Hello Mark,

I was creating my certificates using KeyTool IUI. This application is
available as a free download here:
http://www.icewalkers.com/Linux/Software/530730/KeyTool-IUI.html

The reason why I could not use the standard Java keytool is that Android
does not support the JKS keystore. It supports only the BKS keystore, and I was
not able to add support for JKS to Android. However, I was able to add support
for BKS in standard Java using the library from Bouncy Castle
(http://www.bouncycastle.org/) as follows:
        Security.addProvider(new BouncyCastleProvider());


Anyway, if I understand the handshake process correctly, I don't need to
provide any certificate. The point is that the client generates keys (private
and public). Then it sends the public key to the server, which generates its
own private and public keys. The server then sends its public key back to the
client. Now the client can use the server's public key to encrypt its messages
and the server will decrypt them using its private key. Likewise, the server
can encrypt messages with the client's public key and the client can decrypt
them using its private key.
Providing a certificate at the beginning of the handshake process can help to
prevent a "man in the middle" attack, but the process should work even without
the certificate.
So what I tried to do after I got the error with the standard setup, which I
can see in
http://mina.apache.org/report/trunk/xref/org/apache/mina/example/echoserver/ssl/BogusSSLContextFactory.html
was to use empty keystores without any keys or certificates. The error
was still there.

I suppose, therefore, that the problem is not that I used incorrect keys. The
keys that are generated in the handshake process are somehow invalid, and
when the exception mentions a public key, I believe it means the public key
that was generated in the handshake process and sent to it by the server.

If I am wrong please correct me.

I should also correct my previous statement when I said that the error
occurs when I send a message. The error occurs even if I don't send any
message. I get the connection and after a while it fails. I suppose that the
handshake process is executed in a separate thread, and that is why the error
occurs with some delay.

Thank you for any help


Pavol Kaiser


On 20 April 2010 16:07, Mark <[email protected]> wrote:

> How are you creating your certificates?
>
>
> On Tue, Apr 20, 2010 at 5:22 AM, Pavol Kaiser <[email protected]>
> wrote:
> > Hello,
> >
> > I am trying to establish an SSL connection from a client application
> > running on Android to a server running on a Windows machine.
> > The connection seems to be established, but when I try to send a message I
> > get an error (see below). When implementing this I was following the
> > EchoServer example here:
> > http://mina.apache.org/report/trunk/xref/org/apache/mina/example/echoserver/
> > The same code works when I try to connect from a client running on
> > Windows. An unsecured connection works correctly even on Android.
> >
> > Below is the exception that I get:
> >
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217): javax.net.ssl.SSLHandshakeException: SSL handshake failed.
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:416)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:220)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:264)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1068)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:561)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at java.lang.Thread.run(Thread.java:1096)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217): Caused by: javax.net.ssl.SSLException: Error occured in delegated task:javax.net.ssl.SSLException: Unexpected exception
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.harmony.xnet.provider.jsse.HandshakeProtocol.fatalAlert(HandshakeProtocol.java:324)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.harmony.xnet.provider.jsse.HandshakeProtocol.wrap(HandshakeProtocol.java:276)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.harmony.xnet.provider.jsse.SSLEngineImpl.wrap(SSLEngineImpl.java:708)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:462)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:514)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:306)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:392)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     ... 9 more
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217): Caused by: org.apache.harmony.xnet.provider.jsse.AlertException: javax.net.ssl.SSLException: Unexpected exception
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.harmony.xnet.provider.jsse.HandshakeProtocol.fatalAlert(HandshakeProtocol.java:324)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.harmony.xnet.provider.jsse.ClientHandshakeImpl.processServerHelloDone(ClientHandshakeImpl.java:421)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.harmony.xnet.provider.jsse.ClientHandshakeImpl$1.run(ClientHandshakeImpl.java:287)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.harmony.xnet.provider.jsse.ClientHandshakeImpl$1.run(ClientHandshakeImpl.java:286)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at java.security.AccessController.doPrivilegedImpl(AccessController.java:205)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at java.security.AccessController.doPrivileged(AccessController.java:178)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.harmony.xnet.provider.jsse.DelegatedTask.run(DelegatedTask.java:54)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.mina.filter.support.SSLHandler.doTasks(SSLHandler.java:685)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:486)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     ... 11 more
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217): Caused by: javax.net.ssl.SSLException: Unexpected exception
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     ... 20 more
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217): Caused by: java.security.InvalidKeyException: The public key in the certificate cannot be used for ENCRYPT_MODE
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at javax.crypto.Cipher.init(Cipher.java:815)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at javax.crypto.Cipher.init(Cipher.java:747)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     at org.apache.harmony.xnet.provider.jsse.ClientHandshakeImpl.processServerHelloDone(ClientHandshakeImpl.java:418)
> > 04-20 08:47:32.168: ERROR/ConnectionManager(217):     ... 18 more
> >
> >
> > I found out in the Cipher class that this exception is thrown if one
> > wants to use a certificate for encryption and the certificate has the
> > extension set to "critical" but does not have the "encipherOnly" extension.
> > Is it possible that these attributes are not correctly set by Mina or
> > Android during the creation of a certificate?
> > Is Mina supported on Android? If not, do you plan to support it in the near
> > future (next few months)?
> > Do you know any possible workaround for this?
> >
> > I have been trying to solve this for the last few days and I am quite
> > desperate. Any help is welcome.
> >
> > Thank you
> >
> > Pavol Kaiser
> >
>

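The condition described in the quoted message (a KeyUsage extension marked critical that is then tested for the encipherOnly bit, rather than the keyEncipherment bit an RSA TLS server key normally carries) can be reproduced offline without Android or MINA. The Python below is an example added to this page; it is not code from the thread, from Apache MINA or from Android. It decodes a DER-encoded X.509 KeyUsage extension from constructed byte strings (not taken from any real certificate) and applies two acceptance rules: what RFC 5280 requires of an RSA key used for TLS key transport (keyEncipherment), and the rule as Pavol describes finding it in the Cipher class (critical and no encipherOnly). The second rule is modelled from his description only, not from Android source.

```python
"""Decode an X.509 KeyUsage extension and compare two acceptance rules for
using the certificate's public key in an encrypt (key transport) operation."""
from typing import FrozenSet, NamedTuple

KEY_USAGE_OID = "2.5.29.15"
# Bit positions from RFC 5280, section 4.2.1.3.
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly")


class KeyUsage(NamedTuple):
    critical: bool
    bits: FrozenSet[str]


def _read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_key_usage_extension(ext_der: bytes) -> KeyUsage:
    """Parse Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING } whose extnValue wraps a KeyUsage BIT STRING."""
    tag, seq, _ = _read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x06 or _decode_oid(oid) != KEY_USAGE_OID:
        raise ValueError("not a KeyUsage extension")
    critical = False
    tag, val, pos = _read_tlv(seq, pos)
    if tag == 0x01:  # BOOLEAN present; DER omits it when it equals the default FALSE
        critical = val == b"\xff"
        tag, val, pos = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    btag, bitstr, _ = _read_tlv(val, 0)
    if btag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, payload = bitstr[0], bitstr[1:]
    total_bits = len(payload) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if payload[i // 8] & (0x80 >> (i % 8)):  # bit 0 is the MSB of byte 0
            names.add(KEY_USAGE_BITS[i])
    return KeyUsage(critical, frozenset(names))


def rfc5280_allows_key_transport(ku: KeyUsage) -> bool:
    """RFC 5280: an RSA key that encrypts a session key needs keyEncipherment (bit 2).
    A non-critical extension is treated as not enforced, as Cipher.init(opmode,
    Certificate) only inspects a KeyUsage extension marked critical."""
    return (not ku.critical) or ("keyEncipherment" in ku.bits)


def check_as_described_in_thread(ku: KeyUsage) -> bool:
    """The rule Pavol reports: reject when critical and encipherOnly (bit 7) is absent.
    Modelled from the thread's wording, not from Android source."""
    return (not ku.critical) or ("encipherOnly" in ku.bits)


# Constructed DER, not captured from any real certificate.
# SEQUENCE { OID 2.5.29.15, BOOLEAN TRUE, OCTET STRING { BIT STRING (5 unused) 0xA0 } }
# 0xA0 = 1010 0000 -> digitalSignature + keyEncipherment: a typical RSA TLS server key.
TYPICAL_TLS_SERVER_CRITICAL = bytes.fromhex("300E0603551D0F0101FF0404030205A0")
# Same bits, extension not marked critical (the FALSE boolean is omitted in DER).
TYPICAL_TLS_SERVER_NONCRITICAL = bytes.fromhex("300B0603551D0F0404030205A0")
# keyEncipherment + encipherOnly, critical: 0x21 = 0010 0001, no unused bits.
WITH_ENCIPHER_ONLY_CRITICAL = bytes.fromhex("300E0603551D0F0101FF040403020021")


def evaluate(ext_der: bytes) -> dict:
    """Decode one extension and report both rules' verdicts."""
    ku = parse_key_usage_extension(ext_der)
    return {
        "critical": ku.critical,
        "bits": sorted(ku.bits),
        "rfc5280_key_transport_ok": rfc5280_allows_key_transport(ku),
        "thread_check_ok": check_as_described_in_thread(ku),
    }


if __name__ == "__main__":
    for name, der in [("typical/critical", TYPICAL_TLS_SERVER_CRITICAL),
                      ("typical/non-critical", TYPICAL_TLS_SERVER_NONCRITICAL),
                      ("encipherOnly/critical", WITH_ENCIPHER_ONLY_CRITICAL)]:
        print(name, evaluate(der))
```

Running it shows the typical server certificate (digitalSignature plus keyEncipherment, critical) passing the RFC 5280 rule and failing the rule as described, which is the InvalidKeyException condition in the trace. Either dropping the critical flag or adding encipherOnly satisfies the described rule, but RFC 5280 leaves the meaning of encipherOnly undefined when keyAgreement is not also set, so a certificate built that way carries a key usage that is not meaningful, and the non-critical variant only passes because the check skips non-critical extensions.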