8 Replies. Latest reply: Oct 17, 2011 2:35 AM by EJP

TLS  - 2 way authentication with PKCS11 token

user10878887 Newbie
I am trying to authenticate to a public server (www.siui.ro:443) using a PKCS11 token.
I use jdk1.6.0_25.
The error is "main, handling exception: javax.net.ssl.SSLException: Received fatal alert: illegal_parameter".
This is the code I used:

import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class Client {
    public static void main(String[] args) throws Exception {
        String configName = "c:/dist/ssl/config/schlumberger.cfg";
        Provider p = new sun.security.pkcs11.SunPKCS11(configName);
        // Register the provider before JSSE looks the key store provider up by name
        Security.addProvider(p);

        System.setProperty("java.security.debug", "all");
        System.setProperty("javax.net.debug", "ssl");

        // Use the token as the client key store ("NONE": the keys live on the card, not in a file)
        System.setProperty("javax.net.ssl.keyStoreType", "pkcs11");
        System.setProperty("javax.net.ssl.keyStore", "NONE");
        System.setProperty("javax.net.ssl.keyStorePassword", "******");
        // p.getName() already returns "SunPKCS11-<name from the cfg>", so set the provider once
        System.setProperty("javax.net.ssl.keyStoreProvider", p.getName());

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket("www.siui.ro", 443);
        socket.startHandshake();
    }
}

This is the complete error:

main, WRITE: TLSv1 Handshake, length = 40
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, illegal_parameter
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at Client.main(Client.java:52)

Thank you
  • 1. Re: TLS  - 2 way authentication with PKCS11 token
    Luis Newbie
    Hi,

    I am using jrockit-jdk1.6.0_24-R28.

    With the org.apache.http.examples.client.ClientCustomSSL of the HttpClient 4.1.2 (GA) it works for me (Check http://hc.apache.org/downloads.cgi).

    I have imported the server's certificate in my keystore (keytool -importcert ...).

    Another approach that is working for me is to turn hostname verification off:

    .../...
    // Both of these disable checks: the verifier accepts any host name and the
    // trust strategy accepts self-signed server certificates.
    X509HostnameVerifier hostnameVerifier = new AllowAllHostnameVerifier();
    SSLSocketFactory socketFactory = new SSLSocketFactory(new TrustSelfSignedStrategy(), hostnameVerifier);
    Scheme sch = new Scheme("https", 443, socketFactory);
    httpclient.getConnectionManager().getSchemeRegistry().register(sch);

    HttpGet httpget = new HttpGet("https://myhost");

    HttpResponse response = httpclient.execute(httpget);
    .../...

    Hope it helps,

    Luis

    ps: However THIS IS NOT WORKING FOR JDK 1.7!!! Any ideas? Thanks in advance!
  • 2. Re: TLS  - 2 way authentication with PKCS11 token
    894751 Newbie
    Hi Luis, were you able to fix this issue with JDK 7? If yes, could you please let us know the solution? I have the same issue with JDK 7.
  • 3. Re: TLS  - 2 way authentication with PKCS11 token
    Luis Newbie
    Hi,

    In our case we are not trying to authenticate against the server. I am just trying to establish a connection through SSL.

    Unfortunately I have not been able to fix the issue. I think that the problem could be on the server side and could be related to the cipher suites, but I am not 100% sure about this.

    With jdk 1.7.0 I always get this in the console (-Djavax.net.debug=all):

    Ignoring unavailable cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    Ignoring unavailable cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
    Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256

    It is a little bit weird, because according to this, http://download.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunPKCS11Provider, these cipher suites are enabled by default. Maybe I am missing something...

    The problem happens against an Oracle-Application-Server-10g/10.1.3.5.0 Oracle-HTTP-Server. I have tried against an Apache Server 2.2, with SSL enabled and it works...

    You can check this guide; it is really useful: http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/ReadDebug.html

    And here you can find code samples: http://download.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#CodeExamples

    If I make any progress I will update the thread.

    Hope it helps,

    Luis

    Edited by: Luis on Oct 17, 2011 12:30 AM
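As an added example (not code from this thread or from Oracle's samples), the same PKCS11 client-auth setup as the first post, done through KeyManagerFactory/SSLContext instead of system properties, with server certificate and host name checks left on; it also prints the protocols and suites the client actually offers, which is what the "Ignoring unavailable cipher suite" lines above refer to. The config path, PIN, host and port are assumed to come from the command line, and the provider constructor is the JDK 6/7 one used in this thread.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class Pkcs11ClientAuth {
    public static void main(String[] args) throws Exception {
        String cfg = args[0];                // assumed: path to the SunPKCS11 config file
        char[] pin = args[1].toCharArray();  // assumed: token PIN (taken from args for the demo only)
        String host = args[2];
        int port = Integer.parseInt(args[3]);

        // Register the token provider and open its key store; the private key stays on the card.
        Provider p = new sun.security.pkcs11.SunPKCS11(cfg);
        Security.addProvider(p);
        KeyStore token = KeyStore.getInstance("PKCS11", p);
        token.load(null, pin);

        // Client certificate and key come from the token; the server chain is checked
        // against the JDK's default trust store (cacerts), not a trust-everything strategy.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(token, pin);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);

        // JDK 7+: verify the host name against the server certificate instead of disabling it.
        SSLParameters params = s.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(params);

        // What this client will offer in ClientHello; suites logged as "unavailable" by
        // -Djavax.net.debug are the ones missing here, so compare with what the server accepts.
        System.out.println("Protocols offered: " + Arrays.toString(s.getEnabledProtocols()));
        System.out.println("Suites offered:    " + Arrays.toString(s.getEnabledCipherSuites()));

        s.startHandshake();
        System.out.println("Negotiated " + s.getSession().getProtocol() + " / " + s.getSession().getCipherSuite());
        System.out.println("Server identity: " + s.getSession().getPeerPrincipal());
        s.close();
    }
}
```

Run it with -Djavax.net.debug=ssl to see the handshake records alongside the offered list.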
  • 4. Re: TLS  - 2 way authentication with PKCS11 token
    EJP Guru
    @Luis if you are trying to do two-way authentication you have no business turning off critical parts of SSL. Solve the problems, don't just bypass them. If you don't want it secure why use SSL at all?
  • 5. Re: TLS  - 2 way authentication with PKCS11 token
    Luis Newbie
    Hi EJP,
    EJP wrote:
    @Luis if you are trying to do two-way authentication you have no business turning off critical parts of SSL.
    Definitely you are right: if I were trying to do two-way authentication I should not turn off any critical part of SSL. But what I am trying to do is to establish a connection using SSL: ClientHello, ServerHello...
    EJP wrote:
    Solve the problems, don't just bypass them.
    Yes, you are still right, that's why I am getting into the wild: http://download.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#CodeExamples
    EJP wrote:
    If you don't want it secure why use SSL at all?
    This is just a proof of concept. I would like to be able to do something like this: http://download.oracle.com/javase/7/docs/technotes/guides/security/jsse/samples/sockets/client/SSLSocketClient.java

    Thanks in advance,

    Luis

    ps: could it be a bug http://bugs.sun.com/view_bug.do?bug_id=6998053? I do not think so, but...

    Edited by: Luis on Oct 17, 2011 2:02 AM
  • 6. Re: TLS  - 2 way authentication with PKCS11 token
    EJP Guru
    Definitely you are right, if would be trying to to do two-way authentication I should not turn off any critical part of SSL.
    Does that mean you aren't trying to do two-way authentication? If so, why are you posting in this thread which is entitled 'TLS - 2 way authentication with PKCS11 token'?
    But I am trying to do is to establish a connection using SSL: ClientHello, ServerHello...
    Yes, that's what TLS/SSL does.
    This is just a proof of concept
    You can't prove any concepts by breaking the assumptions on which those concepts rest. Implementing SSL by breaking it doesn't prove anything whatsoever.
    could it be a bug
    Could be. What happened when you tried the workarounds mentioned?
  • 7. Re: TLS  - 2 way authentication with PKCS11 token
    Luis Newbie
    Hi EJP,
    EJP wrote:
    ... why are you posting in this thread which is entitled 'TLS - 2 way authentication with PKCS11 token'?
    Because I am also getting the "main, handling exception: javax.net.ssl.SSLException: Received fatal alert: illegal_parameter" exception.
    EJP wrote:
    ... Implementing SSL by breaking it doesn't prove anything whatsoever
    Ok, turning hostname verification off is not the right approach. But the last sample that I mentioned is taken from the Java™ Secure Socket Extension (JSSE) Reference Guide. As the sample's comment says: "This example demostrates how to use a SSLSocket as client to send a HTTP request and get response from an HTTPS server." So, is this breaking anything?

    Thanks in advance,

    Luis

    Edited by: Luis on Oct 17, 2011 2:20 AM
  • 8. Re: TLS  - 2 way authentication with PKCS11 token
    EJP Guru
    Luis, if you aren't doing 2-way authentication with a PKCS11 token it is irrational to post your issue in a thread with that title. You won't attract the right people to answer it. It is also contrary to the convention of not hijacking threads. Please start your own thread. Locking this one.
