
I disable SSL/TLS verification but I get "Fatal (HANDSHAKE_FAILURE): no cipher suites in common"


mike

Mar 31, 2023, 3:51:15 PM
Hi,

I have added the following to disable SSL verification when I download files (since it is in a test environment).

This is the code:

import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// LOGGER is the class's existing SLF4J logger (not shown in the post).
public static void disableSslVerification() {
    try {
        // Create a trust manager that does not validate certificate chains
        TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }

            @Override
            public void checkClientTrusted(X509Certificate[] chain, String authType) { // NOSONAR
                // Do nothing: every client certificate is accepted
            }

            @Override
            public void checkServerTrusted(X509Certificate[] chain, String authType) { // NOSONAR
                // Do nothing: every server certificate is accepted
            }
        } };

        // Install the all-trusting trust manager process-wide for HttpsURLConnection
        SSLContext sc = SSLContext.getInstance("SSL"); // NOSONAR
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

        // Create an all-trusting host name verifier
        HostnameVerifier allHostsValid = (String hostname, SSLSession session) -> true; // NOSONAR

        // Install the all-trusting host name verifier
        HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
    } catch (NoSuchAlgorithmException e) {
        LOGGER.error("No such algorithm", e);
    } catch (KeyManagementException e) {
        LOGGER.error("Key Management problem", e);
    }
}

Then I have a class where I establish the connection with the following code:

import java.io.IOException;
import java.net.Proxy;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

// handleResponse(...) and ConnectionException are the project's own (not shown in the post).
public static synchronized HttpsURLConnection openHttpsConnection(String url) {
    HttpsURLConnection connection = null;
    try {
        URL myURL = new URL(url);
        LOGGER.debug("Opening stream to {}", myURL);
        // Proxy.NO_PROXY: connect directly, ignoring any configured proxy
        connection = (HttpsURLConnection) myURL.openConnection(Proxy.NO_PROXY);
        handleResponse(connection);
    } catch (IOException ioe) {
        throw new ConnectionException("Could not open https connection to node ", ioe);
    }
    return connection;
}

Then I use a unit test to verify my code:

import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.wireMockConfig;
import static org.junit.Assert.assertNotNull;

import com.github.tomakehurst.wiremock.WireMockServer;
import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
import java.io.File;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import org.junit.Test;

public class HttpConnectionUtilsTest {

    @Test
    public void establishConnectionSuccessful() {
        // Configure WireMock to use HTTPS and the SSL/TLS certificate
        final String passwd = "secret";

        URL trustStore = HttpConnectionUtilsTest.class.getClassLoader()
                .getResource("com/company/util/truststore_ok.jks");

        WireMockConfiguration wireMockConfiguration = wireMockConfig()
                .httpsPort(8443)
                .keystorePath(new File(trustStore.getFile()).getAbsolutePath())
                .keystorePassword(passwd)
                .needClientAuth(false)
                .trustStorePath(new File(trustStore.getFile()).getAbsolutePath())
                .trustStorePassword(passwd);

        // Create a WireMockServer instance with the configuration
        WireMockServer wireMockServer = new WireMockServer(wireMockConfiguration);

        // Start the server
        wireMockServer.start();
        try {
            // Try to establish a connection to the server over TLS/SSL
            HttpConnectionUtils.disableSslVerification();
            HttpsURLConnection connection =
                    HttpConnectionUtils.openHttpsConnection("https://localhost:8443/");
            assertNotNull(connection);
            connection.disconnect();
        } finally {
            // Stop the server even if the connection attempt throws
            wireMockServer.stop();
        }
    }

}

When I enable the SSL debug output I see:

javax.net.ssl|DEBUG|1B|qtp1311315651-27|2023-03-31 17:17:00.692 CEST|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|WARNING|1B|qtp1311315651-27|2023-03-31 17:17:00.692 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: status_request_v2
javax.net.ssl|WARNING|1B|qtp1311315651-27|2023-03-31 17:17:00.692 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: extended_master_secret
javax.net.ssl|WARNING|1B|qtp1311315651-27|2023-03-31 17:17:00.692 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|DEBUG|1B|qtp1311315651-27|2023-03-31 17:17:00.692 CEST|SSLExtensions.java:207|Ignore unavailable extension: renegotiation_info
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.696 CEST|X509Authentication.java:301|No X.509 cert selected for EC
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.697 CEST|X509Authentication.java:301|No X.509 cert selected for EC
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.697 CEST|X509Authentication.java:301|No X.509 cert selected for EC
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.697 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for DSA
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.698 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for DSA
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for EC
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for EC
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for DSA
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSA
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for RSASSA-PSS
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.699 CEST|X509Authentication.java:301|No X.509 cert selected for DSA
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.700 CEST|X509Authentication.java:301|No X.509 cert selected for EC
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.700 CEST|X509Authentication.java:301|No X.509 cert selected for EC
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.700 CEST|X509Authentication.java:301|No X.509 cert selected for EC
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.700 CEST|X509Authentication.java:301|No X.509 cert selected for EC
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.700 CEST|X509Authentication.java:301|No X.509 cert selected for EC
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.700 CEST|X509Authentication.java:301|No X.509 cert selected for EC
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.701 CEST|X509Authentication.java:301|No X.509 cert selected for EC
javax.net.ssl|ALL|1B|qtp1311315651-27|2023-03-31 17:17:00.701 CEST|X509Authentication.java:301|No X.509 cert selected for EC
javax.net.ssl|ERROR|1B|qtp1311315651-27|2023-03-31 17:17:00.703 CEST|TransportContext.java:345|Fatal (HANDSHAKE_FAILURE): no cipher suites in common (
"throwable" : {
javax.net.ssl.SSLHandshakeException: no cipher suites in common

Why do I get this when I trust all certificates?

br,

//mike
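As an added example that is not part of mike's post: the test already ships a truststore (truststore_ok.jks), so the client can verify the WireMock certificate instead of trusting everything. The resource path prefix, the "PinnedTrust" class name and the assumption that the server certificate names "localhost" are mine, not the thread's.

```java
// Added example, not from the original post: a verifying alternative to disableSslVerification().
// Assumes the JKS truststore at the given path contains the test server's certificate or its issuer.
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedTrust {

    /**
     * Builds a TLS 1.2 context that trusts only the certificates in the given truststore.
     * Hostname verification stays at the JDK default, so the server certificate must carry
     * the host name it is reached by (for the WireMock test, "localhost") or the handshake fails.
     */
    public static SSLContext contextFromTrustStore(Path trustStorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // chain validation against only these trust anchors
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null); // no key managers: no client certificate
        return ctx;
    }

    /** Installs the context on one connection instead of process-wide via setDefaultSSLSocketFactory. */
    public static HttpsURLConnection open(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Assumed location of the test resource from the thread (src/test/resources is my guess).
        Path store = Path.of("src/test/resources/com/company/util/truststore_ok.jks");
        SSLContext ctx = contextFromTrustStore(store, "secret".toCharArray());
        HttpsURLConnection conn = open("https://localhost:8443/", ctx);
        System.out.println("HTTP " + conn.getResponseCode() + " using " + conn.getCipherSuite());
        conn.disconnect();
    }
}
```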

Arne Vajhøj

Mar 31, 2023, 3:56:06 PM
On 3/31/2023 3:51 PM, mike wrote:
> I have add the following to disable SSL verification when I download files ( since it is in a testenv).
>
> This is the code:

> TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
>
> @Override
> public java.security.cert.X509Certificate[] getAcceptedIssuers() {
> return new X509Certificate[0];
> }
>
> @Override
> public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) {// NOSONAR
> // Do nothing
> }
>
> @Override
> public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) {// NOSONAR
> // Do nothing
> }
> } };
>
> // Install the all-trusting trust manager
> SSLContext sc = SSLContext.getInstance("SSL");// NOSONAR
> sc.init(null, trustAllCerts, new java.security.SecureRandom());
> HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());

> javax.net.ssl|ERROR|1B|qtp1311315651-27|2023-03-31 17:17:00.703 CEST|TransportContext.java:345|Fatal (HANDSHAKE_FAILURE): no cipher suites in common (
> "throwable" : {
> javax.net.ssl.SSLHandshakeException: no cipher suites in common
>
> Why do I get this when I trust all certificates?

This error does not mean that the certificate was not accepted - it
means that client and server could not agree on algorithms.

Probably the server and client are very far apart age-wise.

Crazy guess, try:

SSLContext.getInstance("TLSv1.2")

Arne
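To see what Arne's point looks like on the client side, here is an added example (mine, not from the thread) that lists the protocols and cipher suites a fresh socket from each SSLContext name would offer and intersects them with a server's enabled list; the server list below is constructed, and the "TlsOfferCheck" class name is mine.

```java
// Added example, not from the original thread: shows what a client SSLContext actually offers for
// each protocol name, so "no cipher suites in common" can be checked before a real handshake.
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

public final class TlsOfferCheck {

    /** An unconnected socket from the named context; reading its enabled lists triggers no handshake. */
    public static SSLSocket unconnectedSocket(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // JDK default key and trust managers
        return (SSLSocket) ctx.getSocketFactory().createSocket();
    }

    /** Suites both sides enable; an empty result is exactly the HANDSHAKE_FAILURE from the thread. */
    public static Set<String> commonSuites(String[] clientEnabled, List<String> serverEnabled) {
        Set<String> common = new LinkedHashSet<>(Arrays.asList(clientEnabled));
        common.retainAll(serverEnabled);
        return common;
    }

    public static void main(String[] args) throws Exception {
        // Constructed server list standing in for WireMock's Jetty configuration (not taken from the thread).
        List<String> server = List.of("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                                      "TLS_RSA_WITH_AES_128_GCM_SHA256");
        for (String name : List.of("SSL", "TLS", "TLSv1.2")) {
            try (SSLSocket s = unconnectedSocket(name)) {
                System.out.println(name + " enables protocols " + Arrays.toString(s.getEnabledProtocols()));
                System.out.println("  " + s.getEnabledCipherSuites().length + " suites enabled, common with server: "
                        + commonSuites(s.getEnabledCipherSuites(), server));
            }
        }
    }
}
```

Even a non-empty intersection can still fail: the server must also hold a key of the type each candidate suite authenticates with (RSA, EC, DSA), which is what the server-side "No X.509 cert selected for RSA/EC/DSA" lines in mike's log report.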


Stas Markov

Nov 14, 2023, 7:20:32 AM
WOW.
This line actually helped:

SSLContext.getInstance("TLSv1.2")

Thanks