You can load trusted key stores dynamically at runtime. // load your key store as a stream and initialize a KeyStore InputStream trustStream = … KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); // if your store is password protected then declare it (it can be null however) char[] trustPassword = … // load the stream to your store … Read more
As you can see in the standard names documentation, all entries (SSLv3, TLSv1.0, TLSv1.1, …) say that they may support other versions. In practice, in the Oracle JDK (and OpenJDK), they all do. If you look at the source code, the TLS10Context class is what’s used for TLS, SSL, SSLv3 and TLS10, TLS11Context is used … Read more
This piece of code is a bit raw. please use with care. public class PreferredCipherSuiteSSLSocketFactory extends SSLSocketFactory { private static final String PREFERRED_CIPHER_SUITE = “TLS_RSA_WITH_AES_128_CBC_SHA”; private final SSLSocketFactory delegate; public PreferredCipherSuiteSSLSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; } @Override public String[] getDefaultCipherSuites() { return setupPreferredDefaultCipherSuites(this.delegate); } @Override public String[] getSupportedCipherSuites() { return setupPreferredSupportedCipherSuites(this.delegate); } @Override public … Read more
Sun’s JSSE doesn’t support SSLv2 but it supports the SSlv2ClientHello, to support some SSL servers that require it. You can turn it off by removing it from the enabled protocols. IBM’s JSSE does support SSLv2 entirely. From the JSSE Reference Guide: For example, some older server implementations speak only SSLv3 and do not understand TLS. … Read more
I ended up using Jsch– it was pretty straightforward, and seemed to scale up pretty well (I was grabbing a few thousand files every few minutes).
There are a few more types than what’s listed in the standard name list you’ve linked to. You can find more in the cryptographic providers documentation. The most common are certainly JKS (the default) and PKCS12 (for PKCS#12 files, often with extension .p12 or sometimes .pfx). JKS is the most common if you stay within … Read more
You have a typo – it is trustStore. Apart from setting the variables with System.setProperty(..), you can also use -Djavax.net.ssl.keyStore=path/to/keystore.jks
Raz’s answer was a great start, but wasn’t quite flexible enough to meet my needs. The MultiStoreKeyManager explicitly checks the custom KeyManager and then falls back to the jvm KeyManager if an operation fails. I actually want to check jvm certs first; the best solution should be able to handle either case. Additionally, the answer … Read more
On Java 1.8 default TLS protocol is v1.2. On Java 1.6 and 1.7 default is obsoleted TLS1.0. I get this error on Java 1.8, because url use old TLS1.0 (like Your – You see ClientHello, TLSv1). To resolve this error You need to use override defaults for Java 1.8. System.setProperty(“https.protocols”, “TLSv1”); More info on the … Read more
Finally solved it ;). Got a strong hint here (Gandalfs answer touched a bit on it as well). The missing links was (mostly) the first of the parameters below, and to some extent that I overlooked the difference between keystores and truststores. The self-signed server certificate must be imported into a truststore: keytool -import -alias … Read more