
[iaik-ssl] iSaSiLk w/o RSA talking to SSL web server



I'm trying to evaluate JCE and iSaSiLk for use in intranet applications
within UPS.  Our goal is to use your software to issue HTTP requests
over a secure socket to our suite of Netscape Enterprise web servers.  I
have downloaded and installed JCE v2.51 (without RSA support) and
iSaSiLk v3.0 on a Solaris 2.6 machine with a Netscape Enterprise Server
v3.5.1 running on it with SSL support enabled.

I'm having a problem getting a good match between the cipher suites
defined in the JCE/iSaSiLk package and those listed as supported in my
Netscape Enterprise web server.  The webserver is configured to accept
the following SSL 3.0 ciphers:

    RC4 with 128 bit encryption and MD5 message authentication
    RC4 with 40 bit encryption and MD5 message authentication
    Triple DES with 168 bit encryption and SHA message authentication
    DES with 56 bit encryption and SHA message authentication
    RC2 with 40 bit encryption and MD5 message authentication

I do not wish to deal with patent issues with RSA, so I'm trying to use
a cipher suite that does not involve RC4 encryption.  I'm assuming the
following subset of the previous list would suffice:

    Triple DES with 168 bit encryption and SHA message authentication
    DES with 56 bit encryption and SHA message authentication

So I need to enable a cipher suite in the JCE/iSaSiLk that will match
one of these two cipher suites defined in the Enterprise web server. 
Unfortunately, I do not know how to do this.

The program I'm trying to use to test my connection to the web server is
the SSLClient application provided in your src/demo/client directory. 
When I run this program with the complete set of CipherSuites enabled, I
get the following message (as expected):

-------------------------------------------------------------- 
ssl_debug(1): Starting handshake...
ssl_debug(1): Sending v3 client_hello message, requesting version 3.1...
ssl_debug(1): Received v3 server_hello handshake message.
ssl_debug(1): Server selected SSL version 3.0.
ssl_debug(1): CipherSuite selected by server: SSL_RSA_EXPORT_WITH_RC4_40_MD5
ssl_debug(1): CompressionMethod selected by server: NULL
ssl_debug(1): Received certificate handshake message with server certificate.
ssl_debug(1): Exception while handshaking:
iaik.security.ssl.SSLException: Error decoding Certificate: java.security.cert.CertificateException: PublicKey algorithm not implemented: rsaEncryption
ssl_debug(1): Shutting down SSL...
--------------------------------------------------------------

As you can see, the web server selected the RC4 w/MD5 cipher suite. 
This is expected because I did not disable any of the RSA suites from
the handshake.  So I proceed to remove all the RSA suites from the list
of supported suites sent to the server.  I do this by changing the
following lines in SSLClient.java:

--------------------------------------------------------------
    CipherSuite[] cs = {
      CipherSuite.SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
      CipherSuite.SSL_DH_DSS_WITH_DES_CBC_SHA,
      CipherSuite.SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA,
 
      CipherSuite.SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
      CipherSuite.SSL_DHE_DSS_WITH_DES_CBC_SHA,
      CipherSuite.SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
 
      CipherSuite.SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
      CipherSuite.SSL_DH_anon_WITH_DES_CBC_SHA,
      CipherSuite.SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,
    };
 
    context.setEnabledCipherSuites(cs);
--------------------------------------------------------------

I then re-compile and run the SSLClient program and get the following
error message:

-------------------------------------------------------------- 
Connect to ismdev1.roadnet.ups.com:443

ssl_debug(1): Starting handshake...
ssl_debug(1): Sending v3 client_hello message, requesting version 3.1...
ssl_debug(1): Received alert message: Alert Fatal: handshake failure
ssl_debug(1): Exception while handshaking:
iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure
ssl_debug(1): Shutting down SSL...
-------------------------------------------------------------- 

I assume this exception is being thrown because the server did not like
any of the cipher suites sent to it.  I do not know, however, what to do
about it.  I believe I might be able to just define a new CipherSuite (much
like the "myBlowfish" example in SSLClient.java) to define the
parameters of one of the cipher suites accepted by my web server, but
again, I don't know how to do this.

Could you please let me know whether this is possible and, if so, what I
would need to do to pull it off?  In the meantime, I suppose I'm gonna
start talking with RSA to see about using their SSL-J package, although
I'd really rather not do that.  :-(

Thomas Dorris
United Parcel Service
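
Added example, not part of the original message and not iSaSiLk code: a small diagnostic that splits SSL 3.0 suite names into their parts and compares the client's offer from the modified SSLClient.java against the server's list, showing why the second run ends in a fatal handshake failure alert. The server-side suite names are an assumption: they are the standard SSL 3.0 names for the five ciphers the server's configuration lists (the debug log confirms only SSL_RSA_EXPORT_WITH_RC4_40_MD5), and every one of them uses RSA key exchange.

```python
import re

# Assumption: standard SSL 3.0 names for the five ciphers the server lists.
SERVER_SUITES = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
]
# The nine suites enabled in the modified SSLClient.java from the message.
CLIENT_SUITES = [
    f"SSL_{kx}_{rest}"
    for kx in ("DH_DSS", "DHE_DSS", "DH_anon")
    for rest in ("EXPORT_WITH_DES40_CBC_SHA", "WITH_DES_CBC_SHA",
                 "WITH_3DES_EDE_CBC_SHA")
]
SUITE_RE = re.compile(
    r"^SSL_(?P<kx>.+?)(?P<export>_EXPORT)?_WITH_(?P<cipher>.+)_(?P<mac>MD5|SHA)$")

def parse_suite(name):
    """Split a suite name into key exchange, export flag, cipher and MAC."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name}")
    return {"key_exchange": m["kx"], "export": m["export"] is not None,
            "cipher": m["cipher"], "mac": m["mac"]}

def diagnose(client, server):
    """Compare a client_hello suite list with the server's enabled suites."""
    common = [s for s in client if s in server]
    parsed = {s: parse_suite(s) for s in client}
    return {
        "common": common,
        # With nothing in common the server can only answer with a fatal alert.
        "alert": None if common else "handshake_failure",
        "client_kx": sorted({p["key_exchange"] for p in parsed.values()}),
        "server_kx": sorted({parse_suite(s)["key_exchange"] for s in server}),
        # DH_anon suites carry no server certificate, so the peer is unauthenticated.
        "unauthenticated": [s for s, p in parsed.items()
                            if p["key_exchange"].endswith("_anon")],
        # Export suites are limited to 40-bit keys.
        "export_grade": [s for s, p in parsed.items() if p["export"]],
    }

if __name__ == "__main__":
    for key, value in diagnose(CLIENT_SUITES, SERVER_SUITES).items():
        print(f"{key}: {value}")
```

The bulk cipher and MAC match on both sides (DES and 3DES with SHA), but a suite is negotiated as a whole, so the differing key exchange leaves no common entry.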