如何将SSLEngine限制为TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 CipherSuite?

时间:2017-08-17 03:54:47

标签: java bouncycastle sslengine

我有以下代码:

SSLContext sslContext = SSLContext.getInstance("TLS", BouncyCastleProvider.PROVIDER_NAME);
sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
SSLEngine sslEngine = sslContext.createSSLEngine();
String[] suites = { "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" };
sslEngine.setEnabledCipherSuites(suites);

感谢。

修改: 我发现我应该使用需要BouncyCastleJsseProvider对象的SecureRandom,如下所示:

sslContext.init(keyManagerFactory.getKeyManagers(), null, new SecureRandom());

使用新的提供程序后,我在我的代码库中获得了以下堆栈跟踪,据我所知,它应该像以前一样工作:

Aug 17, 2017 8:47:32 PM org.bouncycastle.jsse.provider.ProvTlsServer notifyAlertRaised
INFO: Server raised fatal(2) handshake_failure(40) alert: Failed to read record
org.bouncycastle.tls.TlsFatalAlert: handshake_failure(40)
    at org.bouncycastle.tls.AbstractTlsServer.getSelectedCipherSuite(Unknown Source)
    at org.bouncycastle.jsse.provider.ProvTlsServer.getSelectedCipherSuite(Unknown Source)
    at org.bouncycastle.tls.TlsServerProtocol.sendServerHelloMessage(Unknown Source)
    at org.bouncycastle.tls.TlsServerProtocol.handleHandshakeMessage(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
    at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
    at org.bouncycastle.tls.TlsProtocol.offerInput(Unknown Source)
    at org.bouncycastle.jsse.provider.ProvSSLEngine.unwrap(Unknown Source)

1 个答案:

答案 0 :(得分:2)

我做了以下工作以使其正常工作。

  • 添加提供商:BouncyCastleProviderBouncyCastleJsseProvider 

    Security.addProvider(new BouncyCastleProvider());
Security.addProvider(new BouncyCastleJsseProvider());

  • 使用SSLContext

    创建BouncyCastleJsseProvider 
    SSLContext sslContext = SSLContext.getInstance("TLS", BouncyCastleJsseProvider.PROVIDER_NAME);

  • 使用sslContext SecureRandom的实例初始化BouncyCastleProvider 

    sslContext.init(
        keyManagers,
        trustManagers,
        SecureRandom.getInstance("DEFAULT", BouncyCastleProvider.PROVIDER_NAME));

  • 您可能需要使用KeyManagerFactoryBouncyCastleJsseProvider算法创建PKIX 

    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("PKIX", BouncyCastleJsseProvider.PROVIDER_NAME);

  • 现在,我们可以启用密码套件

    SSLEngine sslEngine = sslContext.createSSLEngine();
String[] suites = { "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8" };
sslEngine.setEnabledCipherSuites(suites);
相关问题
最新问题