SSLHandshakeException: no common cipher suites

I followed the instructions here and recreated the certificates that I had previously created incorrectly. Something has changed, because now I see javax.net.ssl.SSLHandshakeException: no cipher suites in common on the server and javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure on the client, instead of the errors from this question.

The ClassFileServer.java server and the associated SSLSocketClientWithClientAuth.java client.

Any advice on making both ends play well? Please note that I use localhost, so I assume the encryption options are the same on both sides.


Update:

Here are the steps that I used to create the files, in case I messed up the keystore and truststore:

On the server (following this guide):

$ keytool -genkey -alias serverkey -keyalg RSA -keypass p@ssw0rd -storepass p@ssw0rd -keystore keystore.jks

$ keytool -export -alias serverkey -storepass p@ssw0rd -file server.cer -keystore keystore.jks

$ keytool -import -v -trustcacerts -alias clientkey -file ../client/client.cer -keystore cacerts.jks -keypass p@ssw0rd -storepass p@ssw0rd

On the client side (following this guide):

$ keytool -genkey -alias clientkey -keyalg RSA -keypass changeit -storepass changeit -keystore keystore.jks

$ keytool -export -alias clientkey -storepass changeit -file client.cer -keystore keystore.jks

$ keytool -import -v -trustcacerts -alias serverkey -file ../server/server.cer -keystore cacerts.jks -keypass changeit -storepass changeit

I had to use another medium, because the debug output exceeded the size limit for the body of a question on this site:

Client debug output: http://pastebin.com/mHCmEqAk

Server debug output: http://pastebin.com/YZbh7H8f

+6

3 answers
javax.net.ssl.SSLHandshakeException: no cipher suites in common

There are two possible causes for this:

  • The server does not have a private key and certificate, and may not have a keystore at all. In that case it can only use the insecure anonymous cipher suites, which are disabled by default and should stay that way. So there is no cipher suite that it can agree to use with the client.

  • Cipher suite restrictions imposed by the client, the server or both are so tight that no agreement can be reached.

Looking at your keystores and truststores, everything looks fine, except that you perform four import steps where you only need two. You do not need to import the server certificate into the server's own truststore, or the client certificate into the client's own truststore. You only need this:

Server:

 $ keytool -import -v -trustcacerts -alias clientkey -file ../client/client.cer -keystore cacerts.jks -keypass p@ssw0rd -storepass p@ssw0rd 

Client:

 $ keytool -import -v -trustcacerts -alias serverkey -file ../server/server.cer -keystore cacerts.jks -keypass changeit -storepass changeit 

and you only need these because you use self-signed certificates. Simpler solution: don't. Use a certificate issued by a CA that is trusted by the default truststore that ships with Java.

+4
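The first cause in the answer above (a server with no private-key entry) is easy to reproduce on localhost, which is exactly the asker's setup. The following loopback probe is an added example, not code from the question, the answer, or the JSSE samples it names; it assumes the files produced by the keytool commands in the question (server/keystore.jks and server/cacerts.jks with password p@ssw0rd, client/keystore.jks and client/cacerts.jks with password changeit) and the same working directory layout. It builds a server SSLContext first without key managers, then with the server's keystore, and runs a mutually authenticated handshake against a client context each time, returning the server-side exception so the two outcomes can be compared. The exact message text for the failing case depends on the JDK version and negotiated protocol; on the JDKs current when the question was asked it is the "no cipher suites in common" from the question.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

/*
 * Loopback handshake probe (added example). Assumed inputs: the JKS files created by the
 * question's keytool commands, under ./server and ./client relative to the working directory.
 */
public class HandshakeProbe {

    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    // Key managers present this side's own private key and certificate during the handshake.
    static KeyManager[] keyManagers(String path, String password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(path, password), password.toCharArray());
        return kmf.getKeyManagers();
    }

    // Trust managers decide whether the peer's certificate is acceptable.
    static TrustManager[] trustManagers(String path, String password) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(path, password));
        return tmf.getTrustManagers();
    }

    /** Runs one mutually authenticated handshake on localhost; returns the server-side exception, or null on success. */
    static Exception probe(KeyManager[] serverKeys, TrustManager[] serverTrust,
                           KeyManager[] clientKeys, TrustManager[] clientTrust) throws Exception {
        SSLContext serverCtx = SSLContext.getInstance("TLS");
        serverCtx.init(serverKeys, serverTrust, null);   // serverKeys == null: no key entry to offer
        SSLContext clientCtx = SSLContext.getInstance("TLS");
        clientCtx.init(clientKeys, clientTrust, null);

        try (SSLServerSocket server =
                     (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0)) {
            server.setNeedClientAuth(true);   // mutual auth, like SSLSocketClientWithClientAuth
            Exception[] serverError = new Exception[1];
            Thread acceptor = new Thread(() -> {
                try (SSLSocket s = (SSLSocket) server.accept()) {
                    s.startHandshake();
                } catch (Exception e) {
                    serverError[0] = e;
                }
            });
            acceptor.start();
            try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory()
                    .createSocket("localhost", server.getLocalPort())) {
                c.startHandshake();
            } catch (IOException clientSide) {
                // The client typically only sees "Received fatal alert: handshake_failure";
                // the server-side exception collected above names the actual cause.
            }
            acceptor.join();
            return serverError[0];
        }
    }

    public static void main(String[] args) throws Exception {
        TrustManager[] serverTrust = trustManagers("server/cacerts.jks", "p@ssw0rd");
        KeyManager[] clientKeys = keyManagers("client/keystore.jks", "changeit");
        TrustManager[] clientTrust = trustManagers("client/cacerts.jks", "changeit");

        // Cause 1 from the answer: the server has no private key, so no non-anonymous suite is usable.
        Exception noKey = probe(null, serverTrust, clientKeys, clientTrust);
        System.out.println("server without key entry: " + noKey);

        // Correct setup: each side presents its own key and trusts the other's self-signed cert.
        Exception ok = probe(keyManagers("server/keystore.jks", "p@ssw0rd"), serverTrust, clientKeys, clientTrust);
        System.out.println("server with key entry: " + (ok == null ? "handshake OK" : ok));
    }
}
```

Running it from the directory that contains the server and client folders prints the server-side failure for the first probe and "handshake OK" for the second. The same helper is the quickest way to test the second cause too: wrap the two sockets with setEnabledCipherSuites on each side and the probe returns the negotiation failure instead of null.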

I got this error when configuring SSL on a Cassandra cluster. The problem was the version 2.0 documentation for key generation:

keytool -genkey -alias <alias> -keystore .keystore

It omits specifying RSA as the algorithm; it should be (see the v1.2 docs):

keytool -genkey -alias <alias> -keyalg RSA -keystore .keystore

+3
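When -keyalg is omitted, the keytool of that era generated a DSA key, and a DSA server key can only be used with DSS cipher suites; a peer whose enabled suites are all RSA-based then reports "no cipher suites in common". The inspection tool below is an added example, not code from the answer or from the Cassandra documentation; it assumes a JKS keystore path and its password as the two command-line arguments (constructed usage: java KeyAlgCheck .keystore changeit) and reports, per alias, whether the entry is a private key or a trusted certificate and which public-key algorithm it carries.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/*
 * Keystore inspection (added example). Assumed invocation: java KeyAlgCheck <jks-file> <password>.
 */
public class KeyAlgCheck {

    /** Maps every alias to "<entry kind>/<public key algorithm>", e.g. "key/DSA" or "trusted/RSA". */
    static Map<String, String> describe(KeyStore ks) throws Exception {
        Map<String, String> out = new LinkedHashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "key" : "trusted";
            Certificate cert = ks.getCertificate(alias);   // for a key entry: first cert of its chain
            String alg = cert == null ? "none" : cert.getPublicKey().getAlgorithm();
            out.put(alias, kind + "/" + alg);
        }
        return out;
    }

    /** True when a private-key entry was generated without -keyalg RSA (DSA key). */
    static boolean hasDsaKeyEntry(Map<String, String> entries) {
        return entries.values().stream().anyMatch(v -> v.equals("key/DSA"));
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Map<String, String> entries = describe(ks);
        entries.forEach((alias, desc) -> System.out.println(alias + ": " + desc));
        if (hasDsaKeyEntry(entries)) {
            System.out.println("warning: DSA key entry; peers that only enable RSA-based suites "
                    + "will report 'no cipher suites in common'");
        }
    }
}
```

A keystore with no "key/..." line at all is the first cause from the accepted answer (nothing for the server to present); a "key/DSA" line is this answer's cause, fixed by regenerating the entry with -keyalg RSA.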

You can add truststores to an SSLContext using the following snippet:

    import java.io.FileInputStream;
    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;

    // privateKey, passPhrase, trustStore, trustPassPhrase, serverIp and serverPort
    // are the caller's parameters: keystore path/password, truststore path/password, peer address.

    // Keystore: the private key and certificate this client presents to the server.
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(new FileInputStream(privateKey), passPhrase.toCharArray());
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(ks, passPhrase.toCharArray());   // key password as char[] (same as the store password here)

    // Truststore: the certificates this client accepts from the server.
    KeyStore trustKeyStore = KeyStore.getInstance("JKS");
    trustKeyStore.load(new FileInputStream(trustStore), trustPassPhrase.toCharArray());
    TrustManagerFactory trustMgrFactory = TrustManagerFactory.getInstance("SunX509");
    trustMgrFactory.init(trustKeyStore);

    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(kmf.getKeyManagers(), trustMgrFactory.getTrustManagers(), null);

    SSLSocketFactory f = ctx.getSocketFactory();
    SSLSocket s = (SSLSocket) f.createSocket(serverIp, serverPort);

Note: this client socket performs both client and server authentication. If you want to disable client authentication, pass null as the first argument when initializing the SSLContext ctx.

0

Source: https://habr.com/ru/post/909892/
