Saturday, August 30, 2014

Java/JSSE Handshake SSL/TLS exceptions

If you are facing some of the below errors, it might mean you are using a Java that does not have the support for the thing you are trying to do:

Example 1: Illegal argument exceptions for protocol version
You are enabling TLS 1.1 and TLS 1.2, but it may give you an exception if you are using Java 1.6. 1.6 does not support TLS 1.1 and TLS 1.2. You can check here as it supports only SSLv3 and TLSv1 (See Support classes and Interfaces section and see the possible values for SSLContext):


http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html

...
String[] protocols = {"TLSv1.1", "TLSv1.2"};
socket = (SSLSocket) factory.createSocket(hostname, port);
    socket.setEnabledProtocols(protocols);
...

-------------------------
Protocol : TLSv1.1
java.lang.IllegalArgumentException: TLSv1.1
    at com.sun.net.ssl.internal.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:133)
    at com.sun.net.ssl.internal.ssl.ProtocolList.(ProtocolList.java:38)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setEnabledProtocols(SSLSocketImpl.java:2202)
    at com.ssl.test.SSLTesting.testSSL(SSLTesting.java:177)
    at com.ssl.test.SSLTesting.main(SSLTesting.java:154)
-------------------------
Protocol : TLSv1.2
java.lang.IllegalArgumentException: TLSv1.2
    at com.sun.net.ssl.internal.ssl.ProtocolVersion.valueOf(ProtocolVersion.java:133)
    at com.sun.net.ssl.internal.ssl.ProtocolList.(ProtocolList.java:38)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setEnabledProtocols(SSLSocketImpl.java:2202)
    at com.ssl.test.SSLTesting.testSSL(SSLTesting.java:177)
    at com.ssl.test.SSLTesting.main(SSLTesting.java:164)


So, as an example, when I check, I see that my eclipse is still using 1.6 for execution.


So I need to change it to 1.7 to destroy these ugly exceptions. :D. You can check the page for JSSE 7.
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html and see the values for SSLContext. Changed to 1.7.



Example 2: Cannot support cipher exceptions:

Cannot support exceptions again point to the use of an incorrect JRE like 1.6. However, unsupported exception (that you can get while using 1.7) might mean that the ciphersuite is still not implemented in JSSE 1.7.
To get a list of a complete list of JSSE cipher names you can use this link:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites

However, you must know that these are only the names that JSSE is going to use, some of the ciphers are still not implemented and can be expected to be implemented in Java 8. To see what all ciphers are implemendted in 1.7, you can use this link, check the Cipher suite section:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

java.lang.IllegalArgumentException: Cannot support TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA with currently installed providers
    at com.sun.net.ssl.internal.ssl.CipherSuiteList.(CipherSuiteList.java:79)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setEnabledCipherSuites(SSLSocketImpl.java:2162)
    at com.ssl.test.SSLTesting.testSSL(SSLTesting.java:186)

No comments:

Post a Comment