
I've been trying the code from this question within an Eclipse/Maven/Jetty project, and I am getting an SSLHandshakeException from within the try {} block near sslSocket.startHandshake(). I've tried it with both my .p12 file loaded into the keyStore as well as my .pem. Neither of them works. Both worked in a PHP prototype I built. Also, it wasn't clear if the two uses of were of the same password.

import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

String host = "gateway.sandbox.push.apple.com";
int port = 2195;
try (InputStream certIn = getClass().getResourceAsStream("cert.p12")) {
    // KeyStore.load(null, pw) silently creates an empty keystore, so a missing
    // resource turns into "no client certificate sent" rather than an error.
    if (certIn == null) {
        throw new IOException("cert.p12 not found next to " + getClass().getName());
    }
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    keyStore.load(certIn, "<password>".toCharArray());              // keystore password
    KeyManagerFactory keyMgrFactory = KeyManagerFactory.getInstance("SunX509");
    keyMgrFactory.init(keyStore, "<password>".toCharArray());       // key-entry password (normally the same for a .p12)

    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(keyMgrFactory.getKeyManagers(), null, null);   // null = JDK default trust store
    SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

    SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(host, port);
    // Do not enable every supported suite: it re-enables suites the JDK disables as insecure.
    // String[] cipherSuites = sslSocket.getSupportedCipherSuites();
    // sslSocket.setEnabledCipherSuites(cipherSuites);
    sslSocket.startHandshake();
} catch (GeneralSecurityException | IOException e) {
    e.printStackTrace();
}

I've checked the connection to Apple's servers using

openssl s_client -connect gateway.sandbox.push.apple.com:2195

In return I get the following.

CONNECTED(00000003)
depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
18183:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-44/src/ssl/s3_pkt.c:1102:SSL alert number 40
18183:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-44/src/ssl/s23_lib.c:182:

I'm not really sure what's going on. Any ideas?

mtwagner
  • Which exception? Don't enable all the supported cipher suites. There's a reason why some of them are disabled by default: some are insecure. – Bruno May 03 '12 at 12:30
  • javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure is the exception that I get as I noted in my question. It looks like getClass().getResourceAsStream might not be reading/finding my "cert.p12" file. In which case I am not sure where to put it so that it will be found. Also, Push has been around for a while, why isn't there a nice clearly written how-to/tutorial? – mtwagner May 04 '12 at 13:51
  • I should say for Java, PHP is easy and works just fine. – mtwagner May 04 '12 at 13:58
  • Lack of client cert is the likely cause. Not finding "cert.p12" would cause that. It's up to you to know where it is... – Bruno May 04 '12 at 14:02
  • Yup. I moved the cert directly to / and used keyStore.load(new FileInputStream("/newcert.p12"), .toCharArray()); And exception disappeared. It's a short-term solution until I can get file-referencing working properly in this project. Thanks for being a sounding board. – mtwagner May 04 '12 at 15:18
  • In general, with `getResourceAsStream()`, the file should be in the same directory as the class you're using (including sub-packages). I'd recommend against copying and pasting that code (which visibly comes from a blog) without understanding what it does. As I said earlier, that `setEnabledCipherSuites()` is a bad idea, which could compromise the security of your application. – Bruno May 04 '12 at 15:37
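The diagnosis in the comments above (the .p12 was never found, so the keystore was empty and no client certificate was sent) is easy to miss because `KeyStore.load(null, password)` does not fail. The following is an added example, not code from the question or from Apple, of how I would load the APNs client identity so that problem surfaces as an error instead of a handshake_failure. It assumes the .p12 path and password are passed on the command line (defaulting to `cert.p12` and the placeholder from the question), that the .p12 is the identity (certificate plus private key) exported from Keychain Access, and that the JDK's own cacerts trust store is used for the server side; the class name `ApnsClientAuthCheck` is invented for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

public final class ApnsClientAuthCheck {

    /** Loads a PKCS#12 client keystore and refuses to continue if it holds no private key. */
    static KeyStore loadClientKeyStore(Path p12, char[] password)
            throws GeneralSecurityException, IOException {
        // KeyStore.load(null, pw) silently creates an EMPTY keystore. That is what the
        // question's code does when getResourceAsStream() returns null: the handshake
        // then fails because no client certificate is ever sent. Fail loudly instead.
        if (!Files.isRegularFile(p12)) {
            throw new IOException("client keystore not found: " + p12.toAbsolutePath());
        }
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(p12)) {
            keyStore.load(in, password);
        }
        boolean hasKey = false;
        for (String alias : Collections.list(keyStore.aliases())) {
            if (keyStore.isKeyEntry(alias)) {
                hasKey = true;
                System.out.println("key entry: " + alias + ", chain length "
                        + keyStore.getCertificateChain(alias).length);
            }
        }
        if (!hasKey) {
            // A .p12 that only contains the certificate (no identity) looks valid but is useless here.
            throw new KeyStoreException("no private key entry in " + p12
                    + " (export the identity, not just the certificate)");
        }
        return keyStore;
    }

    /** Builds an SSLContext that presents the client identity and keeps the JDK defaults otherwise. */
    static SSLContext clientContext(KeyStore keyStore, char[] keyPassword)
            throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null TrustManager[] = the JDK cacerts store (assumption: it carries the Entrust root
        // that openssl s_client could not find without -CAfile in the question's output).
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Path p12 = Paths.get(args.length > 0 ? args[0] : "cert.p12");
        char[] password = (args.length > 1 ? args[1] : "<password>").toCharArray();
        String host = "gateway.sandbox.push.apple.com"; // from the question
        int port = 2195;

        KeyStore ks = loadClientKeyStore(p12, password);
        // For a .p12 the key password is normally the same as the store password.
        SSLContext ctx = clientContext(ks, password);

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            // Do NOT call setEnabledCipherSuites(getSupportedCipherSuites()): that turns the
            // suites the JDK disabled on purpose back on. The defaults are fine here.
            // Plain SSLSocket does no hostname check unless asked; ask for it.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            socket.startHandshake();
            SSLSession session = socket.getSession();
            System.out.println("handshake ok: " + session.getProtocol() + " " + session.getCipherSuite());
            System.out.println("server identity: " + session.getPeerPrincipal());
        }
    }
}
```

If you would rather keep the file on the classpath, note that `getClass().getResourceAsStream("cert.p12")` (no leading slash) resolves relative to the class's package, so in a Maven project the file belongs under `src/main/resources/<package/path>/cert.p12`; with a leading slash, `"/cert.p12"`, it resolves from the root of `src/main/resources`. The same missing-identity problem is what the question's `openssl s_client` output shows: `verify error 20` only means no `-CAfile` was given, while the `handshake failure` alert is the server rejecting a connection with no client certificate, so reproduce the Java behaviour with `-cert` and `-key` pointing at the PEM identity (and `-CAfile` with the Entrust chain) before blaming the Java side.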

0 Answers