CODEWITHSUNDEEP
javasslopensslssl-certificate
silent_dev
silent_dev

Reputation: 1616

How to connect to an SSL Server in Java that doesn't send a certificate?

I have a situation where an Open SSL server is running without a certificate as follows : openssl s_server -accept 4443 -nocert

How do I connect to this server using Java? Also, how do I start my server in Java to accept no certificate?

I have attached the code for Client.java and Server.java that I have been using.

Error while running the attached code on the client side:

   javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1959)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1077)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:702)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
    at sun.nio.cs.StreamEncoder.writeBytes(StreamEncoder.java:221)
    at sun.nio.cs.StreamEncoder.implFlushBuffer(StreamEncoder.java:291)
    at sun.nio.cs.StreamEncoder.implFlush(StreamEncoder.java:295)
    at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:141)
    at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:229)
    at Client.main(Client.java:27)

Error on the Server Side : 

ERROR
140387701290656:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1358:
shutting down SSL
CONNECTION CLOSED
ACCEPT

Client.java

public class Client {
public static void main(String[] arstring) {
    try {
        SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("localhost", 4443);            
        //sslsocket.setEnabledCipherSuites(sslsocket.getSupportedCipherSuites());
        sslsocket.setEnabledCipherSuites(new String[] { "TLS_DH_anon_WITH_AES_128_CBC_SHA" }); //Added upon suggestion from Steffan

        boolean test = sslsocket.isConnected();
        System.out.println(test);
        InputStream inputstream = sslsocket.getInputStream();
        InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
        BufferedReader bufferedreader = new BufferedReader(inputstreamreader);
        System.out.println("1");
        OutputStream outputstream = sslsocket.getOutputStream();
        System.out.println("2");
        OutputStreamWriter outputstreamwriter = new OutputStreamWriter(outputstream,"UTF-8");
        String str = "hello\n";
        outputstreamwriter.write(str,0,str.length());
        //outputstreamwriter.flush();
        BufferedWriter bufferedwriter = new BufferedWriter(outputstreamwriter);

        String string = null;
        int count = 0;
        string = bufferedreader.readLine();
        while (true) {
            System.out.println(string);                
            System.out.flush();
            System.out.println(++count);
            string = bufferedreader.readLine();
            if (inputstream.available()==0)
                break;
            else{
                System.out.print("StreamData:");
                System.out.println(inputstream.available());
            }


        }
        System.out.println("Out");
    } catch (Exception exception) {
        exception.printStackTrace();
    }
}
}

Server.java

public class Server {
public static  void main(String[] arstring) {
    try {
        SSLServerSocketFactory sslServersocketFactory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket sslServerSocket =
                (SSLServerSocket) sslServersocketFactory.createServerSocket(4443);
        SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
        sslSocket.setEnabledCipherSuites(sslSocket.getSupportedCipherSuites());

        if (sslSocket.isConnected())
            System.out.println("Connected to a client");

        InputStream inputStream = sslSocket.getInputStream();
        InputStreamReader inputStreamReader = new InputStreamReader(inputStream);
        BufferedReader bufferedReader = new BufferedReader(inputStreamReader);
        String command = "";
        String response = "";

        while ((command = bufferedReader.readLine()) != null) {

                System.out.println("Command Recieved: "+command);

                if (command.toLowerCase().compareTo("hello")==0)
                    response = "Bingo !! You got it write!\n";
                else
                    response = "Type Hello to see a response\n";


                OutputStream outputStream = sslSocket.getOutputStream();
                OutputStreamWriter outputStreamWriter = new OutputStreamWriter(outputStream,"UTF-8");
                outputStreamWriter.write(response, 0, response.length());
                outputStreamWriter.flush();
        }
    } catch (Exception exception) {
        exception.printStackTrace();
    }
}

}

Edit:

I think I need to use the anonymous DH Cipher but it's still not working. May be I am doing it wrong. The code has been edited too.

Upvotes: 1

Views: 1709

Answers (1)

jww
jww

Reputation: 102464

How to connect to an SSL Server in Java that doesn't send a certificate?

If its not sending a certificate, then its probably using (1) one of the preshared keys cipher suites, like TLS-SRP or TLS-PSK, or (2) its using Anonymous Diffie-Hellman.

The preshared key cipher suites are usually choices because they provide mutual authentication and channel binding.

Anonymous Diffie-Hellman is usually a bad choice because it lacks server authentication.

I have a situation where an Open SSL server is running without a certificate as follows : openssl s_server -accept 4443 -nocert

Well, there you have it.

How do I connect to this server using Java? Also, how do I start my server in Java to accept no certificate?

Use a cipher suite that includes an anonymous exchange, like:

  • ADH-DES-CBC3-SHA
  • ADH-AES128-SHA
  • ADH-AES256-SHA
  • ADH-CAMELLIA128-SHA
  • ADH-CAMELLIA256-SHA
  • ADH-SEED-SHA
  • ADH-AES128-SHA256
  • ADH-AES256-SHA256
  • ADH-AES128-GCM-SHA256
  • ADH-AES256-GCM-SHA384

You can get the mapping of ADH-AES128-SHA to TLS_DH_anon_WITH_AES_128_CBC_SHA at the openssl ciphers man page.

You might try the command:

openssl s_server -accept 4443 -tls1 -nocert -cipher "HIGH"

By enabling TLS1, you side step any potential issues where one side or the other disables SSLv2 and SSLv3 (which is a good thing), but you only provide SSLv3 (which is a bad thing).

The cipher suite list string "HIGH" includes ADH by default (in production, usually you do "HIGH:!ADH:!RC4:!MD5...").

Upvotes: 2

Related Questions