
I am trying to call an API using SSL certificates. From the -Djavax.net.debug=all log I am passing through the following steps.

  1. Received "Server Hello Done"
  2. Client Key Exchange: RSA PreMasterSecret, TLSv1
  3. Received Finished Status on Client Key Exchange
  4. Change Cipher Spec: Fail

    RECV TLSv1 ALERT:  
    fatal, 
    handshake_failure
    %% Invalidated:  [Session-1, SSL_RSA_WITH_RC4_128_MD5]
    

I am using JDK1.7, with the JCE Unlimited Strength Policy files. Thanks for your help.

EDIT: Between Server Hello Done and Client Key Exchange

*** ServerHelloDone
[read] MD5 and SHA1 hashes:  len = 4
0000: 0E 00 00 00                                        ....
*** Certificate chain
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1

Code for setting up the SSL Socket Factory:

    import java.net.URL;
    import java.net.URLConnection;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;

    // Key store and trust store are supplied through the JSSE system properties
    System.setProperty("javax.net.ssl.keyStore", "jksfile");
    System.setProperty("javax.net.ssl.keyStorePassword", "");
    System.setProperty("https.protocols", "TLSv1");

    System.setProperty("javax.net.ssl.trustStore", "C:/Program Files/Java/jdk1.7.0_79/jre/lib/security/cacerts");
    System.setProperty("javax.net.ssl.trustStorePassword", "");

    // Custom context; no KeyManager, TrustManager or SecureRandom is passed to init()
    SSLContext sslcontext = SSLContext.getInstance("TLSv1");
    sslcontext.init(null, null, null);

    // Accepts every host name, i.e. host name verification is switched off
    HostnameVerifier allHostsValid = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };
    HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);

    // url is the java.net.URL of the API endpoint (created elsewhere)
    URLConnection raw = url.openConnection();
    if (raw instanceof HttpsURLConnection) {
        HttpsURLConnection conn = (HttpsURLConnection) raw;
        conn.setSSLSocketFactory(sslcontext.getSocketFactory());
    }
  • Please check duplicacy with : http://stackoverflow.com/questions/17201805/ssl-with-client-authentication-between-cxf-and-iis-resulting-in-socketexception – meet thakkar Feb 25 '16 at 21:59
  • Hey thanks for the response, but not necessarily the same error. I am getting a Cipher Spec Change error on the Server side to the Client and not sure how to resolve such an issue / what is causing this issue. – user5982977 Feb 25 '16 at 22:14
  • @meetthakkar A question about a socket read timeout exception is not and cannot be a duplicate of this question. – user207421 Feb 25 '16 at 23:50
  • I don't believe you 'Received Finished Status on Client Key Exchange'; Java (JSSE) doesn't do that. What it can do is prepare ClientKeyExchange and WRITE it, do "KEYGEN" (really derivation), WRITE ChangeCipherSpec, prepare Finished and WRITE (not receive), then turn and receive normally server CCS and Finished or abnormally an alert (or abort). An alert in response to this flight almost always **(about 99.9%) means the server requested client authentication with a certificate** and the client did not. Look before `*** ServerHelloDone` for `*** CertificateRequest` plus a few lines of data ... – dave_thompson_085 Feb 26 '16 at 00:37
  • ... and between `*** ServerHelloDone` and `*** ClientKeyExchange...` for `*** Certificate chain` and `***` but nothing else. If so, you need to configure the client to send (and use) a cert (and matching privatekey) acceptable to the server. How you do this depends on how the SSL connection is being made, especially whether you are using the default `SSLSocketFactory` or a 'tailored' or even modified one, so you need to provide more details. PS: a server choosing plainRSA-RC4-MD5 out of the list JSSE offers unless you changed it is a badly configured and quite possibly insecure server. – dave_thompson_085 Feb 26 '16 at 00:40
  • Hi Dave, As you have said, it looks like the client is not configured to send and use the cert acceptable to the server. But I believe I am setting the key and truststore above that should be used by the client. Is there some settings I need to add to the SSLSocketFactory? – user5982977 Feb 26 '16 at 16:55
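As an added example that is not part of the original question or its comments: the client-authentication configuration the last comments point toward, written against the code in the question. The EDIT in the question shows `*** Certificate chain` followed directly by `*** ClientKeyExchange`, i.e. the client sent an empty Certificate message, which is what happens with the code as posted: in SunJSSE, `SSLContext.init(null, null, null)` installs a key manager that holds no keys, and the `javax.net.ssl.keyStore` system properties are consulted only by the default context behind `SSLSocketFactory.getDefault()`, not by a context you create yourself. The fix is to build a `KeyManagerFactory` from the JKS file and pass it to `init`. Assumptions in the example: `jksfile` is a JKS store holding a private key entry plus its certificate chain, `changeit` is a placeholder password (it is also the stock password of the JDK `cacerts` file), and `https://api.example.com/` stands in for the real endpoint.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertHttps {

    /** Loads a JKS store. A null password skips the integrity check, fine for a read-only cacerts. */
    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Returns the aliases that carry a private key. A store that holds only
     * trusted-certificate entries cannot answer a CertificateRequest, so fail
     * here instead of sending an empty Certificate message during the handshake.
     */
    static List<String> privateKeyAliases(KeyStore ks) throws Exception {
        List<String> found = new ArrayList<String>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                found.add(alias);
            }
        }
        if (found.isEmpty()) {
            throw new IllegalStateException("key store has no private key entry; client auth is impossible");
        }
        return found;
    }

    /**
     * Builds an SSLContext with an explicit KeyManager (client certificate + key)
     * and TrustManager. This is the piece the question's code lacks: with
     * init(null, null, null) SunJSSE uses a key manager without keys, and the
     * javax.net.ssl.keyStore properties only feed the default context.
     */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws Exception {
        privateKeyAliases(keyStore);   // sanity check before the handshake

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);   // password of the private key entry, not only of the store

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");   // all enabled protocols, not TLSv1 only
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: "jksfile" and "changeit" are placeholders; api.example.com stands in for the real host
        KeyStore keyStore = loadJks("jksfile", "changeit".toCharArray());
        KeyStore trustStore = loadJks("C:/Program Files/Java/jdk1.7.0_79/jre/lib/security/cacerts", null);

        SSLContext ctx = buildContext(keyStore, "changeit".toCharArray(), trustStore);

        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://api.example.com/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier stays in place: an accept-all verifier, as in the
        // question, would let any certificate that chains to cacerts pass for any host name.
        System.out.println("HTTP " + conn.getResponseCode() + " over " + conn.getCipherSuite());
    }
}
```

To confirm the change took effect, rerun with -Djavax.net.debug=ssl: before `*** ServerHelloDone` the server's `*** CertificateRequest` lists the accepted issuers, and between `*** ServerHelloDone` and `*** ClientKeyExchange` the `*** Certificate chain` block should now contain the client's certificate(s) rather than nothing. The key password passed to `KeyManagerFactory.init` must unlock the private key entry; if the key was imported with a password different from the store's, `kmf.init` throws `UnrecoverableKeyException` rather than silently sending no certificate.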
