Did you turn on the low level java ssl debugging yet? (like I pointed out at your stackoverflow question)? That will tell us what's going on.
-- Joakim Erdfelt <[email protected]> webtide.com <http://www.webtide.com/> - eclipse.org/jetty - cometd.org Expert advice, services and support from from the Jetty & CometD experts On Mon, Jun 29, 2015 at 12:32 AM, Himanshu Rawal <[email protected] > wrote: > Hi, > > > In my requirement specifications it is written: > > TLS implementations supporting these security frameworks shall implement > at least the following ciphersuite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 > > Java says it provides implementation of this ciphersuite at TLSv1.2 in > Java7. > > I am new to security, so don't know how to use it. > > On my client side, i am using: > > sslcontext = SSLContexts.custom() > .loadTrustMaterial(..) > .loadKeyMaterial(..) > .useProtocol("TLSv1.2") > .build(); > > What i have learnt from google is that client offers a range of options to > server and server needs to pick on of them. Please correct me if i am wrong. > > Now i want to specify it on server side, i don't know what to do If i am > using jetty with secured connector: > > > <Call name="addConnector"> > <Arg> > <New > class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector"> > <Arg> > <New class="org.eclipse.jetty.http.ssl.SslContextFactory"> > <Set name="KeyStore">./etc/keystores/server.jks</Set> > <Set name="KeyStorePassword">password</Set> > <Set name="KeyManagerPassword">password</Set> > <Set > name="TrustStore">./etc/keystores/trust_store.jks</Set> > <Set name="TrustStorePassword">password</Set> > <Set name="wantClientAuth">true</Set> > <Set name="needClientAuth">true</Set> > </New> > </Arg> > <Set name="port">8443</Set> > <Set name="maxIdleTime">30000</Set> > </New> > </Arg> > </Call> > > it works, > > if i add following, which will enable TLSv1.1: > > <Set name="excludeProtocols"> > <Array type="java.lang.String"> > <Item>SSLv3</Item> > <Item>TLSv1.2</Item> > <Item>TLSv1</Item> > <Item>SSLv2Hello</Item> > </Array> > </Set> > > it will give error: > > > executing requestGET https://localhost:8443/ HTTP/1.1 Exception in > > thread "main" javax.net.ssl.SSLHandshakeException: Server chose > > TLSv1.1, but that protocol version is not enabled or not supported by > > the client. > > But if i allow only TLSv1.2, it runs: > > <Set name="excludeProtocols"> > <Array type="java.lang.String"> > <Item>SSLv3</Item> > <Item>TLSv1.1</Item> > <Item>TLSv1</Item> > <Item>SSLv2Hello</Item> > </Array> > </Set> > > But here , if i specify the protocol alongwith ciphersuite specification: > > <Set name="IncludeCipherSuites"> > <Array type="java.lang.String"> > <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item> > </Array> > </Set> > > I get following exception: > > > > Exception in thread "main" javax.net.ssl.SSLHandshakeException: Remote > > host closed connection during handshake at > > sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:912) at > > > sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294) > > at > > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321) > > at > > sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305) > > at > > > org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394) > > at > > > org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353) > > at > > > org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134) > > at > > > org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) > > at > > > org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) > > at > > > org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) > > at > > > org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) > > at > > org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) > > at > > > org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) > > at > > > org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) > > at > > > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) > > at > > > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) > > at client.ClientCustomSSL.main(ClientCustomSSL.java:69) Caused by: > > java.io.EOFException: SSL peer shut down incorrectly at > > sun.security.ssl.InputRecord.read(InputRecord.java:352) at > > sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893) ... > > 16 more > > Next thing i tried is using factory on client side: > > SSLConnectionSocketFactory factory=new > SSLConnectionSocketFactory(sslcontext, new > String[]{"TLSv1.2"},sslcontext.getDefaultSSLParameters().getCipherSuites(), > SSLConnectionSocketFactory.getDefaultHostnameVerifier()); > > And i have printed these ciphersuites on my screen. > > sslcontext.getDefaultSSLParameters().getCipherSuites() > > Then i have excluded all those ciphersuites except > "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" , it gave me error > > > <Set name="ExcludeCipherSuites"> > <Array type="java.lang.String"> > <Item>...</Item> > > <!-- > <Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item> > --> > </Array> > </Set> > > But if i exclude all except "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" > > > <Set name="ExcludeCipherSuites"> > <Array type="java.lang.String"> > <Item>...</Item> > <!-- > <Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item> > > --> > </Array> > </Set> > > > > Both of these ciphersuites are in list of ciphersuites I printed on client. > > Point to be noted is , both of these cipher suites are listed in java7 > with FootNote1 ( which points to TLSv1.2) > > > http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider > > It means some ciphersuites are supported by jetty while some are not. > > > Is it so?, do we have any such list. Or is there any other way to do it. > Please guide. > I want to use this ciphersuite for this handshake, but i don't know how to > do it. > > > > > > > -- > *With Regards* > Himanshu Rawal > > > _______________________________________________ > jetty-users mailing list > [email protected] > To change your delivery options, retrieve your password, or unsubscribe > from this list, visit > https://dev.eclipse.org/mailman/listinfo/jetty-users >
_______________________________________________ jetty-users mailing list [email protected] To change your delivery options, retrieve your password, or unsubscribe from this list, visit https://dev.eclipse.org/mailman/listinfo/jetty-users
