[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[iaik-ssl]cu|| How to differentiate between Handshake problems


I'm currently evaluating the iSaSiLk library. I have the following question
(I have searched the mailinglist archive, but not found an answer):

When a handshake with startHandshake() fails, an IOException is thrown (both
on client and server side), with a message describing what went wrong ("no
matching ciphersuite", "no trusted certificate", ...). We now want more
control over things that can go wrong during handshaking, because we want to
give useful feedback to the user. Because this feedback needs to be
langauge-specific, we need to be able to determine the cause of the
handshake failure. How can this be done, when we only get an IOException
with a message? Should we use the message string as an identifier for the
kind of problem (seems unflexible and error-prone)? Or can this only be done
by writing our own ChainVerifier, making our own verifications of the
certificate chains, with our own try-catch-blocks (seems like a lot of

The different handshake problems between which we want to differentiate are
a.o. (both on client and on server side):
     - other side seems to be talking plain
     - wrong SSL version/protocol
     - no common cyphersuites
     - remote side certificate expired
     - remote side certificate corrupt
     - remote side certificate not trusted (evt. difference between end
certificate or cert in chain)
     - unsupported key length\type

Johan Corveleyn

Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html

To unsubscribe send an email to listserv@iaik.at with the folowing content: UNSUBSCRIBE iaik-ssl