'AW: [dev-crypto] Re: Using TLSv1.1, JDK-8, and TLS-PSK'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bouncycastle-crypto-dev
Subject:    AW: [dev-crypto] Re: Using TLSv1.1, JDK-8, and TLS-PSK
From:       Sebastian Oerding <sebastian.oerding () robotron ! de>
Date:       2015-11-19 7:27:35
Message-ID: 7115af24e97c421e867059af84b9c21d () RDSSW010 ! robotron ! de
[Download RAW message or body]

[Attachment #2 (unknown)]

Hi,

depending on what you actually want to do it may be more or less easy / difficult to \
use the BC code.

However if you normally use JSSE and use BouncyCastle instead due to the ciphersuite \
everything JSSE does for you has to be done by yourself.

Check https://software.robotron.de/sources/bouncycastle-tls-client/

This contains code originally taken from the PersoApp but modified to support TLS \
with client authentication (does not support server).

Depending on your actual requirements (webservice, LDAPS, ...) you may use an \
SSLSocketFactory instead without the need for an SSLContext or an SSLEngine.

With regards Sebastian

> -----Ursprüngliche Nachricht-----
> Von: Chris Ridmann [mailto:chris.ridmann@gmail.com]
> Gesendet: Donnerstag, 19. November 2015 00:07
> An: dev-crypto@bouncycastle.org
> Betreff: [dev-crypto] Re: Using TLSv1.1, JDK-8, and TLS-PSK
> 
> Hey sorry guys - when I first posted this thread I didn't see any similar issue
> on this list using the search feature...however there does seem to be a
> similar topic http://bouncycastle.org/devmailarchive/msg14319.html
> 
> I think I find myself in this boat:
> 
> "
> 3) It is feasible to implement JSSE over our lightweight TLS API if you only
> need one or two ciphersuites to be supported, and don't need to support all
> possible options etc. (I have done something similar for a client to get a PSK
> ciphersuite working for a tomcat server). Effort required would depend on
> familiarity with the JSSE and BC APIs, but at least several days I would think.
> "
> I've read through
> http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSE
> RefGuide.html and this seems pretty daunting to actually do.  Does anyone
> know of any other references or code samples from BC that could help in this
> implementation?
> 
> On Tue, Nov 17, 2015 at 10:10 PM, Chris Ridmann <chris.ridmann@gmail.com
> <mailto:chris.ridmann@gmail.com> > wrote:
> 
> 
> 	Hello,
> 
> 	I'm relatively new to BC and JCCE, so please allow a basic question ;)
> 
> 	I am using JDK 8, and need to integrate the cipher
> TLS_PSK_WITH_AES_128_CBC_SHA into JSSE using TLSv1.1.  From what I've
> gathered around other sources, BC seems to only be a JCA provider, but is
> not a JSSE provider (not sure I fully understand the difference, even after
> reading the specs).  BC is the only source I could find that provides an
> implementation of this cipher.
> 
> 	When I look at BC source code, I find this cipher in TlsUtils.java:
> https://www.google.com/url?q=https%3A%2F%2Fgithub.com%2Fbcgit%2Fb
> c-
> java%2Fblob%2Fdd3d4c4ffe31296e231e9075a26c72b399be3f05%2Fcore%2Fs
> rc%2Fmain%2Fjava%2Forg%2Fbouncycastle%2Fcrypto%2Ftls%2FTlsUtils.java
> %23L1438&sa=D&sntz=1&usg=AFQjCNFMoPhOKzotEoI2O_86WYbuvGlfJg
> 
> 	However, when I try to load the cipher in my SSLContext, I eventually
> get something like "Unsupported ciphersuite
> TLS_PSK_WITH_AES_128_CBC_SHA"
> 
> 	I am loading my SSLContext like so (scala source code):
> 
> 	Security.addProvider(new BouncyCastleProvider)
> 
> 	val context = SSLContext.getInstance("TLS")  // will probably need to
> change to TLSv1.1
> 	context.init(null, null, null)
> 	... // request for cipher in context of my app, then exception thrown
> 
> 	When I do:
> 	context.getDefaultSSLParameters.getCipherSuites.toList.sorted.fore
> ach(println)
> 
> 
> 	I get:
> 
> 	[info] SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> 	[info] SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> 	[info] SSL_RSA_WITH_3DES_EDE_CBC_SHA
> 	[info] SSL_RSA_WITH_RC4_128_MD5
> 	[info] SSL_RSA_WITH_RC4_128_SHA
> 	[info] TLS_DHE_DSS_WITH_AES_128_CBC_SHA
> 	[info] TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> 	[info] TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
> 	[info] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
> 	[info] TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
> 	[info] TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> 	[info] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> 	[info] TLS_ECDHE_RSA_WITH_RC4_128_SHA
> 	[info] TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
> 	[info] TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
> 	[info] TLS_ECDH_ECDSA_WITH_RC4_128_SHA
> 	[info] TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
> 	[info] TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
> 	[info] TLS_ECDH_RSA_WITH_RC4_128_SHA
> 	[info] TLS_EMPTY_RENEGOTIATION_INFO_SCSV
> 	[info] TLS_RSA_WITH_AES_128_CBC_SHA
> 
> 
> 	Which does not include the cipher, which is surprising to me as it's
> included in TlsUtils.java
> 
> 
> 	Is it possible to do what I'm trying to do, or am I barking up the wrong
> tree?  Is there any easy way to extend BC to also be a JSSE provider for this
> cipher?
> 
> 
> 	Thanks!
> 
> 
> 	--
> 
> 	Chris Ridmann
> 
> 
> 
> --
> 
> Chris Ridmann


["smime.p7s" (application/x-pkcs7-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic