List: bouncycastle-crypto-dev
Subject: AW: [dev-crypto] Re: Using TLSv1.1, JDK-8, and TLS-PSK
From: Sebastian Oerding <sebastian.oerding () robotron ! de>
Date: 2015-11-19 7:27:35
Message-ID: 7115af24e97c421e867059af84b9c21d () RDSSW010 ! robotron ! de
Hi,
depending on what you actually want to do it may be more or less easy / difficult to use the BC code.
However if you normally use JSSE and use BouncyCastle instead due to the ciphersuite everything JSSE does for you has to be done by yourself.
Check https://software.robotron.de/sources/bouncycastle-tls-client/
This contains code originally taken from the PersoApp but modified to support TLS with client authentication (does not support server).
Depending on your actual requirements (webservice, LDAPS, ...) you may use an SSLSocketFactory instead without the need for an SSLContext or an SSLEngine.
With regards Sebastian
> -----Original Message-----
> From: Chris Ridmann [mailto:chris.ridmann@gmail.com]
> Sent: Thursday, 19 November 2015 00:07
> To: dev-crypto@bouncycastle.org
> Subject: [dev-crypto] Re: Using TLSv1.1, JDK-8, and TLS-PSK
>
> Hey sorry guys - when I first posted this thread I didn't see any similar issue
> on this list using the search feature...however there does seem to be a
> similar topic http://bouncycastle.org/devmailarchive/msg14319.html
>
> I think I find myself in this boat:
>
> "
> 3) It is feasible to implement JSSE over our lightweight TLS API if you only
> need one or two ciphersuites to be supported, and don't need to support all
> possible options etc. (I have done something similar for a client to get a PSK
> ciphersuite working for a tomcat server). Effort required would depend on
> familiarity with the JSSE and BC APIs, but at least several days I would think.
> "
> I've read through
> http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html
> and this seems pretty daunting to actually do. Does anyone
> know of any other references or code samples from BC that could help in this
> implementation?
>
> On Tue, Nov 17, 2015 at 10:10 PM, Chris Ridmann <chris.ridmann@gmail.com> wrote:
>
>
> Hello,
>
> I'm relatively new to BC and JCCE, so please allow a basic question ;)
>
> I am using JDK 8, and need to integrate the cipher
> TLS_PSK_WITH_AES_128_CBC_SHA into JSSE using TLSv1.1. From what I've
> gathered around other sources, BC seems to only be a JCA provider, but is
> not a JSSE provider (not sure I fully understand the difference, even after
> reading the specs). BC is the only source I could find that provides an
> implementation of this cipher.
>
> When I look at BC source code, I find this cipher in TlsUtils.java:
> https://www.google.com/url?q=https%3A%2F%2Fgithub.com%2Fbcgit%2Fbc-java%2Fblob%2Fdd3d4c4ffe31296e231e9075a26c72b399be3f05%2Fcore%2Fsrc%2Fmain%2Fjava%2Forg%2Fbouncycastle%2Fcrypto%2Ftls%2FTlsUtils.java%23L1438&sa=D&sntz=1&usg=AFQjCNFMoPhOKzotEoI2O_86WYbuvGlfJg
>
> However, when I try to load the cipher in my SSLContext, I eventually
> get something like "Unsupported ciphersuite
> TLS_PSK_WITH_AES_128_CBC_SHA"
>
> I am loading my SSLContext like so (scala source code):
>
> import java.security.Security
> import javax.net.ssl.SSLContext
> import org.bouncycastle.jce.provider.BouncyCastleProvider
>
> Security.addProvider(new BouncyCastleProvider)
>
> val context = SSLContext.getInstance("TLS") // will probably need to change to TLSv1.1
> context.init(null, null, null)
> ... // request for cipher in context of my app, then exception thrown
>
> When I do:
> context.getDefaultSSLParameters.getCipherSuites.toList.sorted.foreach(println)
>
>
> I get:
>
> [info] SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
> [info] SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
> [info] SSL_RSA_WITH_3DES_EDE_CBC_SHA
> [info] SSL_RSA_WITH_RC4_128_MD5
> [info] SSL_RSA_WITH_RC4_128_SHA
> [info] TLS_DHE_DSS_WITH_AES_128_CBC_SHA
> [info] TLS_DHE_RSA_WITH_AES_128_CBC_SHA
> [info] TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
> [info] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
> [info] TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
> [info] TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
> [info] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
> [info] TLS_ECDHE_RSA_WITH_RC4_128_SHA
> [info] TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
> [info] TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
> [info] TLS_ECDH_ECDSA_WITH_RC4_128_SHA
> [info] TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
> [info] TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
> [info] TLS_ECDH_RSA_WITH_RC4_128_SHA
> [info] TLS_EMPTY_RENEGOTIATION_INFO_SCSV
> [info] TLS_RSA_WITH_AES_128_CBC_SHA
>
>
> Which does not include the cipher, which is surprising to me as it's
> included in TlsUtils.java
>
>
> Is it possible to do what I'm trying to do, or am I barking up the wrong
> tree? Is there any easy way to extend BC to also be a JSSE provider for this
> cipher?
>
>
> Thanks!
>
>
> --
>
> Chris Ridmann
>
>
>
> --
>
> Chris Ridmann
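
As an added illustration of the reply's point (not code from this thread, from the linked robotron sources, or from the Bouncy Castle project): with the lightweight TLS API in `org.bouncycastle.crypto.tls`, as shipped in BC releases of this period, the application opens the socket and drives the handshake itself instead of going through `SSLContext`. The host, port, PSK identity and the `TLS_PSK_HEX` environment variable are placeholders assumed for the example.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import org.bouncycastle.crypto.tls.*;
import org.bouncycastle.util.encoders.Hex;

public class PskClientExample {
    public static void main(String[] args) throws IOException {
        // Placeholders (assumptions, not from the thread): endpoint, identity, key source.
        String host = "psk-server.example";
        int port = 4433;
        String pskHex = System.getenv("TLS_PSK_HEX");
        if (pskHex == null) {
            throw new IllegalStateException("TLS_PSK_HEX is not set");
        }
        byte[] psk = Hex.decode(pskHex);

        PSKTlsClient client = new PSKTlsClient(new BasicTlsPSKIdentity("client-1", psk)) {
            @Override
            public int[] getCipherSuites() {
                // Offer only the suite asked about in the thread; no fallback to others.
                return new int[] { CipherSuite.TLS_PSK_WITH_AES_128_CBC_SHA };
            }
            @Override
            public ProtocolVersion getClientVersion() {
                return ProtocolVersion.TLSv11; // highest version offered
            }
            @Override
            public ProtocolVersion getMinimumVersion() {
                return ProtocolVersion.TLSv11; // refuse negotiation below TLS 1.1
            }
            @Override
            public TlsAuthentication getAuthentication() throws IOException {
                // Plain PSK key exchange: the server sends no certificate,
                // so being asked to validate one is treated as a fatal error.
                throw new TlsFatalAlert(AlertDescription.internal_error);
            }
        };

        try (Socket socket = new Socket(host, port)) {
            TlsClientProtocol tls = new TlsClientProtocol(
                    socket.getInputStream(), socket.getOutputStream(), new SecureRandom());
            tls.connect(client); // blocking handshake; throws IOException on failure
            OutputStream out = tls.getOutputStream();
            out.write("hello over TLS-PSK\n".getBytes(StandardCharsets.US_ASCII));
            out.flush();
            tls.close(); // sends close_notify before the socket is closed
        }
    }
}
```

Nothing here touches JSSE: `Security.addProvider` and `SSLContext` are not involved, which is why the suite never appears in `getDefaultSSLParameters`.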