I have been able to get a handshake established with some direct threads using the conventional InputStream/OutputStream approach, making use of the BouncyCastle crypto libraries (both BouncyCastleProvider and BouncyCastleJsseProvider are required).
However, netty seems to have no mechanism to specify use of the BouncyCastle providers when initialising the SSLContext, only allowing the default JDK Provider or the OpenSSL provider. One problem with the OpenSSL provider is that this particular algorithm is only supported in OpenSSL 1.1, not any of the 1.0.2x branches. So, I tried inserting the BouncyCastle providers at position 1, which led to problems initialising the SecureRandom instances, etc, etc.

Any thoughts on making it easy/possible to use BouncyCastle as the preferred Provider?

Thanks!

Rogan

On Tuesday, September 26, 2017 at 9:40:55 AM UTC+2, Rogan Dawes wrote:
>
> Hi,
>
> I'm trying to write a proxy to intercept CoAP connections from an embedded
> device. I am able to clone the TLS certificates that it thinks it is
> connecting to, obviously using my own keys (for the TLS server side), and
> insert the CA cert into the firmware of this device. By this, I mean that
> an ASN.1 dump of my CA certificate and the "expected" CA certificate show
> differences only in the actual key values, not any other parameters of the
> keys or certificates.
>
> However, so far I have been unable to convince netty to negotiate a
> connection using the only supported algorithm offered by the device,
> being TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8. When I do, I get handshake errors
> that the handshaker was unable to establish a common cipher suite.
>
> I have tried using the native JDK 8 options (build 1.8.0_102-b14), as well
> as tried specifying use of the Openssl provider via
>
>     sslContext = SslContextBuilder.forServer(km.getPrivateKey(target), km.getCertificateChain(target))
>             .sslContextProvider(new BouncyCastleProvider()).build();
>
> I have also tried:
>
>     sslContext = SslContextBuilder.forServer(km.getPrivateKey(target), km.getCertificateChain(target))
>             .sslProvider(SslProvider.OPENSSL).build();
>
> where km is an X509KeyManager instance that holds the relevant keys.
>
> Any suggestions?
>
> Rogan
>
> To view this discussion on the web visit https://groups.google.com/d/msgid/netty/b686c094-8a0c-4202-ad78-580ef88fcdd4%40googlegroups.com.
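The following is an added example, not code from the post above or from the netty project, showing how a practitioner would wire BouncyCastle into netty's JDK SSL path for this cipher suite. It makes three choices that the post does not: the BouncyCastle crypto provider is appended to the end of the provider list with Security.addProvider rather than inserted at position 1, so the JDK's own SecureRandom and other services stay preferred; the object handed to SslContextBuilder.sslContextProvider is the JSSE provider (org.bouncycastle.jsse.provider.BouncyCastleJsseProvider from the bctls artifact), because netty passes that provider to SSLContext.getInstance and only the JSSE provider registers an SSLContext service; and the suite is checked against the provider's own SSLEngine before netty is configured, so a missing suite fails loudly instead of surfacing later as "no common cipher suite". The class name, the method names and the key/chain parameters are assumptions for illustration; netty 4.1 and bcprov/bctls are assumed on the classpath.

```java
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/** Hypothetical helper (not netty's or BouncyCastle's own code). */
public final class BcNettyTls {

    static final String SUITE = "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8";

    /**
     * Make the BC crypto provider available without shadowing the JDK's
     * SecureRandom etc.: addProvider appends to the END of the provider
     * list, unlike insertProviderAt(..., 1). The JSSE provider is returned
     * unregistered; netty only needs the object, not a global registration.
     */
    static Provider bcJsseProvider() {
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        return new BouncyCastleJsseProvider();
    }

    /**
     * Ask the provider's own SSLEngine whether it can negotiate the suite at
     * all. Doing this before netty is involved separates "the provider lacks
     * the suite" from "netty is not using the provider I meant".
     */
    static boolean providerSupportsSuite(Provider jsse, String suite) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS", jsse);
        ctx.init(null, null, null);
        SSLEngine engine = ctx.createSSLEngine();
        return Arrays.asList(engine.getSupportedCipherSuites()).contains(suite);
    }

    /**
     * Server-side netty context restricted to the single suite the device
     * offers. sslContextProvider only has an effect on the JDK SslProvider;
     * SslProvider.OPENSSL ignores it. The cipher list goes through netty's
     * default identity filter, so an unsupported suite is an error rather
     * than being silently dropped.
     */
    static SslContext serverContext(PrivateKey key, X509Certificate[] chain) throws Exception {
        Provider jsse = bcJsseProvider();
        if (!providerSupportsSuite(jsse, SUITE)) {
            throw new IllegalStateException(
                jsse.getName() + " does not advertise " + SUITE + "; check the bctls version");
        }
        return SslContextBuilder.forServer(key, chain)
                .sslProvider(SslProvider.JDK)
                .sslContextProvider(jsse)
                .protocols("TLSv1.2")
                .ciphers(Collections.singletonList(SUITE))
                .build();
    }

    private BcNettyTls() {}
}
```

The context returned by serverContext is used exactly as any other netty SslContext (sslContext.newHandler(channel.alloc()) in the pipeline). If providerSupportsSuite returns false the problem lies with the BouncyCastle build, not with netty, and no amount of provider reordering will change the handshake outcome.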
