TLS client for server utilizing SNI

TLS client for server utilizing SNI

William Thorp

I'm failing to get Bouncy Castle working as an (OpenJDK 6) TLS client against a web server that requires the use of Server Name Indication (SNI).
I'm obviously new to Bouncy Castle, and am getting the following error when I run the attached code:

Exception in thread "main" java.io.IOException: Internal TLS error, this could be an attack
        at org.bouncycastle.crypto.tls.TlsProtocol.processAlert(Unknown Source)
        at org.bouncycastle.crypto.tls.TlsProtocol.processRecord(Unknown Source)
        at org.bouncycastle.crypto.tls.RecordStream.readRecord(Unknown Source)
        at org.bouncycastle.crypto.tls.TlsProtocol.safeReadRecord(Unknown Source)
        at org.bouncycastle.crypto.tls.TlsProtocol.blockForHandshake(Unknown Source)
        at org.bouncycastle.crypto.tls.TlsClientProtocol.connect(Unknown Source)

Thank you!


Attachment: Bouncy.java (3K)

Re: TLS client for server utilizing SNI

Peter Dettman-3
Hi William,
Fixing these uninformative exceptions is still on our shortlist for TLS,
but in the meantime you can log any underlying exception (with a much
more useful stack trace) in the notifyAlertRaised method (override this
in your DefaultTlsClient implementation). There's also
notifyAlertReceived for alerts received from the peer, but if the error
is coming from the server, the only information you'll get is the
"AlertDescription" value, which is not always helpful.

Anyway, for the SNI I think you just need to override (DefaultTlsClient
again) the getClientExtensions method:

    import java.io.IOException;
    import java.util.Hashtable;
    import java.util.Vector;
    import org.bouncycastle.crypto.tls.*;

    // Inside your DefaultTlsClient subclass: append a server_name extension
    // (the raw Hashtable/Vector types are what the BC 1.5x TLS API expects).
    public Hashtable getClientExtensions() throws IOException
    {
        Hashtable clientExtensions =
            TlsExtensionsUtils.ensureExtensionsInitialised(super.getClientExtensions());

        Vector serverNames = new Vector(1);
        serverNames.addElement(new ServerName(NameType.host_name, "www.example.com"));
        TlsExtensionsUtils.addServerNameExtension(clientExtensions,
            new ServerNameList(serverNames));

        return clientExtensions;
    }

Regards,
Pete Dettman


On 7/04/2017 10:52 PM, William Thorp wrote:

> I'm failing to get Bouncy Castle working as a (OpenJDK 6) TLS client
> against a web server that requires the use of Server Name Indication (SNI).
> I'm obviously new to Bouncy Castle, and am getting the following error
> when I run the attached code:
>
> Exception in thread "main" java.io.IOException: Internal TLS error, this could be an attack
>         at org.bouncycastle.crypto.tls.TlsProtocol.processAlert(Unknown Source)
>         at org.bouncycastle.crypto.tls.TlsProtocol.processRecord(Unknown Source)
>         at org.bouncycastle.crypto.tls.RecordStream.readRecord(Unknown Source)
>         at org.bouncycastle.crypto.tls.TlsProtocol.safeReadRecord(Unknown Source)
>         at org.bouncycastle.crypto.tls.TlsProtocol.blockForHandshake(Unknown Source)
>         at org.bouncycastle.crypto.tls.TlsClientProtocol.connect(Unknown Source)
>
> Thank you!
>


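As an added example (not code from this thread or from Bouncy Castle itself), the following DefaultTlsClient subclass combines the two suggestions in the reply above, the SNI extension and a notifyAlertRaised override that logs the real cause, and fills in the getAuthentication() method that DefaultTlsClient leaves abstract with a chain check against the JDK truststore rather than a no-op that would accept any server certificate. The class name, the host field and the legacy BC 1.5x org.bouncycastle.crypto.tls API (notifyAlertRaised taking a Throwable) are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import java.util.Vector;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.bouncycastle.crypto.tls.*;
// Added example, not the thread's code. Assumes the legacy BC 1.5x TLS API and the JDK default truststore.
public class SniTlsClient extends DefaultTlsClient {
    private final String host;
    public SniTlsClient(String host) { this.host = host; }
    // SNI: append a server_name extension carrying the target host name.
    public Hashtable getClientExtensions() throws IOException {
        Hashtable ext = TlsExtensionsUtils.ensureExtensionsInitialised(super.getClientExtensions());
        Vector names = new Vector(1);
        names.addElement(new ServerName(NameType.host_name, host));
        TlsExtensionsUtils.addServerNameExtension(ext, new ServerNameList(names));
        return ext;
    }
    // Log the underlying cause instead of the bare "Internal TLS error" IOException.
    public void notifyAlertRaised(short level, short desc, String message, Throwable cause) {
        System.err.println("TLS alert raised: " + AlertDescription.getText(desc) + " " + message);
        if (cause != null) cause.printStackTrace();
    }
    // DefaultTlsClient leaves server authentication to the caller; validate the chain with the
    // JDK trust manager. Hostname matching of the leaf (SAN dNSName) is a separate check not shown.
    public TlsAuthentication getAuthentication() {
        return new ServerOnlyTlsAuthentication() {
            public void notifyServerCertificate(Certificate chain) throws IOException {
                try {
                    CertificateFactory cf = CertificateFactory.getInstance("X.509");
                    org.bouncycastle.asn1.x509.Certificate[] list = chain.getCertificateList();
                    X509Certificate[] jdkChain = new X509Certificate[list.length];
                    for (int i = 0; i < list.length; i++) {
                        jdkChain[i] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(list[i].getEncoded()));
                    }
                    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                    tmf.init((KeyStore) null); // null = the JDK default truststore (cacerts)
                    ((X509TrustManager) tmf.getTrustManagers()[0]).checkServerTrusted(jdkChain, "RSA");
                } catch (Exception e) {
                    throw new TlsFatalAlert(AlertDescription.bad_certificate, e);
                }
            }
        };
    }
}
```

The trust manager only validates the chain; matching the leaf certificate against the host (SAN dNSName) still has to be added before this client is safe to use.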