Using Bouncycastle to establish TLS connections

classic Classic list List threaded Threaded
15 messages Options
Reply | Threaded
Open this post in threaded view
|

Using Bouncycastle to establish TLS connections

Sebastian Oerding
Hello,

I want to contact a LDAP server via LDAPS. Using Java 1.8 the algorithm is supported. However I still get a handshake_failure. This failure is probably due to Java 1.8 not supporting brainpool curves and the server requiring a brainpoolP256r1.

However when establishing a LdapContext this is deeply hidden in Java. Making Java to use BouncyCastle may solve this issue.

1. Is there any factory for SSL / TLS sockets in Bouncycastle?
2. Can I make Java use this factory by default, for example via java.net.Socket#setSocketImplFactory?

Regards,
Sebastian Oerding

smime.p7s (11K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Using Bouncycastle to establish TLS connections

Sebastian Oerding
Hello,

I want to contact a LDAP server via LDAPS. Using Java 1.8 the algorithm is supported. However I still get a handshake_failure. This failure is probably due to Java 1.8 not supporting brainpool curves and the server requiring a brainpoolP256r1.

However when establishing a LdapContext this is deeply hidden in Java. Making Java to use BouncyCastle may solve this issue.

1. Is there any factory for SSL / TLS sockets in Bouncycastle?
2. Can I make Java use this factory by default, for example via java.net.Socket#setSocketImplFactory?

Regards,
Sebastian Oerding

smime.p7s (11K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

AW: Using Bouncycastle to establish TLS connections

Sebastian Oerding
In reply to this post by Sebastian Oerding
Hello,

I tried making BouncyCastle the SecurityProvider by adding it to java.security as described under

http://www.bouncycastle.org/wiki/display/JA1/Provider+Installation

I also tried to enable it for SSL by adding BC in

security.provider.4=com.sun.net.ssl.internal.ssl.Provider BC

in the same file. However now when starting my unit test I got

  keyStore is :
  keyStore type is : jks
  keyStore provider is :
  init keystore
  init keymanager of type SunX509
  default context init failed: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider BC

Is there anything more I have to configure? Do I have to convert the cacerts to a BC compliant KeyStore?

Regards,
Sebastian

> -----Ursprüngliche Nachricht-----
> Von: Sebastian Oerding [mailto:[hidden email]]
> Gesendet: Mittwoch, 5. August 2015 16:59
> An: [hidden email]
> Betreff: [Signatur gueltig] [dev-crypto] Using Bouncycastle to establish TLS
> connections
>
> Hello,
>
> I want to contact a LDAP server via LDAPS. Using Java 1.8 the algorithm is
> supported. However I still get a handshake_failure. This failure is probably
> due to Java 1.8 not supporting brainpool curves and the server requiring a
> brainpoolP256r1.
>
> However when establishing a LdapContext this is deeply hidden in Java.
> Making Java to use BouncyCastle may solve this issue.
>
> 1. Is there any factory for SSL / TLS sockets in Bouncycastle?
> 2. Can I make Java use this factory by default, for example via
> java.net.Socket#setSocketImplFactory?
>
> Regards,
> Sebastian Oerding

smime.p7s (11K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

AW: Using Bouncycastle to establish TLS connections

Sebastian Oerding
In reply to this post by Sebastian Oerding
After investigating more on this I found several results (stackoverflow and similar ones) indicating that BouncyCastle is a JCE implementation - not a JSSE implementation. Hence it was concluded that I could use BouncyCastle to implement my own SSLContext (but I have to implement to complete protocol by myself) which is then used after

SSLContext.setDefault(new MySslContext);

.

Currently I'm stuck. I have different approaches which I could follow. For none of these approaches I know whether the approach would be a successful one or how long I would need until I know whether it can be successful (but I have to implement it until tomorrow ... ).

So there are different questions:
1) Is it correct that BouncyCastle is a JCE implementation, not a JSSE implementation?
2) Can I make Java to use BouncyCastle to establish SSL connections and dhow to make and / convert the keystores accordingly? (Depending on the firster to the first question this question may become irrelevant)
3) How much effort would it require to implement an SSLContext using BouncyCastle? Which parts of BouncyCastle can I re-use to do so?

With regards
Sebastian
               

> -----Ursprüngliche Nachricht-----
> Von: Sebastian Oerding
> Gesendet: Donnerstag, 6. August 2015 09:46
> An: [hidden email]
> Betreff: AW: Using Bouncycastle to establish TLS connections
>
> Hello,
>
> I tried making BouncyCastle the SecurityProvider by adding it to java.security
> as described under
>
> http://www.bouncycastle.org/wiki/display/JA1/Provider+Installation
>
> I also tried to enable it for SSL by adding BC in
>
> security.provider.4=com.sun.net.ssl.internal.ssl.Provider BC
>
> in the same file. However now when starting my unit test I got
>
>   keyStore is :
>   keyStore type is : jks
>   keyStore provider is :
>   init keystore
>   init keymanager of type SunX509
>   default context init failed: java.security.KeyStoreException: FIPS mode:
> KeyStore must be from provider BC
>
> Is there anything more I have to configure? Do I have to convert the cacerts
> to a BC compliant KeyStore?
>
> Regards,
> Sebastian
>
> > -----Ursprüngliche Nachricht-----
> > Von: Sebastian Oerding [mailto:[hidden email]]
> > Gesendet: Mittwoch, 5. August 2015 16:59
> > An: [hidden email]
> > Betreff: [Signatur gueltig] [dev-crypto] Using Bouncycastle to
> > establish TLS connections
> >
> > Hello,
> >
> > I want to contact a LDAP server via LDAPS. Using Java 1.8 the
> > algorithm is supported. However I still get a handshake_failure. This
> > failure is probably due to Java 1.8 not supporting brainpool curves
> > and the server requiring a brainpoolP256r1.
> >
> > However when establishing a LdapContext this is deeply hidden in Java.
> > Making Java to use BouncyCastle may solve this issue.
> >
> > 1. Is there any factory for SSL / TLS sockets in Bouncycastle?
> > 2. Can I make Java use this factory by default, for example via
> > java.net.Socket#setSocketImplFactory?
> >
> > Regards,
> > Sebastian Oerding

smime.p7s (11K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: AW: Using Bouncycastle to establish TLS connections

Peter Dettman-3
Hi Sebastian,

1) It is correct that BC is currently only a JCE provider. Our TLS code
is only usable directly through the lightweight API, not as a JSSE
provider. Although we would like to see that happen, it is unlikely we
can devote the resources anytime soon.

2) If you mean to somehow get the SunJSSE provider to use BouncyCastle's
TLS code, then no, there's no way to do that. Although it's moot, the BC
provider can handle JKS keystores fine.

3) It is feasible to implement JSSE over our lightweight TLS API if you
only need one or two ciphersuites to be supported, and don't need to
support all possible options etc. (I have done something similar for a
client to get a PSK ciphersuite working for a tomcat server). Effort
required would depend on familiarity with the JSSE and BC APIs, but at
least several days I would think.

If you absolutely need to use it via JSSE (e.g. to plug in to a
webserver), then you're stuck with 3) I guess. Otherwise, using the
lightweight API directly is an option. The tests in the
org.bouncycastle.crypto.tls.test package are helpful to understand how
to use it.

Regards,
Pete Dettman

On 6/08/2015 2:56 pm, Sebastian Oerding wrote:

> After investigating more on this I found several results (stackoverflow and similar ones) indicating that BouncyCastle is a JCE implementation - not a JSSE implementation. Hence it was concluded that I could use BouncyCastle to implement my own SSLContext (but I have to implement to complete protocol by myself) which is then used after
>
> SSLContext.setDefault(new MySslContext);
>
> .
>
> Currently I'm stuck. I have different approaches which I could follow. For none of these approaches I know whether the approach would be a successful one or how long I would need until I know whether it can be successful (but I have to implement it until tomorrow ... ).
>
> So there are different questions:
> 1) Is it correct that BouncyCastle is a JCE implementation, not a JSSE implementation?
> 2) Can I make Java to use BouncyCastle to establish SSL connections and dhow to make and / convert the keystores accordingly? (Depending on the firster to the first question this question may become irrelevant)
> 3) How much effort would it require to implement an SSLContext using BouncyCastle? Which parts of BouncyCastle can I re-use to do so?
>
> With regards
> Sebastian


Reply | Threaded
Open this post in threaded view
|

Re: AW: Using Bouncycastle to establish TLS connections

Michał Zegan
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For me the main stopper in using the tls lightweight api is no support
for any kind of nonblocking operations.

W dniu 2015-08-06 o 18:03, Peter Dettman pisze:

> Hi Sebastian,
>
> 1) It is correct that BC is currently only a JCE provider. Our TLS
> code is only usable directly through the lightweight API, not as a
> JSSE provider. Although we would like to see that happen, it is
> unlikely we can devote the resources anytime soon.
>
> 2) If you mean to somehow get the SunJSSE provider to use
> BouncyCastle's TLS code, then no, there's no way to do that.
> Although it's moot, the BC provider can handle JKS keystores fine.
>
> 3) It is feasible to implement JSSE over our lightweight TLS API if
> you only need one or two ciphersuites to be supported, and don't
> need to support all possible options etc. (I have done something
> similar for a client to get a PSK ciphersuite working for a tomcat
> server). Effort required would depend on familiarity with the JSSE
> and BC APIs, but at least several days I would think.
>
> If you absolutely need to use it via JSSE (e.g. to plug in to a
> webserver), then you're stuck with 3) I guess. Otherwise, using
> the lightweight API directly is an option. The tests in the
> org.bouncycastle.crypto.tls.test package are helpful to understand
> how to use it.
>
> Regards, Pete Dettman
>
> On 6/08/2015 2:56 pm, Sebastian Oerding wrote:
>> After investigating more on this I found several results
>> (stackoverflow and similar ones) indicating that BouncyCastle is
>> a JCE implementation - not a JSSE implementation. Hence it was
>> concluded that I could use BouncyCastle to implement my own
>> SSLContext (but I have to implement to complete protocol by
>> myself) which is then used after
>>
>> SSLContext.setDefault(new MySslContext);
>>
>> .
>>
>> Currently I'm stuck. I have different approaches which I could
>> follow. For none of these approaches I know whether the approach
>> would be a successful one or how long I would need until I know
>> whether it can be successful (but I have to implement it until
>> tomorrow ... ).
>>
>> So there are different questions: 1) Is it correct that
>> BouncyCastle is a JCE implementation, not a JSSE implementation?
>> 2) Can I make Java to use BouncyCastle to establish SSL
>> connections and dhow to make and / convert the keystores
>> accordingly? (Depending on the firster to the first question this
>> question may become irrelevant) 3) How much effort would it
>> require to implement an SSLContext using BouncyCastle? Which
>> parts of BouncyCastle can I re-use to do so?
>>
>> With regards Sebastian
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBAgAGBQJVw4gdAAoJEHb1CzgxXKwYTk0P/R6gpcGgw3U5mZaqvUYgRqVE
KiWxg11PPPAtrTb+BhcTlmTUv0uJGtDBzFNnEAd/nzap5pcIuHmbmzENKnayM+RU
ZH61AIn+nnCEKZhtkc0rPLlxOaq00lGzZVsCWyFoYUGBIr3m+/+3lZuhF0cKrVE1
JbQo2JCRNavCqLfXZnBNMKJbKaAQckMCQkhSeGK3UhK9U/rjdzpc+K/LFdRNG0TO
c7IHge6MYez2eIHhLPvkFCSCSjW7sSpDkKdkehMijAprNHlK/hvaaVws47jigi2Y
tg4d2F0lsVZ6TcEPEQhkXmzkZ6tAwK5Z9YP7dvO4bUhWz3sI6g7QfqQm/M26o2z1
yyocbpZFpxaRdv/DfnyhJm+vT/qyMwKi11uohMy4So5mQTvpygVUjYmvZGX3tDcz
K2GG3Gqkb4YBDUNPRUU3p1LH7YJeJSsW7B0ZtZbz1AptJEHzb59oH2EPkV1wedTs
TfKdJ/fIuStQVHdjuX3rQORkom59QCyx7zgDfFvcvlojvBpOkykKqrWmJJJQ0vci
7MdF7OXKSrA4fYWIiq6bQPn/vUgFiA5XNlDtsBBo6KouILmCH2dd+FKKvnWyrDm5
6pZBiNmvIodtH1XruaJZtfQGP2Re+Yqnp+FklJCXjD0SnjY3JM9bTI7furSuogBK
chtpClRBfpcbTCpu7FXM
=cx+Y
-----END PGP SIGNATURE-----

Reply | Threaded
Open this post in threaded view
|

Re: AW: Using Bouncycastle to establish TLS connections

David Hook
In reply to this post by Sebastian Oerding

For the sake of completeness, I think if you set the keystore type to
PKCS12 you'll get past this error.

It will fall over shortly after that though - the JSSE also looks for
some KDFs which take internal Sun parameters. The regular BC API doesn't
currently support these.

Regards,

David

On 06/08/15 17:46, Sebastian Oerding wrote:

> Hello,
>
> I tried making BouncyCastle the SecurityProvider by adding it to java.security as described under
>
> http://www.bouncycastle.org/wiki/display/JA1/Provider+Installation
>
> I also tried to enable it for SSL by adding BC in
>
> security.provider.4=com.sun.net.ssl.internal.ssl.Provider BC
>
> in the same file. However now when starting my unit test I got
>
>   keyStore is :
>   keyStore type is : jks
>   keyStore provider is :
>   init keystore
>   init keymanager of type SunX509
>   default context init failed: java.security.KeyStoreException: FIPS mode: KeyStore must be from provider BC
>
> Is there anything more I have to configure? Do I have to convert the cacerts to a BC compliant KeyStore?
>
> Regards,
> Sebastian
>
>> -----Ursprüngliche Nachricht-----
>> Von: Sebastian Oerding [mailto:[hidden email]]
>> Gesendet: Mittwoch, 5. August 2015 16:59
>> An: [hidden email]
>> Betreff: [Signatur gueltig] [dev-crypto] Using Bouncycastle to establish TLS
>> connections
>>
>> Hello,
>>
>> I want to contact a LDAP server via LDAPS. Using Java 1.8 the algorithm is
>> supported. However I still get a handshake_failure. This failure is probably
>> due to Java 1.8 not supporting brainpool curves and the server requiring a
>> brainpoolP256r1.
>>
>> However when establishing a LdapContext this is deeply hidden in Java.
>> Making Java to use BouncyCastle may solve this issue.
>>
>> 1. Is there any factory for SSL / TLS sockets in Bouncycastle?
>> 2. Can I make Java use this factory by default, for example via
>> java.net.Socket#setSocketImplFactory?
>>
>> Regards,
>> Sebastian Oerding


Reply | Threaded
Open this post in threaded view
|

AW: [dev-crypto] AW: Using Bouncycastle to establish TLS connections

Sebastian Oerding
In reply to this post by Peter Dettman-3
Hello,

after some further research I found that I can the JVM-wide SSLSocketFactory by

   Security.setProperty("ssl.SocketFactory.provider", "MySocketFactoryImpl");

which causes an instance of the configured class to be used for creating connections for LDAPS using JNDI. This frees me from the burden to implement and SSLEngine and the code from persoapp gave me good guidance in what to do.

However this does not make me feel well as it affects every connection which is created. For a SOAP web service I had the same problem but I could provide an instance of the SocketFactory for every invocation. That enabled to provide different instances, for example using different certificates concurrently and does not affect the remainder of the system / JVM instance.

Is there a better way to do that?

By the way and off-topic: If I use the LGPL code from the persoapp, modify it, release it and make the changed sources available, how do I have to change / extend the copyright notice?

Regards
Sebastian

> -----Ursprüngliche Nachricht-----
> Von: Peter Dettman [mailto:[hidden email]]
> Gesendet: Donnerstag, 6. August 2015 18:03
> An: Sebastian Oerding <[hidden email]>; dev-
> [hidden email]
> Betreff: Re: [dev-crypto] AW: Using Bouncycastle to establish TLS
> connections
>
> Hi Sebastian,
>
> 1) It is correct that BC is currently only a JCE provider. Our TLS code is only
> usable directly through the lightweight API, not as a JSSE provider. Although
> we would like to see that happen, it is unlikely we can devote the resources
> anytime soon.
>
> 2) If you mean to somehow get the SunJSSE provider to use BouncyCastle's
> TLS code, then no, there's no way to do that. Although it's moot, the BC
> provider can handle JKS keystores fine.
>
> 3) It is feasible to implement JSSE over our lightweight TLS API if you only
> need one or two ciphersuites to be supported, and don't need to support all
> possible options etc. (I have done something similar for a client to get a PSK
> ciphersuite working for a tomcat server). Effort required would depend on
> familiarity with the JSSE and BC APIs, but at least several days I would think.
>
> If you absolutely need to use it via JSSE (e.g. to plug in to a webserver), then
> you're stuck with 3) I guess. Otherwise, using the lightweight API directly is
> an option. The tests in the org.bouncycastle.crypto.tls.test package are
> helpful to understand how to use it.
>
> Regards,
> Pete Dettman
>
> On 6/08/2015 2:56 pm, Sebastian Oerding wrote:
> > After investigating more on this I found several results
> > (stackoverflow and similar ones) indicating that BouncyCastle is a JCE
> > implementation - not a JSSE implementation. Hence it was concluded
> > that I could use BouncyCastle to implement my own SSLContext (but I
> > have to implement to complete protocol by myself) which is then used
> > after
> >
> > SSLContext.setDefault(new MySslContext);
> >
> > .
> >
> > Currently I'm stuck. I have different approaches which I could follow. For
> none of these approaches I know whether the approach would be a
> successful one or how long I would need until I know whether it can be
> successful (but I have to implement it until tomorrow ... ).
> >
> > So there are different questions:
> > 1) Is it correct that BouncyCastle is a JCE implementation, not a JSSE
> implementation?
> > 2) Can I make Java to use BouncyCastle to establish SSL connections
> > and dhow to make and / convert the keystores accordingly? (Depending
> > on the firster to the first question this question may become
> > irrelevant)
> > 3) How much effort would it require to implement an SSLContext using
> BouncyCastle? Which parts of BouncyCastle can I re-use to do so?
> >
> > With regards
> > Sebastian
>


smime.p7s (11K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: AW: [dev-crypto] AW: Using Bouncycastle to establish TLS connections

martijn.list
On 08/31/2015 10:32 AM, Sebastian Oerding wrote:

> after some further research I found that I can the JVM-wide
> SSLSocketFactory by
>
> Security.setProperty("ssl.SocketFactory.provider",
> "MySocketFactoryImpl");
>
> which causes an instance of the configured class to be used for
> creating connections for LDAPS using JNDI. This frees me from the
> burden to implement and SSLEngine and the code from persoapp gave me
> good guidance in what to do.
>
> However this does not make me feel well as it affects every
> connection which is created. For a SOAP web service I had the same
> problem but I could provide an instance of the SocketFactory for
> every invocation. That enabled to provide different instances, for
> example using different certificates concurrently and does not affect
> the remainder of the system / JVM instance.
>
> Is there a better way to do that?

An option might be to create an extension of SocketFactory which
delegates to your specialized SocketFactory if a certain condition is
met and delegate to the original SocketFactory (
SSLContext.getDefault().getSocketFactory()) in all other cases.
For example you might create some registry which registers for which
hosts or addresses your specialized SocketFactory should be used.
Another option might be to use a thread local to indicate that the
current thread requires your specialized SocketFactory.

Kind regards,

Martijn Brinkers

--
CipherMail email encryption

Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF messaging.

https://www.ciphermail.com

Twitter: http://twitter.com/CipherMail


>> -----Ursprüngliche Nachricht----- Von: Peter Dettman
>> [mailto:[hidden email]] Gesendet: Donnerstag, 6.
>> August 2015 18:03 An: Sebastian Oerding
>> <[hidden email]>; dev- [hidden email]
>> Betreff: Re: [dev-crypto] AW: Using Bouncycastle to establish TLS
>> connections
>>
>> Hi Sebastian,
>>
>> 1) It is correct that BC is currently only a JCE provider. Our TLS
>> code is only usable directly through the lightweight API, not as a
>> JSSE provider. Although we would like to see that happen, it is
>> unlikely we can devote the resources anytime soon.
>>
>> 2) If you mean to somehow get the SunJSSE provider to use
>> BouncyCastle's TLS code, then no, there's no way to do that.
>> Although it's moot, the BC provider can handle JKS keystores fine.
>>
>> 3) It is feasible to implement JSSE over our lightweight TLS API if
>> you only need one or two ciphersuites to be supported, and don't
>> need to support all possible options etc. (I have done something
>> similar for a client to get a PSK ciphersuite working for a tomcat
>> server). Effort required would depend on familiarity with the JSSE
>> and BC APIs, but at least several days I would think.
>>
>> If you absolutely need to use it via JSSE (e.g. to plug in to a
>> webserver), then you're stuck with 3) I guess. Otherwise, using the
>> lightweight API directly is an option. The tests in the
>> org.bouncycastle.crypto.tls.test package are helpful to understand
>> how to use it.
>>
>> Regards, Pete Dettman
>>
>> On 6/08/2015 2:56 pm, Sebastian Oerding wrote:
>>> After investigating more on this I found several results
>>> (stackoverflow and similar ones) indicating that BouncyCastle is
>>> a JCE implementation - not a JSSE implementation. Hence it was
>>> concluded that I could use BouncyCastle to implement my own
>>> SSLContext (but I have to implement to complete protocol by
>>> myself) which is then used after
>>>
>>> SSLContext.setDefault(new MySslContext);
>>>
>>> .
>>>
>>> Currently I'm stuck. I have different approaches which I could
>>> follow. For
>> none of these approaches I know whether the approach would be a
>> successful one or how long I would need until I know whether it can
>> be successful (but I have to implement it until tomorrow ... ).
>>>
>>> So there are different questions: 1) Is it correct that
>>> BouncyCastle is a JCE implementation, not a JSSE
>> implementation?
>>> 2) Can I make Java to use BouncyCastle to establish SSL
>>> connections and dhow to make and / convert the keystores
>>> accordingly? (Depending on the firster to the first question this
>>> question may become irrelevant) 3) How much effort would it
>>> require to implement an SSLContext using
>> BouncyCastle? Which parts of BouncyCastle can I re-use to do so?
>>>
>>> With regards Sebastian


Reply | Threaded
Open this post in threaded view
|

AW: AW: [dev-crypto] AW: Using Bouncycastle to establish TLS connections

Sebastian Oerding
Hi,

your advice is welcome. However currently I have no idea how to achieve that.

Is there any API which allows me to register something which can decide which factory to invoke at runtime depending on conditions?

The solution which comes first in my mind is to get the default factory and set it as member of my factory and then set my factory as default. Then in my factory I can decide, for example depending on the address whether to use my implementation or to delegate to the 'old' default.

For the thread-local: I thought that setting the property applies to the whole JVM and is not limited to threads.

For the sake of completeness here is the feature:
- Request different LDAPS-Servers using TLS with authentication and with cipher suites / algorithms / named curves not supported by JDK concurrently. Each of the different servers requires different credentials. Even for the same server different credentials may be required (assuming one hosts services for different clients which are in contract with the same third party).

Regards,
Sebastian

> -----Ursprüngliche Nachricht-----
> Von: martijn.list [mailto:[hidden email]]
> Gesendet: Montag, 31. August 2015 11:21
> An: [hidden email]
> Betreff: Re: AW: [dev-crypto] AW: Using Bouncycastle to establish TLS
> connections
>
> On 08/31/2015 10:32 AM, Sebastian Oerding wrote:
> > after some further research I found that I can the JVM-wide
> > SSLSocketFactory by
> >
> > Security.setProperty("ssl.SocketFactory.provider",
> > "MySocketFactoryImpl");
> >
> > which causes an instance of the configured class to be used for
> > creating connections for LDAPS using JNDI. This frees me from the
> > burden to implement and SSLEngine and the code from persoapp gave me
> > good guidance in what to do.
> >
> > However this does not make me feel well as it affects every connection
> > which is created. For a SOAP web service I had the same problem but I
> > could provide an instance of the SocketFactory for every invocation.
> > That enabled to provide different instances, for example using
> > different certificates concurrently and does not affect the remainder
> > of the system / JVM instance.
> >
> > Is there a better way to do that?
>
> An option might be to create an extension of SocketFactory which delegates
> to your specialized SocketFactory if a certain condition is met and delegate to
> the original SocketFactory (
> SSLContext.getDefault().getSocketFactory()) in all other cases.
> For example you might create some registry which registers for which hosts
> or addresses your specialized SocketFactory should be used.
> Another option might be to use a thread local to indicate that the current
> thread requires your specialized SocketFactory.
>
> Kind regards,
>
> Martijn Brinkers
>
> --
> CipherMail email encryption
>
> Open source email encryption gateway with support for S/MIME, OpenPGP
> and PDF messaging.
>
> https://www.ciphermail.com
>
> Twitter: http://twitter.com/CipherMail
>
>
> >> -----Ursprüngliche Nachricht----- Von: Peter Dettman
> >> [mailto:[hidden email]] Gesendet: Donnerstag, 6.
> >> August 2015 18:03 An: Sebastian Oerding
> >> <[hidden email]>; dev- [hidden email]
> >> Betreff: Re: [dev-crypto] AW: Using Bouncycastle to establish TLS
> >> connections
> >>
> >> Hi Sebastian,
> >>
> >> 1) It is correct that BC is currently only a JCE provider. Our TLS
> >> code is only usable directly through the lightweight API, not as a
> >> JSSE provider. Although we would like to see that happen, it is
> >> unlikely we can devote the resources anytime soon.
> >>
> >> 2) If you mean to somehow get the SunJSSE provider to use
> >> BouncyCastle's TLS code, then no, there's no way to do that.
> >> Although it's moot, the BC provider can handle JKS keystores fine.
> >>
> >> 3) It is feasible to implement JSSE over our lightweight TLS API if
> >> you only need one or two ciphersuites to be supported, and don't need
> >> to support all possible options etc. (I have done something similar
> >> for a client to get a PSK ciphersuite working for a tomcat server).
> >> Effort required would depend on familiarity with the JSSE and BC
> >> APIs, but at least several days I would think.
> >>
> >> If you absolutely need to use it via JSSE (e.g. to plug in to a
> >> webserver), then you're stuck with 3) I guess. Otherwise, using the
> >> lightweight API directly is an option. The tests in the
> >> org.bouncycastle.crypto.tls.test package are helpful to understand
> >> how to use it.
> >>
> >> Regards, Pete Dettman
> >>
> >> On 6/08/2015 2:56 pm, Sebastian Oerding wrote:
> >>> After investigating more on this I found several results
> >>> (stackoverflow and similar ones) indicating that BouncyCastle is a
> >>> JCE implementation - not a JSSE implementation. Hence it was
> >>> concluded that I could use BouncyCastle to implement my own
> >>> SSLContext (but I have to implement to complete protocol by
> >>> myself) which is then used after
> >>>
> >>> SSLContext.setDefault(new MySslContext);
> >>>
> >>> .
> >>>
> >>> Currently I'm stuck. I have different approaches which I could
> >>> follow. For
> >> none of these approaches I know whether the approach would be a
> >> successful one or how long I would need until I know whether it can
> >> be successful (but I have to implement it until tomorrow ... ).
> >>>
> >>> So there are different questions: 1) Is it correct that BouncyCastle
> >>> is a JCE implementation, not a JSSE
> >> implementation?
> >>> 2) Can I make Java to use BouncyCastle to establish SSL connections
> >>> and dhow to make and / convert the keystores accordingly? (Depending
> >>> on the firster to the first question this question may become
> >>> irrelevant) 3) How much effort would it require to implement an
> >>> SSLContext using
> >> BouncyCastle? Which parts of BouncyCastle can I re-use to do so?
> >>>
> >>> With regards Sebastian
>


smime.p7s (11K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

AW: [dev-crypto] AW: Using Bouncycastle to establish TLS connections

Steffen Heil (Mailinglisten)
In reply to this post by Sebastian Oerding
Hi


As I understand, your basic intention is to use a certain SocketFactory for LDAPS only.
Why don't you select that factory when connecting?

        Hashtable<String,String> env = new Hashtable<>();
        env.put( Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory" );
        env.put( Context.PROVIDER_URL, ("ldaps://" + host + ":" + port );
        env.put( "java.naming.ldap.factory.socket", MyFactory.class.getName() );
        ctx = new InitialLdapContext( env, null );


Regards,
  Steffen


smime.p7s (8K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

AW: [dev-crypto] AW: Using Bouncycastle to establish TLS connections

Sebastian Oerding
Hello,

this was one of may questions.

I tried this approach but it failed with "instance is not an object of desired class" or something similar - until I implemented public static SSLSocketFactory getDefault() in my class (which returns an instance of that class).

Thanks for your hint, I fixed this issue just one hour before receiving your email :-)

However as you seem to be familiar with LDAPS I have one more question (should create a new topic if this goes further)
However I still have the problem that

new InitialLdapContext(properties, null);

blocks / does not return until a timeout occurs after approximately two minutes. Capturing the communication with wireshark the TLS layer seems to be fine now. Client and server, both send ChangeCipherSpec and handshake finish messages. When the timeout occurs some encrypted alerts are sent (probably encrypted close_notify) due to closing the connection.

Do you have any idea what could cause this problem? My properties are as follows:


Regards,
Sebastian

> -----Ursprüngliche Nachricht-----
> Von: Steffen Heil (Mailinglisten) [mailto:[hidden email]]
> Gesendet: Mittwoch, 16. September 2015 11:16
> An: Sebastian Oerding <[hidden email]>; dev-
> [hidden email]
> Betreff: [Signatur ungueltig] AW: [dev-crypto] AW: Using Bouncycastle to
> establish TLS connections
>
> Hi
>
>
> As I understand, your basic intention is to use a certain SocketFactory for
> LDAPS only.
> Why don't you select that factory when connecting?
>
> Hashtable<String,String> env = new Hashtable<>();
> env.put( Context.INITIAL_CONTEXT_FACTORY,
> "com.sun.jndi.ldap.LdapCtxFactory" );
> env.put( Context.PROVIDER_URL, ("ldaps://" + host + ":" + port );
> env.put( "java.naming.ldap.factory.socket",
> MyFactory.class.getName() );
> ctx = new InitialLdapContext( env, null );
>
>
> Regards,
>   Steffen

smime.p7s (11K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

AW: [dev-crypto] AW: Using Bouncycastle to establish TLS connections

Sebastian Oerding
Sorry, Outlook sent the mail before I pasted the missing code in.

My properties are as follows:


                final Properties env = new Properties();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
                env.put(Context.PROVIDER_URL, "ldaps://ldap.energy.dev.telesec.de:636");
                // Not required when giving an LDAPS URL
                // env.put(Context.SECURITY_PROTOCOL, "ssl");
                env.put(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
                env.put("java.naming.ldap.factory.socket", "de.robotron.tls.BcTlsSocketFactoryImpl");

Regards,
Sebastian

> -----Ursprüngliche Nachricht-----
> Von: Sebastian Oerding [mailto:[hidden email]]
> Gesendet: Mittwoch, 16. September 2015 11:41
> An: [hidden email]
> Betreff: [Signatur gueltig] AW: [dev-crypto] AW: Using Bouncycastle to
> establish TLS connections
>
> Hello,
>
> this was one of may questions.
>
> I tried this approach but it failed with "instance is not an object of desired
> class" or something similar - until I implemented public static
> SSLSocketFactory getDefault() in my class (which returns an instance of that
> class).
>
> Thanks for your hint, I fixed this issue just one hour before receiving your
> email :-)
>
> However as you seem to be familiar with LDAPS I have one more question
> (should create a new topic if this goes further) However I still have the
> problem that
>
> new InitialLdapContext(properties, null);
>
> blocks / does not return until a timeout occurs after approximately two
> minutes. Capturing the communication with wireshark the TLS layer seems to
> be fine now. Client and server, both send ChangeCipherSpec and handshake
> finish messages. When the timeout occurs some encrypted alerts are sent
> (probably encrypted close_notify) due to closing the connection.
>
> Do you have any idea what could cause this problem? My properties are as
> follows:
>
>
> Regards,
> Sebastian
>
> > -----Ursprüngliche Nachricht-----
> > Von: Steffen Heil (Mailinglisten) [mailto:[hidden email]]
> > Gesendet: Mittwoch, 16. September 2015 11:16
> > An: Sebastian Oerding <[hidden email]>; dev-
> > [hidden email]
> > Betreff: [Signatur ungueltig] AW: [dev-crypto] AW: Using Bouncycastle
> > to establish TLS connections
> >
> > Hi
> >
> >
> > As I understand, your basic intention is to use a certain
> > SocketFactory for LDAPS only.
> > Why don't you select that factory when connecting?
> >
> > Hashtable<String,String> env = new Hashtable<>();
> > env.put( Context.INITIAL_CONTEXT_FACTORY,
> > "com.sun.jndi.ldap.LdapCtxFactory" );
> > env.put( Context.PROVIDER_URL, ("ldaps://" + host + ":" + port );
> > env.put( "java.naming.ldap.factory.socket",
> > MyFactory.class.getName() );
> > ctx = new InitialLdapContext( env, null );
> >
> >
> > Regards,
> >   Steffen

smime.p7s (11K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

AW: [dev-crypto] AW: Using Bouncycastle to establish TLS connections

Steffen Heil (Mailinglisten)
Hi


We are using basic authentication, not external, so I am not sure I can help.
Of course you need to find out why the communication stops, so that you get a timeout. There I cannot help.
However, you can configure the timeouts:

        env.put( "com.sun.jndi.ldap.read.timeout", Long.toString( readTimeout ) );
        env.put( "com.sun.jndi.ldap.connect.timeout", Long.toString( connectTimeout ) );

(With the timeouts being specified in milliseconds.)


Good luck,
  Steffen



> -----Ursprüngliche Nachricht-----
> Von: Sebastian Oerding [mailto:[hidden email]]
> Gesendet: Mittwoch, 16. September 2015 11:42
> An: [hidden email]
> Betreff: AW: [dev-crypto] AW: Using Bouncycastle to establish TLS connections
>
> Sorry, Outlook sent the mail before I pasted the missing code in.
>
> My properties are as follows:
>
>
> final Properties env = new Properties();
> env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
> env.put(Context.PROVIDER_URL, "ldaps://ldap.energy.dev.telesec.de:636");
> // Not required when giving an LDAPS URL
> // env.put(Context.SECURITY_PROTOCOL, "ssl");
> env.put(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
> env.put("java.naming.ldap.factory.socket", "de.robotron.tls.BcTlsSocketFactoryImpl");
>
> Regards,
> Sebastian
>
> > -----Ursprüngliche Nachricht-----
> > Von: Sebastian Oerding [mailto:[hidden email]]
> > Gesendet: Mittwoch, 16. September 2015 11:41
> > An: [hidden email]
> > Betreff: [Signatur gueltig] AW: [dev-crypto] AW: Using Bouncycastle to
> > establish TLS connections
> >
> > Hello,
> >
> > this was one of may questions.
> >
> > I tried this approach but it failed with "instance is not an object of desired
> > class" or something similar - until I implemented public static
> > SSLSocketFactory getDefault() in my class (which returns an instance of that
> > class).
> >
> > Thanks for your hint, I fixed this issue just one hour before receiving your
> > email :-)
> >
> > However as you seem to be familiar with LDAPS I have one more question
> > (should create a new topic if this goes further) However I still have the
> > problem that
> >
> > new InitialLdapContext(properties, null);
> >
> > blocks / does not return until a timeout occurs after approximately two
> > minutes. Capturing the communication with wireshark the TLS layer seems to
> > be fine now. Client and server, both send ChangeCipherSpec and handshake
> > finish messages. When the timeout occurs some encrypted alerts are sent
> > (probably encrypted close_notify) due to closing the connection.
> >
> > Do you have any idea what could cause this problem? My properties are as
> > follows:
> >
> >
> > Regards,
> > Sebastian
> >
> > > -----Ursprüngliche Nachricht-----
> > > Von: Steffen Heil (Mailinglisten) [mailto:[hidden email]]
> > > Gesendet: Mittwoch, 16. September 2015 11:16
> > > An: Sebastian Oerding <[hidden email]>; dev-
> > > [hidden email]
> > > Betreff: [Signatur ungueltig] AW: [dev-crypto] AW: Using Bouncycastle
> > > to establish TLS connections
> > >
> > > Hi
> > >
> > >
> > > As I understand, your basic intention is to use a certain
> > > SocketFactory for LDAPS only.
> > > Why don't you select that factory when connecting?
> > >
> > > Hashtable<String,String> env = new Hashtable<>();
> > > env.put( Context.INITIAL_CONTEXT_FACTORY,
> > > "com.sun.jndi.ldap.LdapCtxFactory" );
> > > env.put( Context.PROVIDER_URL, ("ldaps://" + host + ":" + port );
> > > env.put( "java.naming.ldap.factory.socket",
> > > MyFactory.class.getName() );
> > > ctx = new InitialLdapContext( env, null );
> > >
> > >
> > > Regards,
> > >   Steffen

smime.p7s (8K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

AW: [dev-crypto] AW: Using Bouncycastle to establish TLS connections

Sebastian Oerding
Hello,

I figured out that the timeout occurs as the socket used under the hood is blocking and using JNDI it is tried to read from the socket before writing a BindRequest to it.

Do you have any hints on making the socket non-blocking?

Currently the only approach I can think of is to wrap the stream returned by getInputStream / getOutputStream. In the wrapped stream I can  use getAvailable() (should not block) and Thread.sleep or similar stuff in a loop.

Regards,
Sebastian

> -----Ursprüngliche Nachricht-----
> Von: Steffen Heil (Mailinglisten) [mailto:[hidden email]]
> Gesendet: Mittwoch, 16. September 2015 19:38
> An: Sebastian Oerding <[hidden email]>; dev-
> [hidden email]
> Betreff: [Signatur ungueltig] AW: [dev-crypto] AW: Using Bouncycastle to
> establish TLS connections
>
> Hi
>
>
> We are using basic authentication, not external, so I am not sure I can help.
> Of course you need to find out why the communication stops, so that you
> get a timeout. There I cannot help.
> However, you can configure the timeouts:
>
> env.put( "com.sun.jndi.ldap.read.timeout", Long.toString(
> readTimeout ) );
> env.put( "com.sun.jndi.ldap.connect.timeout", Long.toString(
> connectTimeout ) );
>
> (With the timeouts being specified in milliseconds.)
>
>
> Good luck,
>   Steffen
>
>
>
> > -----Ursprüngliche Nachricht-----
> > Von: Sebastian Oerding [mailto:[hidden email]]
> > Gesendet: Mittwoch, 16. September 2015 11:42
> > An: [hidden email]
> > Betreff: AW: [dev-crypto] AW: Using Bouncycastle to establish TLS
> > connections
> >
> > Sorry, Outlook sent the mail before I pasted the missing code in.
> >
> > My properties are as follows:
> >
> >
> > final Properties env = new Properties();
> > env.put(Context.INITIAL_CONTEXT_FACTORY,
> "com.sun.jndi.ldap.LdapCtxFactory");
> > env.put(Context.PROVIDER_URL,
> "ldaps://ldap.energy.dev.telesec.de:636");
> > // Not required when giving an LDAPS URL
> > // env.put(Context.SECURITY_PROTOCOL, "ssl");
> > env.put(Context.SECURITY_AUTHENTICATION, "EXTERNAL");
> > env.put("java.naming.ldap.factory.socket",
> > "de.robotron.tls.BcTlsSocketFactoryImpl");
> >
> > Regards,
> > Sebastian
> >
> > > -----Ursprüngliche Nachricht-----
> > > Von: Sebastian Oerding [mailto:[hidden email]]
> > > Gesendet: Mittwoch, 16. September 2015 11:41
> > > An: [hidden email]
> > > Betreff: [Signatur gueltig] AW: [dev-crypto] AW: Using Bouncycastle
> > > to establish TLS connections
> > >
> > > Hello,
> > >
> > > this was one of may questions.
> > >
> > > I tried this approach but it failed with "instance is not an object
> > > of desired class" or something similar - until I implemented public
> > > static SSLSocketFactory getDefault() in my class (which returns an
> > > instance of that class).
> > >
> > > Thanks for your hint, I fixed this issue just one hour before
> > > receiving your email :-)
> > >
> > > However as you seem to be familiar with LDAPS I have one more
> > > question (should create a new topic if this goes further) However I
> > > still have the problem that
> > >
> > > new InitialLdapContext(properties, null);
> > >
> > > blocks / does not return until a timeout occurs after approximately
> > > two minutes. Capturing the communication with wireshark the TLS
> > > layer seems to be fine now. Client and server, both send
> > > ChangeCipherSpec and handshake finish messages. When the timeout
> > > occurs some encrypted alerts are sent (probably encrypted close_notify)
> due to closing the connection.
> > >
> > > Do you have any idea what could cause this problem? My properties
> > > are as
> > > follows:
> > >
> > >
> > > Regards,
> > > Sebastian
> > >
> > > > -----Ursprüngliche Nachricht-----
> > > > Von: Steffen Heil (Mailinglisten) [mailto:[hidden email]]
> > > > Gesendet: Mittwoch, 16. September 2015 11:16
> > > > An: Sebastian Oerding <[hidden email]>; dev-
> > > > [hidden email]
> > > > Betreff: [Signatur ungueltig] AW: [dev-crypto] AW: Using
> > > > Bouncycastle to establish TLS connections
> > > >
> > > > Hi
> > > >
> > > >
> > > > As I understand, your basic intention is to use a certain
> > > > SocketFactory for LDAPS only.
> > > > Why don't you select that factory when connecting?
> > > >
> > > > Hashtable<String,String> env = new Hashtable<>();
> > > > env.put( Context.INITIAL_CONTEXT_FACTORY,
> > > > "com.sun.jndi.ldap.LdapCtxFactory" );
> > > > env.put( Context.PROVIDER_URL, ("ldaps://" + host + ":" + port );
> > > > env.put( "java.naming.ldap.factory.socket",
> > > > MyFactory.class.getName() );
> > > > ctx = new InitialLdapContext( env, null );
> > > >
> > > >
> > > > Regards,
> > > >   Steffen

smime.p7s (11K) Download Attachment