specify ciphersuite for tls handshake
Question
In my requirement specifications it is written:
TLS implementations supporting these security frameworks shall implement at least the following ciphersuite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Java says it provides implementation of this ciphersuite at TLSv1.2 in Java7.
I am new to security, so don't know how to use it.
On my client side, i am using:
sslcontext = SSLContexts.custom()
.loadTrustMaterial(..)
.loadKeyMaterial(..)
.useProtocol("TLSv1.2")
.build();
What i have learnt from google is that client offers a range of options to server and server needs to pick on of them. Please correct me if i am wrong.
Now i want to specify it on server side, i don't know what to do If i am using jetty with secured connector:
<Call name="addConnector">
<Arg>
<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Arg>
<New class="org.eclipse.jetty.http.ssl.SslContextFactory">
<Set name="KeyStore">./etc/keystores/server.jks</Set>
<Set name="KeyStorePassword">password</Set>
<Set name="KeyManagerPassword">password</Set>
<Set name="TrustStore">./etc/keystores/trust_store.jks</Set>
<Set name="TrustStorePassword">password</Set>
<Set name="wantClientAuth">true</Set>
<Set name="needClientAuth">true</Set>
</New>
</Arg>
<Set name="port">8443</Set>
<Set name="maxIdleTime">30000</Set>
</New>
</Arg>
</Call>
it works,
if i add following, which will enable TLSv1.1:
<Set name="excludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
<Item>TLSv1.2</Item>
<Item>TLSv1</Item>
<Item>SSLv2Hello</Item>
</Array>
</Set>
it will give error:
executing requestGET https://localhost:8443/ HTTP/1.1 Exception in thread "main" javax.net.ssl.SSLHandshakeException: Server chose TLSv1.1, but that protocol version is not enabled or not supported by the client.
But if i allow only TLSv1.2, it runs:
<Set name="excludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
<Item>TLSv1.1</Item>
<Item>TLSv1</Item>
<Item>SSLv2Hello</Item>
</Array>
</Set>
But here , if i specify the protocol alongwith ciphersuite specification:
<Set name="IncludeCipherSuites">
<Array type="java.lang.String">
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
</Array>
</Set>
I get following exception:
Exception in thread "main" javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:912) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394) at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353) at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) at org.apache.http.impl.execchain.MainClientEx ec.execute(MainClientExec.java:236) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) at client.ClientCustomSSL.main(ClientCustomSSL.java:69) Caused by: java.io.EOFException: SSL peer shut down incorrectly at sun.security.ssl.InputRecord.read(InputRecord.java:352) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893) ... 16 more
Next thing i tried is using factory on client side:
SSLConnectionSocketFactory factory=new SSLConnectionSocketFactory(sslcontext, new String[]{"TLSv1.2"},sslcontext.getDefaultSSLParameters().getCipherSuites(), SSLConnectionSocketFactory.getDefaultHostnameVerifier());
And i have printed these ciphersuites on my screen.
sslcontext.getDefaultSSLParameters().getCipherSuites()
Then i have excluded all those ciphersuites except "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" , it gave me error
<Set name="ExcludeCipherSuites">
<Array type="java.lang.String">
<Item>...</Item>
<!--
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
-->
</Array>
</Set>
But if i exclude all except "TLS_RSA_WITH_AES_128_CBC_SHA256" , it worked.
<Set name="ExcludeCipherSuites">
<Array type="java.lang.String">
<Item>...</Item>
<!--
<Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
-->
</Array>
</Set>
It means some ciphersuites are supported by jetty while some are not.
Is it so?, do we have any such list. Or is there any other way to do it. Please guide. I want to use this ciphersuite for this handshake, but i don't know how to do it.
1 answers
solution1
0 ACCPTED 2015-07-02 12:46:59
As it is mentioned, i need to enable ciphersuite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 which is not working but TLS_RSA_WITH_AES_128_CBC_SHA256 works.
On further study, i got to know that it might be because of keyalgorithm used to create certificate.
I have used RSA as keyalg for certificate creation in keytool, which does not support TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 but it support TLS_RSA_WITH_AES_128_CBC_SHA256.
So, i have used EC as keyalg which supports TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.