I'm using an SSLServerSocket to accept client connections on my openSUSE server, but none of them can connect. I always get an SSLHandshakeException saying no cipher suites in common
. I've activated all of the possible suites, enabled multiple protocols, tried with the newest oracle JRE and the openjdk. Also I followed several other posts on forums and stuff and "unlocked" all the cipher suites in the jre of oracle and I changed the settings of the openjdk jre like this:
disabled: #security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
and enabled: security.provider.9=sun.security.ec.SunEC
This is how I initialize my SSLServerSocket:
System.setProperty("javax.net.ssl.keyStore", "./keystore"); System.setProperty("javax.net.ssl.keyStorePassword", "nopassword"); java.lang.System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true"); // Create a trust manager that does not validate certificate chains TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() { public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) { } public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) { } public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; } } }; // Install the all-trusting trust manager SSLContext sc = SSLContext.getInstance("TLSv1.2"); sc.init(null, trustAllCerts, new SecureRandom()); SSLServerSocket ssl = (SSLServerSocket) sc.getServerSocketFactory().createServerSocket( DownloadFilelist.PORT); // Got rid of: //ssl.setEnabledCipherSuites(sc.getServerSocketFactory().getSupportedCipherSuites()); ssl.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2", "SSLv3"}); // System.out.println(Arrays.toString(ssl.getEnabledCipherSuites())); s = ssl; // s = new ServerSocket(DownloadFilelist.PORT); s.setSoTimeout(TIMEOUT);
The Problem is that I can't find out what cipher suites the clients want neither can I influence it. I started the program with -Djavax.net.debug=ssl,handshake
, here is the result. Can someone of you figure out what the problem is?
EDIT The keystore was generated with: keytool -genkey -keyalg RSA -keystore ./keystore
Here's the code on this page, if that helps (seems like the formatting is not messed up):
trigger seeding of SecureRandom trigger seeding of SecureRandom done seeding SecureRandom done seeding SecureRandom Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA main, setSoTimeout(2000) called Allow unsafe renegotiation: true Allow legacy hello messages: true Is initial handshake: true Is secure renegotiation: false %% No cached client session *** ClientHello, TLSv1 RandomCookie: GMT: 1361763651 bytes = { 159, 113, 250, 254, 103, 37, 66, 234, 127, 4, 36, 240, 60, 252, 55, 112, 6, 224, 192, 181, 146, 163, 63, 148, 152, 255, 77, 8 } Session ID: {} Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] Compression Methods: { 0 } *** main, WRITE: TLSv1 Handshake, length = 67 main, READ: TLSv1 Handshake, length = 81 *** ServerHello, TLSv1 RandomCookie: GMT: 1361763767 bytes = { 249, 20, 120, 68, 76, 110, 168, 235, 47, 91, 119, 64, 151, 242, 169, 191, 111, 105, 146, 90, 173, 223, 55, 127, 133, 12, 1, 247 } Session ID: {246, 66, 250, 209, 13, 188, 190, 246, 14, 49, 113, 183, 192, 202, 68, 246, 121, 162, 165, 71, 242, 220, 233, 223, 245, 47, 250, 215, 203, 94, 255, 148} Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA Compression Method: 0 Extension renegotiation_info, renegotiated_connection: <empty> *** %% Initialized: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA] ** TLS_RSA_WITH_AES_256_CBC_SHA main, READ: TLSv1 Handshake, length = 933 *** Certificate chain chain [0] = [ [ Version: V3 Subject: CN=dc.hadiko.de, O=hadiko dc, L=town, ST=land of the free, C=de Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 2048 bits modulus: 22613010171436639614880560956464961031555258188367451246658444583390999370970098210909007150132692078653881042731046316239498513359691936582885343174669796075601988313858262934995935649363223919652108615287224220030023261629874169998331654587246748976585212101810697310529416436829153514374554242128947092694064999520197281527578067183301918060451970607703466399571245107774569719996572643148013190800713656468629158991997127544540177983174906099325217344868710319256330960086862269228933938482311029685238274537823670267001618579382801319470736924423550865055775144486750164961588873175599114046362924859400297960451 public exponent: 65537 Validity: [From: Sat Jul 07 12:56:23 CEST 2012, To: Tue Jul 07 12:56:23 CEST 2015] Issuer: CN=dc.hadiko.de, O=hadiko dc, L=town, ST=land of the free, C=de SerialNumber: [ 8682354f f94fbbb5] Certificate Extensions: 3 [1]: ObjectId: 2.5.29.35 Criticality=false AuthorityKeyIdentifier [ KeyIdentifier [ 0000: 43 1D D9 A7 CF 21 2E 17 F3 4E EE F6 6C 6C 88 16 C....!...N..ll.. 0010: 08 3C 67 8E .<g. ] ] [2]: ObjectId: 2.5.29.19 Criticality=false BasicConstraints:[ CA:true PathLen:2147483647 ] [3]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: 43 1D D9 A7 CF 21 2E 17 F3 4E EE F6 6C 6C 88 16 C....!...N..ll.. 0010: 08 3C 67 8E .<g. ] ] ] Algorithm: [SHA1withRSA] Signature: 0000: 14 83 48 D3 EC 39 49 E3 9C BC 20 F5 BF E4 32 33 ..H..9I... ...23 0010: 5F 09 8F 2D F2 C3 82 80 79 93 9A C1 97 93 92 D9 _..-....y....... 0020: D0 DA 4D B2 FC A1 43 60 1F B9 EA 4C 29 D7 79 D0 ..M...C`...L).y. 0030: 66 8C 25 14 EB 9D 60 94 D7 F4 15 33 8B 17 24 24 f.%...`....3..$$ 0040: 5C 65 26 3D C3 B0 8A 51 B6 27 01 D1 A6 A3 68 87 \e&=...Q.'....h. 0050: 2D 6F 0B E6 00 96 B6 CF BC E9 D2 9C 7E 19 9E E1 -o.............. 0060: 3A 96 42 2E B7 E8 C0 70 01 99 20 39 89 6D 94 2B :.B....p.. 9.m.+ 0070: 76 2F F1 0E 6D 2D 9B 52 77 D3 63 6A 11 DC A3 E6 v/..m-.Rw.cj.... 0080: 4E 0E 64 6D FA 77 BC 1E 4F C3 91 AD 21 F7 5D 31 N.dm.w..O...!.]1 0090: F9 04 A5 FA 34 EF 43 61 F1 42 32 5A 9B D1 16 84 ....4.Ca.B2Z.... 00A0: 07 2B CA 01 AF 84 54 D2 A9 C4 3A 7A EA D1 2A 95 .+....T...:z..*. 00B0: 47 30 03 BA 48 C4 57 1F 78 58 6C 7A 56 60 40 2C G0..H.W.xXlzV`@, 00C0: 6A 17 15 3F 43 A5 FB 81 4D 9D 1B DC A7 CE 78 D1 j..?C...M.....x. 00D0: 5A 66 97 79 04 55 DA 34 3C B2 CD 9A 62 EE 32 22 Zf.y.U.4<...b.2" 00E0: 70 84 0E 3E 5D 7F 91 0D A5 D4 84 6B F3 E9 40 E9 p..>]......k..@. 00F0: E8 69 D7 E5 FC B6 0A 4C 35 66 CC BA E5 38 12 A0 .i.....L5f...8.. ] *** main, READ: TLSv1 Handshake, length = 4 *** ServerHelloDone *** ClientKeyExchange, RSA PreMasterSecret, TLSv1 main, WRITE: TLSv1 Handshake, length = 262 SESSION KEYGEN: PreMaster Secret: 0000: 03 01 59 D3 0F F9 95 E8 DC E2 C2 4A 2B 93 79 55 ..Y........J+.yU 0010: 0B 1A 43 5E F4 0A 73 F1 13 E1 00 DF 78 55 F6 52 ..C^..s.....xU.R 0020: 4E 6A D3 2C F8 08 A1 B3 03 DF C9 5E 8C 14 8D 4E Nj.,.......^...N CONNECTION KEYGEN: Client Nonce: 0000: 51 2B DD 43 9F 71 FA FE 67 25 42 EA 7F 04 24 F0 Q+.C.q..g%B...$. 0010: 3C FC 37 70 06 E0 C0 B5 92 A3 3F 94 98 FF 4D 08 <.7p......?...M. Server Nonce: 0000: 51 2B DE B7 F9 14 78 44 4C 6E A8 EB 2F 5B 77 40 Q+....xDLn../[w@ 0010: 97 F2 A9 BF 6F 69 92 5A AD DF 37 7F 85 0C 01 F7 ....oi.Z..7..... Master Secret: 0000: 3E 9E 24 42 3D E4 82 AF AD 97 76 EF 06 EF FB FD >.$B=.....v..... 0010: C8 1A D5 7E 8E A2 74 4D E8 E7 B9 1E 60 E9 E0 6F ......tM....`..o 0020: 09 E3 56 81 FC 2D 20 D9 69 6B 26 C3 0B C5 53 5F ..V..- .ik&...S_ Client MAC write Secret: 0000: 04 30 70 7E A9 4A 1F 88 55 F8 31 31 75 36 40 35 .0p..J..U.11u6@5 0010: 25 65 24 5D %e$] Server MAC write Secret: 0000: 8B C1 65 50 6D 11 21 32 CD 50 3A AB 0F 2E A5 FC ..ePm.!2.P:..... 0010: C7 30 E6 EC .0.. Client write key: 0000: 25 D7 96 B0 9A 1F 49 95 06 4D 05 36 2E D0 38 04 %.....I..M.6..8. 0010: 0F 32 15 2E 8F 0A 6C 79 F8 ED E8 9B FE 5C 2C D8 .2....ly.....\,. Server write key: 0000: 4A 91 5D DF B2 FE 6F 35 3E 8A 21 DF 17 E0 35 F0 J.]...o5>.!...5. 0010: DB 97 4C 7E 18 07 7E 27 DD AD BC C4 C4 28 C5 E1 ..L....'.....(.. Client write IV: 0000: B6 C1 98 05 9B 37 F9 0F 4E 0C 0F 6E 08 8A 26 C9 .....7..N..n..&. Server write IV: 0000: 0E 83 27 3E 3B 40 E8 BE 4C 58 C4 5F EF E4 D3 4C ..'>;@..LX._...L main, WRITE: TLSv1 Change Cipher Spec, length = 1 *** Finished verify_data: { 23, 181, 134, 191, 68, 30, 119, 81, 239, 135, 238, 80 } *** main, WRITE: TLSv1 Handshake, length = 48 main, READ: TLSv1 Change Cipher Spec, length = 1 main, READ: TLSv1 Handshake, length = 48 *** Finished verify_data: { 254, 182, 228, 50, 121, 214, 35, 175, 100, 128, 102, 152 } *** %% Cached client session: [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA] main, WRITE: TLSv1 Application Data, length = 48 HSent: HSUP ADBASE ADTIGR ADBLOM main, READ: TLSv1 Application Data, length = 32 main, READ: TLSv1 Application Data, length = 48 main, READ: TLSv1 Application Data, length = 32 main, READ: TLSv1 Application Data, length = 32 main, WRITE: TLSv1 Application Data, length = 32 main, WRITE: TLSv1 Application Data, length = 288 ClientManager, READ: TLSv1 Application Data, length = 32 ClientManager, READ: TLSv1 Application Data, length = 96 [...] (Cut out becauseI exceeded body limit.) ClientManager, READ: TLSv1 Application Data, length = 80 ClientManager, READ: TLSv1 Application Data, length = 32 ClientManager, READ: TLSv1 Application Data, length = 80 main, WRITE: TLSv1 Application Data, length = 32 main, WRITE: TLSv1 Application Data, length = 64 Allow unsafe renegotiation: true Allow legacy hello messages: true Is initial handshake: true Is secure renegotiation: false Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for SSLv3 Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for SSLv3 Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for SSLv3 Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1 Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1 Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1 Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1 Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1 Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1 Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_RC4_128_SHA Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_RC4_128_SHA Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_RC4_128_SHA Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 A client, READ: SSLv3 Handshake, length = 112 Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA *** ClientHello, TLSv1.2 RandomCookie: GMT: 1361763651 bytes = { 47, 7, 95, 146, 25, 28, 95, 191, 146, 159, 184, 47, 149, 220, 67, 169, 121, 123, 252, 98, 0, 253, 108, 88, 108, 188, 52, 76 } Session ID: {} Cipher Suites: [TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_CAMELLIA_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5] Compression Methods: { 0 } Extension renegotiation_info, renegotiated_connection: <empty> Extension signature_algorithms, signature_algorithms: Unknown (hash:0x4, signature:0x2), SHA256withRSA, SHA1withRSA, SHA1withDSA *** %% Initialized: [Session-2, SSL_NULL_WITH_NULL_NULL] %% Invalidated: [Session-2, SSL_NULL_WITH_NULL_NULL] A client, SEND TLSv1.2 ALERT: fatal, description = handshake_failure A client, WRITE: TLSv1.2 Alert, length = 2 A client, called closeSocket() A client, handling exception: javax.net.ssl.SSLHandshakeException: no cipher suites in common
The output contains one connect to another server that works and then the connection to my server. I can't remove the other connect, because I'm getting the information on how to connect over this connection. I could enable debugging after the first connect, if that's possible, but I don't know how...
I removed all not related output (Output that I created).
UPDATE:
I can't even connect to myself. When I create a SSLServerSocket and an SSLSocket to connect to it in the same application, I get the same error. But when I compare the lists of enabled cipher suites, There are a bunch of suites that are supported by both sockets. I've tested that on Windows 7 64bit with the newest JDK.
UPDATE:
I just started the server part of my program from scratch using a tutorial, and magically it worked... I have no idea why, but it seems like I should have just used as much standard implementations as possible. I give the reputation to Bruno, since he put the most effort in his post.
You're initialising your SSLContext
with a null
KeyManager
array.
The key manager is what handles the server certificate (on the server side), and this is what you're probably aiming to set when using javax.net.ssl.keyStore
.
However, as described in the JSSE Reference Guide, using null
for the first parameter doesn't do what you seem to think it does:
If the KeyManager[] parameter is null, then an empty KeyManager will be defined for this context. If the TrustManager[] parameter is null, the installed security providers will be searched for the highest-priority implementation of the TrustManagerFactory, from which an appropriate TrustManager will be obtained. Likewise, the SecureRandom parameter may be null, in which case a default implementation will be used.
An empty KeyManager
doesn't contain any RSA or DSA certificates. Therefore, all the default cipher suites that would rely on such a certificate are disabled. This is why you get all these "Ignoring unavailable cipher suite" messages, which ultimately result in a "no cipher suites in common" message.
If you want your keystore to be used as a keystore, you'll need to load it and initialise a KeyManagerFactory with it:
KeyStore ks = KeyStore.getInstance("JKS"); InputStream ksIs = new FileInputStream("..."); try { ks.load(ksIs, "password".toCharArray()); } finally { if (ksIs != null) { ksIs.close(); } } KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory .getDefaultAlgorithm()); kmf.init(ks, "keypassword".toCharArray());
The use kmf.getKeyManagers()
as the first parameter to SSLContext.init()
.
For the other two parameters, since you're visibly not requesting client-certificate authentication, you should leave the trust manager to its default value (null
) instead of copying/pasting a trust manager that's a potential cause of vulnerability, and you can also use the default null
SecureRandom
.
Having had this exception myself, I delved into the JRE source code. It became apparent that the message is rather misleading. It could mean what it says, but it more generally means that the server doesn't have the data it needs to respond to the client in the requested way. This can happen, for example, if certificates are missing from the keystore, or haven't been generated with the an appropriate algoritm. Indeed, given the cipher suites that are installed by default, one would have to go to some lengths to really get this exception because of lack of common cipher suites. In my particular case I'd generated the certificates with the default algorithm of DSA, when what I needed to get the server to work with Firefox was RSA.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With