RMI with SSL: Failed handshake

StackOverflow https://stackoverflow.com/questions/23444004

  •  14-07-2023
  •  | 
  •  

Question

I'm writing a Client Server application with RMI and I want to secure the traffic between Client and Server. I want to use the SslRMIClientSocketFactory and SslRMIServerSocketFactory for this.

I've created a keypair for the Client and for the Server (client.private and server.private) and also a certificate for the Client and for the Server (client.public and server.public).

I think I'm correctly adding the keypair to the keystore and the certificate to the truststore. I only use the custom Socket Factory's when exporting my objects, not when I'm creating the RMI Registry. Here's my code:

Server:

public class Server implements ServerProtocol {
    public Server() {
        super();
        SecureRandom sr = new SecureRandom();
        sr.nextInt();

        KeyStore clientKeyStore = KeyStore.getInstance("JKS");
        FileInputStream client = new FileInputStream("src/client.public");
        String passphrase = //
        clientKeyStore.load(client, passphrase.toCharArray());
        client.close();

        KeyStore serverKeyStore = KeyStore.getInstance("JKS");
        FileInputStream server = new FileInputStream("src/server.private");
        String password = //
        serverKeyStore.load(server, password.toCharArray());
        server.close();

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(clientKeyStore);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(serverKeyStore, password.toCharArray());

        SSLContext SSLC = SSLContext.getInstance("TLS");
        SSLC.init(kmf.getKeyManagers(), tmf.getTrustManagers(), sr);

        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);

        LocateRegistry.createRegistry(2020).rebind("server", this);
        UnicastRemoteObject.exportObject(this, 2020, csf, ssf);
    }

    public void sayHello() {
        System.out.println("Hello");
    }
}

Client:

public class Client implements ClientProtocol {

    public Client() {
        SecureRandom sr = new SecureRandom();
        sr.nextInt();

        KeyStore serverKeyStore = KeyStore.getInstance("JKS");
        FileInputStream server = new FileInputStream("src/server.public");
        String passphrase = //
        serverKeyStore.load(server, passphrase.toCharArray());
        server.close();

        KeyStore clientKeyStore = KeyStore.getInstance("JKS");
        FileInputStream client = new FileInputStream("src/client.private");
        String password = //
        clientKeyStore.load(client, password.toCharArray());
        client.close();

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(serverKeyStore);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(clientKeyStore, password.toCharArray());

        SSLContext SSLC = SSLContext.getInstance("TLS");
        SSLC.init(kmf.getKeyManagers(), tmf.getTrustManagers(), sr);

        SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
        SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory(null, null, true);

        Registry reg = LocateRegistry.getRegistry("localhost", 2020);
        serverStub = (ServerService) reg.lookup("server");
        stub = (ClientService) UnicastRemoteObject.exportObject(this, 2020, csf, ssf);

        serverStub.sayHello();
    }
}

When I run this, I get the following error message:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1822)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1004)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:654)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:100)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.DataOutputStream.flush(DataOutputStream.java:106)
at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:211)
at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:184)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:110)
at java.rmi.server.RemoteObjectInvocationHandler.invokeRemoteMethod(RemoteObjectInvocationHandler.java:178)
at java.rmi.server.RemoteObjectInvocationHandler.invoke(RemoteObjectInvocationHandler.java:132)
at com.sun.proxy.$Proxy0.sayHello(Unknown Source)
at project.Client.<init>(Client.java:100)
at project.Client.main(Client.java:785)

I used the following commands to create the keys, export and import them:

keytool -genkey -alias clientprivate -keystore client.private -storetype JKS -keyalg rsa -storepass * -keypass * -validity 360
keytool -genkey -alias serverprivate -keystore server.private -storetype JKS -keyalg rsa -storepass * -keypass * -validity 360

keytool -export -alias clientprivate -keystore client.private -file temp.key -storepass *
keytool -import -noprompt -alias clientpublic -keystore client.public -file temp.key -storepass *

keytool -export -alias serverprivate -keystore server.private -file temp.key -storepass *
keytool -import -noprompt -alias serverpublic -keystore server.public -file temp.key -storepass *

Do I need to configure something else to make this work? Something in Eclipse?

Was it helpful?

Solution 2

I was able to solve this by avoiding the build-in Java classes SslRMIClientSocketFactory and SslRMIServerSocketFactory and creating my own classes which implement the RMIClientSocketFactory and RMIServerSocketFactory interfaces.

RMIClientSocketFactory

public class MyClientSocketFactory implements RMIClientSocketFactory, Serializable {

    public MyClientSocketFactory() {}

    public Socket createSocket(String host, int port) {

        SecureRandom sr = new SecureRandom();
        sr.nextInt();

        KeyStore serverKeyStore = KeyStore.getInstance("JKS");
        FileInputStream server = new FileInputStream("src/server.public");
        String passphrase = //
        serverKeyStore.load(server, passphrase.toCharArray());
        server.close();

        KeyStore clientKeyStore = KeyStore.getInstance("JKS");
        FileInputStream client = new FileInputStream("src/client.private");
        String password = //
        clientKeyStore.load(client, password.toCharArray());
        client.close();

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(serverKeyStore);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(clientKeyStore, password.toCharArray());

        SSLContext SSLC = SSLContext.getInstance("TLS");
        SSLC.init(kmf.getKeyManagers(), tmf.getTrustManagers(), sr);

        SSLSocketFactory sf = SSLC.getSocketFactory();
        SSLSocket socket = (SSLSocket) sf.createSocket(host, port);

        return socket;
    }

    public int hashCode() {
        return getClass().hashCode();
    }

    public boolean equals(Object obj) {
        if (obj == this) {
            return true;
        } else if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        return true;
    }

}

RMIServerSocketFactory

public class MyServerSocketFactory implements RMIClientSocketFactory, Serializable {

    public MyServerSocketFactory() {}

    public Socket createSocket(String host, int port) {

        SecureRandom sr = new SecureRandom();
        sr.nextInt();

        KeyStore clientKeyStore = KeyStore.getInstance("JKS");
        FileInputStream client = new FileInputStream("src/client.public");
        String passphrase = //
        clientKeyStore.load(client, passphrase.toCharArray());
        client.close();

        KeyStore serverKeyStore = KeyStore.getInstance("JKS");
        FileInputStream server = new FileInputStream("src/server.private");
        String password = //
        serverKeyStore.load(server, password.toCharArray());
        server.close();

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(serverKeyStore);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(clientKeyStore, password.toCharArray());

        SSLContext SSLC = SSLContext.getInstance("TLS");
        SSLC.init(kmf.getKeyManagers(), tmf.getTrustManagers(), sr);

        SSLServerSocketFactory sf = SSLC.getServerSocketFactory();
        SSLServerSocket socket = (SSLServerSocket) sf.createServerSocket(host, port);

        return socket;
    }

    public int hashCode() {
        return getClass().hashCode();
    }

    public boolean equals(Object obj) {
        if (obj == this) {
            return true;
        } else if (obj == null || getClass() != obj.getClass()) {
            return false;
        }
        return true;
    }

}

OTHER TIPS

You're creating the Registry with SSL socket factories but you're not supplying a socket factory to getRegistry().

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top