与浏览器和Java服务器建立客户端/服务器SSL连接？

Question

I am trying to create a HttpsServer/Client so that I can create a proxy to examine traffic coming from the browser to the server. These types of tool are invaluable to people who test web application security. I have decided to use httpclient to send the requests and httpcore components for my server. At the moment I'm simply trying to establish the ssl socket connection between the browser and the server on port 8080. I have read all over and still cannot seem to get this to work. Here are the steps I did up to this point:

1. Created a CA cert with keytool and added it to file called cacerts

2. I added this cert to the firefox browser instance listening on port 8080

3. In my code i do the following to call that cert in the server code

     KeyStore ks = KeyStore.getInstance("JKS"); ks.load(new FileInputStream("C:\\\\Program Files\\\\Java\\\\jre6\\\\bin\\\\cacerts"), "password".toCharArray()); KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); kmf.init(ks, "password".toCharArray()); SSLContext context = SSLContext.getInstance("TLS"); context.init(kmf.getKeyManagers(), null, null); ServerSocketFactory ssocketFactory = SSLServerSocketFactory.getDefault(); serversocket = ssocketFactory.createServerSocket(port); 

Then when I call the accept on the socket as seen below i get the following exception:

I/O error initialising connection thread: No available certificate or key corresponds    to the SSL cipher suites which are enabled.
 javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL     cipher suites which are enabled.
 at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)
at DefaultHttpServer$RequestListenerThread.run(DefaultHttpServer.java:151) 

Here is line throwing the exception:

   Socket socket = serversocket.accept(); 

Any ideas on what i'm doing wrong here? Just trying to establish the ssl socket connection with the port 8080 the browser is sending its requests on.

Update 11/13

I took some of your information thus far and went to create a separate keystore file. This is what I did

C:\Users\Steve>keytool -genkey -alias serverprivkey -keystore privateKey.store

Then I copied this file privateKey.store from my user directory over to my project folder and did the following changes in my code:

        KeyStore ks = KeyStore.getInstance("JKS");  
        ks.load(new FileInputStream("privateKey.store"), "pass123".toCharArray());

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, "pass123".toCharArray());

I know it is correctly grabbing that file because if passwords are wrong i get exceptions. However, i'm still getting that same exception. Any ideas what to try next?

Here is what is inside privateKey.store:

 C:\Users\Steve>keytool -list -v -keystore privateKey.store
Enter keystore password:

Keystore type: JKS
 Keystore provider: SUN

Your keystore contains 1 entry

Alias name: serverprivkey
Creation date: Nov 13, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=sven rbera, OU=application developement, O=whs, L=san hjose, ST=
 ca, C=ca
 Issuer: CN=sven rbera, OU=application developement, O=whs, L=san hjose, ST
 =ca, C=ca
 Serial number: 4ec00a18
 Valid from: Sun Nov 13 10:19:04 PST 2011 until: Sat Feb 11 10:19:04 PST 2012
 Certificate fingerprints:
     MD5:  9C:A7:2B:CE:DC:AD:5B:9C:D6:B7:71:6C:EC:91:8A:24
     SHA1: 47:8F:9B:A2:E1:31:A5:D9:F6:71:8A:CA:3F:CB:BA:FC:C7:2D:F5:A8
     Signature algorithm name: SHA1withDSA
     Version: 3

---

---

I have changed my key to now use RSA as mentioned. Additionally, i added the debug flag for SSL and have it available. Its a bit tricky to fully understand but it looks like it finds the key serverprivkey2 just fine. Then it goes into trustStore and I do not see anything in that list that looks like it came from me. I really dont know what i should be expecting to see in that section. Any ideas?

            ***
            found key for : serverprivkey2
            chain [0] = [
            [
              Version: V3
              Subject: CN=steve, OU=labarbera, O=whs, L=sj, ST=ca, C=ca
              Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

              Key:  Sun RSA public key, 1024 bits
              modulus: 140985119594686674696976228136679950023710897166974487014150510574037897724033913877362573524361519470364814271848450916151017718803985253447854099124509296799994400199293690731598145912452994962103007955337967369473821653235218532303270695076070736956288068926075705380732910518314547899958542901647381772169
              public exponent: 65537
              Validity: [From: Sun Nov 13 14:45:44 PST 2011,
                           To: Sat Feb 11 14:45:44 PST 2012]
              Issuer: CN=steve, OU=labarbera, O=whs, L=sj, ST=ca, C=ca
              SerialNumber: [    4ec04898]

            ]
              Algorithm: [SHA1withRSA]
              Signature:
            0000: C8 81 37 74 E9 7C A4 76   9F FD EC 8A 78 69 F2 A4  ..7t...v....xi..
            0010: 64 1E C9 98 FD 99 FB 48   3D E2 C5 C5 EB A3 34 1B  d......H=.....4.
            0020: 7C BE B3 E4 F7 4D 90 F1   AB A6 4D 36 97 95 9B 95  .....M....M6....
            0030: 90 C1 B9 28 9C DE A0 4A   AD C7 10 8F 06 57 A6 2B  ...(...J.....W.+
            0040: 51 45 63 73 ED 1E AF 5F   61 E2 87 1A 7C CD 4E 3F  QEcs..._a.....N?
            0050: A7 18 15 FA 73 94 58 46   62 46 42 F9 31 12 2F C7  ....s.XFbFB.1./.
            0060: 6E 6E A0 3F 17 FA A8 24   FC 68 83 88 E2 23 EF DE  nn.?...$.h...#..
            0070: E9 F5 58 AB 16 19 1B 82   72 C6 A0 A7 7E 41 36 1C  ..X.....r....A6.

            ]
            ***

trustStore is: C:\Program Files\Java\jre6\lib\security\cacerts
trustStore type is : jks
trustStore provider is : 
init truststore
adding as trusted cert:
... bunch certs none of which look familiar?

Answer 1

1.Created a CA cert with keytool and added it to file called cacerts

I can not understand what you did here.
Did you create a public/private key pair and stored it to cacerts keystore?
You should not have done that.
cacerts is meant to be used as a truststore and not as a keystore.

You should have created a new keystore and loaded that for your KeyManager to use.

The exception is ambiguous.
Either it can not find the private key in the cacerts and this could be related to the alias that you have chosen, or the certificate does not have proper extensions to be used for encryption.
I believe the alias problem is the most likely one.

I recomenend to not try to debug this.
Instead create a separate keystore for your server and load that instead.
Don't use cacert .

UPDATE: Make sure you use RSA as the key algorithm in keytool command

Answer 2

Steve, you dont have to reinvent the wheel if you just need to examine the traffic. Use one of the already available proxy servers like Paros for watching the Traffic.

Answer 3

I would normally expect to find cacerts under "C:\\Program Files\\Java\\jre6\\lib\\security". Your program is looking for it in "C:\\Program Files\\Java\\jre6\\bin".