm used for the signature of client's certificate.
SSL_CLIENT_A_KEY Algorithm used for the public key of client's certificate.
SSL_CLIENT_CERT PEM-encoded client certificate.
SSL_CLIENT_CERT_CHAIN n PEM-encoded certificates in client certificate chain.
SSL_CLIENT_VERIFY NONE, SUCCESS, GENEROUS or FAILED:reason.
SSL_SERVER_M_SERIAL The serial of the server certificate.
SSL_SERVER_S_DN Subject DN in server's certificate.
SSL_SERVER_S_DN_x509 Component of server's Subject DN.
SSL_SERVER_I_DN Issuer DN of server's certificate.
SSL_SERVER_I_DN_x509 Component of server's Issuer DN.
SSL_SERVER_V_START Validity of server's certificate (start time).
SSL_SERVER_V_END Validity of server's certificate (end time).
SSL_SERVER_A_SIG Algorithm used for the signature of server's certificate.
SSL_SERVER_A_KEY Algorithm used for the public key of server's certificate.
SSL_SERVER_CERT PEM-encoded server certificate.
How can I inform ucspi-ssl server that the client certificate can be trusted and perform client authentication?
I have tried to run the server with the following command:
sslserver -v -m localhost 12345 ./some_script.sh
with the following environment variables set:
DHFILE=/etc/ssl/dh2048.pem
CERTFILE=server-certificate.pem
KEYFILE=server-key.pem
Here is the Java SSL client code:
try {
// Client key store
System.setProperty("https.protocols", "SSLv3");
System.setProperty("javax.net.debug", "all");
KeyStore keyStore = KeyStore.getInstance("PKCS12");
String password = "password";
InputStream inputStream = ClassLoader.getSystemClassLoader().getResourceAsStream("/home/centuri0n/reservations/ssl/client-certificate.p12");
keyStore.load(inputStream, password.toCharArray());
// Client trust store
KeyStore trustStore = KeyStore.getInstance("JKS");
String password2 = "password";
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
InputStream inputStream1 = ClassLoader.getSystemClassLoader().getResourceAsStream("/home/centuri0n/reservations/ssl/clienttruststore.jks");
trustStore.load(inputStream1, password2.toCharArray());
trustManagerFactory.init(trustStore);
X509TrustManager x509TrustManager = null;
for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
if (trustManager instanceof X509TrustManager) {
x509TrustManager = (X509TrustManager) trustManager;
break;
}
}
if (x509TrustManager == null) throw new NullPointerException();
// KeyManagerFactory ()
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
keyManagerFactory.init(keyStore, password.toCharArray());
X509KeyManager x509KeyManager = null;
for (KeyManager keyManager : keyManagerFactory.getKeyManagers()) {
if (keyManager instanceof X509KeyManager) {
x509KeyManager = (X509KeyManager) keyManager;
break;
}
}
if (x509KeyManager == null) throw new NullPointerException();
// set up the SSL Context
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(new KeyManager[]{x509KeyManager}, new TrustManager[]{x509TrustManager}, null);
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
SSLSocket kkSocket = (SSLSocket) socketFactory.createSocket("127.0.0.1", 12345);
kkSocket.setUseClientMode(false);
kkSocket.setEnabledProtocols(new String[]{"TLSv1","TLSv1.1","TLSv1.2","TLSv1.3"});
kkSocket.setEnabledCipherSuites(new String[]{"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
});
PrintWriter out = new PrintWriter(kkSocket.getOutputStream(), true);
BufferedReader in = new BufferedReader(
new InputStreamReader(kkSocket.getInputStream()));
BufferedReader stdIn =
new BufferedReader(new InputStreamReader(System.in));
String fromServer;
String fromUser;
while ((fromServer = in.readLine()) != null) {
System.out.println("Server: " + fromServer);
if (fromServer.equals("Bye."))
break;
fromUser = stdIn.readLine();
if (fromUser != null) {
System.out.println("Client: " + fromUser);
out.println(fromUser);
}
}
}catch (IOException e){
e.printStackTrace();
} catch (UnrecoverableKeyException e) {
throw new RuntimeException(e);
} catch (CertificateException e) {
throw new RuntimeException(e);
} catch (KeyStoreException e) {
throw new RuntimeException(e);
} catch (NoSuchProviderException e) {
throw new RuntimeException(e);
} catch (KeyManagementException e) {
throw new RuntimeException(e);
}
When I start the client, it blocks for about 10 seconds with the following debug messages:
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DH_anon_WITH_DES_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DH_anon_WITH_DES_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.608 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_RSA_WITH_NULL_SHA256
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_RSA_WITH_NULL_SHA256
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.609 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_RSA_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_RSA_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_anon_WITH_NULL_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.610 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_anon_WITH_NULL_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.611 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_WITH_NULL_MD5
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.611 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_WITH_NULL_MD5
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.612 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.612 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.612 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.612 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.613 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.615 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.616 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.617 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.617 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.617 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.617 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.618 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.619 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.619 CET|SSLContextImpl.java:397|Ignore disabled cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.619 CET|SSLContextImpl.java:406|Ignore unsupported cipher suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.621 CET|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.622 CET|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.627 CET|SSLConfiguration.java:458|System property jdk.tls.client.SignatureSchemes is set to 'null'
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.641 CET|SSLConfiguration.java:458|System property jdk.tls.server.SignatureSchemes is set to 'null'
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.642 CET|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384 for TLSv1.2
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.642 CET|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_AES_128_GCM_SHA256 for TLSv1.2
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.642 CET|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256 for TLSv1.2
Then the client times out and exits:
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.685 CET|SSLSocketInputRecord.java:481|Raw read: EOF
javax.net.ssl|ERROR|10|main|2023-01-27 18:21:07.687 CET|TransportContext.java:363|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1714)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1513)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:920)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1011)
at java.base/sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:270)
at java.base/sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:313)
at java.base/sun.nio.cs.StreamDecoder.read(StreamDecoder.java:188)
at java.base/java.io.InputStreamReader.read(InputStreamReader.java:176)
at java.base/java.io.BufferedReader.fill(BufferedReader.java:162)
at java.base/java.io.BufferedReader.readLine(BufferedReader.java:329)
at java.base/java.io.BufferedReader.readLine(BufferedReader.java:396)
at org.example.App.main(App.java:75)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:483)
at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:472)
at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
... 12 more}
)
javax.net.ssl|ALL|10|main|2023-01-27 18:21:07.687 CET|SSLSessionImpl.java:1221|Invalidated session: Session(1674840041640|SSL_NULL_WITH_NULL_NULL)
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketOutputRecord.java:71|WRITE: TLSv1.3 alert(handshake_failure), length = 2
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketOutputRecord.java:85|Raw write (
0000: 15 03 03 00 02 02 28 ......(
)
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketImpl.java:1754|close the underlying socket
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketImpl.java:1780|close the SSL connection (passive)
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1714)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1513)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:920)
at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1011)
at java.base/sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:270)
at java.base/sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:313)
at java.base/sun.nio.cs.StreamDecoder.read(StreamDecoder.java:188)
at java.base/java.io.InputStreamReader.read(InputStreamReader.java:176)
at java.base/java.io.BufferedReader.fill(BufferedReader.java:162)
at java.base/java.io.BufferedReader.readLine(BufferedReader.java:329)
at java.base/java.io.BufferedReader.readLine(BufferedReader.java:396)
at org.example.App.main(App.java:75)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:483)
at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:472)
at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
... 12 more
Process finished with exit code 0
CodePudding user response:
Here is the formatted and cleaned-up Java client code, and the ucspi-ssl server environment variables needed to make the SSL communication between the two parties work.
JAVA CLIENT CODE:
try {
System.setProperty("javax.net.debug", "all");
String keystore_path = "<keystore_path>";
String keystore_password = "<keystore_password>";
String truststore_path = "<truststore_path>";
String truststore_password = "<truststore_password>";
//Keystore
KeyStore keystore = KeyStore.getInstance("PKCS12");
keystore.load(new FileInputStream(keystore_path), keystore_password.toCharArray());
KeyManagerFactory key_manager_factory = KeyManagerFactory.getInstance("SunX509");
key_manager_factory.init(keystore, keystore_password.toCharArray());
//Truststore
KeyStore truststore = KeyStore.getInstance("PKCS12");
truststore.load(new FileInputStream(truststore_path), truststore_password.toCharArray());
TrustManagerFactory trust_manager_factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trust_manager_factory.init(truststore);
//SSL Context
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(key_manager_factory.getKeyManagers(), trust_manager_factory.getTrustManagers(), null);
//SSL Socket
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
SSLSocket ssl_socket = (SSLSocket) socketFactory.createSocket("server_ip", 12345);
ssl_socket.setUseClientMode(true);
ssl_socket.setEnabledProtocols(new String[]{"TLSv1.3"});
ssl_socket.setEnabledCipherSuites(new String[]{"TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}); //Ciphers supported by both client and ucspi-ssl server
//In and out streams
PrintWriter out = new PrintWriter(ssl_socket.getOutputStream(), true);
BufferedReader in = new BufferedReader(new InputStreamReader(ssl_socket.getInputStream()));
//You can now interact with the server using input and output streams
} catch (IOException | KeyManagementException | KeyStoreException | UnrecoverableKeyException |
CertificateException | NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
SERVER ENVIRONMENT VARIABLES:
- KEYFILE=server-key.pem
- CERTFILE=server-certificate.pem
- CAFILE=client-certificate.pem
- CCAFILE=client-certificate.pem
- DHFILE=/etc/ssl/dh2048.pem
Server is started by launching:
sslserver -v -m localhost 12345 ./some_script.sh
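With -m, sslserver only requires a certificate that validates against $CAFILE; the handler can additionally decide which verified client is allowed. The script below is an added example, not part of the original answer or of ucspi-ssl: it assumes sslserver is also started with -e (so SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN from the man page excerpt are exported) and that the handler is invoked as ./some_script.sh --serve. The allow-listed DNs, the --serve argument and real_handler.sh are hypothetical.

```shell
#!/bin/sh
# Added example: per-connection authorization gate for the program that
# sslserver runs. Relies on the SSL_* variables exported by "sslserver -e".

# Hypothetical allow-list, one exact subject DN per line (constructed values;
# compare against the SSL_CLIENT_S_DN string your server actually exports).
ALLOWED_DNS='/CN=reservations-client
/CN=backup-client'

# authorize_client
#   0  certificate verified by the TLS layer and subject DN is allow-listed
#   1  SSL_CLIENT_VERIFY is not exactly SUCCESS (NONE, GENEROUS, FAILED:..., unset)
#   2  no subject DN was exported
#   3  subject DN is not on the allow-list
authorize_client() {
    case "${SSL_CLIENT_VERIFY:-NONE}" in
        SUCCESS) ;;
        *) return 1 ;;
    esac

    [ -n "${SSL_CLIENT_S_DN:-}" ] || return 2

    # Exact string comparison per line: no regex, no prefix or substring
    # matches, and a DN containing a newline can never equal a single entry.
    while IFS= read -r allowed; do
        [ "$allowed" = "$SSL_CLIENT_S_DN" ] && return 0
    done <<EOF
$ALLOWED_DNS
EOF
    return 3
}

# Entry point, used only when started as: ./some_script.sh --serve
if [ "${1:-}" = "--serve" ]; then
    if authorize_client; then
        exec ./real_handler.sh   # hypothetical: the actual service logic
    fi
    # Report on stderr so the rejection reason is not written to the peer.
    echo "client rejected: verify=${SSL_CLIENT_VERIFY:-unset}" >&2
    exit 1
fi
```
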