Help using the JSSE provider in BC v1.56

Help using the JSSE provider in BC v1.56

William Konitzer

Hi,

Is there any documentation on using the new JSSE provider in BC v1.56? I’d like to give it a go with a project.

Thanks,

Will

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Help using the JSSE provider in BC v1.56

David Hook-3

We're still working on it. At the moment the best I can recommend is looking at the tests; if you have any specific questions we'll do our best to answer them.

Regards,

David

On 17/02/17 04:46, William Konitzer wrote:


RE: Help using the JSSE provider in BC v1.56

William Konitzer

Hi David,

Thanks – I’ll take a look at the test cases!

Some quick questions before I play around..

Does it work as a straight drop-in for SunJSSE? To play around to start with I was going to drop the bcprov-jdk15on-156.jar and bctls-jdk15on-156.jar files into my .. /java/jre/lib/ext directory and then change the JRE java.security file to read

security.provider.1=sun.security.provider.Sun
security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.4=sun.security.jgss.SunProvider
security.provider.5=com.sun.security.sasl.Provider
security.provider.6=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.7=sun.security.smartcardio.SunPCSC

Or is there more work required?

On another side question, can you set the client TLS protocol on startup?

Thanks,

Will

From: David Hook [mailto:[hidden email]]
Sent: Friday, February 17, 2017 10:16 AM
To: [hidden email]
Subject: Re: [dev-crypto] Help using the JSSE provider in BC v1.56

Re: Help using the JSSE provider in BC v1.56

David Hook-3

It should work as a straight drop in (well that's the idea, it works for a lot of things, but it's not 100% yet).

If you run into any issues, grab the latest beta first (or maybe just do that now anyway).

https://www.bouncycastle.org/betas

You can't configure the TLS protocol on startup at the moment, I will add it to the list.

Regards,

David

On 18/02/17 05:50, William Konitzer wrote:


RE: Help using the JSSE provider in BC v1.56

William Konitzer

OK, I gave this a quick go and it looks promising :). I’m hitting the following error though, is this me configuring the JRE wrong or do I need to go in and adjust my code?

java.net.SocketException: java.security.NoSuchAlgorithmException: Default SSLContext not available

Thanks,

Will

From: David Hook [mailto:[hidden email]]
Sent: Friday, February 17, 2017 3:46 PM
To: William Konitzer <[hidden email]>; [hidden email]
Subject: Re: [dev-crypto] Help using the JSSE provider in BC v1.56


Re: Help using the JSSE provider in BC v1.56

Peter Dettman-3
Hi Will,
There appear to be some problems with the BCJSSE handling of
SSLContext.getDefault() at the moment (i.e. when SunJSSE isn't available
to handle it). We're looking into it.

For the moment, I would recommend using:
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(...);

which means you'll need to explicitly establish any keystore and
truststore (BCJSSE also has "PKIX" KeyManagerFactory and
TrustManagerFactory). Also, "TLS" doesn't currently imply the same
initial set of enabled protocols/ciphersuites, so when testing I
recommend being explicit about these. It might be useful to check the
defaults and supported lists:

        ctx.getDefaultSSLParameters()
        ctx.getSupportedSSLParameters()


We'll hopefully get a new beta up with the fixed getDefault before too
long if you don't want to fiddle with explicit initialization.

We are aiming to work as a drop-in replacement as far as possible (plus
support for a wider range of cipher suites, TLS 1.2 back to JDK 1.5 and
other extensions), but there are a lot of small details and we very much
appreciate all reports of discrepancies.

Regards,
Pete Dettman


On 18/02/2017 7:49 AM, William Konitzer wrote:

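The explicit initialisation Peter recommends, written out as an added example (not code from this thread or from the Bouncy Castle project): the providers are registered in code rather than in java.security, the trust store is established explicitly through BCJSSE's "PKIX" TrustManagerFactory, and SSLContext.getDefault() is never called. The trust store path and password are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/**
 * Builds a client SSLContext from BCJSSE without relying on
 * SSLContext.getDefault(), which is the workaround suggested in the thread.
 */
public final class ExplicitBcJsseContext {

    // Placeholder trust store and password; substitute your own values.
    private static final String TRUST_STORE_PATH = "truststore.jks";
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    public static SSLContext build() throws Exception {
        // Register the BC crypto provider and the BC JSSE provider at runtime.
        // addProvider appends to the provider list, so the JRE's own providers
        // keep handling everything we do not ask BCJSSE for by name.
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
        if (Security.getProvider(BouncyCastleJsseProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleJsseProvider());
        }

        // Establish the trust store ourselves instead of relying on defaults.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(TRUST_STORE_PATH)) {
            trustStore.load(in, TRUST_STORE_PASSWORD);
        }

        // "PKIX" is the TrustManagerFactory algorithm BCJSSE provides.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
            "PKIX", BouncyCastleJsseProvider.PROVIDER_NAME);
        tmf.init(trustStore);

        // Ask BCJSSE by name for the "TLS" context, then initialise it with our
        // trust managers. Client-only, so no key managers are supplied.
        SSLContext ctx = SSLContext.getInstance(
            "TLS", BouncyCastleJsseProvider.PROVIDER_NAME);
        ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = build();
        // Check what this provider enables by default rather than assuming
        // the SunJSSE defaults carry over.
        System.out.println("provider: " + ctx.getProvider().getName());
        System.out.println("enabled by default: "
            + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("supported: "
            + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
    }
}
```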

RE: Help using the JSSE provider in BC v1.56

William Konitzer
Hi Peter,

Understood. Do you have a timeline for when the fixed getDefault might be available for testing?

Also, can I clarify the following comment: "'TLS' doesn't currently imply the same initial set of enabled protocols/ciphersuites". Do you mean defaults for SunJSSE vs BCJSSE? If so, do you happen to know what the differences are?

Regards,
Will

-----Original Message-----
From: Peter Dettman [mailto:[hidden email]]
Sent: Saturday, February 18, 2017 1:35 AM
To: [hidden email]
Subject: Re: [dev-crypto] Help using the JSSE provider in BC v1.56


Re: Help using the JSSE provider in BC v1.56

Peter Dettman-3
Hi Will,
For timeline, probably after the coming weekend.

Regarding SSLContext.getInstance("TLS"), see
http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext
for a list of what each algorithm name means. As you can see it's
(intentionally?) vague. I _think_ all versions of TLS are _supported_ no
matter which algorithm you use, but the initially _enabled_ protocols
are different - it's really best if you test it out yourself as I have
no idea if/how the behaviour changes b/w JDKs or versions.

BCJSSE currently only provides "TLS", which enables just the TLSv1.2
protocol, but it will still support TLSv1.1 or TLSv1.0 if you explicitly
enable them subsequently (e.g. SSLSocket.setEnabledProtocols). We will
eventually support the other SSLContext algorithms (well at least the
TLS ones), but these will only change what protocols are enabled by default.

As for cipher suites, we support most of the ones in SunJSSE, plus e.g.
CHACHA20_POLY1305, CCM and GCM (not in SunJSSE before JDK7) - at least
when used with the BC crypto provider. The list of enabled-by-default
ciphersuites is quite different at the moment, as we haven't really
settled on this yet.

I guess the larger point is that "drop-in" will never be quite
guaranteed, though it should be achievable for simple/common cases. Code
that wants to be "JSSE-agile" may need to be a little more explicit
about things, and less reliant on defaults.

Regards,
Pete Dettman

On 20/02/2017 4:14 AM, William Konitzer wrote:

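Peter's "JSSE-agile" advice made concrete, as an added example (not code from this thread or from the Bouncy Castle project): the helpers report what a given SSLContext enables by default against what it supports, and open a client socket whose protocols and cipher suites are set explicitly via setEnabledProtocols / setEnabledCipherSuites rather than inherited from whichever provider built the context. It assumes an already initialised SSLContext is passed in; host, port and the wanted lists are caller-supplied.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

/**
 * Helpers for code that must behave the same whether SunJSSE or BCJSSE built
 * the SSLContext: inspect default-vs-supported, then be explicit.
 */
public final class JsseAgileClient {

    /** Names present in 'supported' but missing from 'enabled'. */
    public static Set<String> supportedButNotEnabled(String[] supported, String[] enabled) {
        Set<String> result = new LinkedHashSet<>(Arrays.asList(supported));
        result.removeAll(Arrays.asList(enabled));
        return result;
    }

    /** Keeps the 'wanted' entries, in order, that the provider actually supports. */
    public static String[] intersect(String[] wanted, String[] supported) {
        Set<String> sup = new LinkedHashSet<>(Arrays.asList(supported));
        List<String> kept = new ArrayList<>();
        for (String w : wanted) {
            if (sup.contains(w)) {
                kept.add(w);
            }
        }
        return kept.toArray(new String[0]);
    }

    /** Prints the default-vs-supported picture for whichever provider built ctx. */
    public static void report(SSLContext ctx) {
        SSLParameters def = ctx.getDefaultSSLParameters();
        SSLParameters sup = ctx.getSupportedSSLParameters();
        System.out.println("provider: " + ctx.getProvider().getName());
        System.out.println("protocols enabled by default: " + Arrays.toString(def.getProtocols()));
        System.out.println("protocols supported but not enabled: "
            + supportedButNotEnabled(sup.getProtocols(), def.getProtocols()));
        System.out.println("cipher suites enabled by default: " + def.getCipherSuites().length
            + " of " + sup.getCipherSuites().length + " supported");
    }

    /**
     * Opens a client socket whose protocol and cipher-suite lists are set
     * explicitly. Requested names the provider does not support are dropped
     * (setEnabledProtocols would otherwise throw), and an empty intersection
     * is a hard failure rather than a silent fallback to provider defaults.
     */
    public static SSLSocket connect(SSLContext ctx, String host, int port,
                                    String[] wantedProtocols, String[] wantedSuites)
            throws IOException {
        SSLParameters sup = ctx.getSupportedSSLParameters();
        String[] protocols = intersect(wantedProtocols, sup.getProtocols());
        String[] suites = intersect(wantedSuites, sup.getCipherSuites());
        if (protocols.length == 0 || suites.length == 0) {
            throw new IOException("provider " + ctx.getProvider().getName()
                + " supports none of the requested protocols or cipher suites");
        }
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
        socket.setEnabledProtocols(protocols);
        socket.setEnabledCipherSuites(suites);
        socket.connect(new InetSocketAddress(host, port));
        socket.startHandshake();
        return socket;
    }
}
```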

Re: Help using the JSSE provider in BC v1.56

William Konitzer
Hi Peter,

Thanks for the quick response! This all looks good and informative.

I'll push on with my own testing but please do let me know when a beta with a fix for getDefault is available.

Regards,
Will


_____________________________
From: Peter Dettman <[hidden email]>
Sent: Monday, February 20, 2017 6:44 AM
Subject: Re: [dev-crypto] Help using the JSSE provider in BC v1.56
To: <[hidden email]>



RE: Help using the JSSE provider in BC v1.56

George Stanchev

This discussion is very informative for me and I don’t want to derail this thread. But I found the remark about TLS 1.2 going back to Java 1.5 interesting. On an unrelated note, is there any thought about adding TLS 1.3 support to BCJCCE in the near future? I realize it is still in draft stage but FF (NSS) and Chrome already have some support for it. Looking at the working group page [1] there are some servers that can be set up for test. It would be awesome to see BC on the bleeding edge.

Regards,

George

[1] https://github.com/tlswg/tls13-spec/wiki/Implementations

From: William Konitzer [mailto:[hidden email]]
Sent: Tuesday, February 21, 2017 11:35 AM
To: [hidden email]; [hidden email]
Subject: Re: [dev-crypto] Help using the JSSE provider in BC v1.56


Re: Help using the JSSE provider in BC v1.56

Peter Dettman-3
Hi George,
Yes, BCJSSE supports TLS 1.2 and will currently build/run on JDK 1.5 or
later. In fact the underlying TLS implementation is fully functional on
even older JDKs.

TLS 1.3 is certainly something we want to implement, but for which we
will need to get funding from somewhere if it is to arrive in the "near
future".

Regards,
Pete Dettman

On 23/02/2017 4:12 AM, George Stanchev wrote:
