Disabling Anonymous Cipher Suites?????

880540
Member Posts: 10
How to disable the anon suites for some particular port?
We are enabling the anon suites in our code.
On server:
socket.setEnabledCipherSuites(SERVER_SOCKET_ANON_SUITES); // only anonymous
On client:
socket.setEnabledCipherSuites(SSL_SOCKET_ANON_SUITES); // only anonymous
The code above is working fine, but now we want to disable anonymous ciphers for some specific port.
We tried
On server:
socket.setEnabledCipherSuites(SERVER_SOCKET_NON_ANON_SUITES); // by removing the ANON suites from the list of all ciphers supported by the SSL socket
On client:
socket.setEnabledCipherSuites(SSL_SOCKET_NON_ANON_SUITES); // by removing the ANON suites from the list of all ciphers supported by the SSL socket
Both the conditions have been put there depending upon the port.
It's throwing
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
Answers
-
You may find some useful information from the exception message.
By the way, it is not recommended to enable all supported cipher suites; some of them are as weak as anonymous ones, and some of them may not be suitable for your environment. You'd better choose from the default cipher suites.
You may also be interested in the post, JSSE Oracle Provider Preference of TLS Cipher Suites: http://sim.ivi.co/2011/07/jsse-oracle-provider-preference-of-tls.html
-
Exactly. You shouldn't have been using the anonymous suites in the first place unless you really know what you're doing from a standpoint, meaning you have authentication built into your application protocol. The anon suites are not enabled by default, so to get the behaviour you now want you don't actually have to do anything, except remove the code that enabled them.
-
Thanks... but removing the enabling of the anonymous cipher suites is also throwing the same exception.
-
So that is the problem you have to solve. Your client's truststore doesn't trust the server's keystore. You have to either
(a) export the server cert from its keystore and import into your client's truststore, or
(b) use a CA-signed certificate at the server, and the default Java truststore at the client.
-
I tried to get all the suites from socket.getSupportedCipherSuites(), and then removed all the anonymous ciphers from the list.
Then enabled rest of the suites on the socket , but got the same exception.
It seems like I have to go ahead with the solution you provided?
-
You don't have to do any of that. The anonymous cipher suites are disabled by default. The less you do with cipher suites the better.
You need to concentrate on getting the server certificate accepted, not this insecure bypass.
-
Correct. It is recommended to use the default cipher suites. In reply to your questions about the exception, you can get the information from the exception message:
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
This means that you don't have a certificate of the type required by the cipher suites. For example, you may only have an RSA-based certificate, but you enable ECC cipher suites explicitly (which require an ECC-based certificate); this will result in a similar exception.
Just as suggested, don't try to use supported but not default enabled cipher suites unless you really know what you're doing from a standpoint.
-
Thanks a lot, I will try to implement as per suggested...........
-
I created a self-signed certificate and then exported the key using
openssl pkcs12 -name test -export -in test.server.crt -inkey test.server.key -out test123.p12
1. When I passed this file to the trust store, I got the same exception as above:
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
    TrustManagerFactory.getDefaultAlgorithm());
KeyStore keyStore = KeyStore.getInstance("pkcs12");
keyStore.load(new FileInputStream(KEYSTORE), KEYSTOREPW.toCharArray());
trustManagerFactory.init(keyStore);
SSL_CONTEXT.init(null, trustManagerFactory.getTrustManagers(), null);
2. When I passed this file to the keyStore, I got the exception "javax.net.ssl.SSLHandshakeException: no cipher suites in common":
KeyStore ks = KeyStore.getInstance("pkcs12");
ks.load(new FileInputStream(ksName), passphrase);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("IbmX509");
kmf.init(ks, passphrase);
SSL_CONTEXT.init(kmf.getKeyManagers(), null, null);
I have removed all the code where we were enabling the cipher suites, so now it's only dealing with the default.
-
> I created a self signed certificate
How? What parameters, algorithms, ...?
This discussion has been closed.
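
Added example, not part of the original thread and not any poster's code: a diagnostic for the points raised in the replies, showing which keystore entries hold a private key, what algorithm each key uses, and which of the default enabled cipher suites that key can serve, with any anonymous suite flagged. It assumes a PKCS12 file and its password are passed as arguments; the class name KeystoreSuiteCheck and the helper authTag are hypothetical, and matching suites to key types by name fragment is a heuristic.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Added example: usage is  java KeystoreSuiteCheck <keystore.p12> <password>
public class KeystoreSuiteCheck {
    // Fragment of a JSSE suite name that identifies the server key type (heuristic).
    static String authTag(String keyAlgorithm) {
        switch (keyAlgorithm) {
            case "RSA": return "_RSA_";
            case "EC":  return "_ECDSA_";
            case "DSA": return "_DSS_";
            default:    return null;
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, pw); }

        Set<String> tags = new HashSet<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {   // enough for a truststore, not for a server KeyManager
                System.out.println(alias + ": certificate only, no private key");
                continue;
            }
            Key key = ks.getKey(alias, pw);
            System.out.println(alias + ": private key, algorithm " + key.getAlgorithm());
            String tag = authTag(key.getAlgorithm());
            if (tag != null) tags.add(tag);
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);   // a server context needs key managers
        for (String suite : ctx.getDefaultSSLParameters().getCipherSuites()) {
            if (suite.endsWith("_SCSV")) continue;        // signalling value, not a real suite
            boolean anon = suite.contains("_anon_");      // should never appear in the defaults
            boolean tls13 = !suite.contains("_WITH_");    // TLS 1.3 names carry no key type
            boolean usable = tls13 || tags.stream().anyMatch(suite::contains);
            System.out.println((anon ? "ANON    " : usable ? "usable  " : "no key  ") + suite);
        }
    }
}
```

If every default suite prints as "no key", the keystore holds no private key of a type the enabled suites can authenticate with, which is the condition the exception message in this thread describes.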