

I have a small problem using Java's SSLEngine. I used it for creating an SSL connection between a client and a server. This is not a web-based application.

I'm creating a framework for developers of my product to communicate between client and server. Based on their configuration, I have to create the connection. If encryption is required, I have to create an encrypted channel and give it to them; if not, I just have to create an SSL channel with no encryption but with message digests, so the cipher suite which I need to enable is SSL_RSA_WITH_NULL_MD5. If encryption is required, I will use SSL_RSA_WITH_<some encryption algo>_SHA/MD5.

I'm able to configure the second… but not able to configure SSL_RSA_WITH_NULL_MD5. It is giving me an exception with the message "No cipher suites in common". The framework I used for developing this is Netty (jboss-netty).

Can anyone help me regarding this?

Code:

import java.util.LinkedList;
import java.util.List;
import javax.net.ssl.SSLEngine;
import org.jboss.netty.channel.Channel;
import org.jboss.netty.channel.ChannelFuture;
import org.jboss.netty.handler.ssl.SslHandler;

public static ChannelFuture doHandshake(Channel channel, boolean isServer) {
    if (isServer) {
        SSLEngine engine = SslContextFactory.getServerContext().createSSLEngine();
        engine.setUseClientMode(false);
        //engine.setWantClientAuth(true);
        engine.setNeedClientAuth(true);   // mutual authentication: the client must present a certificate

        // Allows renegotiation with peers that lack RFC 5746 secure renegotiation; the JDK
        // refuses that by default because of the TLS renegotiation flaw, so this is a global weakening.
        System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");

        // NOTE: the filter below runs against the ENABLED list, not the SUPPORTED list,
        // so a suite that is supported but not enabled by default (e.g. a NULL suite) is dropped.
        String[] enabledSuites = engine.getEnabledCipherSuites();
        //String[] sdf = engine.getSupportedCipherSuites();
        engine.setEnabledCipherSuites(getWantedCyphers(enabledSuites, true));
        engine.setEnableSessionCreation(true);
        channel.getPipeline().addFirst(SSL_SERVER_HANDLER_NAME, new SslHandler(engine));

        SslHandler sslHandler = (SslHandler) channel.getPipeline().get(SSL_SERVER_HANDLER_NAME);

        sslHandler.setEnableRenegotiation(true);
        return sslHandler.handshake();
    } else {
        SSLEngine engine = SslContextFactory.getClientContext().createSSLEngine();
        engine.setUseClientMode(true);
        engine.setEnableSessionCreation(true);
        //engine.setWantClientAuth(true);
        //engine.setNeedClientAuth(true);

        System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");

        // Same filtering as on the server side; both sides must end up with a common suite.
        String[] enabledSuites = engine.getEnabledCipherSuites();
        //String[] sdf = engine.getSupportedCipherSuites();
        engine.setEnabledCipherSuites(getWantedCyphers(enabledSuites, true));
        channel.getPipeline().addFirst(SSL_CLIENT_HANDLER_NAME, new SslHandler(engine));

        SslHandler sslHandler = (SslHandler) channel.getPipeline().get(SSL_CLIENT_HANDLER_NAME);

        sslHandler.setEnableRenegotiation(true);
        return sslHandler.handshake();
    }
}

/**
 * Builds the cipher suite list to enable. With isEnabled == false only the
 * integrity-only (no encryption) suite is returned; otherwise the suites named in
 * the config file are kept if they occur in enabledSuites.
 */
public static String[] getWantedCyphers(String[] enabledSuites, boolean isEnabled) {
    List<String> wantedCyphers = new LinkedList<String>();
    String[] finalEnabledCyphers = null;
    if (!isEnabled) {
        finalEnabledCyphers = new String[1];
        finalEnabledCyphers[0] = "SSL_RSA_WITH_NULL_MD5";
        return finalEnabledCyphers;
    }
    String configFilePath = TestConstants.CONFIG_FILE;
    ConfigSAXParser configParser = new ConfigSAXParser();
    <OurOwnConfigClass> config = null;
    try {
        config = (<OurOwnConfigClass>) configParser.parseFile(configFilePath);
    } catch (SAXParserException spe) {
        // Do not swallow the parse error: config would stay null and the next line would NPE.
        throw new IllegalStateException("Cannot parse " + configFilePath, spe);
    }
    <ourOwnConfigSubClass> communicationConfig = config.getCommunicationConfig();
    String[] requestedCyphers = communicationConfig.getEncryptionAlgorithms();
    for (int i = 0; i < requestedCyphers.length; i++) {
        requestedCyphers[i] = "SSL_RSA_WITH_" + requestedCyphers[i] + "_SHA";
    }
    List<String> stList = new LinkedList<String>();
    for (int i = 0; i < enabledSuites.length; i++) {
        stList.add(enabledSuites[i]);
    }
    // Keep only the requested suites that the engine currently has enabled.
    for (int j = 0; j < requestedCyphers.length; j++) {
        if (stList.contains(requestedCyphers[j])) {
            wantedCyphers.add(requestedCyphers[j]);
        }
    }

    Object[] strings = wantedCyphers.toArray();
    finalEnabledCyphers = new String[strings.length];
    for (int k = 0; k < strings.length; k++) {
        finalEnabledCyphers[k] = (String) strings[k];
    }
    return finalEnabledCyphers;
}
Jonas
Bhaswanth
  • At the end of `getWantedCyphers`, I see you're using `toArray()` and then copying the array into an array of a different type. There's an easier way! `return wantedCyphers.toArray(new String[wantedCyphers.size()]);` That's type correct and faster too. – Donal Fellows Dec 06 '10 at 09:40
  • Yeah, yeah, I know; this is just a sample. – Bhaswanth Dec 06 '10 at 09:51
  • Thanks anyway :) ...but my concern is totally different :( – Bhaswanth Dec 06 '10 at 09:52

2 Answers


Have you added it to the enabled cipher suites?

user207421
  • Yes. Only when I add it to setEnabledCipherSuites will you be able to perform with that; only then can it throw the exception "No cipher suites in common". – Bhaswanth Dec 06 '10 at 05:54
  • The code is a little difficult... I can see the problem: setEnabledCipherSuites will work only with the suites we get from the getEnabledCipherSuites call, and in that result I don't have SSL_RSA_WITH_NULL_MD5. So there should be one particular way to enable them explicitly; that is what I'm mainly looking for. – Bhaswanth Dec 06 '10 at 07:05
  • That suite is supported, I checked. But make sure you *add* it, not just replace all the ones that are already enabled. You only need to show us the code that enables the cipher suite, and where it comes in relation to creating the socket and using it. – user207421 Dec 06 '10 at 07:34
  • I'm not using sockets; I'm using channels, using NIO. I have to replace in this case, right? Because if encryption is required, I should not be providing any encryption at all. If I just add it, it might choose one common suite between server and client. If it chooses an encryption-based suite then it will be wrong as per what is required... I created my code using the example present in http://docs.jboss.org/netty/3.2/xref/org/jboss/netty/example/securechat/package-summary.html – Bhaswanth Dec 06 '10 at 07:42
  • The change I did for that example is adding cipher suites to the SSLEngine instance; that's it. – Bhaswanth Dec 06 '10 at 07:44
  • In the call of getWantedCyphersuites, if I send false, then SSL_RSA_WITH_NULL_MD5/SHA will be returned; then I get an exception like "no common cipher suites present". – Bhaswanth Dec 06 '10 at 09:29
  • I can't make head or tail of your incredible getWantedCyphers() method, especially without the data files concerned. Most of it consists of simple Set operations written out in longhand, and the final copy operation is completely unnecessary: just return wantedCiphers.toArray(new String[0]). But my question remains: are you *adding* that cipher to the existing ciphers, or *replacing* them. You seem to be doing the latter. – user207421 Dec 06 '10 at 22:43
  • First, that code is just a sample one. Your question should be answered by these two lines of code: String[] enabledSuites=engine.getEnabledCipherSuites(); engine.setEnabledCipherSuites(getWantedCyphers(enabledSuites,true)); – Bhaswanth Dec 08 '10 at 07:51
  • Only if I can make sense of what getWantedCyphers() (misspelt) does. I've already commented on that. But if your code is perfect you don't need us ;-) – user207421 Dec 08 '10 at 09:45

The "no cipher suites in common" message is an indication of the fact that the server does not accept any of the cipher suites in the Client Hello message. This is more so because you're attempting to use the null cipher suite that does not perform any encryption of the data. Most servers do not support the null cipher suite by default, and you will have to enable this explicitly.

Vineet Reynolds
  • Can you tell me how to enable it explicitly? Actually server and client are just normal machines; the server in our context is one component of our product which can send some data to the client, that's it. It can be the same machine or a different machine. I tried both cases; no use. It would be a great help if you could tell me how to enable it explicitly. – Bhaswanth Dec 06 '10 at 06:00
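Both answers come down to the same check: is SSL_RSA_WITH_NULL_MD5 actually in the list handed to setEnabledCipherSuites, and is it there on both sides? The code in the question builds that list by filtering the configured names against getEnabledCipherSuites(), and the NULL suites are supported but not enabled by default, so they are filtered out and the enabled set ends up empty. The following added example is mine, not code from the question or from either answer; it uses a default SSLContext without Netty and a constructed request list, and shows the difference between filtering against the enabled list and the supported list, plus a start-up check that flags a NULL suite, since such a suite authenticates and MACs the stream but leaves the payload readable to anyone on the path. On recent JDKs the NULL suites are additionally listed in the jdk.tls.disabledAlgorithms security property, so even when they appear in the supported list the handshake will reject them unless that property is changed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class NullSuiteSelection {

    // Constructed request list: the integrity-only suites the question wants (MAC, no encryption).
    static final String[] NULL_SUITES = {"SSL_RSA_WITH_NULL_MD5", "SSL_RSA_WITH_NULL_SHA"};

    /** Keeps only the requested suites that occur in the given pool, preserving request order. */
    public static String[] filterAgainst(String[] pool, String[] requested) {
        Set<String> available = new HashSet<String>(Arrays.asList(pool));
        List<String> chosen = new ArrayList<String>();
        for (String suite : requested) {
            if (available.contains(suite)) {
                chosen.add(suite);
            }
        }
        return chosen.toArray(new String[chosen.size()]);
    }

    /** Suites a client and a server engine can agree on: the intersection of their enabled lists. */
    public static List<String> commonSuites(SSLEngine server, SSLEngine client) {
        return Arrays.asList(filterAgainst(server.getEnabledCipherSuites(), client.getEnabledCipherSuites()));
    }

    /** True if any enabled suite is a NULL (no-confidentiality) suite; a useful start-up guard. */
    public static boolean enablesNullCipher(SSLEngine engine) {
        for (String suite : engine.getEnabledCipherSuites()) {
            if (suite.contains("_WITH_NULL_")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Default key/trust managers suffice to inspect cipher suite lists;
        // a real server engine additionally needs a KeyManager holding its certificate.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        SSLEngine server = ctx.createSSLEngine();
        server.setUseClientMode(false);
        SSLEngine client = ctx.createSSLEngine();
        client.setUseClientMode(true);

        // The pattern in the question: filter the request against the ENABLED list.
        // NULL suites are not enabled by default, so the result is empty and a later
        // handshake fails with "no cipher suites in common".
        String[] viaEnabled = filterAgainst(server.getEnabledCipherSuites(), NULL_SUITES);
        System.out.println("filtered against enabled list:   " + Arrays.toString(viaEnabled));

        // Filtering against the SUPPORTED list yields names setEnabledCipherSuites accepts.
        String[] viaSupported = filterAgainst(server.getSupportedCipherSuites(), NULL_SUITES);
        System.out.println("filtered against supported list: " + Arrays.toString(viaSupported));
        if (viaSupported.length == 0) {
            System.out.println("this JDK does not offer NULL suites at all");
            return;
        }

        // Replace (not append to) the enabled set on BOTH sides, so that no encrypting suite can
        // be negotiated when integrity-only mode was requested and both peers offer the same list.
        server.setEnabledCipherSuites(viaSupported);
        client.setEnabledCipherSuites(viaSupported);
        System.out.println("common suites:    " + commonSuites(server, client));
        System.out.println("NULL cipher on:   " + enablesNullCipher(server));
    }
}
```

Replacing the enabled set on both engines is what the asker's "no encryption" mode needs, because appending the NULL suite to the default list would let the peers negotiate an encrypting suite instead; the enablesNullCipher check is the guard to log loudly (or refuse to start) in any deployment where integrity-only mode was not deliberately configured.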