[EMAIL PROTECTED] wrote:
>Jim,
>Here's how I obtain my keystore files:
>
>1.  I have client certificate information in p12 format.  I then
>imported it into a keystore file as a key entry using the Sun security
>tool pkcs12import (xws-security).
>2. I also have the trusted keystore file, into which I imported the
>.pem file as a trusted entry using the keytool utility.
>
>3.  The server (OpenSSL) requires the client certificate to be sent in.  The
>client certificate that I send in is signed by the root certificate
>which exists on the server.  Therefore the client should be trusted.
>
>
>Below is the debug trace:
>
>trigger seeding of SecureRandom
>done seeding SecureRandom
>JsseJce: Using cipher AES/CBC/NoPadding from provider SunJCE
>%% No cached client session
>*** ClientHello, TLSv1
>  
Marek did a nice job of breaking down the handshake.  But it appears
that your problem is defined by the 'no IV' message.  I did a quick
search on it and didn't find much that was helpful.  Some of the
responses posted links to sites that explain what an Initialization
Vector is:

http://www.ciphersbyritter.com/NEWS6/CBCIV.HTM
http://en.wikipedia.org/wiki/Initialization_vector
http://www.trumpetpower.com/Papers/Crypto/Playfair

If you have any control over the server, there is some OpenSSL
information on IVs in the DES doc:

http://www.openssl.org/docs/crypto/des.html

However, I believe that unless someone here has something to add, your
best bet is to check out the JSSE Java Cryptography Extension forums.

Later . . .   Jim

>... no IV for cipher
>main, WRITE: TLSv1 Change Cipher Spec, length = 1
>JsseJCE: Using JSSE internal implementation for cipher RC4
>*** Finished
>verify_data:  { 250, 0, 28, 224, 143, 7, 113, 110, 246, 8, 118, 140 }
>***
>[write] MD5 and SHA1 hashes:  len = 16
>0000: 14 00 00 0C FA 00 1C E0   8F 07 71 6E F6 08 76 8C
>..........qn..v.
>Plaintext before ENCRYPTION:  len = 36
>0000: 14 00 00 0C FA 00 1C E0   8F 07 71 6E F6 08 76 8C
>..........qn..v.
>0010: 6C 89 0D 5C 7A 89 05 83   4D 24 29 E6 0F 40 30 00
>l..\z...M$)[EMAIL PROTECTED]
>0020: 0F 39 8D F5                                        .9..
>main, WRITE: TLSv1 Handshake, length = 36
>main, READ: TLSv1 Alert, length = 2
>main, RECV TLSv1 ALERT:  fatal, handshake_failure
>main, called closeSocket()
>main, handling exception: javax.net.ssl.SSLHandshakeException: Received
>fatal alert: handshake_failure
>javax.jms.JMSSecurityException: Failed to connect via SSL to
>[ssl://clldc-s-6132:7243]: Received fatal alert: handshake_failure
>       at
>com.tibco.tibjms.TibjmsxLinkSSL.connect(TibjmsxLinkSSL.java:429)
>       at
>com.tibco.tibjms.TibjmsConnection._create(TibjmsConnection.java:688)
>       at
>com.tibco.tibjms.TibjmsConnection.<init>(TibjmsConnection.java:1955)
>       at
>com.tibco.tibjms.TibjmsQueueConnection.<init>(TibjmsQueueConnection.java
>:37)
>       at
>com.tibco.tibjms.TibjmsxCFImpl._createImpl(TibjmsxCFImpl.java:187)
>       at
>com.tibco.tibjms.TibjmsxCFImpl._createConnection(TibjmsxCFImpl.java:240)
>       at
>com.tibco.tibjms.TibjmsQueueConnectionFactory.createQueueConnection(Tibj
>msQueueConnectionFactory.java:79)
>       at Sender.main(Sender.java:39)
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Jim Sansing
>Sent: Wednesday, April 18, 2007 8:57 AM
>To: openssl-users@openssl.org
>Subject: Re: Open SSL server and JSee client
>
>What is the java error?
>
>But in the meantime, since you didn't mention it, there are a few steps
>you could verify:
>
>1) Since you are using a local keystore, can I assume that you added the
>certificate to it using the keystore command?
>
>2) By 'mutual authentication' do you mean that the server must
>authenticate the client's (self-signed) certificate? If so, has it been
>added to the server's local certificate file?
>
>3) If the server must authenticate multiple certificates, is it calling
>SSL_CTX_use_certificate_chain_file during init?
>
>Later . . . Jim
>
>
>[EMAIL PROTECTED] wrote:
>  
>>I have a JSSE client that needs to talk to a server that implements
>>OpenSSL 0.9.8d. Mutual authentication is required. Even though I added
>>the JVM parameters used to load the client certificate, I keep getting
>>handshake failure. I just wonder whether this is a well-known problem
>>and what the appropriate workaround is.
>>
>>Below are the JVM parameters :
>>
>>-Djavax.net.debug=all,data,trustManager
>>-Djavax.net.ssl.keyStore=D:\Test\AmberPointAgent2
>>-Djavax.net.ssl.keyStorePassword=password
>>-Djavax.net.ssl.trustStore=D:\Test\AmberPointAgent
>>-Djavax.net.ssl.trustStorePassword=password
>>-Dcom.sun.net.ssl.dhKeyExchangeFix=true
>>
>>Thanks
>>
>>Lan
>>
>>This message is for the designated recipient only and may contain
>>privileged, proprietary, or otherwise private information. If you have
>>received it in error, please notify the sender immediately and delete
>>the original. Any other use of the email by you is prohibited.
>>
>>    
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>User Support Mailing List                    openssl-users@openssl.org
>Automated List Manager                           [EMAIL PROTECTED]
>
>
>
>  
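
Added example, not part of the original thread or of any poster's code: a small Python triage script for `javax.net.debug` output like the trace quoted above, reporting which handshake message and record the client had last written when the fatal alert arrived. The sample trace is constructed from lines that appear in the thread; the function name `summarize` and the regular expressions are assumptions based only on the line formats shown there.

```python
import re

# Constructed sample: lines taken from the javax.net.debug trace quoted in this thread.
TRACE = """\
%% No cached client session
*** ClientHello, TLSv1
... no IV for cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using JSSE internal implementation for cipher RC4
*** Finished
verify_data:  { 250, 0, 28, 224, 143, 7, 113, 110, 246, 8, 118, 140 }
***
main, WRITE: TLSv1 Handshake, length = 36
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT:  fatal, handshake_failure
main, called closeSocket()
"""

# Line formats assumed from the trace above (not a full JSSE debug grammar).
MSG = re.compile(r"^\*\*\* (\w[\w ]*?)(?:,|$)")   # "*** ClientHello, TLSv1"
REC = re.compile(r"^(\S+), (WRITE|READ): (\S+) (.+?), length = (\d+)")
ALERT = re.compile(r"^(\S+), RECV (\S+) ALERT:\s+(\w+), (\w+)")

def summarize(trace):
    """Return (messages, written, alerts) in the order they appear in the trace."""
    messages, written, alerts = [], [], []
    for raw in trace.splitlines():
        line = raw.strip()
        if m := MSG.match(line):
            messages.append(m.group(1))            # handshake message name
        elif (m := REC.match(line)) and m.group(2) == "WRITE":
            written.append(m.group(4))             # record type the client sent
        elif m := ALERT.match(line):
            alerts.append({
                "level": m.group(3),
                "desc": m.group(4),
                # State of the client when the peer's alert was received.
                "last_message": messages[-1] if messages else None,
                "last_write": written[-1] if written else None,
            })
    return messages, written, alerts

if __name__ == "__main__":
    msgs, recs, alerts = summarize(TRACE)
    print("handshake messages:", msgs)
    print("records written:   ", recs)
    for a in alerts:
        print("alert:", a)
```
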