Debugging BCJSSE


Veit Guna
Hi.

First of all, thanks for putting so much effort into supporting old JDK
versions! Especially for legacy systems that are not easy to migrate to
the latest versions, this is a real life-saver.

Currently I'm trying to teach an old JDK5 to use the newly provided
BCJSSE provider to get TLSv1.2 support running.
I'm just testing it with a simple main class, setting up the provider
programmatically using the BC SSLSocketFactory together with
HttpsUrlConnection.

I'm making progress, but stumbling across some exceptions like this:

Exception in thread "main" java.lang.RuntimeException: java.lang.IllegalArgumentException: 'suites' cannot be null, or contain unsupported cipher suites
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:904)
    at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:1941)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:376)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:318)
....

Caused by: java.lang.IllegalArgumentException: 'suites' cannot be null, or contain unsupported cipher suites
    at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.setEnabledCipherSuites(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:399)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:367)
    ... 3 more

Before that, I got a similar exception for 'protocols'. Looking at the
source, I could figure out that it was the 'https.protocols' system
property having the old SSLv3 protocol set.

Now I'm working on this, figuring out which unsupported suites are passed
and how to exclude/support them. I think two things would help me and
other people out here:

1) Trying to debug this isn't working out for me, since the bctls jar
does not contain debug information (line numbers).
For bcprov, there seems to exist a dedicated debug jar containing such
debug info. It would be great to have the same for the bctls jar.

2) Another thing: now I have to figure out which unsupported cipher
suites are passed. It would be great if the exception above (and also
the one for protocols) stated the actual unsupported cipher/protocol :D.
This would greatly help in figuring out what is going wrong.

Meanwhile I figured out that setting the 'https.cipherSuites' system
property to empty does the trick, and normal SSL pages seem to work.

One problem, though, is https://www.nist.gov (only allowing TLSv1.2); it
returns:

INFO: Client raised fatal(2) bad_certificate(42) alert: Failed to read record
org.bouncycastle.tls.TlsFatalAlert: bad_certificate(42)
    at org.bouncycastle.jsse.provider.ProvTlsClient$1.notifyServerCertificate(Unknown Source)
    at org.bouncycastle.tls.TlsUtils.processServerCertificate(Unknown Source)
    at org.bouncycastle.tls.TlsClientProtocol.handleServerCertificate(Unknown Source)
    at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
    at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source)
    at org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source)
    at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:402)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:934)
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:367)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:318)

But I guess this is due to my probably outdated cacerts file. I'll check
that.

Anyway, thanks for your support and effort you put into BC!

Cheers,
Veit
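The check the poster is asking the exception to perform can be done up front: compare the comma-separated 'https.protocols' and 'https.cipherSuites' values against what the BCJSSE socket factory reports as supported, before HttpsClient.afterConnect hands them to setEnabledProtocols/setEnabledCipherSuites. This is an added example, not code from the post or from Bouncy Castle; it assumes the bcprov and bctls jars are on the classpath, that the BCJSSE SSLSocketFactory can create an unconnected socket via createSocket(), and that the URL to fetch is passed as the first argument (JDK5-style Java, no generics).

```java
import java.net.URL;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

public class BcjsseSuiteCheck {
    // Entries of a comma-separated system property that 'supported' does not contain.
    // An unset or empty property yields an empty list: HttpsClient then leaves the
    // provider's own defaults alone, which is why setting it to '' makes things work.
    static List unsupported(String property, String[] supported) {
        List missing = new ArrayList();
        String value = System.getProperty(property);
        if (value == null || value.trim().length() == 0) {
            return missing;
        }
        List ok = Arrays.asList(supported);
        String[] requested = value.split(",");
        for (int i = 0; i < requested.length; i++) {
            String name = requested[i].trim();
            if (name.length() > 0 && !ok.contains(name)) {
                missing.add(name);
            }
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        Security.addProvider(new BouncyCastleJsseProvider());
        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(null, null, null); // default key/trust managers, i.e. the JVM's cacerts
        SSLSocketFactory factory = ctx.getSocketFactory();
        // An unconnected socket is enough to ask the provider what it supports (assumption).
        SSLSocket probe = (SSLSocket) factory.createSocket();
        List badProtocols = unsupported("https.protocols", probe.getSupportedProtocols());
        List badSuites = unsupported("https.cipherSuites", factory.getSupportedCipherSuites());
        probe.close();
        if (!badProtocols.isEmpty() || !badSuites.isEmpty()) { // name what afterConnect would reject
            throw new IllegalArgumentException("unsupported protocols " + badProtocols + ", suites " + badSuites);
        }
        HttpsURLConnection.setDefaultSSLSocketFactory(factory);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Running it with -Dhttps.protocols=SSLv3 reproduces the poster's first failure as a message that names SSLv3, instead of the bare 'cannot be null, or contain unsupported' text.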