TLS 1.2 + Java 1.6 + BouncyCastle

by

If you look at RFC 4492 5.2, you’ll see that the server CAN send the “ec_point_formats” extension, but is only supposed to do so “when negotiating an ECC cipher suite”. If you want TLSClient to just ignore the extra extension instead of raising an exception, I suggest overriding TlsClient.allowUnexpectedServerExtension(…) to allow ec_point_formats in the same way the default implementation allows elliptic_curves:

protected boolean allowUnexpectedServerExtension(Integer extensionType, byte[] extensionData)
    throws IOException
{
    switch (extensionType.intValue())
    {
    case ExtensionType.ec_point_formats:
        /*
         * Exception added based on field reports that some servers send Supported
         * Point Format Extension even when not negotiating an ECC cipher suite.
         * If present, we still require that it is a valid ECPointFormatList.
         */
        TlsECCUtils.readSupportedPointFormatsExtension(extensionData);
        return true;
    default:
        return super.allowUnexpectedServerExtension(extensionType, extensionData);
    }
}

If this is a widespread problem, we might consider adding this case to the default implementation.

For logging, there are the (TLSPeer) methods notifyAlertRaised and notifyAlertReceived that you can override on your TLSClient implementation.

More Related Contents:

  1. How to use TLS 1.2 in Java 6
  2. Read RSA private key of format PKCS1 in JAVA
  3. How do I do TLS with BouncyCastle?
  4. How can I use different certificates on specific connections?
  5. Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  6. Unable to find valid certification path to requested target – error even after cert imported
  7. Why does SSL handshake give ‘Could not generate DH keypair’ exception?
  8. Problems using Maven and SSL behind proxy
  9. javax.net.ssl.SSLException: Received fatal alert: protocol_version
  10. How to programmatically set the SSLContext of a JAX-WS client?
  11. How to find what SSL/TLS version is used in Java
  12. Keystore type: which one to use?
  13. Sign CSR using Bouncy Castle
  14. java – ignore expired ssl certificate
  15. Java SSL: how to disable hostname verification
  16. javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found
  17. Problems connecting via HTTPS/SSL through own Java client
  18. How to enable SSL 3 in Java
  19. Choosing SSL client certificate in Java
  20. Using JavaMail with TLS
  21. How do I run my application as superuser from Eclipse?
  22. Java SSLHandshakeException: no cipher suites in common
  23. Java and SSL – java.security.NoSuchAlgorithmException
  24. Self signed X509 Certificate with Bouncy Castle in Java
  25. java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
  26. Why can Java not connect to MySQL 5.7 after the latest JDK update and how should it be fixed? (ssl.SSLHandshakeException: No appropriate protocol)
  27. How to make Java 6, which fails SSL connection with “SSL peer shut down incorrectly”, succeed like Java 7?
  28. SNI client-side mystery using Java8
  29. Java Keytool error after importing certificate , “keytool error: java.io.FileNotFoundException & Access Denied”
  30. Can we load multiple Certificates & Keys in a Key Store?

Leave a Comment