Hi,
In my requirement specifications it is written:
TLS implementations supporting these security frameworks shall implement at
least the following ciphersuite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Java says it provides implementation of this ciphersuite at TLSv1.2 in
Java7.
I am new to security, so don't know how to use it.
On my client side, i am using:
sslcontext = SSLContexts.custom()
.loadTrustMaterial(..)
.loadKeyMaterial(..)
.useProtocol("TLSv1.2")
.build();
What i have learnt from google is that client offers a range of options to
server and server needs to pick on of them. Please correct me if i am wrong.
Now i want to specify it on server side, i don't know what to do If i am
using jetty with secured connector:
<Call name="addConnector">
<Arg>
<New
class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Arg>
<New class="org.eclipse.jetty.http.ssl.SslContextFactory">
<Set name="KeyStore">./etc/keystores/server.jks</Set>
<Set name="KeyStorePassword">password</Set>
<Set name="KeyManagerPassword">password</Set>
<Set
name="TrustStore">./etc/keystores/trust_store.jks</Set>
<Set name="TrustStorePassword">password</Set>
<Set name="wantClientAuth">true</Set>
<Set name="needClientAuth">true</Set>
</New>
</Arg>
<Set name="port">8443</Set>
<Set name="maxIdleTime">30000</Set>
</New>
</Arg>
</Call>
it works,
if i add following, which will enable TLSv1.1:
<Set name="excludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
<Item>TLSv1.2</Item>
<Item>TLSv1</Item>
<Item>SSLv2Hello</Item>
</Array>
</Set>
it will give error:
> executing requestGET https://localhost:8443/ HTTP/1.1 Exception in
> thread "main" javax.net.ssl.SSLHandshakeException: Server chose
> TLSv1.1, but that protocol version is not enabled or not supported by
> the client.
But if i allow only TLSv1.2, it runs:
<Set name="excludeProtocols">
<Array type="java.lang.String">
<Item>SSLv3</Item>
<Item>TLSv1.1</Item>
<Item>TLSv1</Item>
<Item>SSLv2Hello</Item>
</Array>
</Set>
But here , if i specify the protocol alongwith ciphersuite specification:
<Set name="IncludeCipherSuites">
<Array type="java.lang.String">
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
</Array>
</Set>
I get following exception:
> Exception in thread "main" javax.net.ssl.SSLHandshakeException: Remote
> host closed connection during handshake at
> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:912) at
>
sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)
> at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)
> at
> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)
> at
>
org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
> at
>
org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
> at
>
org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
> at
>
org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
> at
>
org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
> at
>
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
> at
> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
> at
> org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
> at
> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
> at
>
org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
> at
>
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
> at
>
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
> at client.ClientCustomSSL.main(ClientCustomSSL.java:69) Caused by:
> java.io.EOFException: SSL peer shut down incorrectly at
> sun.security.ssl.InputRecord.read(InputRecord.java:352) at
> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893) ...
> 16 more
Next thing i tried is using factory on client side:
SSLConnectionSocketFactory factory=new
SSLConnectionSocketFactory(sslcontext, new
String[]{"TLSv1.2"},sslcontext.getDefaultSSLParameters().getCipherSuites(),
SSLConnectionSocketFactory.getDefaultHostnameVerifier());
And i have printed these ciphersuites on my screen.
sslcontext.getDefaultSSLParameters().getCipherSuites()
Then i have excluded all those ciphersuites except
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" , it gave me error
<Set name="ExcludeCipherSuites">
<Array type="java.lang.String">
<Item>...</Item>
<!--
<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>
-->
</Array>
</Set>
But if i exclude all except "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
<Set name="ExcludeCipherSuites">
<Array type="java.lang.String">
<Item>...</Item>
<!--
<Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>
-->
</Array>
</Set>
Both of these ciphersuites are in list of ciphersuites I printed on client.
Point to be noted is , both of these cipher suites are listed in java7 with
FootNote1 ( which points to TLSv1.2)
http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
It means some ciphersuites are supported by jetty while some are not.
Is it so?, do we have any such list. Or is there any other way to do it.
Please guide.
I want to use this ciphersuite for this handshake, but i don't know how to
do it.
--
*With Regards*
Himanshu Rawal
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from
this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
