tzhao

HTTPClient library can't connect to server with SuiteB 192 bits security mode

‏2013-06-15T20:46:15Z |

The server is WebSphere liberty profile with IBM JDK1.7SR1. It is configured with SuiteB 192 bits security mode.
The client is also running with IBM JDK1.7SR1, but it can't connect to the server through the HTTPS port when using the Apache HTTPClient library. I tried with HTTPClient 4.2.1 and 4.2.5.
The error message on the server side is:
[6/15/13 16:22:27:735 EDT] 00000087 SystemOut     O   Session ID:  
[6/15/13 16:22:27:735 EDT] 00000087 SystemOut     O   {}
[6/15/13 16:22:27:736 EDT] 00000087 SystemOut     O   Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ECDH_RSA_WITH_RC4_128_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
[6/15/13 16:22:27:736 EDT] 00000087 SystemOut     O   Compression Methods:  {
[6/15/13 16:22:27:736 EDT] 00000087 SystemOut     O   0
[6/15/13 16:22:27:737 EDT] 00000087 SystemOut     O    }
[6/15/13 16:22:27:737 EDT] 00000087 SystemOut     O   Extension elliptic_curves, curve names: {secp256r1, secp192r1, secp224r1, secp384r1, secp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp256k1}
[6/15/13 16:22:27:737 EDT] 00000087 SystemOut     O   Extension ec_point_formats, formats: [uncompressed]
[6/15/13 16:22:27:738 EDT] 00000087 SystemOut     O   Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA256withDSA, SHA1withDSA, MD5withRSA
[6/15/13 16:22:27:738 EDT] 00000087 SystemOut     O   ***
[6/15/13 16:22:27:739 EDT] 00000087 SystemOut     O   %% Initialized:  [Session-51, SSL_NULL_WITH_NULL_NULL]
[6/15/13 16:22:27:739 EDT] 00000087 SystemOut     O   Default Executor-thread-59, fatal error: 40: no cipher suites in common
javax.net.ssl.SSLHandshakeException: no cipher suites in common
[6/15/13 16:22:27:740 EDT] 00000087 SystemOut     O   %% Invalidated:  [Session-51, SSL_NULL_WITH_NULL_NULL]
[6/15/13 16:22:27:740 EDT] 00000087 SystemOut     O   Default Executor-thread-59
[6/15/13 16:22:27:740 EDT] 00000087 SystemOut     O   , SEND TLSv1.2 ALERT:  
[6/15/13 16:22:27:741 EDT] 00000087 SystemOut     O   fatal,
[6/15/13 16:22:27:741 EDT] 00000087 SystemOut     O   description = handshake_failure
[6/15/13 16:22:27:741 EDT] 00000087 SystemOut     O   Default Executor-thread-59, WRITE: TLSv1.2 Alert, length = 2
[6/15/13 16:22:27:741 EDT] 00000087 SSLUtils      1   before wrap:
    encBuf: hc=51166382 pos=0 lim=24576 cap=24576
[6/15/13 16:22:27:742 EDT] 00000087 SystemOut     O   Default Executor-thread-59, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: no cipher suites in common
[6/15/13 16:22:27:745 EDT] 00000087 SSLHandshakeE E   CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLHandshakeException: no cipher suites in common
    at com.ibm.jsse2.ab.y(ab.java:423)
    at com.ibm.jsse2.nc.b(nc.java:177)
    at com.ibm.jsse2.nc.c(nc.java:43)
    at com.ibm.jsse2.nc.wrap(nc.java:411)

It looks like the issue is that the client side is missing the SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite. But I can't figure out how to add it.

The interesting thing is that URLConnection code is working from the same client application. And the server side trace shows the following information.
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1354425382 bytes = { 67, 32, 214, 118, 151, 170, 157, 137, 169, 238, 131, 57, 130, 134, 128, 196, 39, 179, 102, 31, 88, 68, 194, 179, 220, 198, 85, 83 }
Session ID:  {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ECDHE_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_ECDH_ECDSA_WITH_RC4_128_SHA, SSL_ECDH_RSA_WITH_RC4_128_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, 
SSL_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_256_CBC_SHA256, SSL_ECDH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_AES_256_CBC_SHA, SSL_DH_anon_WITH_AES_256_GCM_SHA384, SSL_DH_anon_WITH_AES_128_GCM_SHA256, SSL_DH_anon_WITH_AES_128_CBC_SHA256, SSL_ECDH_anon_WITH_AES_128_CBC_SHA, SSL_DH_anon_WITH_AES_128_CBC_SHA, SSL_ECDH_anon_WITH_RC4_128_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_ECDH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_NULL_SHA256, SSL_ECDHE_ECDSA_WITH_NULL_SHA, SSL_ECDHE_RSA_WITH_NULL_SHA, SSL_RSA_WITH_NULL_SHA, SSL_ECDH_ECDSA_WITH_NULL_SHA, SSL_ECDH_RSA_WITH_NULL_SHA, SSL_ECDH_anon_WITH_NULL_SHA, SSL_RSA_WITH_NULL_MD5, SSL_KRB5_WITH_RC4_128_SHA, SSL_KRB5_WITH_RC4_128_MD5, SSL_KRB5_WITH_3DES_EDE_CBC_SHA, SSL_KRB5_WITH_3DES_EDE_CBC_MD5]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp192r1, secp224r1, secp384r1, secp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA256withDSA, SHA1withDSA, MD5withRSA
***
main, WRITE: TLSv1.2 Handshake, length = 271
main, READ: TLSv1.2 Handshake, length = 1954
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1354425382 bytes = { 54, 154, 50, 186, 181, 67, 201, 3, 93, 233, 225, 202, 114, 183, 133, 148, 13, 239, 83, 101, 121, 24, 190, 236, 134, 187, 236, 197 }
Session ID:  {81, 187, 228, 38, 17, 34, 49, 27, 193, 182, 47, 99, 158, 214, 25, 136, 48, 99, 86, 75, 205, 110, 60, 76, 150, 148, 48, 248, 48, 205, 70, 246}
Cipher Suite: SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Compression Method: 0
Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }
Extension ec_point_formats, formats: [uncompressed]
***
JsseJCE:  Using MessageDigest SHA-384 from provider IBMJCE version 1.7
%% Initialized:  [Session-1, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384]
** SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Could somebody please help?

Thanks,
Ting
 

  • tzhao
    ACCEPTED ANSWER

    Re: HTTPClient library can't connect to server with SuiteB 192 bits security mode

    ‏2013-06-21T20:00:19Z  

    I found that I have to set the cipher suite on the socket directly. So I have two options:
    1. For HTTPClient 4.2.1, I have to subclass org.apache.http.conn.ssl.SSLSocketFactory, so that I can access the socket by overriding the method
    protected void prepareSocket(final SSLSocket socket) throws IOException
    2. For HttpClient 4.3 and above, I can instantiate the org.apache.http.conn.ssl.SSLSocketFactory with this constructor:
        public SSLSocketFactory(
                final SSLContext sslContext,
                final String[] supportedProtocols,
                final String[] supportedCipherSuites,
                final X509HostnameVerifier hostnameVerifier)

    For now, I am limited to option 1 since I have to use HTTPClient 4.2.1.
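
The first option from the accepted answer, written out as an added example that is not part of the original post or of HttpClient itself. The class name `SuiteBSocketFactory`, the helper `newClient` and port 443 are assumptions; the `SSLContext` is assumed to be already initialised with the client's trust material, and the suite name is the one the server selected in the working URLConnection trace.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

/** Hypothetical subclass for HttpClient 4.2.x: pins the cipher suites offered in the ClientHello. */
public class SuiteBSocketFactory extends SSLSocketFactory {
    private final String[] wanted;

    public SuiteBSocketFactory(SSLContext ctx, String... wanted) {
        super(ctx); // keeps the library's default hostname verifier
        this.wanted = wanted.clone();
    }

    /** Called by HttpClient on each SSLSocket it creates. */
    @Override
    protected void prepareSocket(SSLSocket socket) throws IOException {
        Set<String> supported =
                new HashSet<String>(Arrays.asList(socket.getSupportedCipherSuites()));
        List<String> enable = new ArrayList<String>();
        for (String suite : wanted) {
            if (supported.contains(suite)) {
                enable.add(suite);
            }
        }
        // Fail closed rather than fall back to the provider's default list.
        if (enable.isEmpty()) {
            throw new IOException("JSSE provider supports none of " + Arrays.toString(wanted));
        }
        socket.setEnabledCipherSuites(enable.toArray(new String[enable.size()]));
    }

    /** Hypothetical helper: ctx is assumed to be initialised with the client's trust material. */
    public static DefaultHttpClient newClient(SSLContext ctx) {
        SSLSocketFactory factory = new SuiteBSocketFactory(ctx,
                "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"); // suite the server chose in the trace
        DefaultHttpClient client = new DefaultHttpClient();
        client.getConnectionManager().getSchemeRegistry()
              .register(new Scheme("https", 443, factory)); // 443 is an assumed port
        return client;
    }
}
```

Turning on `javax.net.debug` on the client and checking that the ClientHello lists only the pinned suite confirms the override took effect.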
