0

I took the following example and moved code around so it is better simulating an actual client and actual a server where

  • the server only has access to the trust store file
  • the client only has access to the client keystore file

At least in TLS1v2, that is how it worked. After I rework the code so there are two SSL contexts(one server side and one client side), it blows up and does not work

 javax.net.ssl.SSLHandshakeException: No available authentication scheme

The code I reworked now reads like this

public SSLEngineSimpleDemo() throws Exception {

    File baseWorkingDir = FileFactory.getBaseWorkingDir();
    File keyStoreFile = FileFactory.newFile(baseWorkingDir, "src/test/resources/client2.keystore");

    char[] passphrase = "123456".toCharArray();

    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(new FileInputStream(keyStoreFile), passphrase);
    clientCtx = SSLContext.getInstance("TLS");

    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(ks, passphrase);
    clientCtx.init(kmf.getKeyManagers(), null, null);

    File trustStoreFile = FileFactory.newFile(baseWorkingDir, "src/test/resources/server2.keystore");

    KeyStore ts = KeyStore.getInstance("JKS");
    ts.load(new FileInputStream(trustStoreFile), passphrase);
    serverCtx = SSLContext.getInstance("TLS");

    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
    tmf.init(ts);
    serverCtx.init(null, tmf.getTrustManagers(), null);
}

I have code like this that works on TLS1v2 so I am not sure why in TLS1v3, this is not working anymore.

  • What do I have wrong here?
  • Is my assumption correct in that the trustStoreFile is my private server key?
  • Is my assumption correct in that the clientStoreFile is my public key?
  • Is my assumption correct in that the server only needs the private key?
  • Is my assumption correct in that the client only needs the public key?

Java version: /Library/Java/JavaVirtualMachines/jdk-11.0.5.jdk

Dean Hiller
  • 19,235
  • 25
  • 129
  • 212

2 Answers2

0

OMG, I am an idiot. The issue was my key generation script naming the first thing client2.keystore(Which was the server2.keystore).

once I fix script to generate the private key/public key par into server2.keystore(instead of the mistake of client2.keystore), export, import public key into client2.keystore, it all works.

I should have provided that script :(.

Dean Hiller
  • 19,235
  • 25
  • 129
  • 212
  • Unless your naming is insane, you also need(ed) to have `clientCtx.init` use the `TrustManager` for the client file containing the cert only, and `serverCtx.init` use the `KeyManager` for the server file containing the key _and_ cert, mostly backwards of what you posted. (A certificate _contains_ a public key, but it is not the same thing as a public key, and describing it as a public key is likely to confuse people.) – dave_thompson_085 Aug 18 '21 at 06:03
  • lmao, yes, I found that out too and forgot to point that out. Thanks @dave_thompson_085 as I was turning too many knobs to figure this out!! – Dean Hiller Aug 18 '21 at 15:15
-1

The exception javax.net.ssl.SSLHandshakeException: No available authentication scheme happens when the operating system running your server doesn't support the authentication method the JVM is looking for.

Additionally, TLSv1.3 can be explicitly specified using when instantiating an SSL context.

Change your clientCtx = SSLContext.getInstance("TLS"); to clientCtx = SSLContext.getInstance("TLSv1.3");

and

serverCtx = SSLContext.getInstance("TLS"); to serverCtx = SSLContext.getInstance("TLSv1.3");

Note: SSLContext supports more options such as SSLv3,TLSv1,TLSv1.1,TLSv1.2

CausingUnderflowsEverywhere
  • 1,908
  • 13
  • 33