Configuration Problems
CertificateException: (while handshaking)
Problem: When negotiating an SSL connection, the client or server throws a CertificateException.
Cause 1: This is generally caused by the remote side sending a certificate that is unknown to the local side.
Cause 2: The system clock is not set correctly.
Solution 2: If the clock is not set correctly, the perceived time may be outside the validity period on one of the certificates, and unless the certificate can be replaced with a valid one from a truststore, the system must assume that the certificate is invalid, and therefore throw the exception.
Runtime Exception: SSL Service Not Available
Exception in thread "main" java.net.SocketException: no SSL Server Sockets
Exception in thread "main": SSL implementation not available
Cause: There was a problem with SSLContext initialization, for example due to an incorrect password on a keystore or a corrupted keystore.
(Note: On one occasion, a development-kit vendor shipped a keystore in an unknown format, which caused this error.)
Also verify that the JSSE provider specified is in the provider list.
Solution: Check initialization parameters. Ensure any keystores specified are valid and that the passwords specified are correct. (One way you can check these things is by trying to use the keytool to examine the keystore(s) and the relevant contents.)
Exception No available certificate corresponding to the SSL cipher suites which are enabled
Exception in thread "main" javax.net.ssl.SSLException:
No available certificate corresponding to the SSL cipher suites which are enabled...
Cause: Various cipher suites require certain types of key material. For example, if an RSA cipher suite is enabled, an RSA keyEntry must be available in the keystore. If no such key is available, this cipher suite cannot be used. If there are no available key entries for all of the cipher suites enabled, this exception is thrown.
Runtime Exception: No Cipher Suites in Common
Problem 1: When handshaking, the client and/or server throw this exception.
Cause 1: Both sides of an SSL connection must agree on a common ciphersuite. If the intersection of the client's ciphersuite set with the server's ciphersuite set is empty, then you will see this exception.
Solution 1: Configure the enabled cipher suites to include common ciphersuites, and be sure to provide an appropriate keyEntry for asymmetric ciphersuites. (See "Exception No available certificate corresponding to the SSL cipher suites which are enabled" in this section.)
Problem 2: When using Netscape Navigator or Microsoft Internet Explorer (IE) to access files on a server that only has DSA-based certificates, a runtime exception occurs indicating that there are no cipher suites in common.
Cause 2: By default, keyEntries created with keytool use DSA public keys. If only DSA keyEntries exist in the keystore, only DSA-based ciphersuites can be used. By default, Navigator and IE send only RSA-based ciphersuites. Since the intersection of client and server ciphersuite sets is empty, this exception is thrown.
Solution 2: Specify the -keyalg RSA option when using keytool. For example:
keytool -genkey -alias duke -keystore testkeys -keyalg rsa
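The following Java program is an added example, not code from the original guide or from JSSE. It covers both the "No available certificate" and "No Cipher Suites in Common" cases: it reports which key algorithms a keystore holds, how many of the JVM's enabled cipher suites those keys can serve, and which of them a client also offers. The class name, the suite-name matching rules and the sample client list are assumptions made for illustration; run without arguments it uses a constructed DSA-only key set.

```java
import java.io.File;
import java.security.KeyStore;
import java.util.*;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class name): which enabled suites can a keystore serve?
public class SuiteKeyCheck {
    // Assumption: the required key type is inferred from the standard JSSE suite name.
    static boolean canServe(String suite, Set<String> keyAlgs) {
        if (suite.endsWith("_SCSV")) return false;        // signalling value, not a suite
        if (!suite.contains("_WITH_"))                    // TLS 1.3 name: any key except DSA
            return keyAlgs.stream().anyMatch(a -> !a.equals("DSA"));
        if (suite.contains("_ECDSA_") || suite.contains("_ECDH_")) return keyAlgs.contains("EC");
        if (suite.contains("_DSS_")) return keyAlgs.contains("DSA");
        if (suite.contains("_RSA_")) return keyAlgs.contains("RSA");
        return false;                                     // anonymous/PSK/Kerberos: not modelled
    }

    // Public-key algorithm of every keyEntry that carries a certificate.
    static Set<String> keyAlgs(KeyStore ks) throws Exception {
        Set<String> algs = new TreeSet<>();
        for (String alias : Collections.list(ks.aliases()))
            if (ks.isKeyEntry(alias) && ks.getCertificate(alias) != null)
                algs.add(ks.getCertificate(alias).getPublicKey().getAlgorithm());
        return algs;
    }

    // Suites that are enabled locally, servable with these keys, and offered by the peer.
    static List<String> common(String[] enabled, Set<String> keyAlgs, List<String> peer) {
        List<String> out = new ArrayList<>();
        for (String s : enabled)
            if (canServe(s, keyAlgs) && peer.contains(s)) out.add(s);
        return out;
    }

    public static void main(String[] args) throws Exception {
        // usage: java SuiteKeyCheck [keystore]   (password is read from the terminal)
        Set<String> algs = args.length == 1
            ? keyAlgs(KeyStore.getInstance(new File(args[0]),
                      System.console().readPassword("Keystore password: ")))
            : Set.of("DSA");                              // constructed sample: DSA-only keystore
        String[] enabled = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        // Constructed sample: a client that offers only RSA-based suites.
        List<String> client = List.of("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                                      "TLS_RSA_WITH_AES_128_CBC_SHA");
        long servable = Arrays.stream(enabled).filter(s -> canServe(s, algs)).count();
        System.out.println("key algorithms in keystore: " + algs);
        System.out.println("enabled suites the keys can serve: " + servable);
        System.out.println("in common with sample client: " + common(enabled, algs, client));
    }
}
```

An empty last line corresponds to the "no cipher suites in common" condition; a zero on the second line corresponds to "No available certificate corresponding to the SSL cipher suites which are enabled".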