| Re: [jetty-users] ciphersuite is not supported |
Hi,In my requirement specifications it is written:TLS implementations supporting these security frameworks shall implement at least the following ciphersuite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256Java says it provides implementation of this ciphersuite at TLSv1.2 in Java7.I am new to security, so don't know how to use it.On my client side, i am using:sslcontext = SSLContexts.custom().loadTrustMaterial(..).loadKeyMaterial(..).useProtocol("TLSv1.2").build();What i have learnt from google is that client offers a range of options to server and server needs to pick on of them. Please correct me if i am wrong.Now i want to specify it on server side, i don't know what to do If i am using jetty with secured connector:<Call name="addConnector"><Arg><New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector"><Arg><New class="org.eclipse.jetty.http.ssl.SslContextFactory"><Set name="KeyStore">./etc/keystores/server.jks</Set><Set name="KeyStorePassword">password</Set><Set name="KeyManagerPassword">password</Set><Set name="TrustStore">./etc/keystores/trust_store.jks</Set><Set name="TrustStorePassword">password</Set><Set name="wantClientAuth">true</Set><Set name="needClientAuth">true</Set></New></Arg><Set name="port">8443</Set><Set name="maxIdleTime">30000</Set></New></Arg></Call>it works,if i add following, which will enable TLSv1.1:<Set name="excludeProtocols"><Array type="java.lang.String"><Item>SSLv3</Item><Item>TLSv1.2</Item><Item>TLSv1</Item><Item>SSLv2Hello</Item></Array></Set>it will give error:> executing requestGET https://localhost:8443/ HTTP/1.1 Exception in> thread "main" javax.net.ssl.SSLHandshakeException: Server chose> TLSv1.1, but that protocol version is not enabled or not supported by> the client.But if i allow only TLSv1.2, it runs:<Set name="excludeProtocols"><Array type="java.lang.String"><Item>SSLv3</Item><Item>TLSv1.1</Item><Item>TLSv1</Item><Item>SSLv2Hello</Item></Array></Set>But here , if i specify the protocol alongwith ciphersuite specification:<Set name="IncludeCipherSuites"><Array type="java.lang.String"><Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item></Array></Set>I get following exception:> Exception in thread "main" javax.net.ssl.SSLHandshakeException: Remote> host closed connection during handshake at> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:912) at> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1294)> at> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1321)> at> sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1305)> at> org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)> at> org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)> at> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)> at> org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)> at> org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)> at> org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)> at> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)> at> org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)> at> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)> at> org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)> at> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)> at> org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)> at client.ClientCustomSSL.main(ClientCustomSSL.java:69) Caused by:> java.io.EOFException: SSL peer shut down incorrectly at> sun.security.ssl.InputRecord.read(InputRecord.java:352) at> sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:893) ...> 16 moreNext thing i tried is using factory on client side:SSLConnectionSocketFactory factory=new SSLConnectionSocketFactory(sslcontext, new String[]{"TLSv1.2"},sslcontext.getDefaultSSLParameters().getCipherSuites(), SSLConnectionSocketFactory.getDefaultHostnameVerifier());And i have printed these ciphersuites on my screen.sslcontext.getDefaultSSLParameters().getCipherSuites()Then i have excluded all those ciphersuites except "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256" , it gave me error<Set name="ExcludeCipherSuites"><Array type="java.lang.String"><Item>...</Item><!--<Item>TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256</Item>--></Array></Set>But if i exclude all except "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"<Set name="ExcludeCipherSuites"><Array type="java.lang.String"><Item>...</Item><!--<Item>TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256</Item>--></Array></Set>Both of these ciphersuites are in list of ciphersuites I printed on client.
Point to be noted is , both of these cipher suites are listed in java7 with FootNote1 ( which points to TLSv1.2)
It means some ciphersuites are supported by jetty while some are not.Is it so?, do we have any such list. Or is there any other way to do it. Please guide.I want to use this ciphersuite for this handshake, but i don't know how to do it.--With RegardsHimanshu Rawal
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users