After a lot of R&D and googling, not able to troubleshoot my problem.
Environment Setup
Web Server (Tomcat 6.0.20) --> Proxy Server (Windows Server 2007) --> Thirdy part host
We have application, which does online payment transaction, after completion of this transaction, we want to send status of transaction to third party server. So posting data to third part server from our web server is opening 2 sockets for one transaction at proxy server, but when we check at web server it has created only one socket. SO why 2 socket at proxy server.
Below is my sample code
import javax.net.ssl.*;
import javax.net.SocketFactory;
import java.net.*;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.util.Hashtable;
import java.math.BigInteger;
import org.apache.commons.httpclient.*;
import org.apache.commons.httpclient.methods.PostMethod;
import org.apache.commons.httpclient.protocol.*;
public class HTTPPostDemo {
private String privateKey;
private String host;
private int port;
private String userName;
private Header[] headers = null;
public class MySSLSocketFactory implements SecureProtocolSocketFactory {
private TrustManager[] getTrustManager() {
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
}
};
return trustAllCerts;
}
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
TrustManager[] trustAllCerts = getTrustManager();
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
SocketFactory socketFactory = HttpsURLConnection.getDefaultSSLSocketFactory();
return socketFactory.createSocket(host, port);
} catch (Exception ex) {
throw new UnknownHostException("Problems to connect " + host + ex.toString());
}
}
public Socket createSocket(Socket socket, String host, int port, boolean flag) throws IOException, UnknownHostException {
TrustManager[] trustAllCerts = getTrustManager();
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
SocketFactory socketFactory = HttpsURLConnection.getDefaultSSLSocketFactory();
return socketFactory.createSocket(host, port);
} catch (Exception ex) {
throw new UnknownHostException("Problems to connect " + host + ex.toString());
}
}
public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort) throws IOException, UnknownHostException {
TrustManager[] trustAllCerts = getTrustManager();
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
SocketFactory socketFactory = HttpsURLConnection.getDefaultSSLSocketFactory();
return socketFactory.createSocket(host, port, clientHost, clientPort);
} catch (Exception ex) {
throw new UnknownHostException("Problems to connect " + host + ex.toString());
}
}
}
public SslClient(String host, int port, String userName, String privateKey) {
this.host = host;
this.port = port;
this.userName = userName;
this.privateKey = privateKey;
}
protected String md5Sum(String str) {
String sum = new String();
try {
MessageDigest md5 = MessageDigest.getInstance("MD5");
sum = String.format("%032x", new BigInteger(1, md5.digest(str.getBytes())));
} catch (Exception ex) {
}
return sum;
}
public String getSignature(String xml) {
return md5Sum(md5Sum(xml + privateKey) + privateKey);
}
public String sendRequest(String xml) throws Exception {
HttpClient client = new HttpClient();
client.setConnectionTimeout(60000);
client.setTimeout(60000);
String response = new String();
String portStr = String.valueOf(port);
Protocol.registerProtocol("https", new Protocol("https", new MySSLSocketFactory(), port));
String signature = getSignature(xml);
String uri = "https://" + host + ":" + portStr + "/";
PostMethod postRequest = new PostMethod(uri);
postRequest.addRequestHeader("Content-Length", String.valueOf(xml.length()));
postRequest.addRequestHeader("Content-Type", "text/xml");
postRequest.addRequestHeader("X-Signature", signature);
postRequest.addRequestHeader("X-Username", userName);
postRequest.setRequestBody(xml);
System.out.println("Sending https request....." + postRequest.toString());
try {
client.executeMethod(postRequest);
} catch (Exception ex) {
throw new TaskExecuteException("Sending post got exception ", ex);
}
response = postRequest.getResponseBodyAsString();
headers = postRequest.getRequestHeaders();
return response;
}
public String getPrivateKey() {
return privateKey;
}
public void setPrivateKey(String privateKey) {
this.privateKey = privateKey;
}
public String getHost() {
return host;
}
public void setHost(String host) {
this.host = host;
}
public int getPort() {
return port;
}
public void setPort(int port) {
this.port = port;
}
public String getUserName() {
return userName;
}
public void setUserName(String userName) {
this.userName = userName;
}
public Header[] getHeaders() {
return headers;
}
public void setHeaders(Header[] headers) {
this.headers = headers;
}
public static void main(String[] args) {
String privateKey = "your_private_key";
String userName = "your_user_name";
String host = "demo.site.net";
int port = 55443;
String xml =
"<?xml version='1.0' encoding='UTF-8' standalone='no' ?>"
+ "<!DOCTYPE OPS_envelope SYSTEM 'ops.dtd'>"
+ "<OPS_envelope>"
+ "<header>"
+ "<version>0.9</version>"
+ "<msg_id>2.21765911726198</msg_id>"
+ "<msg_type>standard</msg_type>"
+ "</header>"
+ "<body>"
+ "<data_block>"
+ "<dt_assoc>"
+ "<item key='attributes'>"
+ "<dt_assoc>"
+ "<item key='domain'>test-1061911771844.com</item>"
+ "<item key='pre-reg'>0</item>"
+ "</dt_assoc>"
+ "</item>"
+ "<item key='object'>DOMAIN</item>"
+ "<item key='action'>LOOKUP</item>"
+ "<item key='protocol'>XCP</item>"
+ "</dt_assoc>"
+ "</data_block>"
+ "</body>"
+ "</OPS_envelope>";
SslClient sslclient = new SslClient(host, port, userName, privateKey);
try {
String response = sslclient.sendRequest(xml);
System.out.println("\nResponse is:\n" + response);
} catch (Exception e) {
e.printStackTrace();
}
}
}
As in a day we are processing 10,000 + transactions, so number of socket at proxy are getting increased, so after 2-3 days, we need to do hard reboot of web server to free all the open sockets with proxy server.
Does HTTPClient, opens one socket for SSL Handshake and another for actual data post ? I don't think so. Then it should be at Web server and not at Proxy Server
For checking sockets and open ports at web server we are using netstat command.
For checking sockets and open ports at proxy server we are using proxy tool
when we check at web server it has created only one socket.
Because there is only one inbound connection to it.
SO why 2 socket at proxy server.
Because you are connecting to two different servers via the proxy server?
number of socket at proxy are getting increased, so after 2-3 days, we need to do hard reboot of web server to free all the open sockets with proxy server.
That doesn't make sense. It's the proxy server that has the dual connections, not the web server. You said that above. If the web server is running out of sockets, somebody isn't closing their connections correctly: the client, the proxy server, or the web server. Possibly your socket factory needs to override equals() and maybe hashCode() too, to enable whatever connection pooling HttpClient may do, I'm not an expert on that.
BUT your TrustManager is radically insecure. If you have this deployed in production, you have already committed a major security breach. This is currently a much bigger problem that running out of sockets every few days.
When socket ports run out, transaction timeouts occur. The solution to this problem is to tune the TIMEWAIT-related Windows registry parameters:
TcpTimedWaitDelay
MaxUserPort
StrictTimeWaitSeqCheck
The TIMEWAIT-related Windows registry parameters control how long a socket port remains unavailable after it is closed and how many ports are available for use.
By setting these windows registry parameters, I have solved this problem, but don't know, weather it is a correct solution to implement or not.
Related
I have a requirement to convert certain bash scripts to java and one such script connects to a server using openssl with a vanity-url as a parameter to check if that is connectable using that vanity-url. See command below
/usr/bin/openssl s_client -connect api.sys.found1.cf.company.com:443 -servername www.app.company.com 2>/dev/null
I wanted to do the similar activity in java and test the connectivity. Any ideas on how to make a open-ssl connection using Java .. Is this something that I need to use external Library ?
I was able to achieve this by referring the document over here
Basically, a SSLEngine needs to be created and make a successful handshake along with SNI
private SocketChannel createSocketChannel() throws IOException {
InetSocketAddress socketAddress = new InetSocketAddress(PROXY_ADDRESS, PROXY_PORT);
SocketChannel socketChannel = SocketChannel.open();
socketChannel.connect(socketAddress);
socketChannel.configureBlocking(false);
return socketChannel;
}
private SSLContext createSSLContext() throws KeyManagementException, NoSuchAlgorithmException {
SSLContext sslContext = SSLContext.getInstance(TLS_VERSION);
sslContext.init(null,null,null);
return sslContext;
}
private SSLEngine createSSLEngine() throws KeyManagementException, NoSuchAlgorithmException {
SSLContext sslContext = createSSLContext();
SSLEngine sslEngine = sslContext.createSSLEngine(PROXY_ADDRESS, PROXY_PORT);
sslEngine.setUseClientMode(true);
List<SNIServerName> serverNameList = new ArrayList<>();
serverNameList.add(new SNIHostName(SNI_HOST_NAME));
SSLParameters sslParameters = sslEngine.getSSLParameters();
sslParameters.setServerNames(serverNameList);
sslEngine.setSSLParameters(sslParameters);
return sslEngine;
}
After creating SSLEngine, the handShake has to begin
SocketChannel channel = createSocketChannel();
SSLEngine sslEngine = createSSLEngine();
doHandShake(sslEngine,channel);
private void doHandShake(SSLEngine sslEngine, SocketChannel socketChannel) throws Exception {
System.out.println("Going to do Handshake");
SSLSession session = sslEngine.getSession();
ByteBuffer myAppData = ByteBuffer.allocate(session.getApplicationBufferSize());
ByteBuffer peerAppData = ByteBuffer.allocate(session.getApplicationBufferSize());
ByteBuffer myNetData = ByteBuffer.allocate(session.getPacketBufferSize());
ByteBuffer peerNetData = ByteBuffer.allocate(session.getPacketBufferSize());
sslEngine.beginHandshake();
SSLEngineResult result;
handshakeStatus = sslEngine.getHandshakeStatus();
while (handshakeStatus != SSLEngineResult.HandshakeStatus.FINISHED &&
handshakeStatus != SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) {
switch (handshakeStatus) {
case NEED_UNWRAP:
if (! (socketChannel.read(peerNetData) <0)) {
peerNetData.flip();
result = sslEngine.unwrap(peerNetData,peerAppData);
peerNetData.compact();
handshakeStatus = result.getHandshakeStatus();
switch (result.getStatus()) {
case OK:
break;
}
}
break;
case NEED_WRAP:
myNetData.clear() ;// Empty the local network packet buffer
result = sslEngine.wrap(myAppData,myNetData);
handshakeStatus = result.getHandshakeStatus();
switch (result.getStatus()) {
case OK:
myNetData.flip();
while (myNetData.hasRemaining()) {
socketChannel.write(myNetData);
}
}
break;
case NEED_TASK:
Runnable task = sslEngine.getDelegatedTask();
if (null!=task) {
task.run();
}
handshakeStatus = sslEngine.getHandshakeStatus();
break;
}
}
Once the handShake is done. you can get the Principal object
Principal principal = sslEngine.getSession().getPeerPrincipal();
if (principal.getName().contains(SNI_HOST_NAME)) {
System.out.println("available ... ");
}else {
System.out.println("Not available");
}
call isAliasExists with your values ,
isAliasExists("api.sys.found1.cf.company.com","www.app.company.com");
Returns true if your alias (servername) is part of the cert,
private static boolean isAliasExists(String hostName, String alias) throws Exception {
String host;
int port;
String[] parts = hostName.split(":");
host = parts[0];
port = (parts.length == 1) ? 443 : Integer.parseInt(parts[1]);
// key store password
char[] passphrase = "changeit".toCharArray();
File file = new File("jssecacerts");
if (file.isFile() == false) {
char SEP = File.separatorChar;
File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP + "security");
file = new File(dir, "jssecacerts");
if (file.isFile() == false) {
file = new File(dir, "cacerts");
}
}
InputStream in = new FileInputStream(file);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(in, passphrase);
in.close();
SSLContext context = SSLContext.getInstance("TLS");
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
context.init(null, new TrustManager[] { tm }, null);
SSLSocketFactory factory = context.getSocketFactory();
SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
socket.setSoTimeout(10000);
try {
System.out.println("Starting SSL handshake...");
socket.startHandshake();
socket.close();
System.out.println("Certificate is already trusted");
} catch (SSLException e) {
e.printStackTrace();
}
X509Certificate[] chain = tm.chain;
List<String> altNames=new ArrayList<String>();
for (X509Certificate cert: chain)
{
altNames.addAll(getSubjectAltNames(cert));
}
for(String altName: altNames) {
if(altName.trim().contains(alias))
return true;
}
if (chain == null) {
System.out.println("Could not obtain server certificate chain");
return false;
}
return false;
}
Returns list of alternative names from cert,
private static List<String> getSubjectAltNames(X509Certificate certificate) throws CertificateParsingException {
List<String> result = new ArrayList<>();
try {
Collection<?> subjectAltNames = certificate.getSubjectAlternativeNames();
if (subjectAltNames == null) {
return Collections.emptyList();
}
for (Object subjectAltName : subjectAltNames) {
List<?> entry = (List<?>) subjectAltName;
if (entry == null || entry.size() < 2) {
continue;
}
Integer altNameType = (Integer) entry.get(0);
if (altNameType == null) {
continue;
}
String altName = (String) entry.get(1);
if (altName != null) {
result.add(altName);
}
}
return result;
} catch (CertificateParsingException e) {
return Collections.emptyList();
}
}
custom trust manager,
private static class SavingTrustManager implements X509TrustManager {
private final X509TrustManager tm;
private X509Certificate[] chain;
SavingTrustManager(X509TrustManager tm) {
this.tm = tm;
}
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
// throw new UnsupportedOperationException();
}
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
throw new UnsupportedOperationException();
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
this.chain = chain;
tm.checkServerTrusted(chain, authType);
}
}
Without really knowing what SNI was I tried to get some insight with the test-program shown below.
I don't know the output from the openssl s_client command, but the test-program might prove to be a starting point. When the javax.net.debug output is turned on a lot of output is dumped of which only a few lines are relevant (see also the comments). That is a bit annoying and I do not have an easy solution for that. The TrustAllServers class can be reworked to inspect the certificates you expect to receive from the server (a.ka. host) for a particular domain. There might be other options (e.g. the socket's handshake methods) but this is as far as I got.
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
// https://stackoverflow.com/questions/56005883/java-equivalent-to-openssl-s-client-command
// Please use latest Java 8 version, bugs are around in earlier versions.
public class ServerNameTest {
public static void main(String[] args) {
// SSL debug options, see https://stackoverflow.com/q/23659564/3080094 and https://access.redhat.com/solutions/973783
// System.setProperty("javax.net.debug", "all");
// System.setProperty("javax.net.debug", "ssl:handshake");
// System.setProperty("jsse.enableSNIExtension", "true"); // "true" is the default
try {
ServerNameTest sn = new ServerNameTest();
// This will show 2 different server certificate chains.
// Note this is a random server - please pick your own one.
sn.test("major.io", "rackerhacker.com");
sn.test("major.io", "major.io");
} catch (Exception e) {
e.printStackTrace();
}
System.out.println("Done");
}
/*
* With javax.net.debug output you should see something like:
* <pre>
* *** ClientHello
* ...
* Extension server_name, server_name: [type=host_name (0), value=DOMAIN;]
* ...
* *** ServerHello
* ...
* Extension server_name, server_name:
* ...
* </pre>
* Note that if the server does not provide a value for server_name,
* it does not actually mean the server does not support SNI/server_name (see https://serverfault.com/a/506303)
*/
void test(String host, String domain) throws Exception {
SSLParameters sslParams = new SSLParameters();
if (domain != null && !domain.isEmpty()) {
sslParams.setServerNames(Arrays.asList(new SNIHostName(domain)));
}
// Only for webservers: set endpoint algorithm to HTTPS
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
SSLSocketFactory sslsf = serverTrustingSSLFactory();
try (SSLSocket socket = (SSLSocket) sslsf.createSocket()) {
socket.setSSLParameters(sslParams);
socket.setSoTimeout(3_000);
System.out.println("Connecting to " + host + " for domain " + domain);
socket.connect(new InetSocketAddress(host, 443), 3_000);
// Trigger actual connection by getting the session.
socket.getSession();
System.out.println("Connected to remote " + socket.getRemoteSocketAddress());
try (BufferedReader input = new BufferedReader(new InputStreamReader(socket.getInputStream(), StandardCharsets.UTF_8))) {
try (OutputStream out = socket.getOutputStream()) {
System.out.println(">> OPTIONS");
out.write("OPTIONS * HTTP/1.1\r\n\r\n".getBytes(StandardCharsets.UTF_8));
System.out.println("<< " + input.readLine());
}
} catch (Exception e) {
System.err.println("No line read: " + e);
}
}
}
SSLSocketFactory serverTrustingSSLFactory() throws Exception {
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, trustManager(), null);
return ctx.getSocketFactory();
}
TrustManager[] trustManager() throws Exception {
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init( (KeyStore) null);
// Must use "extended" type versus the default javax.net.ssl.X509TrustManager,
// otherwise the error "No subject alternative DNS name matching" keeps showing up.
X509ExtendedTrustManager defaultManager = null;
for (TrustManager trustManager : tmf.getTrustManagers()) {
if (trustManager instanceof X509ExtendedTrustManager) {
defaultManager = (X509ExtendedTrustManager) trustManager;
break;
}
}
if (defaultManager == null) {
throw new RuntimeException("Cannot find default X509ExtendedTrustManager");
}
return new TrustManager[] { new TrustAllServers(defaultManager) };
}
static void printChain(X509Certificate[] chain) {
try {
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
System.out.println("Cert[" + i + "] " + cert.getSubjectX500Principal() + " :alt: " + cert.getSubjectAlternativeNames());
}
} catch (Exception e) {
e.printStackTrace();
}
}
static class TrustAllServers extends X509ExtendedTrustManager {
final X509ExtendedTrustManager defaultManager;
public TrustAllServers(X509ExtendedTrustManager defaultManager) {
this.defaultManager = defaultManager;
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
try {
defaultManager.checkServerTrusted(chain, authType);
} catch (Exception e) {
System.err.println("Untrusted server: " + e);
}
printChain(chain);
}
public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
try {
defaultManager.checkServerTrusted(chain, authType, socket);
} catch (Exception e) {
System.err.println("Untrusted server for socket: " + e);
}
printChain(chain);
}
public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
try {
defaultManager.checkServerTrusted(chain, authType, engine);
} catch (Exception e) {
System.err.println("Untrusted server for engine: " + e);
}
printChain(chain);
}
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
defaultManager.checkClientTrusted(chain, authType);
}
public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
defaultManager.checkClientTrusted(chain, authType, socket);
}
public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
defaultManager.checkClientTrusted(chain, authType, engine);
}
public X509Certificate[] getAcceptedIssuers() {
return defaultManager.getAcceptedIssuers();
}
}
}
I am trying to connect a Java client to a NodeJS server using GRPC on a mac OS. I am consistently getting ssl handshake issues though I can connect with a sample JS client to the NodeJS server using the same certificates. Any thoughts on how to debug this further:
server logs:
chttp2_server.c:123] Handshaking failed: {"created":"#1489747510.536841000","description":"Handshake read failed","file":"../src/core/lib/security/transport/security_handshaker.c","file_line":238,"referenced_errors":[{"created":"#1489747510.536836000","description":"Socket closed","fd":27,"file":"../src/core/lib/iomgr/tcp_posix.c","file_line":249,"target_address":"ipv4:127.0.0.1:61964"}]}
client
public class Connection implements IConnection {
private static final Logger log = LogManager.getLogger(Connection.class.getName());
private final String host;
private final int port;
public Connection(String host, int port) {
this.host = host;
this.port = port;
}
/*public ManagedChannelBuilder getInsecure() {
return ManagedChannelBuilder.forAddress(host, port)
.usePlaintext(true);
}*/
public ManagedChannelBuilder getSecure() {
ManagedChannelBuilder<?> channelBuilder = null;
Optional<SslContext> optional = getSslContext();
if (optional.isPresent()) {
final SslContext sslContext = optional.get();
log.info("building channel for connection");
channelBuilder = NettyChannelBuilder.forAddress(host, port)
.overrideAuthority("localhost")
.negotiationType(NegotiationType.TLS)
.usePlaintext(false)
.sslContext(sslContext);
}
return channelBuilder;
}
private Optional<SslContext> getSslContext() {
SslContext sslContext = null;
Optional<ICertificateRepository> optional = getCertificates();
if (optional.isPresent()) {
final ICertificateRepository certificateRepo = optional.get();
final File publicCert = certificateRepo.getPublicCert();
final File clientCert = certificateRepo.getClientCert();
final File clientKey = certificateRepo.getClientKey();
try {
java.security.Security.addProvider(
new org.bouncycastle.jce.provider.BouncyCastleProvider()
);
log.info("attempting to create the ssl context");
sslContext = GrpcSslContexts.forClient()
.startTls(true)
.sslProvider(defaultSslProvider())
.trustManager(publicCert)
.keyManager(clientCert, clientKey)
.ciphers(null) //testing
.build();
} catch (SSLException se) {
log.error("ssl exception before connection attempt {}", se);
}
}
Optional<SslContext> sslOptional = Optional.ofNullable(sslContext);
return sslOptional;
}
private Optional<ICertificateRepository> getCertificates() {
ICertificateRepository certificateRepo = null;
try {
certificateRepo = new CertificateRepository();
log.info("path: {} | {} | {}", certificateRepo.getPublicCert().getAbsolutePath(),
certificateRepo.getPublicCert().exists(), certificateRepo.getPublicCert().isFile());
log.info("clientCert: {} | {}", certificateRepo.getClientCert().getAbsolutePath(),
certificateRepo.getClientCert().exists());
log.info("clientKey: {} | {}", certificateRepo.getClientKey().getAbsolutePath(),
certificateRepo.getClientKey().exists());
} catch (Exception fe) {
log.error("unable to read SSL certificates in keys directory");
}
Optional<ICertificateRepository> optional = Optional.ofNullable(certificateRepo);
return optional;
}
private static SslProvider defaultSslProvider() {
log.info("is OpenSsl available: {}", OpenSsl.isAvailable());
return OpenSsl.isAvailable() ? SslProvider.OPENSSL : SslProvider.JDK;
}
}
the certificate file locations are correct and the cert repository is created as:
public CertificateRepository() {
final ClassLoader classLoader = getClass().getClassLoader();
try {
this.publicCert = new File(classLoader.getResource(
new StringBuilder(MonetagoProps.BASE_DIR_FOR_CERTS)
.append(TestProps.CERT_NAME)
.toString()).getFile());
this.clientCert = new File(classLoader.getResource(
new StringBuilder(MonetagoProps.BASE_DIR_FOR_CERTS)
.append(MonetagoProps.CLIENT_CERT_NAME)
.toString()).getFile());
this.clientKey = new File(classLoader.getResource(
new StringBuilder(TestProps.BASE_DIR_FOR_CERTS)
.append(TestProps.CLIENT_KEY_NAME)
.toString()).getFile());
} catch (Exception fe) {
log.error("unable to read ssl certificate files for testConnection");
throw new IllegalStateException("unable to read ssl certificate files for test Connection");
}
}
I simply commented out the usePlaintext(false) call on the channel builder and was able to establish the SSL connection with the server.
channelBuilder = NettyChannelBuilder.forAddress(host, port)
.overrideAuthority("localhost")
.negotiationType(NegotiationType.TLS)
**//.usePlaintext(false)**
.sslContext(sslContext);
I've created a class which deal with HTTP proxy to connect with remote server for web services. Deployed on Tomcat 6, on Windows server 2008 and called in servlet.
It is working perfectly with $CATALINA_HOME\bin\tomcat6.exe, i.e. on cmd.
It couldn't go through proxy with windows service utility, i.e. $CATALINA_HOME\bin\tomcat6w.exe.
Both are reading same configurations, but behaving differently while establishing connection with remote server through proxy.
I've found few way to get proxy settings, as follows:
Proxy Vole utility jar (proxy-vole_20131209.jar).
java.net.useSystemProxies set to true and fetch proxy info.
Reading PAC with Java code (deploy.jar).
Passing constant hostname/IP and port.
All of the above work well with $CATALINA_HOME\bin\tomcat6.exe, other then PAC reading as it fetches private IP instead or public IP (well can ignore for now as long as I know exact hostname and port).
Note: there is no proxy credentials I've found and it is working without it as well from cmd.
But when I try to run it with tomcat windows service utility, i.e. $CATALINA_HOME\bin\tomcat6w.exe it fails to connect remote server and throws exception:
java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
Please find my Class, it retry each case one by one all above mentioned (PAC one skipped).
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.SocketAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.net.URLConnection;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import com.btr.proxy.search.ProxySearch;
import com.btr.proxy.search.ProxySearch.Strategy;
import com.btr.proxy.util.PlatformUtil;
import com.btr.proxy.util.PlatformUtil.Platform;
import com.sun.deploy.net.proxy.BrowserProxyInfo;
import com.sun.deploy.net.proxy.DummyAutoProxyHandler;
import com.sun.deploy.net.proxy.ProxyConfigException;
import com.sun.deploy.net.proxy.ProxyInfo;
import com.sun.deploy.net.proxy.ProxyType;
public class ProxyPacManager {
public static void main(String args[]) throws Exception{
getProxy();
}
public static Proxy getProxy(){
String almProtocol = Constants.getPropereties().getProperty("dashboard.alm.protocol");
String almHost = Constants.getPropereties().getProperty("dashboard.alm.host");
String almPort = Constants.getPropereties().getProperty("dashboard.alm.port");
String urlStr = almProtocol+almHost+":"+almPort;
Proxy proxy = null;
List<Proxy> proxyList = null;
String successMsg = "Proxy not found.";
try{
System.out.println("Trying to connect through Proxy Vole plugin.");
proxyList = getSSLCertificateAutoProxy(urlStr);
proxy = getProxyTested(proxyList, urlStr);
successMsg="Successfully connected through Proxy Vole plugin.";
} catch(Exception ex){
System.out.println("Proxy Vole plugin didn't work."+ex.getMessage());
try{
System.out.println("Trying to connect through java.net.useSystemProxies Proxy.");
proxyList = getSSLCertificateSysProxy(urlStr);
proxy = getProxyTested(proxyList, urlStr);
successMsg="Successfully connected through java.net.useSystemProxies Proxy.";
} catch(Exception ex1){
System.out.println("java.net.useSystemProxies didn't work."+ex1.getMessage());
try{
/*System.out.println("Trying to connect through PAC Proxy.");
proxyList = getSSLCertificatePACProxy(urlStr);
proxy = getProxyTested(proxyList, urlStr);
successMsg="Successfully connected through PAC Proxy.";*/
throw new Exception("Bypass PAC Proxy for testing.");
}catch(Exception ex2){
System.out.println("PAC Proxy read didn't work."+ex2.getMessage());
try{
System.out.println("Trying to connect through Constant Proxy.");
proxyList = getSSLCertificateConstantProxy();
proxy = getProxyTested(proxyList, urlStr);
successMsg="Successfully connected through Constant Proxy.";
}catch(Exception ex3){
System.out.println("Constant Proxy read didn't work."+ex3.getMessage());
proxyList = new ArrayList<Proxy>();
proxyList.add(Proxy.NO_PROXY);
proxy = getProxyTested(proxyList, urlStr);
successMsg = "Connected with NO_PROXY";
}
}
}
}
System.out.println(successMsg);
return proxy;
}
private static Proxy getProxyTested(List<Proxy> proxyList, String urlStr){
if (proxyList != null && !proxyList.isEmpty()) {
for (Proxy proxy : proxyList) {
SocketAddress address = proxy.address();
if (address instanceof InetSocketAddress) {
System.out.println("Trying to connect through proxy: "+((InetSocketAddress) address).getHostName()+":"+((InetSocketAddress) address).getPort());
try {
URLConnection connection = new URL(urlStr).openConnection(proxy);
connection.connect();
System.out.println("Connected through proxy: "+((InetSocketAddress) address).getHostName()+":"+((InetSocketAddress) address).getPort());
return proxy;
} catch (MalformedURLException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
}
}
}
return null;
}
private static List<Proxy> getSSLCertificateConstantProxy() throws Exception{
setCertificate();
List<Proxy> proxyList = new ArrayList<Proxy>();
String proxyHost = Constants.getPropereties().getProperty("dashboard.alm.proxy.host");
InetAddress hostIp = InetAddress.getByName(proxyHost);
int proxyPort = Integer.parseInt(Constants.getPropereties().getProperty("dashboard.alm.proxy.port"));
//Create your proxy and setup authentication for it.
Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(hostIp.getHostAddress(), proxyPort));
//Setup authentication for your proxy.
/*Authenticator.setDefault(new Authenticator() {
#Override
protected PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication("<user>", "<password>".toCharArray());
}
});*/
proxyList.add(proxy);
return proxyList;
}
private static void setCertificate() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, KeyManagementException{
//First, load the key store file
String jksFile = Constants.getPropereties().getProperty("dashboard.alm.certificate");
InputStream trustStream = new FileInputStream(jksFile);
String jksPass = Constants.getPropereties().getProperty("dashboard.alm.certificate.pass");
char[] trustPassword = jksPass.toCharArray();
//Initialize a KeyStore
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(trustStream, trustPassword);
//Initialize TrustManager objects.
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(trustStore);
TrustManager[] trustManagers = trustFactory.getTrustManagers();
//Create a new SSLContext, load the TrustManager objects into it and set it as default.
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, trustManagers, null);
SSLContext.setDefault(sslContext);
}
private static ProxyInfo[] getProxyInfo(String urlStr) throws ProxyConfigException, MalformedURLException{
String proxypac = Constants.getPropereties().getProperty("dashboard.alm.proxy.pac");
BrowserProxyInfo b = new BrowserProxyInfo();
/*WDefaultBrowserProxyConfig wd = new WDefaultBrowserProxyConfig();
BrowserProxyInfo b = wd.getBrowserProxyInfo(); */
b.setType(ProxyType.AUTO);
b.setAutoConfigURL(proxypac);
DummyAutoProxyHandler handler = new DummyAutoProxyHandler();
handler.init(b);
URL url = new URL(urlStr);
ProxyInfo[] ps = handler.getProxyInfo(url);
return ps;
}
public static List<Proxy> getSSLCertificateAutoProxy(String urlStr) throws Exception{
setCertificate();
/*ProxySearch proxySearch = ProxySearch.getDefaultProxySearch();*/
ProxySearch proxySearch = new ProxySearch();
proxySearch.setPacCacheSettings(32, 1000*60*5);
if (PlatformUtil.getCurrentPlattform() == Platform.WIN) {
proxySearch.addStrategy(Strategy.IE);
proxySearch.addStrategy(Strategy.FIREFOX);
proxySearch.addStrategy(Strategy.JAVA);
} else if (PlatformUtil.getCurrentPlattform() == Platform.LINUX) {
proxySearch.addStrategy(Strategy.GNOME);
proxySearch.addStrategy(Strategy.KDE);
proxySearch.addStrategy(Strategy.FIREFOX);
} else {
proxySearch.addStrategy(Strategy.OS_DEFAULT);
}
ProxySelector proxySelector = proxySearch.getProxySelector();
/*BufferedProxySelector cachedSelector = new BufferedProxySelector(32, 1000*60*5, proxySelector);*/
ProxySelector.setDefault(proxySelector);
//ProxySelector.setDefault(cachedSelector);
URI home = URI.create(urlStr);
//List<Proxy> proxyList = cachedSelector.select(home);
List<Proxy> proxyList = proxySelector.select(home);
return proxyList;
}
public static List<Proxy> getSSLCertificatePACProxy(String urlStr) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, KeyManagementException, ProxyConfigException{
List<Proxy> proxyList = new ArrayList<Proxy>();
setCertificate();
ProxyInfo[] ps = getProxyInfo(urlStr);
for(ProxyInfo p: ps){
String proxyHost = p.getProxy();
int proxyPort = p.getPort();
//Create your proxy and setup authentication for it.
Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, proxyPort));
//Setup authentication for your proxy.
/*Authenticator.setDefault(new Authenticator() {
#Override
protected PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication("<user>", "<password>".toCharArray());
}
});*/
proxyList.add(proxy);
}
return proxyList;
}
public static List<Proxy> getSSLCertificateSysProxy(String urlStr) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, KeyManagementException, ProxyConfigException, URISyntaxException{
setCertificate();
System.setProperty("java.net.useSystemProxies","true");
List<Proxy> proxyList = ProxySelector.getDefault().select(new URI(urlStr));
return proxyList;
}
}
Failure output of the class,
Trying to connect through java.net.useSystemProxies Proxy.
java.net.useSystemProxies didn't work.null
PAC Proxy read didn't work.Bypass PAC Proxy for testing.
Trying to connect through Constant Proxy.
Trying to connect through proxy: XX.XX.XXX.XX:8080 [Masked for security reasons]
java.io.IOException: Unable to tunnel through proxy. Proxy returns "HTTP/1.1 407 Proxy Authentication Required"
Please help me to get through the proxy with Tomcat 6 windows service utility.
Note: Windows security policy:
Network security: LAN Manager authentication level = Send NTLM response only
Please if someone have any solution for the issue let me know, ASAP.
I'll break the code for more understanding:
Get proxy by Proxy vole plugin/jar
public static List<Proxy> getSSLCertificateAutoProxy(String urlStr) throws Exception{
setCertificate();
/*ProxySearch proxySearch = ProxySearch.getDefaultProxySearch();*/
ProxySearch proxySearch = new ProxySearch();
proxySearch.setPacCacheSettings(32, 1000*60*5);
if (PlatformUtil.getCurrentPlattform() == Platform.WIN) {
proxySearch.addStrategy(Strategy.IE);
proxySearch.addStrategy(Strategy.FIREFOX);
proxySearch.addStrategy(Strategy.JAVA);
} else if (PlatformUtil.getCurrentPlattform() == Platform.LINUX) {
proxySearch.addStrategy(Strategy.GNOME);
proxySearch.addStrategy(Strategy.KDE);
proxySearch.addStrategy(Strategy.FIREFOX);
} else {
proxySearch.addStrategy(Strategy.OS_DEFAULT);
}
ProxySelector proxySelector = proxySearch.getProxySelector();
/*BufferedProxySelector cachedSelector = new BufferedProxySelector(32, 1000*60*5, proxySelector);*/
ProxySelector.setDefault(proxySelector);
//ProxySelector.setDefault(cachedSelector);
URI home = URI.create(urlStr);
//List<Proxy> proxyList = cachedSelector.select(home);
List<Proxy> proxyList = proxySelector.select(home);
return proxyList;
}
Get Proxy using java.net.useSystemProxies
public static List<Proxy> getSSLCertificateSysProxy(String urlStr) throws Exception{
setCertificate();
System.setProperty("java.net.useSystemProxies","true");
List<Proxy> proxyList = ProxySelector.getDefault().select(new URI(urlStr));
return proxyList;
}
Get proxy from PAC:
public static List<Proxy> getSSLCertificatePACProxy(String urlStr) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, KeyManagementException, ProxyConfigException{
setCertificate();
List<Proxy> proxyList = new ArrayList<Proxy>();
String proxypac = "<http://mydomain/proxy.pac>";
BrowserProxyInfo b = new BrowserProxyInfo();
/*WDefaultBrowserProxyConfig wd = new WDefaultBrowserProxyConfig();
BrowserProxyInfo b = wd.getBrowserProxyInfo(); */
b.setType(ProxyType.AUTO);
b.setAutoConfigURL(proxypac);
DummyAutoProxyHandler handler = new DummyAutoProxyHandler();
handler.init(b);
URL url = new URL(urlStr);
ProxyInfo[] ps = handler.getProxyInfo(url);
for(ProxyInfo p: ps){
String proxyHost = p.getProxy();
int proxyPort = p.getPort();
//Create your proxy and setup authentication for it.
Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, proxyPort));
//Setup authentication for your proxy.
/*Authenticator.setDefault(new Authenticator() {
#Override
protected PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication("<user>", "<password>".toCharArray());
}
});*/
proxyList.add(proxy);
}
return proxyList;
}
Get proxy by directly passing known proxy hostname and port
private static List<Proxy> getSSLCertificateConstantProxy() throws Exception{
setCertificate();
List<Proxy> proxyList = new ArrayList<Proxy>();
String proxyHost = "<myproxy.hostname>";
InetAddress hostIp = InetAddress.getByName(proxyHost);
int proxyPort = Integer.parseInt("<myProxyPort>"));
//Create your proxy and setup authentication for it.
Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(hostIp.getHostAddress(), proxyPort));
//Setup authentication for your proxy.
/*Authenticator.setDefault(new Authenticator() {
#Override
protected PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication("<user>", "<password>".toCharArray());
}
});*/
proxyList.add(proxy);
return proxyList;
}
Since Android 5.0.2 or 5.1.1 on Samsung devices my Android app receive error message when connecting web interface of old router "FRITZ!Box 7170".
javax.net.ssl.SSLProtocolException: SSL handshake aborted:
ssl=0xaecc7e00: Failure in SSL library, usually a protocol error
error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:got Channel
ID before a ccs (external/openssl/ssl/s3_clnt.c:3632
0xaf0e1679:0x00000000)
If I connect same interface with Firefox Browser:
ssl_error_weak_server_ephemeral_dh_key
I think it is because of unsafe Diffie-Hellman key length?
How to avoid this? I am using HTTPClient to make the connection.
I have a same problem.
The reason was a samsung security update, which has change a default cipher suite array given by SSLSocketFactory. Apropos if you take a nexus device with android M on it, you will see this error message
ssl_error_weak_server_ephemeral_dh_key
On samsung devices it is a
SSL3_CHECK_CERT_AND_ALGORITHM
The solution for me was to override cipher suites array. Here is my SSLSocketFactory, which I use to create ssl sockets.
public class SpeedportSSLSocketFactory extends SSLSocketFactory {
private final static Logger logger = Logger.getLogger(SpeedportSSLSocketFactory.class);
/**
* the order of ciphers in this list is important here e.g. TLS_DHE_* must not stay above TLS_RSA_*
*/
private static final String[] APPROVED_CIPHER_SUITES = new String[]{
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
};
private SSLSocketFactory factory;
public SpeedportSSLSocketFactory() {
try {
SSLContext sslcontext = SSLContext.getInstance("TLS");
sslcontext.init(null, new TrustManager[]{
// accepts certs with valid but expired key chain (incl. root cert)
new ExpiredSpeedportTrustManager()}, new java.security.SecureRandom());
factory = sslcontext.getSocketFactory();
} catch (Exception ex) {
logger.error("Cannot create SpeedportSSLSocketFactory", ex);
}
}
// dirty
private void injectHostname(InetAddress address, String host) {
try {
Field field = InetAddress.class.getDeclaredField("hostName");
field.setAccessible(true);
field.set(address, host);
} catch (Exception ignored) {
logger.error("Cannot inject hostName");
}
}
public static SocketFactory getDefault() {
return new SpeedportSSLSocketFactory();
}
public Socket createSocket() throws IOException {
return factory.createSocket();
}
public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
return factory.createSocket(socket, host, port, autoClose);
}
public Socket createSocket(InetAddress addr, int port, InetAddress localAddr, int localPort) throws IOException {
return factory.createSocket(addr, port, localAddr, localPort);
}
public Socket createSocket(InetAddress inaddr, int i) throws IOException {
return factory.createSocket(inaddr, i);
}
public Socket createSocket(String host, int port, InetAddress localAddr, int localPort) throws IOException {
return factory.createSocket(host, port, localAddr, localPort);
}
public Socket createSocket(String host, int port) throws IOException {
InetAddress addr = InetAddress.getByName(host);
injectHostname(addr, host);
Socket socket = factory.createSocket(addr, port);
((SSLSocket) socket).setEnabledCipherSuites(getSupportedCipherSuites());
return socket;
}
#Override
public String[] getDefaultCipherSuites() {
return APPROVED_CIPHER_SUITES;
}
#Override
public String[] getSupportedCipherSuites() {
return APPROVED_CIPHER_SUITES;
}
}
Last two methods override default cipher suite. I am not sure, what you need override both.
The order in cipher suites array is also very important
I'm trying to make an https server on Android with a programmatically generated self signed certificate. I feel like I'm pretty close but I still can't connect to the https server. When I attempt to connect to the server with openssl I get the following:
openssl s_client -connect 192.168.1.97:8888
CONNECTED(00000003)
2895:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-50/src/ssl/s23_clnt.c:602:
The code is the following:
public class HttpsHello {
private static String domainName = "localhost";
static {
Security.addProvider(new BouncyCastleProvider());
}
public static void test(String[] args) {
try {
KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024);
KeyPair KPair = keyPairGenerator.generateKeyPair();
X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
int ran = new SecureRandom().nextInt();
if (ran < 0) ran = ran * -1;
BigInteger serialNumber = BigInteger.valueOf(ran);
v3CertGen.setSerialNumber(serialNumber);
v3CertGen.setIssuerDN(new X509Principal("CN=" + domainName + ", OU=None, O=None L=None, C=None"));
v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30));
v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365 * 10)));
v3CertGen.setSubjectDN(new X509Principal("CN=" + domainName + ", OU=None, O=None L=None, C=None"));
v3CertGen.setPublicKey(KPair.getPublic());
// v3CertGen.setSignatureAlgorithm("MD5WithRSAEncryption");
v3CertGen.setSignatureAlgorithm("SHA1WithRSAEncryption");
X509Certificate pkcert = v3CertGen.generateX509Certificate(KPair.getPrivate());
// FileOutputStream fos = new FileOutputStream("/path/to/testCert.cert");
// fos.write(pkcert.getEncoded());
// fos.close();
ByteArrayInputStream cert = new ByteArrayInputStream(pkcert.getEncoded());
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null);
ks.setCertificateEntry("localhost", pkcert);
// ks.load(cert,null);
KeyManagerFactory kmf =
KeyManagerFactory.getInstance("X509");
kmf.init(ks, null);
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(kmf.getKeyManagers(), null, null);
SSLServerSocketFactory ssf = sc.getServerSocketFactory();
SSLServerSocket s
= (SSLServerSocket) ssf.createServerSocket(8888);
s.setEnabledCipherSuites(s.getSupportedCipherSuites());
// s.setEnabledCipherSuites(new String[]{"SSL_DH_anon_WITH_RC4_128_MD5"});
// s.setEnabledCipherSuites(new String[]{"SHA1WithRSAEncryption"});
System.out.println("Server started:");
printServerSocketInfo(s);
// Listening to the port
SSLSocket c = (SSLSocket) s.accept();
printSocketInfo(c);
BufferedWriter w = new BufferedWriter(
new OutputStreamWriter(c.getOutputStream()));
BufferedReader r = new BufferedReader(
new InputStreamReader(c.getInputStream()));
String m = r.readLine();
w.write("HTTP/1.0 200 OK");
w.newLine();
w.write("Content-Type: text/html");
w.newLine();
w.newLine();
w.write("<html><body>Hello world!</body></html>");
w.newLine();
w.flush();
w.close();
r.close();
c.close();
} catch (Exception e) {
e.printStackTrace();
}
}
private static void printSocketInfo(SSLSocket s) {
System.out.println("Socket class: " + s.getClass());
System.out.println(" Remote address = "
+ s.getInetAddress().toString());
System.out.println(" Remote port = " + s.getPort());
System.out.println(" Local socket address = "
+ s.getLocalSocketAddress().toString());
System.out.println(" Local address = "
+ s.getLocalAddress().toString());
System.out.println(" Local port = " + s.getLocalPort());
System.out.println(" Need client authentication = "
+ s.getNeedClientAuth());
SSLSession ss = s.getSession();
System.out.println(" Cipher suite = " + ss.getCipherSuite());
System.out.println(" Protocol = " + ss.getProtocol());
}
private static void printServerSocketInfo(SSLServerSocket s) {
System.out.println("Server socket class: " + s.getClass());
System.out.println(" Socker address = "
+ s.getInetAddress().toString());
System.out.println(" Socker port = "
+ s.getLocalPort());
System.out.println(" Need client authentication = "
+ s.getNeedClientAuth());
System.out.println(" Want client authentication = "
+ s.getWantClientAuth());
System.out.println(" Use client mode = "
+ s.getUseClientMode());
}
}
Thank you.
EDIT: I looked at two keytool generated keystores, one which worked and one that didn't. The one keystore which works has an entry in there for a PrivateKeyEntry where as the one which doesn't work has a trustedCertEntry. I then changed this code to print out the entry for the "localhost" alias and below is what I got, I'm guessing the issue is that it is a Trusted certificate entry and not a private key entry. How do I change that?
Trusted certificate entry:
[0] Version: 3
SerialNumber: 752445443
IssuerDN: CN=localhost,OU=None,O=None L,C=None
Start Date: Mon May 26 09:17:01 CDT 2014
Final Date: Sat Jun 22 09:17:01 CDT 2024
SubjectDN: CN=localhost,OU=None,O=None L,C=None
Public Key: RSA Public Key
modulus: b75870cd29db79f8c015d440a27cc1e81c9dd829268efa2ce48efc596b33e9c60e1d1621e10aba34472b6f7890b16392db021c0358e665b1bf58a426fbc47e7c135da583e4cd6bb9c69668ee4ff1e05b1de8e7f5fb5604044a1087ac0181ba09f61ab5345d9be5d930889b7c328329d0d18cf53f4c5af6bff1f0e488744ea1fb
public exponent: 10001
Signature Algorithm: SHA1WITHRSA
Signature: 83df0e761e9df2e61d5354ca58379975e0d97fcd
5201f8904b695d7bdbe08c5dfdfb8bcd6447657c
19740797a66314b2547a45985166c11ebadc16c6
c24b8e1d3c5de83ec1ac2c1c1092c3d06ed33408
4cf2811c5f9dba8a9d3ef0dcb8fef760e4d1d704
8fbb60eaa83eec23426fb9d8589e859a21a5ecce
951901f8e16ab6cd
s.setEnabledCipherSuites(s.getSupportedCipherSuites());
Remove this line.
The handshake failure usually means there's no shared cipher suite:
2895:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
SSL_NULL_WITH_NULL_NULL looks like its both eNULL and aNULL. Did BouncyCastle not load any ciphers?
Below is the code I use for a hardened SSLSocketFactoryEx. It only provides TLS (getInstance("TLS")will still return a SSLv3 socket), and it only provides approved cipher suites (approved by me). Its not enough to provide approved ciphers - the list must intersect with what's available else there's an exception. There are a few fallback cipher suites to ensure a shared cipher suite between old servers like those provided by Microsoft.
import java.util.List;
import java.util.Arrays;
import java.util.ArrayList;
import java.io.IOException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.net.Socket;
import java.net.InetAddress;
import javax.net.SocketFactory;
import javax.net.ssl.KeyManager;
import javax.net.ssl.TrustManager;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
class SSLSocketFactoryEx extends SSLSocketFactory
{
public SSLSocketFactoryEx() throws NoSuchAlgorithmException, KeyManagementException
{
initSSLSocketFactoryEx(null,null,null);
}
public SSLSocketFactoryEx(KeyManager[] km, TrustManager[] tm, SecureRandom random) throws NoSuchAlgorithmException, KeyManagementException
{
initSSLSocketFactoryEx(km, tm, random);
}
public SSLSocketFactoryEx(SSLContext ctx) throws NoSuchAlgorithmException, KeyManagementException
{
initSSLSocketFactoryEx(ctx);
}
public String[] getDefaultCipherSuites()
{
return m_ciphers;
}
public String[] getSupportedCipherSuites()
{
return m_ciphers;
}
public String[] getDefaultProtocols()
{
return m_protocols;
}
public String[] getSupportedProtocols()
{
return m_protocols;
}
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException
{
SSLSocketFactory factory = m_ctx.getSocketFactory();
SSLSocket ss = (SSLSocket)factory.createSocket(s, host, port, autoClose);
ss.setEnabledProtocols(m_protocols);
ss.setEnabledCipherSuites(m_ciphers);
return ss;
}
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException
{
SSLSocketFactory factory = m_ctx.getSocketFactory();
SSLSocket ss = (SSLSocket)factory.createSocket(address, port, localAddress, localPort);
ss.setEnabledProtocols(m_protocols);
ss.setEnabledCipherSuites(m_ciphers);
return ss;
}
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException
{
SSLSocketFactory factory = m_ctx.getSocketFactory();
SSLSocket ss = (SSLSocket)factory.createSocket(host, port, localHost, localPort);
ss.setEnabledProtocols(m_protocols);
ss.setEnabledCipherSuites(m_ciphers);
return ss;
}
public Socket createSocket(InetAddress host, int port) throws IOException
{
SSLSocketFactory factory = m_ctx.getSocketFactory();
SSLSocket ss = (SSLSocket)factory.createSocket(host, port);
ss.setEnabledProtocols(m_protocols);
ss.setEnabledCipherSuites(m_ciphers);
return ss;
}
public Socket createSocket(String host, int port) throws IOException
{
SSLSocketFactory factory = m_ctx.getSocketFactory();
SSLSocket ss = (SSLSocket)factory.createSocket(host, port);
ss.setEnabledProtocols(m_protocols);
ss.setEnabledCipherSuites(m_ciphers);
return ss;
}
private void initSSLSocketFactoryEx(KeyManager[] km, TrustManager[] tm, SecureRandom random)
throws NoSuchAlgorithmException, KeyManagementException
{
m_ctx = SSLContext.getInstance("TLS");
m_ctx.init(km, tm, random);
m_protocols = GetProtocolList();
m_ciphers = GetCipherList();
}
private void initSSLSocketFactoryEx(SSLContext ctx)
throws NoSuchAlgorithmException, KeyManagementException
{
m_ctx = ctx;
m_protocols = GetProtocolList();
m_ciphers = GetCipherList();
}
protected String[] GetProtocolList()
{
String[] preferredProtocols = { "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" };
String[] availableProtocols = null;
SSLSocket socket = null;
try
{
SSLSocketFactory factory = m_ctx.getSocketFactory();
socket = (SSLSocket)factory.createSocket();
availableProtocols = socket.getSupportedProtocols();
Arrays.sort(availableProtocols);
}
catch(Exception e)
{
return new String[]{ "TLSv1" };
}
finally
{
if(socket != null)
socket.close();
}
List<String> aa = new ArrayList<String>();
for(int i = 0; i < preferredProtocols.length; i++)
{
int idx = Arrays.binarySearch(availableProtocols, preferredProtocols[i]);
if(idx >= 0)
aa.add(preferredProtocols[i]);
}
return aa.toArray(new String[0]);
}
protected String[] GetCipherList()
{
String[] preferredCiphers = {
// *_CHACHA20_POLY1305 are 3x to 4x faster than existing cipher suites.
// http://googleonlinesecurity.blogspot.com/2014/04/speeding-up-and-strengthening-https.html
// Use them if available. Normative names can be found at (TLS spec depends on IPSec spec):
// http://tools.ietf.org/html/draft-nir-ipsecme-chacha20-poly1305-01
// http://tools.ietf.org/html/draft-mavrogiannopoulos-chacha-tls-02
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_SHA",
"TLS_ECDHE_RSA_WITH_CHACHA20_SHA",
"TLS_DHE_RSA_WITH_CHACHA20_POLY1305",
"TLS_RSA_WITH_CHACHA20_POLY1305",
"TLS_DHE_RSA_WITH_CHACHA20_SHA",
"TLS_RSA_WITH_CHACHA20_SHA",
// Done with bleeding edge, back to TLS v1.2 and below
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
// TLS v1.0 (with some SSLv3 interop)
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
"SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA",
"SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA",
// RSA key transport sucks, but they are needed as a fallback.
// For example, microsoft.com fails under all versions of TLS
// if they are not included. If only TLS 1.0 is available at
// the client, then google.com will fail too. TLS v1.3 is
// trying to deprecate them, so it will be interesteng to see
// what happens.
"TLS_RSA_WITH_AES_256_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA"
};
String[] availableCiphers = null;
try
{
SSLSocketFactory factory = m_ctx.getSocketFactory();
availableCiphers = factory.getSupportedCipherSuites();
Arrays.sort(availableCiphers);
}
catch(Exception e)
{
return new String[] {
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
};
}
List<String> aa = new ArrayList<String>();
for(int i = 0; i < preferredCiphers.length; i++)
{
int idx = Arrays.binarySearch(availableCiphers, preferredCiphers[i]);
if(idx >= 0)
aa.add(preferredCiphers[i]);
}
aa.add("TLS_EMPTY_RENEGOTIATION_INFO_SCSV");
return aa.toArray(new String[0]);
}
private SSLContext m_ctx;
private String[] m_ciphers;
private String[] m_protocols;
}