"no cipher suites in common" between J2ME client and J2SE server

[jangozo]

Hi guys,

I've setup my server to accept SSL connections using the following code:

Code:

ServerSocket servSock = null;
Socket clientSock = null;
SSLServerSocketFactory ssocketFactory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
try {
  SSLServerSocket ssocket = (SSLServerSocket) ssocketFactory.createServerSocket(5555);
  ssocket.setEnabledCipherSuites(ssocketFactory.getSupportedCipherSuites());
  running = true;
  while (running) {
    clientSock = ssocket.accept();
    ClientHandler ch = new ClientHandler(clientSock);
    ch.start();
    }
} catch (IOException ex) {
  Logger.getLogger(main.class.getName()).log(Level.SEVERE, null, ex);
  running = false;
}

and my J2ME 3.0 SDK

Code:

sc = (SecureConnection)Connector.open("ssl://localhost:5555");

On the server side I get the following exception,

javax.net.ssl.SSLHandshakeException: no cipher suites in common

and another unreadable exception on my MIDP.

java.io.IOException: Alert (2,40) at com.sun.midp.ssl.Record.rdRec(), bci=231 at com.sun.midp.ssl.Handshake.getNextMsg(), bci=14)

.

I print out a list of the enabled cipher suites on the server and compare the allowed SSLv3 suites (as stated by MIDP Application Security 2: Understanding SSL and TLS) and "SSL_RSA_WITH_DES_CBC_SHA" matches on both.

Now, what am I doing wrong here?

Thanks,
Vladimir

[traud]

sc = (SecureConnection)Connector.open("ssl://localhost:5555");

Several J2ME runtimes (for example the Sun emulator and Series 40 emulator and phones) are very strict when it comes to secure connections and do not show a warning if the domain name mismatches or the certificate authority is unknown. If you face such a problem, you get the wildest exceptions within Java.

First of all, I do not recommend to type cast to the most specialised (SecureConnection) but to the most general (SocketConnection) interface except you really, really need the method getSecurityInfo. Anyway, that is just a matter of coding style.

Using localhost as domain, requires the use of a self-signed certificate authority which must be known to your Java runtime. No well-known authority will certify that. Furthermore, localhost must be present as domain name in the certificate of your server. I do not think this is a good strategy for testing. Therefore, please, go through this …

[jangozo]

thank you for the reply, I have read through the link but little seemed to be relevant to my case.

I think my problem is far simpler than this. I only need to get it working on an emulator. I have WTK, J2ME SDK and LG SDK. I managed to export a certificate I made on my computer onto the J2ME SDK and WTK emulators but now I get "The signature of the content provider certificate is invalid."

What changes do I have to make?

Any help is appreciated, I've been working on this for the past 8 hours.

Does my server setup look at ok at least?

Thanks,
Vladimir

[traud]

You have to import a certificate authority (CA) then. By the way, if that other post does not make sense to you at all (it answers all your questions), you should go out and buy a VeriSign certificate immediately – otherwise you waste even more time.

[jangozo]

I'm sorry for being such a newbie, it's basics for u guys but I still can't seem to get the hang of it.

Is this what I need to do on the emulator side? This certificate is one which is imported into my Netbeans keystore manager too.

I'm also using stunnel, which listens for SSL connection on port 5555 (the one my midlet connects on), handles all SSL tasks and forwards connections to port 6666, where the server listens for normal connections.

I've also tried with the initial server setup from my first post on the topic. Doesn't the server have to know the certificate to work with or does it get it from the Netbeans Keystores?

On running the Midlet I get the following:
*** Error ***
A problem occurred during deploying application from http://127.0.0.1:51970/SecureIM_MIDP.jad
Reason:
The signature of the content provider certificate is invalid.

Thanks,
Vladimir

[traud]

I'm sorry for being such a newbie, it's basics for u guys but I still can't seem to get the hang of it.

No, do not get me wrong. The trick is not to bother with SecureConnection, yet. Just develop and test your MIDlet with SocketConnection and do not connect to a secured port. Beside that development and testing, go out for a (fully paid) certificate of a well-known certificate authority (I recommend VeriSign). When your certificate arrives, you are at the stage of final one-device testing. You change your URL from socket to ssl, install the certificate in your server and run the whole code from within your device.

Currently, you try do something very complex which you do not need anytime later again. First of all, your certificate authority certificate must be known to your emulator and devices. For a well-known certificate authority you do not have to install that certificate. Secondly, to trust to localhost or an IP-address, you have to know about FQDN, common name and alternative subject-name (1, 2). All this is a bit complex and is hard to describe. The first issue should be discussed in a support forum of your emulator and/or device. Although I went that way already, the second issue is general SSL/TLS stuff and should be ask elsewhere.

If this project is academic and you cannot afford a certificate, then contact your supervisor and discuss this. From my point of view, something like that is just a bonus and does not show or help to judge what you have learned.

If you have other reasons for going this very terrible complicated path with your own certificate authority, just say so and we go through every step together. First secure your server correctly, then install its authority certificate into your (emulated) devices, then do the debugging.

Doesn't the server have to know the certificate to work with or does it get it from the Netbeans Keystores?

I recommend to ask this specific somewhere else. Nevertheless, with

Code:

openssl s_client -crlf -connect localhost:5555

you are able to test that yourself. Adding the -CAfile parameter, OpenSSL even tells you whether everything is correct. By the way, you should use another port number.

A problem occurred during deploying application from http://127.0.0.1:51970/SecureIM_MIDP.jad
Reason:
The signature of the content provider certificate is invalid.

Not sure where you got that report from, however, it sounds like you have signed the MIDlet: MIDlet-Jar-RSA-SHA1 is present in the JAD. This code signing is a complete different area than securing an Internet connection. I do not think this helps at all in your case.

[jangozo]

I finally figured it out, it turned out there was a problem on both sides. The server wasn't reading the keystore and I shouldn't have been signing it at all but still import the certificate. Now I'm able to establish the connection and get information on it, such as the suite used, protocol, certificate info etc.

Thanks for the guidance traud

[BigPepe]

Can you post your code please?

[jangozo]

Server:

Code:

        SSLServerSocketFactory ssocketFactory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try {
            SSLServerSocket ssocket = (SSLServerSocket) ssocketFactory.createServerSocket(PORT);
            running = true;
            while (running) {
                clientSock = ssocket.accept();
                // Start create my client object and start() it.
            }
        } catch (IOException ex) {
            Logger.getLogger(main.class.getName()).log(Level.SEVERE, null, ex);
            running = false;
        }

Client:

Code:

                    sc = (SecureConnection) Connector.open("ssl://localhost:5555");
                    SecurityInfo info = sc.getSecurityInfo();
                    System.out.println("Suite " + info.getCipherSuite() + "\nCertificate: " + info.getServerCertificate() + "\nProtocol " + info.getProtocolName());
                    DataInputStream reader = sc.openDataInputStream();
                    writer = sc.openDataOutputStream();
                    // create my listener class
                    System.out.println("Connection established on MIDP");

It's basically your standard setup for connecting but it's the certificates that matter.

Make sure you tell your server to use the keystore where you have imported the certificate with the following command flags:
-Djavax.net.ssl.keyStore=SecIM_keystore.jks -Djavax.net.ssl.keyStorePassword=yourPass

You should also use the mekeytool.exe in your J2ME SDK to import the certificate into the emulator. If you're using J2ME SDK 3 then you may be better off using the GUI.

REMEMBER: FILL IN ALL FIELDS ON YOUR CERTIFICATE WHEN YOU CREATE IT
(that's if you create your own)

Vladimir

[BigPepe]

Thank you for your answer, but how can i add my certificate to my MIDlet application??

You should also use the mekeytool.exe in your J2ME SDK to import the certificate into the emulator. If you're using J2ME SDK 3 then you may be better off using the GUI.

REMEMBER: FILL IN ALL FIELDS ON YOUR CERTIFICATE WHEN YOU CREATE IT
(that's if you create your own)

Vladimir

[jangozo]

Thank you for your answer, but how can i add my certificate to my MIDlet application??

The device onto which you run your application has a bunch of certificates available. This device could be a phone or an emulator. It is not possible (AFAIK) to include the certificate as part of the MIDlet app, it must be imported into a secure place on the device. Otherwise all kinds of applications would play around with your certificates. Maybe OTA installation may ask to accept a certificate and then use it as the Midlet app, but you'll have to research that yourself.

If you want to run it on an emulator follow the instructions I've given. If you want to run it on a real device then I think there are other threads that help u with that.