SSL communication issue with JDK 1.6.0_19

843811 Jun 3 2010 — edited Jun 23 2010
Hi,

I am facing an issue with JDK 1.6.0_19. I have a Java client which communicates with the server over SSL. It is able to communicate properly with JDK versions <= 1.6.0_18. But I get the exception javax.net.ssl.SSLException: HelloRequest followed by an unexpected handshake message when the client tries to communicate with the server on JDK 1.6.0_19.
We are using mutual authentication. The client and the server both have a signed certificate. The client certificate has to be validated by the server to establish the connection.
I have seen in the forum that it is a renegotiation issue. So, if I enable the renegotiation flag with -Dsun.security.ssl.allowUnsafeRenegotiation=true, it works fine. But enabling renegotiation is itself a vulnerability, so I can't enable renegotiation.

I am using httpclient 4.0 and JSSE on the client side and IIS on the server side for this SSL connection.
I am not sure which side, client or server, is initiating the renegotiation.

Please help me out.


I have tried the openssl command from the console.
The command is:
 openssl s_client -connect X.X.X:443 -CAfile "xxxxx" -cert "xxxxxxxx" -key "xxxxxxxxxx" -state -verify 20 
Here is the output:
Loading 'screen' into random state - done
CONNECTED(00000748)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
xxxxxxxxxxx.................
verify return:1
xxxxxxxxxxx.................
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
xxxxxxxxxxx.................
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxxxxxxx.................
-----END CERTIFICATE-----
xxxxxxxxxxx.................
---
No client certificate CA names sent
---
SSL handshake has read 1839 bytes and written 392 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: xxxxxxxxxxx
    Session-ID-ctx:
    Master-Key: xxxxxxxxxxx
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1275564626
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
read:errno=10054
If you look at the console output, you can see that two statements are missing. Those are:
SSL_connect:SSLv3 read server certificate request A

SSL_connect:SSLv3 write client certificate A
So, I would like to know if this is any clue as to which is asking for renegotiation.
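
An added example, not part of the original post: a small parser for `openssl s_client -state` output that reports whether the server sent a CertificateRequest during the initial handshake and whether it advertises secure renegotiation. The sample trace is constructed from lines quoted in the post; the function and key names are hypothetical, and the last function assumes, as the post states, that the server requires a client certificate.

```python
import re

# Constructed sample: state and summary lines copied from the trace in the post.
SAMPLE_TRACE = """\
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 read finished A
No client certificate CA names sent
Secure Renegotiation IS NOT supported
read:errno=10054
"""

# Matches e.g. "SSL_connect:SSLv3 read server hello A"; the trailing state letter is optional.
STATE_RE = re.compile(r"^SSL_connect:\S+\s+(read|write)\s+(.+?)(?:\s+[A-Z])?$")


def analyse_trace(text):
    """Summarise client-certificate and renegotiation facts from s_client -state output."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.append((m.group(1), m.group(2)))
    # The initial handshake ends when the server's Finished message has been read.
    done = ("read", "finished") in states
    initial = states[: states.index(("read", "finished")) + 1] if done else states
    reneg = re.search(r"Secure Renegotiation IS( NOT)? supported", text)
    errno = re.search(r"^read:errno=(\d+)", text, re.MULTILINE)
    return {
        "handshake_completed": done,
        "cert_requested_in_initial_handshake": ("read", "server certificate request") in initial,
        "client_cert_sent": ("write", "client certificate") in initial,
        "secure_renegotiation": None if reneg is None else reneg.group(1) is None,
        "read_errno": int(errno.group(1)) if errno else None,
    }


def needs_second_handshake_for_client_cert(facts):
    """True if the first handshake finished without the server asking for a certificate."""
    return facts["handshake_completed"] and not facts["cert_requested_in_initial_handshake"]


if __name__ == "__main__":
    facts = analyse_trace(SAMPLE_TRACE)
    print(facts, needs_second_handshake_for_client_cert(facts))
```

When the last function returns True for a server that requires a client certificate, the certificate can only be requested on that connection through a further handshake after the first one has finished.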
Locked on Jul 21 2010
Added on Jun 3 2010