19 Replies. Latest reply: Aug 18, 2011 10:06 PM by 830591

    Disabling Anonymous Cipher Suites?????

    880540
      How to disable the anon suites for some particular port?

      We are enabling the anon suites in our code .
      on server
      socket.setEnabledCipherSuites(SERVER_SOCKET_ANON_SUITES); ----------> Only Anonymous
      on client
      socket.setEnabledCipherSuites( SSL_SOCKET_ANON_SUITES )----------> Only Anonymous

      The code above is working fine but now we want to disable anonymous ciphers for some specific port .
      We tried
      on server
      socket.setEnabledCipherSuites(SERVER_SOCKET_NON_ANON_SUITES);. --------------------------> by removing the ANON suites from the list of all Ciphers supported by the SSL Socket
      on client
      socket.setEnabledCipherSuites(SSL_SOCKET_NON_ANON_SUITES);------------------------------->by removing the ANON suites from the list of all Ciphers supported by the SSL Socket

      Both the conditions have been put there depending upon the port.

      Its throwing
      javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        • 1. Re: Disabling Anonymous Cipher Suites?????
          830591
          You may find some useful information from the exception message.

          By the way, it is not recommended to enable all supported cipher suites; some of them are as weak as anonymous ones, and some of them may not be suitable for your environment. You'd better choose from the default cipher suites.

          You may also be interested in the post, JSSE Oracle Provider Preference of TLS Cipher Suites: http://sim.ivi.co/2011/07/jsse-oracle-provider-preference-of-tls.html
          • 2. Re: Disabling Anonymous Cipher Suites?????
            EJP
            Exactly. You shouldn't have been using the anonymous suites in the first place unless you really know what you're doing from a standpoint, meaning you have authentication built into your application protocol. The anon suites are not enabled by default, so to get the behaviour you now want you don't actually have to do anything, except remove the code that enabled them.
            • 3. Re: Disabling Anonymous Cipher Suites?????
              880540
              Thanks...........but removing the enabling of anonymous cipher suites is also throwing the same exception.
              • 4. Re: Disabling Anonymous Cipher Suites?????
                EJP
                So that is the problem you have to solve. Your client's truststore doesn't trust the server's keystore. You have to either

                (a) export the server cert from its keystore and import into your client's truststore, or

                (b) use a CA-signed certificate at the server, and the default Java truststore at the client.
                • 5. Re: Disabling Anonymous Cipher Suites?????
                  880540
                  I tried to get all the suites from socket.getSupportedCipherSuites(), and then removed all the anonymous ciphers from the list.
                  Then enabled rest of the suites on the socket , but got the same exception.

                  It seems like I have to go ahead with the solution you provided.??
                  • 6. Re: Disabling Anonymous Cipher Suites?????
                    EJP
                    You don't have to do any of that. The anonymous cipher suites are disabled by default. The less you do with cipher suites the better.

                    You need to concentrate on getting the server certificate accepted, not this insecure bypass.
                    • 7. Re: Disabling Anonymous Cipher Suites?????
                      830591
                      Correct. It is recommended to use default cipher suites. In reply to your questions about the exception, you can get the information from the exception message:

                      javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

                      That means that you don't have the certificate of the type required by the cipher suites. For example, you may only have an RSA based certificate, but you enable ECC cipher suites explicitly (which require an ECC based certificate), which will result in a similar exception.

                      Just as suggested, don't try to use supported but not default enabled cipher suites unless you really know what you're doing from a standpoint.
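                      The following is an added example, not code from this thread or from the JSSE documentation. It shows the setup EJP recommends in reply 4, option (a), and the point made in reply 7 about matching certificate types: the server gets a KeyManager from its PKCS12 keystore, the client gets a TrustManager holding only the server's certificate (copied in memory out of that keystore, so the private key never reaches the client), and neither side calls setEnabledCipherSuites, so the JSSE defaults apply and the suites offered match whatever key type the keystore actually holds. It then performs a loopback handshake to confirm that a default suite is negotiated and that no anonymous suite is enabled. The keystore path and password are placeholders (assumptions); it needs Java 8 or later.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.*;

public class DefaultSuitesLoopback {
    // Assumptions (placeholders, not values from the thread): a PKCS12 file holding the
    // server's private key plus its self-signed certificate, and the export password.
    static final String SERVER_P12 = "/path/to/test123.p12";
    static final char[] SERVER_P12_PW = "changeit".toCharArray();

    static KeyStore loadServerKeyStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(SERVER_P12)) {
            ks.load(in, SERVER_P12_PW);
        }
        return ks;
    }

    // Server side: KeyManager from the keystore. Cipher suites are left at the JSSE
    // defaults, so no anonymous suite is offered and the RSA/EC suites that get enabled
    // match the key type in the keystore.
    static SSLContext serverContext() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadServerKeyStore(), SERVER_P12_PW);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    // Client side: option (a) from reply 4, done in memory. Only the server's certificate
    // goes into a fresh truststore; a truststore must hold certificates, not the PKCS12
    // file with the private key.
    static SSLContext clientContext() throws Exception {
        KeyStore serverKs = loadServerKeyStore();
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null); // start from an empty truststore
        for (String alias : Collections.list(serverKs.aliases())) {
            if (!serverKs.isKeyEntry(alias)) continue;
            Certificate[] chain = serverKs.getCertificateChain(alias);
            // For a self-signed certificate the chain has one element: the certificate itself.
            trust.setCertificateEntry("server-" + alias, chain[chain.length - 1]);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory ssf = serverContext().getServerSocketFactory();
        try (SSLServerSocket server = (SSLServerSocket)
                 ssf.createServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            // Nothing was passed to setEnabledCipherSuites, so this count is 0.
            long anon = Arrays.stream(server.getEnabledCipherSuites())
                              .filter(s -> s.contains("anon")).count();
            System.out.println("anonymous suites enabled by default: " + anon);
            int port = server.getLocalPort();
            Thread srv = new Thread(() -> {
                try (SSLSocket s = (SSLSocket) server.accept()) {
                    s.startHandshake();
                    s.getOutputStream().write(
                        s.getSession().getCipherSuite().getBytes(StandardCharsets.US_ASCII));
                } catch (IOException e) {
                    e.printStackTrace();
                }
            });
            srv.start();
            try (SSLSocket c = (SSLSocket) clientContext().getSocketFactory()
                                   .createSocket(InetAddress.getLoopbackAddress(), port)) {
                c.startHandshake(); // fails here if the truststore does not contain the server cert
                byte[] buf = new byte[256];
                int n = c.getInputStream().read(buf);
                System.out.println("client negotiated: " + c.getSession().getCipherSuite());
                System.out.println("server reports:    " + new String(buf, 0, Math.max(n, 0), StandardCharsets.US_ASCII));
            }
            srv.join();
        }
    }
}
```

                      If the handshake fails with the "No available certificate or key" message from this thread even with this setup, the keystore does not contain a private key entry of a type the default suites can use; if it fails with a trust error on the client, the certificate copied into the truststore is not the one the server presents.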
                      • 8. Re: Disabling Anonymous Cipher Suites?????
                        880540
                        Thanks a lot, I will try to implement as per suggested...........
                        • 9. Re: Disabling Anonymous Cipher Suites?????
                          880540
                          I created a self signed certificate and then
                          exported the key using
                          openssl pkcs12 -name test -export -in test.server.crt -inkey test.server.key -out test123.p12


                          1. When I passed this file to the trust store, I got the same exception as above

                          TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
                                  TrustManagerFactory.getDefaultAlgorithm());
                          KeyStore keyStore = KeyStore.getInstance("pkcs12");
                          keyStore.load(new FileInputStream(KEYSTORE), KEYSTOREPW.toCharArray());
                          trustManagerFactory.init(keyStore);

                          SSL_CONTEXT.init(null, trustManagerFactory.getTrustManagers(), null);

                          2. When I passed this file to the keyStore, I got the exception "javax.net.ssl.SSLHandshakeException: no cipher suites in common"

                          KeyStore ks = KeyStore.getInstance("pkcs12");
                          ks.load(new FileInputStream(ksName), passphrase);

                          KeyManagerFactory kmf = KeyManagerFactory.getInstance("IbmX509");
                          kmf.init(ks, passphrase);
                          SSL_CONTEXT.init(kmf.getKeyManagers(), null, null);

                          I have removed all the code where we were enabling the cipher suites, so now it's only dealing with the defaults.
                          • 10. Re: Disabling Anonymous Cipher Suites?????
                            EJP
                            I created a self signed certificate
                            How? What parameters, algorithms, ...?
                            • 11. Re: Disabling Anonymous Cipher Suites?????
                              880540
                              We are using openssl........like

                              openSSLPath + "openssl x509 -in " + cSRFileName + " -out " + tempCACertFileName +
                              " -req -signkey " + keyFile +
                              " -days " + daysToUseOnCreate
                              • 12. Re: Disabling Anonymous Cipher Suites?????
                                880540
                                After generating the self signed certificate We got two files

                                server.crt
                                server.key
                                • 13. Re: Disabling Anonymous Cipher Suites?????
                                  880540
                                  After generating the certificate "server.cert" I did the following:

                                  1. created a keystore test.p12 by using following command

                                  "openssl pkcs12 -export -in $certFile -inkey $keyFile -out ${host}.pkcs12"

                                  2. Loaded the keystore using the above test.p12

                                  KeyManagerFactory kmf = KeyManagerFactory.getInstance("IBMX509");
                                  KeyStore ks = KeyStore.getInstance("pkcs12");
                                  char[] passphrase = "test".toCharArray(); // this password is the same one I used when I issued the above command
                                  ks.load(new FileInputStream(ksName), passphrase);
                                  kmf.init(ks, passphrase);

                                  3. Created our trust manager using server.cert.

                                  TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("IBMX509");
                                  KeyStore trustKeyStore = KeyStore.getInstance("jks");
                                  char[] password = trustManagerKeystorePsswd.toCharArray(); // Trust key store password: can be any password.
                                  trustKeyStore.load(null, password); // Loading an empty key store.
                                  FileInputStream file = new FileInputStream(certificateFile);
                                  CertificateFactory cf = CertificateFactory.getInstance("X.509");
                                  X509Certificate cert = (X509Certificate) cf.generateCertificate(file);
                                  trustKeyStore.setCertificateEntry(cert.getSubjectDN().toString(), cert);
                                  trustManagerFactory.init(trustKeyStore);


                                  Now initiated the SSL context with the above keystore and truststore


                                  Got the following exception

                                  javax.net.ssl.SSLHandshakeException: no cipher suites in common


                                  I have already disabled all the code for enabling any ciphers explicitly
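                                  The following is an added diagnostic, not code from this thread. "no cipher suites in common" on the server means that none of the suites the server has enabled can be served with the credentials its KeyManager found, which is the same mismatch reply 7 describes. The check below lists what the PKCS12 file actually contains (a private key entry versus a certificate-only entry, and the key algorithm), then works out which of the default suites that key could serve, so the mismatch is visible before any handshake. The path and password are placeholders (assumptions), and the mapping from suite name to certificate key type is derived from JSSE's suite naming convention (TLS_RSA_*, TLS_ECDHE_ECDSA_*, TLS_DHE_DSS_*, ...), not from a JSSE API, so verify it against the suite list your JDK prints.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;

public class KeyStoreSuiteCheck {
    // Assumptions (placeholders, not values from the thread).
    static final String KS_PATH = "/path/to/test.p12";
    static final char[] KS_PW = "test".toCharArray();

    // Key algorithm the server certificate must have for a suite to be usable, derived
    // from the suite name. Returns null for anonymous suites (no certificate involved),
    // "ANY" for TLS 1.3 suites (any signing key), "UNKNOWN" for pseudo-suites like
    // TLS_EMPTY_RENEGOTIATION_INFO_SCSV.
    static String requiredKeyAlgorithm(String suite) {
        if (suite.contains("anon")) return null;
        if (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_")) return "ANY";
        if (suite.contains("_ECDH_")) return "EC";   // static ECDH: EC key regardless of signer
        if (suite.contains("_DH_")) return "DH";     // static DH: DH key (rare, not a JSSE default)
        if (suite.contains("_ECDSA_")) return "EC";
        if (suite.contains("_DSS_")) return "DSA";
        if (suite.contains("_RSA_")) return "RSA";
        return "UNKNOWN";
    }

    // Lists the keystore entries and returns the algorithms of the private keys found.
    // A certificate-only entry (what you get by importing just a .crt) cannot act as a
    // server credential, which is the classic cause of an empty usable-suite list.
    static List<String> privateKeyAlgorithms(KeyStore ks, char[] pw) throws Exception {
        List<String> algs = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                Key k = ks.getKey(alias, pw);
                if (k instanceof PrivateKey) {
                    algs.add(k.getAlgorithm());
                    System.out.println("key entry  " + alias + " (" + k.getAlgorithm() + ")");
                }
            } else {
                System.out.println("cert only  " + alias + " -> cannot authenticate a server");
            }
        }
        return algs;
    }

    // Returns the enabled suites that at least one private key in the keystore can serve.
    static List<String> usableSuites(String[] enabled, List<String> keyAlgs) {
        List<String> ok = new ArrayList<>();
        for (String s : enabled) {
            String need = requiredKeyAlgorithm(s);
            if (need == null || "UNKNOWN".equals(need)) continue;
            boolean usable = "ANY".equals(need) ? !keyAlgs.isEmpty() : keyAlgs.contains(need);
            if (usable) ok.add(s);
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(KS_PATH)) {
            ks.load(in, KS_PW);
        }
        List<String> keyAlgs = privateKeyAlgorithms(ks, KS_PW);
        // The suites a server socket enables when nothing calls setEnabledCipherSuites.
        String[] enabled = SSLContext.getDefault().getServerSocketFactory().getDefaultCipherSuites();
        List<String> ok = usableSuites(enabled, keyAlgs);
        System.out.println(ok.size() + " of " + enabled.length + " default suites are usable with this keystore");
        if (ok.isEmpty()) {
            System.out.println("nothing usable: expect 'no cipher suites in common' or "
                    + "'No available certificate or key corresponds to the SSL cipher suites which are enabled'");
        }
    }
}
```

                                  Run it against the same PKCS12 file and password the KeyManagerFactory is given. If it reports only certificate-only entries, the export step did not include the private key; if it reports a key entry whose algorithm does not appear in any default suite, the certificate type and the enabled suites disagree, which is the situation reply 7 describes.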
                                  • 14. Re: Disabling Anonymous Cipher Suites?????
                                    880540
                                    There was this exception as well

                                    javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure