• I disable SSL/TLS verification but I get "Fatal (HANDSHAKE_FAILURE): no

    From mike@21:1/5 to All on Fri Mar 31 12:51:08 2023
    Hi,

    I have added the following to disable SSL verification when I download files (since it is in a test env).

    This is the code:

    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.HostnameVerifier;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSession;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // LOGGER is the class's logger, declared elsewhere in the class.
    public static void disableSslVerification() {
        try {
            // Create a trust manager that does not validate certificate chains
            TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {

                @Override
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0];
                }

                @Override
                public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) { // NOSONAR
                    // Do nothing
                }

                @Override
                public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) { // NOSONAR
                    // Do nothing
                }
            } };

            // Install the all-trusting trust manager
            SSLContext sc = SSLContext.getInstance("SSL"); // NOSONAR
            sc.init(null, trustAllCerts, new java.security.SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

            // Create all-trusting host name verifier
            HostnameVerifier allHostsValid = (String hostname, SSLSession session) -> true; // NOSONAR

            // Install the all-trusting host verifier
            HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
        } catch (NoSuchAlgorithmException e) {
            LOGGER.error("No such algorithm", e);
        } catch (KeyManagementException e) {
            LOGGER.error("Key Management problem", e);
        }
    }

    Then I have a class where I establish the connection with the following code:

    import java.io.IOException;
    import java.net.Proxy;
    import java.net.URL;
    import javax.net.ssl.HttpsURLConnection;

    // handleResponse(...) and ConnectionException are defined elsewhere in the project.
    public static synchronized HttpsURLConnection openHttpsConnection(String url) {
        HttpsURLConnection connection = null;
        try {
            URL myURL = new URL(url);
            LOGGER.debug("Opening stream to {}", myURL);
            connection = (HttpsURLConnection) myURL.openConnection(Proxy.NO_PROXY);
            handleResponse(connection);
        } catch (IOException ioe) {
            throw new ConnectionException("Could not open https connection to node ", ioe);
        }
        return connection;
    }

    Then I use a unit test to verify my code:


    import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.wireMockConfig;

    import java.io.File;
    import java.net.URL;
    import javax.net.ssl.HttpsURLConnection;
    import org.junit.Test; // JUnit 4
    import com.github.tomakehurst.wiremock.WireMockServer;
    import com.github.tomakehurst.wiremock.core.WireMockConfiguration;

    public class HttpConnectionUtilsTest {

        @Test
        public void establishConnectionSuccessful() {
            // Configure WireMock to use HTTPS and the SSL/TLS certificate

            final String passwd = "secret";

            URL trustStore = HttpConnectionUtilsTest.class.getClassLoader().getResource("com/company/util/truststore_ok.jks");

            WireMockConfiguration wireMockConfiguration = wireMockConfig()
                .httpsPort(8443)
                .keystorePath(new File(trustStore.getFile()).getAbsolutePath())
                .keystorePassword(passwd).needClientAuth(false)
                .trustStorePath(new File(trustStore.getFile()).getAbsolutePath())
                .trustStorePassword(passwd);
            // Create a WireMockServer instance with the configuration
            WireMockServer wireMockServer = new WireMockServer(wireMockConfiguration);

            // start the server.
            wireMockServer.start();

            // Try to establish a connection to server over TLS/SSL.
            HttpConnectionUtils.disableSslVerification();
            HttpsURLConnection connection = HttpConnectionUtils.openHttpsConnection("https://localhost:8443/");

            // Stop the server
            wireMockServer.stop();

        }

    }

    When debugging the output from SSL I see:

    javax.net.ssl|DEBUG|1B|qtp1311315651-27|2023-03-31 17:17:00.692 CEST|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation
    javax.net.ssl|WARNING|1B|qtp1311315651-27|2023-03-31 17:17:00.692 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: status_request_v2
    javax.net.ssl|WARNING|1B|qtp1311315651-27|2023-03-31 17:17:00.692 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: extended_master_secret
    javax.net.ssl|WARNING|1B|qtp1311315651-27|2023-03-31 17:17:00.692 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: supported_versions
    javax.net.ssl|DEBUG|1B|qtp1311315651-27|2023-03-31 17:17:00.692 CEST|SSLExtensions.java:207|Ignore unavailable extension: renegotiation_info
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.696 CEST|X509Authentication.java:301|No X.509 cert selected for EC
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.697 CEST|X509Authentication.java:301|No X.509 cert selected for EC
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.697 CEST|X509Authentication.java:301|No X.509 cert selected for EC
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.697 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for DSA
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for DSA
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for EC
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for EC
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for DSA
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for DSA
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.700 CEST|X509Authentication.java:301|No X.509 cert selected for EC
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.700 CEST|X509Authentication.java:301|No X.509 cert selected for EC
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.700 CEST|X509Authentication.java:301|No X.509 cert selected for EC
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.700 CEST|X509Authentication.java:301|No X.509 cert selected for EC
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.700 CEST|X509Authentication.java:301|No X.509 cert selected for EC
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.700 CEST|X509Authentication.java:301|No X.509 cert selected for EC
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.701 CEST|X509Authentication.java:301|No X.509 cert selected for EC
    javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.701 CEST|X509Authentication.java:301|No X.509 cert selected for EC
    javax.net.ssl|ERROR|1B|qtp1311315651-27|2023-03-31 17:17:00.703 CEST|TransportContext.java:345|Fatal (HANDSHAKE_FAILURE): no cipher suites in common (
    "throwable" : {
    javax.net.ssl.SSLHandshakeException: no cipher suites in common

    Why do I get this when I trust all certificates?

    br,

    //mike

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Arne Vajhøj@21:1/5 to mike on Fri Mar 31 15:55:51 2023
    On 3/31/2023 3:51 PM, mike wrote:
    I have added the following to disable SSL verification when I download files (since it is in a test env).

    This is the code:

    TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {

    @Override
    public java.security.cert.X509Certificate[] getAcceptedIssuers() {
    return new X509Certificate[0];
    }

    @Override
    public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {// NOSONAR
    // Do nothing
    }

    @Override
    public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {// NOSONAR
    // Do nothing
    }
    } };

    // Install the all-trusting trust manager
    SSLContext sc = SSLContext.getInstance("SSL");// NOSONAR
    sc.init(null, trustAllCerts, new java.security.SecureRandom());
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

    javax.net.ssl|ERROR|1B|qtp1311315651-27|2023-03-31 17:17:00.703 CEST|TransportContext.java:345|Fatal (HANDSHAKE_FAILURE): no cipher suites in common (
    "throwable" : {
    javax.net.ssl.SSLHandshakeException: no cipher suites in common

    Why do I get this when I trust all certificates?

    This error does not mean that the certificate was not accepted - it
    means that client and server could not agree on algorithms.

    Probably the server and client are very far apart age wise.

    Crazy guess try:

    SSLContext.getInstance("TLSv1.2")

    Arne

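
As an added example (not code from the thread), here is the alternative a test environment actually needs instead of the trust-all manager: load the same `truststore_ok.jks` the test already ships (password `secret`, both from the post) into a `TrustManagerFactory`, so the client accepts only the WireMock server's certificate, and request `TLSv1.2` explicitly as Arne suggested rather than the legacy `SSL` alias. It also exposes what the client will offer in its ClientHello; since "no cipher suites in common" is a negotiation failure, comparing that list with the server's configuration is the first diagnostic step. Note that the `No X.509 cert selected for EC/RSA/...` lines in the pasted output are logged on a `qtp` (Jetty, i.e. the WireMock server) thread, so the server's key entry is worth checking as well. The class name `TestTrustStoreTls`, the command-line arguments and the assumption that the JKS file contains the server certificate are mine.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical helper (not from the thread): a client SSLContext for a test
 * environment that trusts only the server certificate shipped with the tests.
 */
public final class TestTrustStoreTls {

    private TestTrustStoreTls() {
    }

    /**
     * Builds an SSLContext that trusts the certificate(s) in the given JKS
     * truststore and nothing else. Unlike the trust-all manager, a forged or
     * misissued certificate is still rejected, so the test exercises the same
     * validation path production code uses.
     */
    public static SSLContext fromTrustStore(Path trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS"); // assumption: truststore_ok.jks is a JKS file
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        // Explicit protocol, as in the thread's fix, instead of the legacy "SSL" alias.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Describes what this context offers in ClientHello. "no cipher suites in
     * common" means client and server offers do not intersect, so this list is
     * what to compare against the server's enabled protocols and suites.
     */
    public static String describeClientOffer(SSLContext ctx) {
        SSLParameters p = ctx.getDefaultSSLParameters();
        return "protocols=" + Arrays.toString(p.getProtocols())
            + " cipherSuites=" + Arrays.toString(p.getCipherSuites());
    }

    /** Usage: java TestTrustStoreTls /path/to/truststore_ok.jks secret */
    public static void main(String[] args) throws Exception {
        SSLContext ctx = fromTrustStore(Path.of(args[0]), args[1].toCharArray());
        System.out.println(describeClientOffer(ctx));

        // Install for HttpsURLConnection. The default hostname verifier is kept,
        // so the test certificate must name "localhost" (the host used in the test).
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Because the hostname verifier is left at its default, the WireMock certificate has to carry `localhost` in its subject alternative names; if it does not, the right fix is to reissue the test certificate, not to install an all-hosts verifier.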
  • From Stas Markov@21:1/5 to All on Tue Nov 14 04:20:25 2023
    WOW.
    This line actually helped:

    SSLContext.getInstance("TLSv1.2")

    Thanks
