Disabling Anonymous Cipher Suites?????

880540

How to disable the anon suites for some particular port?

We are enabling the anon suites in our code .
on server
socket.setEnabledCipherSuites(SERVER_SOCKET_ANON_SUITES); ----------> Only Anonymous
on client
socket.setEnabledCipherSuites( SSL_SOCKET_ANON_SUITES )----------> Only Anonymous

The code above is working fine but now we want to disable anonymous ciphers for some specific port .
We tried
on server
socket.setEnabledCipherSuites(SERVER_SOCKET_NON_ANON_SUITES);. --------------------------> by removing the ANON suites from the list of all Ciphers supported by the SSL Socket
on client
socket.setEnabledCipherSuites(SSL_SOCKET_NON_ANON_SUITES);------------------------------->by removing the ANON suites from the list of all Ciphers supported by the SSL Socket

Both the conditions have been put there depending upon the port.

Its throwing
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

Xuelei-Oracle

You may find some useful information from the exception message.

But the way, it is not recommended to enabled all supported cipher suites, some of them are as weak as anonymous ones, and some of them may not suitable for your environment. You'd better choose from the default cipher suites.

You may also interesting in the post, JSSE Oracle Provider Preference of TLS Cipher Suites: http://sim.ivi.co/2011/07/jsse-oracle-provider-preference-of-tls.html

EJP

Exactly. You shouldn't have been using the anonymous suites in the first place unlss you really know what you're doing from a standpoint, meaning you have authentication built into your application protocol. The anon suites are not enabled by default, so to get the behaviour you now want you don't actually have to do anything, except remove the code that enabled them.

880540

Thanks...........but removing the enable of annonymous cipher suites is also throwing the same exception.

EJP

So that is the problem you have to solve. Your client's truststore doesn't trust the server's keystore. You have to either

(a) export the server cert from its keystore and import into your client's truststore, or

(b) use a CA-signed certificate at the server, and the default Java truststore at the client.

880540

I tried to get all the suites from socket.getSupportedCipherSuites(), and then removed all the anonymous ciphers from the list.
Then enabled rest of the suites on the socket , but got the same exception.

It seems like I have to go ahead with the solution you provided.??

EJP

You don't have to do any of that. The anonymous cipher suites are disabled by default. The lesss you do with cipher suites the better.

You need to concentrate on getting the server certificate accepted, not this insecure bypass.

Xuelei-Oracle

Correct. It is recommended to use default cipher suites. In reply to your questions about the exception, you can get the information from the exception message:

javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

As means that you don't the certificate of the type required by the cipher suites. For example, you may only have RSA based certificate, but you enable ECC cipher suites explicitly (requires ECC based certificate), as will result in similar exception.

Just as suggested, don't try to use supported but not default enabled cipher suites unless you really know what you're doing from a standpoint.

880540

Thanks a lot, I will try to implement as per suggested...........

880540

I created a self signed certificate and then
exported the key using
openssl pkcs12 -name test -export-in test.server.crt -inkey test.server.key -out test123.p12


1.When I passed this file to the trust store , I got the same exception as above

TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
KeyStore keyStore = KeyStore.getInstance("pkcs12");
keyStore.load( new FileInputStream(KEYSTORE), KEYSTOREPW.toCharArray());
trustManagerFactory.init(keyStore);

SSL_CONTEXT.init( null, trustManagerFactory..getTrustManagers(), null );

2. When I passed this file to the keyStore , I got the excpetion "javax.net.ssl.SSLHandshakeException: no cipher suites in common "

KeyStore ks = KeyStore.getInstance("pkcs12");
ks.load(new FileInputStream(ksName), passphrase);

KeyManagerFactory kmf = KeyManagerFactory.getInstance("IbmX509");
kmf.init(ks, passphrase);
SSL_CONTEXT.init( kmf.getKeyManagers(), null, null );

I have removed all the code where we were enabling the cipher suites, so now its only dealing with default .

EJP

I created a self signed certificate

How? What parameters, algorithms, ...?