How to avoid Diffie-Hellman for SSL connections with Java/Netty?

Tags: java, ssl, netty

I am using Netty as the backend in a Java-based Usenet client. The library is working fine; however, in some circumstances I can't connect to a remote server via SSL because of exactly this error:

Java: Why does SSL handshake give 'Could not generate DH keypair' exception?

Unfortunately, it seems that for whatever reason this Java error still has not been fixed. And since the remote server is not under my control, I need a workaround here. One such "solution", according to the link above, is to avoid DH during the SSL handshake altogether (not very pretty, but maybe better than nothing).

However, I am no SSL expert, so I am not really sure how I can implement that within Netty, or rather within my solution that is based on Netty. At the moment I am creating connections like this:

// configure the Netty client
ClientBootstrap bootstrap = new ClientBootstrap(clSockChannelFactory);

// configure the pipeline factory
bootstrap.setPipelineFactory(channelPipelineFactory);
bootstrap.setOption("tcpNoDelay", true);
bootstrap.setOption("keepAlive", true);
bootstrap.setOption("child.receiveBufferSizePredictorFactory", 
          new AdaptiveReceiveBufferSizePredictorFactory());

// start the connection attempt
InetSocketAddress isa = new InetSocketAddress(serverAddress, port);
ChannelFuture future = bootstrap.connect(isa);
...
channel = future.getChannel();
...

OK, that's fine, but where can I disable cipher suites before I connect the SSL socket, as described in the thread above?

Thanks in advance for all your help!

Kind regards, Matthias

PS: By the way, any ideas why this problem has not been addressed in Java yet?

Asked by Matthias, Nov 04 '22 02:11


1 Answer

I'm not familiar with Netty, but I would suggest following the approach in the secure chat example.

I'm not sure what default SSL/TLS keys/trust settings you have, but if you don't have a custom SSLContext, try SSLContext.getDefault().

Then, create an SSLEngine using SSLContext.createSSLEngine(). On this SSLEngine, you should be able to enable the cipher suites you want. Assuming you're using the Oracle JRE (or OpenJDK), you'll find the list of cipher suites in the Sun Provider documentation.

After this (this is the Netty-specific part), set an SslHandler using something like this (see Netty example):

pipeline.addLast("ssl", new SslHandler(engine));
Answered by Bruno, Nov 09 '22 10:11
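The steps in the answer above, put together as an added example for the Netty 3 API (org.jboss.netty, the same generation as the ClientBootstrap in the question). This is not code from the original post or from the Netty project; the class name NoDhSslPipelineFactory, the helper withoutFiniteFieldDh and the constructor parameters are my own choices. The "Could not generate DH keypair" failure the question links to comes from JSSE in Java 7 and earlier refusing DH primes larger than 1024 bits, so the filter below drops only the finite-field DH/DHE suites (including DH_anon) and deliberately keeps the ECDHE suites, which do not hit that limit and still give the connection forward secrecy. Disabling all key-exchange variants that offer forward secrecy would be a worse trade than this.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.jboss.netty.channel.ChannelPipeline;
import org.jboss.netty.channel.ChannelPipelineFactory;
import org.jboss.netty.channel.Channels;
import org.jboss.netty.handler.ssl.SslHandler;

/**
 * Pipeline factory that installs an SslHandler as the first handler, with every
 * finite-field Diffie-Hellman (DH/DHE/DH_anon) cipher suite removed from the
 * engine's enabled list. ECDHE/ECDH suites are kept on purpose.
 */
public class NoDhSslPipelineFactory implements ChannelPipelineFactory {

    private final SSLContext sslContext;
    private final String peerHost;
    private final int peerPort;

    public NoDhSslPipelineFactory(SSLContext sslContext, String peerHost, int peerPort) {
        this.sslContext = sslContext;
        this.peerHost = peerHost;
        this.peerPort = peerPort;
    }

    /** Returns the given JSSE suite names with the finite-field DH ones filtered out. */
    static String[] withoutFiniteFieldDh(String[] suites) {
        List<String> kept = new ArrayList<String>();
        for (String suite : suites) {
            // JSSE names look like TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_...,
            // TLS_DH_anon_WITH_.... The ECDHE/ECDH names contain "_ECDHE_" / "_ECDH_",
            // which do not match "_DHE_" or "_DH_", so they survive the filter.
            if (suite.contains("_DHE_") || suite.contains("_DH_")) {
                continue;
            }
            kept.add(suite);
        }
        return kept.toArray(new String[kept.size()]);
    }

    public ChannelPipeline getPipeline() throws Exception {
        // Host and port let JSSE cache the session; they are not a hostname check.
        SSLEngine engine = sslContext.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true); // we are the connecting side
        engine.setEnabledCipherSuites(withoutFiniteFieldDh(engine.getEnabledCipherSuites()));

        ChannelPipeline pipeline = Channels.pipeline();
        // The SslHandler must sit before any codec so that decoding sees plaintext.
        pipeline.addLast("ssl", new SslHandler(engine));
        // Add the NNTP line decoder/encoder and the application handler after "ssl".
        return pipeline;
    }
}
```

To wire it into the bootstrap from the question, replace the existing pipeline factory with `bootstrap.setPipelineFactory(new NoDhSslPipelineFactory(SSLContext.getDefault(), serverAddress, port));` (SSLContext.getDefault() throws NoSuchAlgorithmException, so it needs a try/catch or throws clause). With Netty 3 the handshake is not started automatically: as the secure chat example does, fetch the handler after the connect completes with `channel.getPipeline().get(SslHandler.class).handshake()` and wait on the returned ChannelFuture before sending the first NNTP command. Whether the server still accepts the connection depends on it offering at least one non-DH suite; print `engine.getEnabledCipherSuites()` once when debugging so the remaining list is visible.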