how to allow my java code accept completing a handshake with self signed or weak sslv2 protocol

Question

I have a java code that tries to create ssl handshake with a website. When the website's ssl certificate is self signed or using insecure option, I get errors and the code can't extract the certificate.

SSLSocket socket=null;
SSLSocketFactory factory=null;
factory = HttpsURLConnection.getDefaultSSLSocketFactory();

try{
    socket = (SSLSocket) factory.createSocket(host, port);          
    System.out.println("listen on port "+port+" for host "+host);

    } //end try

    catch (IOException ex)
        {
            //remote host is not listening on port 443
            System.out.println("Can not listen on port "+port+" of host"+host);
        } //end catch

        System.out.println("Creating a SSL Socket For "+host+" on port "+port);
        SSLSession ss = socket.getSession();
        socket.startHandshake(); // start the handshake
        System.out.println("Handshake Done");

As an example, I get the following error:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: Insecure renegotiation is not allowed

How can I make my java code accept completing handshake with self signed and weak ssl configurations ?

Answer 1

There are at least 3 possible issues here. Weakening your SSL/TLS configuration is almost always a bad idea.

• First you can enable some cipher suites that are not enabled by default. The ones that are supported and the ones that are enabled by default are listed in the Sun Provider documentation. You can enable specific cipher suites using setEnabledCipherSuites on your SSLSocket/SSLEngine. It's worth reading the footnotes and the notes about specific cipher suites in the TLS specification (in particular the lack of security offered by anonymous cipher suites).

• The renegotiation problem is slightly different. You can use the system property introduced in the update: sun.security.ssl.allowUnsafeRenegotiation. As the name indicates, it's unsafe.

• Accepting any certificate is another problem. In general, you should import the specific certificate you have in mind. However, you can build an SSLContext from an X509TrustManager that never throws any exception when checking the server certificate. There are many examples of this unsafe code around here or on other sites.

The JSSE default behaviour tends to be fairly sensible. Introducing unsafe behaviour should be done with caution. It can be OK to learn/experiment, but doing so in production software (or even in prototypes) is questionable.