SSL client-server encryption and authentication

Time:01-30

I need to have one client and one server to communicate with each other on a secure channel. The client is a Java app, the server is a ucspi-ssl server, here for more details: https://www.fehcom.de/ipnet/ucspi-ssl/man/sslserver.1.html. I want communication to be simple, without using http.

What I am trying to achieve:

  1. Communication has to be encrypted;
  2. Server has to authenticate the client.

Here is what I have done so far:

  1. Created client private key and client self-signed certificate:
     openssl req -newkey rsa:2048 -nodes -keyout client-key.pem -x509 -days 365 -out client-certificate.pem
  2. Inserted both private key and certificate into client keystore:
     openssl pkcs12 -inkey client-key.pem -in client-certificate.pem -export -out client-certificate.p12
  3. Created server private key and server self-signed certificate:
     openssl req -newkey rsa:2048 -nodes -keyout server-key.pem -x509 -days 365 -out server-certificate.pem
  4. Added server certificate to client truststore:
     keytool -import -trustcacerts -file server-certificate.pem -keypass password -storepass password -keystore clienttruststore.jks
  5. Created DH param file:
     openssl dhparam -out /etc/ssl/dh2048.pem 2048

At this point, if I were using a Java SSL server, I would specify the server keystore containing the server certificate and private key, and the server truststore filled with the client certificate it needs to validate. But in the ucspi-ssl server implementation there is no concept of keystore or truststore. As far as I understand, the given environment variables need to be set:

X509 certificate and encryption options:

   -3     Read a null-terminated key password from file descriptor 3.

   -m     (Mail.) Require valid client certificates, but don't check for
          matching FQDN.

   -z     (Host.) Require valid client certificates and match FQDN (if
          given) against SAN/DN.

   -Z     (Default.) Do not require client certificates.

SSL ENVIRONMENT VARIABLES READ

   These variables define the run-time environment of sslserver and are
   used to specify X509 certificates and keyfile per connection.

   $SSL_USER=name
          The user, reading the certificates and keyfile.

   $SSL_GROUP=group
          The respective user group.

   $SSL_UID=uid
          The numerical UID of the $SSL_USER.

   $SSL_CHROOT=path
          Perform reading of certificates and keyfile in a $SSL_CHROOT
          jail.

   $CAFILE=path
          If set, overrides the compiled-in CA file name.  The CA file
          contains the list of CAs used to verify the client certificate.
          Certificates in $CAFILE are processed when the server starts.

   $CADIR=path
          If set, overrides the compiled-in CA directory name.  The CA
          directory contains certificates files used to verify the client
          certificate.  This list augments the list from $CAFILE.
          Certificates in $CADIR are processed during certificate
          verification.

   $CERTFILE=path
          If set, overrides the compiled-in certificate file name.  The
          server presents this certificate to clients.

   $CERTCHAINFILE=path
          If set, overrides the compiled-in certificate chainfile name.
          The server presents this list of certificats to clients.  Note:
          Providing $CERTCHAINFILE has precedence over $CERTFILE.
          Certificates in this file needs to be 'ordered' starting from
          the uppermost root certificates and placing your host's
          it's certificate.

   $VERIFYDEPTH=n
          If set, overrides the compiled-in verification depth. Default:
          1.

   $CCAFILE=path
          If set, overrides the compiled-in client CA file name for client
          certificate request.  The client CA file contains the list of
          CAs sent to the client when requesting a client certificate.
          Note: Setting of $CCAFILE is required while using the option -z
          or -m.  However, declaring $CCAFILE="-" disables (on a per-
          connection base) the client certificate request.

   $CCAVERIFY
          If set, sslserver requests a valid client certificate on a per-
          connection base, unlike the general option -z.

SSL ENVIRONMENT VARIABLES SET

   In case sslserver is called with the option -e, the following mod_ssl
   environment variables are provided:

   SSL_PROTOCOL
          The TLS protocol version (SSLv3, TLSv1, ...).

   SSL_SESSION_ID
          The hex-encoded SSL session id.

   SSL_CIPHER
          The cipher specification name.

   SSL_CIPHER_USEKEYSIZE
          Number of cipher bits (actually used).

   SSL_CIPHER_ALGKEYSIZE
          Number of cipher bits (possible).

   SSL_VERSION_INTERFACE
          The mod_ssl program version.

   SSL_VERSION_LIBRARY
          The OpenSSL program version.

   SSL_CLIENT_M_VERSION
          The version of the client certificate.

   SSL_CLIENT_M_SERIAL
          The serial of the client certificate.

   SSL_CLIENT_S_DN
          Subject DN in client's certificate.


   SSL_CLIENT_A_SIG
          Algorithm used for the signature of client's certificate.

   SSL_CLIENT_A_KEY
          Algorithm used for the public key of client's certificate.

   SSL_CLIENT_CERT
          PEM-encoded client certificate.

   SSL_CLIENT_CERT_CHAIN n
          PEM-encoded certificates in client certificate chain.

   SSL_CLIENT_VERIFY
          NONE, SUCCESS, GENEROUS or FAILED:reason.

   SSL_SERVER_M_SERIAL
          The serial of the server certificate.

   SSL_SERVER_S_DN
          Subject DN in server's certificate.

   SSL_SERVER_S_DN_x509
          Component of server's Subject DN.

   SSL_SERVER_I_DN
          Issuer DN of server's certificate.

   SSL_SERVER_I_DN_x509
          Component of server's Issuer DN.

   SSL_SERVER_V_START
          Validity of server's certificate (start time).

   SSL_SERVER_V_END
          Validity of server's certificate (end time).

   SSL_SERVER_A_SIG
          Algorithm used for the signature of server's certificate.

   SSL_SERVER_A_KEY
          Algorithm used for the public key of server's certificate.

   SSL_SERVER_CERT
          PEM-encoded server certificate.

How can I inform ucspi-ssl server that the client certificate can be trusted and perform client authentication?

I have tried to run the server with the following command:

sslserver -v -m  localhost 12345 ./some_script.sh

with the following environment variables set:

DHFILE=/etc/ssl/dh2048.pem
CERTFILE=server-certificate.pem
KEYFILE=server-key.pem

Here is the java SSL client code:

try {
           // Client key store
           System.setProperty("https.protocols", "SSLv3");
           System.setProperty("javax.net.debug", "all");
           KeyStore keyStore = KeyStore.getInstance("PKCS12");
           String password = "password";
           InputStream inputStream = ClassLoader.getSystemClassLoader().getResourceAsStream("/home/centuri0n/reservations/ssl/client-certificate.p12");
           keyStore.load(inputStream, password.toCharArray());

           // Client trust store
           KeyStore trustStore = KeyStore.getInstance("JKS");
           String password2 = "password";
           TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
           InputStream inputStream1 = ClassLoader.getSystemClassLoader().getResourceAsStream("/home/centuri0n/reservations/ssl/clienttruststore.jks");
           trustStore.load(inputStream1, password2.toCharArray());
           trustManagerFactory.init(trustStore);
           X509TrustManager x509TrustManager = null;
           for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
               if (trustManager instanceof X509TrustManager) {
                   x509TrustManager = (X509TrustManager) trustManager;
                   break;
               }
           }

           if (x509TrustManager == null) throw new NullPointerException();

           // KeyManagerFactory ()
           KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
           keyManagerFactory.init(keyStore, password.toCharArray());
           X509KeyManager x509KeyManager = null;
           for (KeyManager keyManager : keyManagerFactory.getKeyManagers()) {
               if (keyManager instanceof X509KeyManager) {
                   x509KeyManager = (X509KeyManager) keyManager;
                   break;
               }
           }
           if (x509KeyManager == null) throw new NullPointerException();

           // set up the SSL Context
           SSLContext sslContext = SSLContext.getInstance("TLS");
           sslContext.init(new KeyManager[]{x509KeyManager}, new TrustManager[]{x509TrustManager}, null);

           SSLSocketFactory socketFactory = sslContext.getSocketFactory();
           SSLSocket kkSocket = (SSLSocket) socketFactory.createSocket("127.0.0.1", 12345);
           kkSocket.setUseClientMode(false);
           kkSocket.setEnabledProtocols(new String[]{"TLSv1","TLSv1.1","TLSv1.2","TLSv1.3"});
           kkSocket.setEnabledCipherSuites(new String[]{"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
           });

           PrintWriter out = new PrintWriter(kkSocket.getOutputStream(), true);
           BufferedReader in = new BufferedReader(
                   new InputStreamReader(kkSocket.getInputStream()));

           BufferedReader stdIn =
                   new BufferedReader(new InputStreamReader(System.in));
           String fromServer;
           String fromUser;

           while ((fromServer = in.readLine()) != null) {
               System.out.println("Server: " + fromServer);
               if (fromServer.equals("Bye."))
                   break;

               fromUser = stdIn.readLine();
               if (fromUser != null) {
                   System.out.println("Client: " + fromUser);
                   out.println(fromUser);
               }
           }
       }catch (IOException e){
           e.printStackTrace();
       } catch (UnrecoverableKeyException e) {
           throw new RuntimeException(e);
       } catch (CertificateException e) {
           throw new RuntimeException(e);
       } catch (KeyStoreException e) {
           throw new RuntimeException(e);
       } catch (NoSuchProviderException e) {
           throw new RuntimeException(e);
       } catch (KeyManagementException e) {
           throw new RuntimeException(e);
       }

When I start the client, it blocks for about 10 seconds with the following debug messages:

javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.621 CET|SSLContextImpl.java:115|trigger seeding of SecureRandom
javax.net.ssl|ALL|10|main|2023-01-27 18:20:41.622 CET|SSLContextImpl.java:119|done seeding of SecureRandom
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.627 CET|SSLConfiguration.java:458|System property jdk.tls.client.SignatureSchemes is set to 'null'
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.641 CET|SSLConfiguration.java:458|System property jdk.tls.server.SignatureSchemes is set to 'null'
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.642 CET|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384 for TLSv1.2
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.642 CET|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_AES_128_GCM_SHA256 for TLSv1.2
javax.net.ssl|DEBUG|10|main|2023-01-27 18:20:41.642 CET|HandshakeContext.java:298|Ignore unsupported cipher suite: TLS_CHACHA20_POLY1305_SHA256 for TLSv1.2

Then the client times out and exits:

javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.685 CET|SSLSocketInputRecord.java:481|Raw read: EOF
javax.net.ssl|ERROR|10|main|2023-01-27 18:21:07.687 CET|TransportContext.java:363|Fatal (HANDSHAKE_FAILURE): Couldn't kickstart handshaking (
"throwable" : {
  javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1714)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1513)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:920)
    at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1011)
    at java.base/sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:270)
    at java.base/sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:313)
    at java.base/sun.nio.cs.StreamDecoder.read(StreamDecoder.java:188)
    at java.base/java.io.InputStreamReader.read(InputStreamReader.java:176)
    at java.base/java.io.BufferedReader.fill(BufferedReader.java:162)
    at java.base/java.io.BufferedReader.readLine(BufferedReader.java:329)
    at java.base/java.io.BufferedReader.readLine(BufferedReader.java:396)
    at org.example.App.main(App.java:75)
  Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:483)
    at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:472)
    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
    ... 12 more}

)
javax.net.ssl|ALL|10|main|2023-01-27 18:21:07.687 CET|SSLSessionImpl.java:1221|Invalidated session:  Session(1674840041640|SSL_NULL_WITH_NULL_NULL)
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketOutputRecord.java:71|WRITE: TLSv1.3 alert(handshake_failure), length = 2
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketOutputRecord.java:85|Raw write (
  0000: 15 03 03 00 02 02 28                               ......(
)
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketImpl.java:1754|close the underlying socket
javax.net.ssl|DEBUG|10|main|2023-01-27 18:21:07.688 CET|SSLSocketImpl.java:1780|close the SSL connection (passive)
javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1714)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1513)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1420)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:920)
    at java.base/sun.security.ssl.SSLSocketImpl$AppInputStream.read(SSLSocketImpl.java:1011)
    at java.base/sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:270)
    at java.base/sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:313)
    at java.base/sun.nio.cs.StreamDecoder.read(StreamDecoder.java:188)
    at java.base/java.io.InputStreamReader.read(InputStreamReader.java:176)
    at java.base/java.io.BufferedReader.fill(BufferedReader.java:162)
    at java.base/java.io.BufferedReader.readLine(BufferedReader.java:329)
    at java.base/java.io.BufferedReader.readLine(BufferedReader.java:396)
    at org.example.App.main(App.java:75)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:483)
    at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:472)
    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1505)
    ... 12 more

Process finished with exit code 0

CodePudding user response:

Here is the formatted and cleaned up Java client code, and ucspi-ssl server environment variables needed to make the ssl communication between the two parties work.

JAVA CLIENT CODE:

    import java.io.BufferedReader;
    import java.io.FileInputStream;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.io.PrintWriter;
    import java.security.KeyManagementException;
    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import java.security.UnrecoverableKeyException;
    import java.security.cert.CertificateException;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;

    // SslClient is a placeholder class name so that the snippet compiles.
    public class SslClient {
        public static void main(String[] args) {
            try {
                System.setProperty("javax.net.debug", "all");

                String keystore_path = "<keystore_path>";
                String keystore_password = "<keystore_password>";

                String truststore_path = "<truststore_path>";
                String truststore_password = "<truststore_password>";

                // Keystore: client private key and certificate
                KeyStore keystore = KeyStore.getInstance("PKCS12");
                keystore.load(new FileInputStream(keystore_path), keystore_password.toCharArray());
                KeyManagerFactory key_manager_factory = KeyManagerFactory.getInstance("SunX509");
                key_manager_factory.init(keystore, keystore_password.toCharArray());

                // Truststore: the server certificate this client accepts
                KeyStore truststore = KeyStore.getInstance("PKCS12");
                truststore.load(new FileInputStream(truststore_path), truststore_password.toCharArray());
                TrustManagerFactory trust_manager_factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                trust_manager_factory.init(truststore);

                // SSL context
                SSLContext sslContext = SSLContext.getInstance("TLS");
                sslContext.init(key_manager_factory.getKeyManagers(), trust_manager_factory.getTrustManagers(), null);

                // SSL socket
                SSLSocketFactory socketFactory = sslContext.getSocketFactory();
                SSLSocket ssl_socket = (SSLSocket) socketFactory.createSocket("server_ip", 12345);
                ssl_socket.setUseClientMode(true); // this side starts the handshake as the TLS client
                ssl_socket.setEnabledProtocols(new String[]{"TLSv1.3"});
                ssl_socket.setEnabledCipherSuites(new String[]{"TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"}); // Ciphers supported by both client and ucspi-ssl server

                // In and out streams
                PrintWriter out = new PrintWriter(ssl_socket.getOutputStream(), true);
                BufferedReader in = new BufferedReader(new InputStreamReader(ssl_socket.getInputStream()));

                // You can now interact with the server using input and output streams

            } catch (IOException | KeyManagementException | KeyStoreException | UnrecoverableKeyException |
                     CertificateException | NoSuchAlgorithmException e) {
                throw new RuntimeException(e);
            }
        }
    }

SERVER ENVIRONMENT VARIABLES:

  • KEYFILE=server-key.pem
  • CERTFILE=server-certificate.pem
  • CAFILE=client-certificate.pem
  • CCAFILE=client-certificate.pem
  • DHFILE=/etc/ssl/dh2048.pem

Server is started by launching:

sslserver -v -m localhost 12345 ./some_script.sh 
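
An added example, not part of the original answer: once $CAFILE holds a CA that issues more than one certificate, a successful verification no longer identifies a single client, so the handler itself should decide who is allowed. The sketch below is a gate to run in place of ./some_script.sh; it relies on the SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN variables that the man page excerpt says are exported with option -e. The file names client_gate.sh and real_service.sh, the ALLOWLIST path and every DN string are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer: a gate to run in place of
# ./some_script.sh. Assumes sslserver is started with -e, e.g.
#   sslserver -v -e -m localhost 12345 ./client_gate.sh
# client_gate.sh, real_service.sh, ALLOWLIST and every DN are hypothetical.

ALLOWLIST=${ALLOWLIST:-/etc/ssl/allowed-client-dns.txt}   # one subject DN per line

# authorize_client VERIFY_STATUS SUBJECT_DN ALLOWLIST_FILE
# Returns 0 only if the certificate verified and its subject DN is listed.
authorize_client() {
    verify_status=$1
    subject_dn=$2
    allowlist_file=$3

    # Fail closed: NONE, GENEROUS, FAILED:reason and an unset value all reject.
    [ "$verify_status" = "SUCCESS" ] || return 1
    [ -n "$subject_dn" ] || return 1
    [ -r "$allowlist_file" ] || return 1

    # grep -F splits a multi-line pattern into several patterns, so a DN
    # carrying an embedded newline could match on one of its lines. Reject it.
    case $subject_dn in
        *'
'*) return 1 ;;
    esac

    # -F literal, -x whole line: "/CN=client" must not match "/CN=client-evil".
    grep -Fxq -e "$subject_dn" "$allowlist_file"
}

# Constructed sample cases. Returns 0 when every decision is the expected one.
self_test() {
    sample=$(mktemp) || return 1
    good='/C=IT/O=Example/CN=reservations-client'   # constructed DN
    printf '%s\n' "$good" > "$sample"
    rc=0
    authorize_client SUCCESS "$good" "$sample"                     || rc=1
    authorize_client NONE "$good" "$sample"                        && rc=1
    authorize_client GENEROUS "$good" "$sample"                    && rc=1
    authorize_client 'FAILED:expired' "$good" "$sample"            && rc=1
    authorize_client SUCCESS "${good}-evil" "$sample"              && rc=1
    authorize_client SUCCESS "$(printf 'x\n%s' "$good")" "$sample" && rc=1
    rm -f "$sample"
    return "$rc"
}

# Act as the handler only when sslserver -e exported the session variables.
if [ -n "${SSL_PROTOCOL:-}" ]; then
    if authorize_client "${SSL_CLIENT_VERIFY:-NONE}" "${SSL_CLIENT_S_DN:-}" "$ALLOWLIST"; then
        echo "accepted client: $SSL_CLIENT_S_DN" >&2   # stderr goes to the server log
        exec ./real_service.sh                         # stdin/stdout carry the client connection
    fi
    echo "rejected client: verify=${SSL_CLIENT_VERIFY:-NONE}" >&2
    exit 1
fi
```

The DN strings in the allowlist must match byte for byte what the server exports in SSL_CLIENT_S_DN, so copy them from a logged connection rather than typing them by hand.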