19 Replies. Latest reply: Aug 18, 2011 8:06 PM by 830591

Disabling Anonymous Cipher Suites?????

880540 Newbie
How do I disable the anon suites for one particular port?

We are enabling the anon suites in our code.
On the server:
socket.setEnabledCipherSuites(SERVER_SOCKET_ANON_SUITES); // only anonymous suites
On the client:
socket.setEnabledCipherSuites(SSL_SOCKET_ANON_SUITES); // only anonymous suites

The code above is working fine, but now we want to disable the anonymous ciphers for one specific port.
We tried
on the server:
socket.setEnabledCipherSuites(SERVER_SOCKET_NON_ANON_SUITES); // the ANON suites removed from the list of all ciphers supported by the SSL socket
on the client:
socket.setEnabledCipherSuites(SSL_SOCKET_NON_ANON_SUITES); // the ANON suites removed from the list of all ciphers supported by the SSL socket

Both conditions are selected depending on the port.

It's throwing
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
  • 1. Re: Disabling Anonymous Cipher Suites?????
    830591 Newbie
    You may find some useful information in the exception message.

    By the way, it is not recommended to enable all supported cipher suites; some of them are as weak as the anonymous ones, and some of them may not be suitable for your environment. You'd better choose from the default cipher suites.

    You may also be interested in the post JSSE Oracle Provider Preference of TLS Cipher Suites: http://sim.ivi.co/2011/07/jsse-oracle-provider-preference-of-tls.html
  • 2. Re: Disabling Anonymous Cipher Suites?????
    EJP Guru
    Exactly. You shouldn't have been using the anonymous suites in the first place unless you really know what you're doing from a standpoint, meaning you have authentication built into your application protocol. The anon suites are not enabled by default, so to get the behaviour you now want you don't actually have to do anything, except remove the code that enabled them.
  • 3. Re: Disabling Anonymous Cipher Suites?????
    880540 Newbie
    Thanks, but removing the code that enables the anonymous cipher suites is also throwing the same exception.
  • 4. Re: Disabling Anonymous Cipher Suites?????
    EJP Guru
    So that is the problem you have to solve. Your client's truststore doesn't trust the server's keystore. You have to either

    (a) export the server cert from its keystore and import into your client's truststore, or

    (b) use a CA-signed certificate at the server, and the default Java truststore at the client.
  • 5. Re: Disabling Anonymous Cipher Suites?????
    880540 Newbie
    I tried to get all the suites from socket.getSupportedCipherSuites(), and then removed all the anonymous ciphers from the list.
    Then I enabled the rest of the suites on the socket, but got the same exception.

    It seems like I have to go ahead with the solution you provided?
  • 6. Re: Disabling Anonymous Cipher Suites?????
    EJP Guru
    You don't have to do any of that. The anonymous cipher suites are disabled by default. The less you do with cipher suites the better.

    You need to concentrate on getting the server certificate accepted, not this insecure bypass.
  • 7. Re: Disabling Anonymous Cipher Suites?????
    830591 Newbie
    Correct. It is recommended to use the default cipher suites. In reply to your question about the exception, you can get the information from the exception message:

    javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

    It means that you don't have a certificate of the type required by the cipher suites. For example, you may only have an RSA-based certificate but explicitly enable ECC cipher suites (which require an ECC-based certificate); this will result in a similar exception.

    As suggested, don't try to use supported but not default-enabled cipher suites unless you really know what you're doing from a standpoint.
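    Replies 2, 4 and 7 taken together describe the fix: leave the cipher suite list alone (the anon suites are not enabled by default), give the server a KeyManager backed by a key and certificate of a type the default suites can use, and give the client a truststore that contains the server's certificate. The program below is an added example, not code from this thread or from JSSE's own samples; it assumes a PKCS12 keystore created beforehand (the file name server.p12, alias, DN, SAN and password are arbitrary choices for the demo), builds the client truststore in memory from the certificate entries of that keystore (EJP's option (a), without the key ever leaving the server side), counts the anonymous suites that are supported versus enabled on a fresh SSLServerSocket, and then completes one loopback handshake with endpoint identification turned on.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/*
 * Added example (not from the thread). Assumes a PKCS12 keystore made beforehand, e.g.:
 *   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
 *       -dname CN=localhost -ext san=dns:localhost -validity 365 \
 *       -storetype PKCS12 -keystore server.p12 -storepass changeit
 * Run:  java TlsTrustDemo server.p12 changeit
 */
public class TlsTrustDemo {

    /** Server side: the PKCS12 private key + certificate back the KeyManager,
     *  so the default (authenticated) suites have a matching key to use. */
    static SSLContext serverContext(KeyStore ks, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Client side, EJP's option (a) done in memory: copy only the certificate entries
     *  (never the private key) into an empty truststore. On disk this is
     *  "keytool -exportcert" on the server followed by "keytool -importcert" on the client. */
    static SSLContext clientContext(KeyStore serverKs) throws Exception {
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);                       // start from an empty truststore
        for (Enumeration<String> e = serverKs.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            Certificate cert = serverKs.getCertificate(alias);
            if (cert != null) {
                trust.setCertificateEntry(alias, cert);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: the server does not request one
        return ctx;
    }

    /** Anonymous suites carry "_anon_" in their JSSE names (TLS_DH_anon_..., TLS_ECDH_anon_...). */
    static List<String> anonymousSuites(String[] suites) {
        List<String> anon = new ArrayList<>();
        for (String s : suites) {
            if (s.contains("_anon_")) {
                anon.add(s);
            }
        }
        return anon;
    }

    public static void main(String[] args) throws Exception {
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        SSLContext server = serverContext(ks, password);
        SSLContext client = clientContext(ks);

        InetAddress loopback = InetAddress.getByName("localhost");
        final SSLServerSocket listener = (SSLServerSocket)
                server.getServerSocketFactory().createServerSocket(0, 1, loopback);
        listener.setSoTimeout(5000);                  // don't hang forever if the client never connects

        // Nothing to "disable": anon suites are supported, but enabled only if code enables them.
        System.out.println("anon suites supported: " + anonymousSuites(listener.getSupportedCipherSuites()).size());
        System.out.println("anon suites enabled:   " + anonymousSuites(listener.getEnabledCipherSuites()).size());

        Thread serverThread = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) listener.accept()) {
                s.startHandshake();
                s.getOutputStream().write("hello\n".getBytes(StandardCharsets.US_ASCII));
                s.getOutputStream().flush();
            } catch (Exception ex) {
                ex.printStackTrace();
            }
        });
        serverThread.start();

        try (SSLSocket c = (SSLSocket) client.getSocketFactory().createSocket("localhost", listener.getLocalPort())) {
            SSLParameters params = c.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS"); // check the name in the cert, not only the trust chain
            c.setSSLParameters(params);
            c.startHandshake();                               // SSLHandshakeException here means the cert is not trusted
            System.out.println("negotiated: " + c.getSession().getCipherSuite());
            System.out.println("server said: " + (char) c.getInputStream().read());
        } finally {
            serverThread.join();
            listener.close();
        }
    }
}
```

    If the server keystore holds an RSA key, the negotiated suite printed at the end will be an RSA- or ECDHE-RSA-authenticated one (or a TLS 1.3 suite on newer JDKs), and the "anon suites enabled" count is 0 without any call to setEnabledCipherSuites. Drop the setCertificateEntry loop and the handshake fails on the client with the trust error EJP describes; drop the KeyManager on the server and you are back to the "No available certificate or key" exception from the first post.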
  • 8. Re: Disabling Anonymous Cipher Suites?????
    880540 Newbie
    Thanks a lot, I will try to implement it as suggested.
  • 9. Re: Disabling Anonymous Cipher Suites?????
    880540 Newbie
    I created a self-signed certificate and then
    exported the key using

    openssl pkcs12 -name test -export -in test.server.crt -inkey test.server.key -out test123.p12


    1. When I passed this file to the trust store, I got the same exception as above

        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        KeyStore keyStore = KeyStore.getInstance("pkcs12");
        keyStore.load(new FileInputStream(KEYSTORE), KEYSTOREPW.toCharArray());
        trustManagerFactory.init(keyStore);

        SSL_CONTEXT.init(null, trustManagerFactory.getTrustManagers(), null);

    2. When I passed this file to the keystore, I got the exception "javax.net.ssl.SSLHandshakeException: no cipher suites in common"

        KeyStore ks = KeyStore.getInstance("pkcs12");
        ks.load(new FileInputStream(ksName), passphrase);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("IbmX509");
        kmf.init(ks, passphrase);
        SSL_CONTEXT.init(kmf.getKeyManagers(), null, null);

    I have removed all the code where we were enabling the cipher suites, so now it's only dealing with the defaults.
  • 10. Re: Disabling Anonymous Cipher Suites?????
    EJP Guru
    "I created a self signed certificate"
    How? What parameters, algorithms, ...?
  • 11. Re: Disabling Anonymous Cipher Suites?????
    880540 Newbie
    We are using openssl, like

    openSSLPath + "openssl x509 -in " + cSRFileName + " -out " + tempCACertFileName +
        " -req -signkey " + keyFile +
        " -days " + daysToUseOnCreate
  • 12. Re: Disabling Anonymous Cipher Suites?????
    880540 Newbie
    After generating the self-signed certificate we got two files:

    server.crt
    server.key
  • 13. Re: Disabling Anonymous Cipher Suites?????
    880540 Newbie
    After generating the certificate "server.cert" I did the following:

    1. Created a keystore test.p12 by using the following command

    "openssl pkcs12 -export -in $certFile -inkey $keyFile -out ${host}.pkcs12"

    2. Loaded the keystore using the above test.p12

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("IBMX509");
        KeyStore ks = KeyStore.getInstance("pkcs12");
        char[] passphrase = "test".toCharArray(); // this password is the same one I used when I issued the above command
        ks.load(new FileInputStream(ksName), passphrase);
        kmf.init(ks, passphrase);

    3. Created our trust manager using server.cert.

        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("IBMX509");
        KeyStore trustKeyStore = KeyStore.getInstance("jks");
        char[] password = trustManagerKeystorePsswd.toCharArray(); // trust key store password: can be any password
        trustKeyStore.load(null, password); // loading an empty key store
        FileInputStream file = new FileInputStream(certificateFile);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(file);
        // getSubjectX500Principal() replaces the deprecated getSubjectDN(); the alias only needs to be unique
        trustKeyStore.setCertificateEntry(cert.getSubjectX500Principal().getName(), cert);
        trustManagerFactory.init(trustKeyStore);


    Now I initiated the SSL context with the above keystore and truststore.


    Got the following exception

    javax.net.ssl.SSLHandshakeException: no cipher suites in common


    I have already disabled all the code for enabling any ciphers explicitly.
  • 14. Re: Disabling Anonymous Cipher Suites?????
    880540 Newbie
    There was this exception as well

    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure