How to specify the ciphersuite to be used in SSL session

I have created a socket on port 443 as in the following line:

socket = (SSLSocket) factory.createSocket(hostName, port);

Then I wanted to see the enabled ciphersuites in this socket, so I used:

String[] enCiphersuite=socket.getEnabledCipherSuites();
System.out.println("Enabled ciphersuites are: "+Arrays.toString(enCiphersuite));

Then, I want to pick only one ciphersuite that I want my application to use when performing the handshake with the remote server. I did the following:

String pickedCipher[] ={"TLS_RSA_WITH_AES_128_CBC_SHA"}; 
socket.setEnabledCipherSuites(pickedCipher);
System.out.println("ciphersuite set to: "+Arrays.toString(pickedCipher));

Then I made the handshake, and checked the session ciphersuite:

socket.startHandshake();
System.out.println("Session ciphersuite is"+socket.getSession().getCipherSuite() );

But I found that the name of the cipher printed in the previous printout statement after the handshake (as I understand, this is the cipher actually used in the session) is not what I set earlier using setEnabledCipherSuites().

Why do I still not see my chosen ciphersuite as the one used? Also, I tried to call getEnabledCipherSuites() and print it out after I called setEnabledCipherSuites() and found the list has not changed to what I set. When I print the enabled ciphersuites, I am not sure whether this list depends on Java and is always the same, or depends on the client or on the server. Can anybody explain?

EDIT: Before the handshake I only have the following lines:

SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory(); 
SSLSocket socket=null;
try {
socket = (SSLSocket) factory.createSocket(hostName, port);
socket.setSoTimeout(15000); 
socket.startHandshake(); //handshake
.
.
user1810868 asked Dec 18 '12 23:12



1 Answer

I found out that I added socket.getsession() before the setEnableCipherSuite() in order to print out the enabled ciphers before setting them. When I removed it, the cipher has been set. Why is that?

As documented in the SSLSocket JavaDoc:

The initial handshake on this connection can be initiated in one of three ways:

  • calling startHandshake which explicitly begins handshakes, or
  • any attempt to read or write application data on this socket causes an implicit handshake, or
  • a call to getSession tries to set up a session if there is no currently valid session, and an implicit handshake is done.

If you call getSession() before calling setEnabledCipherSuites(), the handshake has already been done when you try to set the enabled cipher suites, so this session's cipher suite has already been selected.

Bruno answered Sep 27 '22 18:09
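The ordering described in the answer, as an added Java example that is not part of the original question or answer: the suite is restricted before any call that can trigger a handshake, and the negotiated suite is checked afterwards. The class name, the method name and the host and port read from the command line are assumptions; the default suite is the one from the question.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class PinCipherSuite {  // hypothetical class name

    // Connects to host:port, offers exactly one suite, returns the negotiated suite.
    static String handshakeWith(String host, int port, String suite) throws IOException {
        SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
        // createSocket() opens the TCP connection; the TLS handshake has not started yet.
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(15000);

            // These getters only read local JSSE configuration; nothing is negotiated yet,
            // so they are safe to call before restricting the suites.
            if (!Arrays.asList(socket.getSupportedCipherSuites()).contains(suite)) {
                throw new IllegalArgumentException("Not supported by this runtime: " + suite);
            }
            System.out.println("Enabled before: " + Arrays.toString(socket.getEnabledCipherSuites()));

            // Restrict the offer BEFORE startHandshake(), getSession() or any read/write.
            // Calling getSession() above this line would handshake with the default list.
            socket.setEnabledCipherSuites(new String[] { suite });
            System.out.println("Enabled after:  " + Arrays.toString(socket.getEnabledCipherSuites()));

            // Fails with an SSLException if the server does not accept the single suite.
            socket.startHandshake();

            // Only now is getSession() harmless: it returns the session just negotiated.
            String negotiated = socket.getSession().getCipherSuite();
            if (!suite.equals(negotiated)) {
                throw new IOException("Expected " + suite + " but negotiated " + negotiated);
            }
            return negotiated;
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length < 2) {
            System.err.println("usage: java PinCipherSuite <host> <port> [suite]");
            return;
        }
        // Default is the suite named in the question; pass another as the third argument.
        String suite = args.length > 2 ? args[2] : "TLS_RSA_WITH_AES_128_CBC_SHA";
        System.out.println("Session ciphersuite is " + handshakeWith(args[0], Integer.parseInt(args[1]), suite));
    }
}
```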