continuation of handshake problem

Nell Rehn (nellrehn@midway.uchicago.edu)
Mon, 30 Aug 1999 15:33:11 -0500 (CDT)

Date: Mon, 30 Aug 1999 15:33:11 -0500 (CDT)
From: Nell Rehn <nellrehn@midway.uchicago.edu>
To: java-security@Sun.COM
Subject: continuation of handshake problem

Hello-

I downloaded a well-hidden program of netscape's (its in the pcks11
utility package), which lets you snoop on what is going on in an
ssl connection.

So here is what I have:
Client output:
/sandbox/jdk1.2/bin/java -classpath
.:./lib/jndi.jar:./lib/providerutil.jar:./lib/ldap.jar:/sandbox/jdk1.2/jre/lib/rt.jar:.:.:/homes/rehn/jsse1.0/lib/jcert.jar:/homes/rehn/jsse1.0/lib/jnet.jar:/homes/rehn/jsse1.0/lib/jsse.jar
https_test pitcairn.mcs.anl.gov 4444
Number of trusts is: 1
Accepted issuer:CN=Globus Certification Authority, O=Globus, C=US
Accpeted subject:CN=Nell Rehn, OU=Mathematics and Computer Science
Division, O=Argonne National Laboratory, O=Globus, C=US
Accepted issuer:CN=Globus Certification Authority, O=Globus, C=US
Accpeted subject:CN=Globus Certification Authority, O=Globus, C=US
Enabled: SSL_RSA_WITH_NULL_MD5
Supported suite: SSL_DH_anon_WITH_DES_CBC_SHA
Supported suite: SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
Supported suite: SSL_DHE_DSS_WITH_DES_CBC_SHA
Supported suite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Supported suite: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
Supported suite: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Supported suite: SSL_RSA_WITH_RC4_128_MD5
Supported suite: SSL_RSA_WITH_RC4_128_SHA
Supported suite: SSL_RSA_WITH_DES_CBC_SHA
Supported suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA
Supported suite: SSL_DH_anon_WITH_RC4_128_MD5
Supported suite: SSL_RSA_EXPORT_WITH_RC4_40_MD5
Supported suite: SSL_RSA_WITH_NULL_MD5
Supported suite: SSL_RSA_WITH_NULL_SHA
Supported suite: SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
Enabled cipher suite: SSL_NULL_WITH_NULL_NULL
Last Accessed time: 936044778311
java.io.IOException: connection is closed
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(Compiled Code)
at
com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Compiled Code)
at https_test.main(Compiled Code)

Server output (with ssleay debugging turned on):
[pitcairn] <globus_gass_server> % ./globus-gass-server
acquire_cred:
Using cert_dir = /homes/rehn/.globus/certdir
checkstat:/homes/rehn/.globus/certdir:uid:812:995
Using x509_user_cert=/tmp/x509up_u995
x509_user_key =/tmp/x509up_u995
proxy_load_user_cert
proxy_load_user_key
Loading from user_proxy subject:/C=US/O=Globus/O=Argonne National
Laboratory/OU=Mathematics and Computer Science Division/CN=Nell
Rehn/CN=proxy
Loading from user_proxy subject:/C=US/O=Globus/O=Argonne National
Laboratory/OU=Mathematics and Computer Science Division/CN=Nell Rehn
ciphers=15
acquire_cred:major_status:00000000
inquire_cred:
https://pitcairn.mcs.anl.gov:47907
acquire_cred:
Using cert_dir = /homes/rehn/.globus/certdir
checkstat:/homes/rehn/.globus/certdir:uid:812:995
Using x509_user_cert=/tmp/x509up_u995
x509_user_key =/tmp/x509up_u995
proxy_load_user_cert
proxy_load_user_key
Loading from user_proxy subject:/C=US/O=Globus/O=Argonne National
Laboratory/OU=Mathematics and Computer Science Division/CN=Nell
Rehn/CN=proxy
Loading from user_proxy subject:/C=US/O=Globus/O=Argonne National
Laboratory/OU=Mathematics and Computer Science Division/CN=Nell Rehn
ciphers=15
acquire_cred:major_status:00000000

Snoop output:
[pitcairn] <solaris> % ./ssltap -sx -p 4444 pitcairn.mcs.anl.gov:47907
Looking up "pitcairn.mcs.anl.gov"...
Proxy socket ready and listening
Connected to pitcairn.mcs.anl.gov:47907
--> [
alloclen = 46 bytes
[ssl2] ClientHelloV2 {
version = {0x03, 0x01}
cipher-specs-length = 3 (0x03)
sid-length = 0 (0x00)
challenge-length = 32 (0x20)
cipher-suites = {
SSL3/RSA/NULL/MD5(0x000001)
}
session-id = { }
challenge = { 0x37ca 0xe8ea 0x1a31 0x4eb8 0x0722 0xfb65 0x9c35
0xbab2 0xd99f 0x2a31 0x87d9 0x2c40 0x8f93 0x451a 0x88e1 0x48d0 }
]
Server socket closed.

Notice here that the connection is closed immediately after the
client hello... there is never any server hello or transmission of
certificates.

And once again the code:
import javax.net.*;
import javax.net.ssl.*;
import com.sun.net.ssl.*;
import java.security.*;
import java.security.cert.*;
import java.io.*;

public class https_test {
public static void main(String[] argv) {

Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider());

String hostname = argv[0];
int port = Integer.parseInt(argv[1]);

SSLContext context = null;
try {
context = SSLContext.getInstance("SSL");
} catch (NoSuchAlgorithmException none) {
none.printStackTrace();
}


TrustManagerFactory trust_man = null;
try {
trust_man = TrustManagerFactory.getInstance("SunX509");
} catch(java.security.NoSuchAlgorithmException none2) {
none2.printStackTrace();
}

FileInputStream in = null;
try {
in =
new FileInputStream("/homes/rehn/sun_https_test/keystore1");
} catch(java.io.FileNotFoundException not_found) {
not_found.printStackTrace();
}
KeyStore ks = null;
try {
ks = KeyStore.getInstance("JKS");
}catch (java.security.KeyStoreException k) {
k.printStackTrace();
}
try {
ks.load(in, null);
trust_man.init(ks);
} catch(Exception e) {
e.printStackTrace();
}

TrustManager[] trusts = trust_man.getTrustManagers();
System.out.println("Number of trusts is: " + trusts.length);
X509TrustManager the_trust = (X509TrustManager)trusts[0];
X509Certificate[] trusted = the_trust.getAcceptedIssuers();
for (int i2=0;i2<trusted.length;i2++) {
System.out.println("Accepted issuer:" + trusted[i2].getIssuerDN());
System.out.println("Accpeted subject:" +
trusted[i2].getSubjectDN());
}

KeyManagerFactory key_man = null;
try {
key_man = KeyManagerFactory.getInstance("SunX509");
} catch(java.security.NoSuchAlgorithmException none3) {
none3.printStackTrace();
}

SSLSocketFactory f = context.getSocketFactory();
SSLSocket connection = null;
try {
connection = (SSLSocket)f.createSocket(hostname,port);
} catch(java.net.UnknownHostException unknown) {
unknown.printStackTrace();
} catch(java.io.IOException io) {
io.printStackTrace();
}
EndHandshakeListener h = new EndHandshakeListener();
connection.addHandshakeCompletedListener(h);

String[] suites = {"SSL_RSA_WITH_NULL_MD5"};
connection.setEnabledCipherSuites(suites);
connection.setUseClientMode(true);
connection.setNeedClientAuth(false);
String[] enab = connection.getEnabledCipherSuites();
System.out.println("Enabled: " + enab[0]);
String[] pp = connection.getSupportedCipherSuites();
for (int i = 0;i<pp.length;i++) {
System.out.println("Supported suite: " + pp[i]);
}
SSLSession sess = connection.getSession();
System.out.println("Enabled cipher suite: " + sess.getCipherSuite());
System.out.println("Last Accessed time: " +
sess.getLastAccessedTime());

try {
connection.startHandshake();
}catch(java.io.IOException io2) {
io2.printStackTrace();
}
}
}

Any help would be greatly, greatly appreciated, since I'm pretty stuck
right now.

Thanks,
Helen
-------------------------------------------------------------------------------------
http://www.mcs.anl.gov/~rehn