Re: Java SSL / SSLeay interoperability

Jeff Nisewanger (Jeff.Nisewanger@Eng)
Mon, 16 Mar 1998 14:11:10 -0800

Date: Mon, 16 Mar 1998 14:11:10 -0800
From: Jeff.Nisewanger@Eng (Jeff Nisewanger)
Message-Id: <199803162211.OAA24750@puuoo.eng.sun.com>
To: java-security@web2.javasoft.com, frank@uccs.jpl.nasa.gov
Subject: Re: Java SSL / SSLeay interoperability

> I built the latest version of SSLeay on Solaris, and I was curious to
> see what would happen if I tried to get my Java SSL client to talk to
> the demo SSLeay server app. I want to use
> SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 as my cipher suite, but I noticed
> that SSLeay defines their cipher suites differently. Here is what I got
> on the server side:
>
> [11:56am] locknis/frank % ssleay s_server -nocert
> Using default temp DH parameters
> ACCEPT
> ERROR
> 21855:error:1408A0B9:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> cipher:s3_srvr.c:727
> shutting down SSL
> CONNECTION CLOSED
> ACCEPT
>
> Here is what I got on the Java SSL client side:
> [11:58am] locknis/frank % java SSLClient locknis 4433
> Creating SSLSocketFactory...Done.
> Creating Socket...Done.
> Setting Cipher suite...Done.
> SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
> Setting up streams...Done.
> javax.net.ssl.SSLException: Received fatal alert: handshake_failure (no
> cipher suites in common)
> javax.net.ssl.SSLException: Received fatal alert: handshake_failure (no
> cipher suites in common)
> at
> sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:951)
> at
> sun.security.ssl.SSLSocketImpl.clearPipeline(SSLSocketImpl.java:684)
> at sun.security.ssl.SSLSocketImpl.write(SSLSocketImpl.java:437)
> at
> sun.security.ssl.AppOutputStream.flush(AppOutputStream.java:77)
> at java.io.DataOutputStream.flush(DataOutputStream.java)
> at SSLClient.talk(SSLClient.java:70)
> at SSLClient.run(SSLClient.java:48)
>
> Anyone know how I can get the cipher suites to match on each side?
> thanks!

The anonymous SSL cipher suites are not turned on by
default although they are supported. To use DH_anon you need to call
the setEnabledCipherSuites() method on either SSLSocket or SSLServerSocket.
The getSupportedCipherSuites() will return an array of all the supported
suites. You could for instance, call getSupportedCipherSuites() and pass
the results to setEnabledCipherSuites() and that would have the effect
of turning on whatever suites are supported but are not part of the
default set. However, that may also include cipher suites that only
do integrity protection in addition to also including anonymous suites.

Jeff