Make SSLContext customizable #360

Hakky54 · 2023-06-21T21:11:57Z

No description provided.

Hakky54 · 2023-06-22T07:49:22Z

It seems like the changes are working fine, below is the output of the ssl handshake and the sslfactory configuration:

SSLFactory.builder()
        .withIdentityMaterial(keyStorePath, keyStorePassword)
        .withTrustMaterial(trustStorePath, trustStorePassword)
        .withProtocols("TLSv1.2")
        .withCiphers("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
        .build();

javax.net.ssl|WARNING|01|main|2023-06-22 09:56:35.416 CEST|ServerNameExtension.java:261|Unable to indicate server name
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.416 CEST|SSLExtensions.java:260|Ignore, context unavailable extension: server_name
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.417 CEST|SupportedGroupsExtension.java:384|Ignore inactive or disabled named group: ffdhe2048
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.417 CEST|SupportedGroupsExtension.java:384|Ignore inactive or disabled named group: ffdhe3072
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.417 CEST|SupportedGroupsExtension.java:384|Ignore inactive or disabled named group: ffdhe4096
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.417 CEST|SupportedGroupsExtension.java:384|Ignore inactive or disabled named group: ffdhe6144
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.417 CEST|SupportedGroupsExtension.java:384|Ignore inactive or disabled named group: ffdhe8192
javax.net.ssl|WARNING|01|main|2023-06-22 09:56:35.419 CEST|SignatureScheme.java:295|Signature algorithm, ed25519, is not supported by the underlying providers
javax.net.ssl|WARNING|01|main|2023-06-22 09:56:35.419 CEST|SignatureScheme.java:295|Signature algorithm, ed448, is not supported by the underlying providers
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.427 CEST|ClientHello.java:653|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "BC 2A FF 29 83 27 45 38 E0 7D 5F 6F 13 63 42 89 C9 44 3E 3C 4D 7D 71 18 15 01 67 69 B3 75 9C 85",
  "session id"          : "",
  "cipher suites"       : "[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)]",
  "compression methods" : "00",
  "extensions"          : [
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "versions": [x25519, secp256r1, secp384r1, secp521r1, x448]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "application_layer_protocol_negotiation (16)": {
      [h2, http/1.1]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "supported_versions (43)": {
      "versions": [TLSv1.2]
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.453 CEST|ServerHello.java:867|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "5C 60 DD F9 35 E7 5B 4A CD 75 04 E7 D4 3E 50 74 A7 6B C5 DF 2C 00 56 5B 44 4F 57 4E 47 52 44 01",
  "session id"          : "FC 3A 06 BB 8B 90 78 F6 95 3F 6F F8 71 23 83 03 67 74 F5 32 8C 07 F8 E3 B2 CE F4 DD AC A7 E1 7F",
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
  "compression methods" : "00",
  "extensions"          : [
    "extended_master_secret (23)": {
      <empty>
    },
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    }
  ]
}
)
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.453 CEST|SSLExtensions.java:173|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.453 CEST|ServerHello.java:963|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.454 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.454 CEST|SSLExtensions.java:173|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.454 CEST|SSLExtensions.java:173|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.454 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.454 CEST|SSLExtensions.java:173|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.454 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.454 CEST|SSLExtensions.java:192|Consumed extension: extended_master_secret
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.454 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.454 CEST|SSLExtensions.java:207|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.454 CEST|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.454 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.454 CEST|SSLExtensions.java:207|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.454 CEST|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.455 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request_v2
javax.net.ssl|WARNING|01|main|2023-06-22 09:56:35.455 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: extended_master_secret
javax.net.ssl|WARNING|01|main|2023-06-22 09:56:35.455 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.459 CEST|CertificateMessage.java:366|Consuming server Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "45 42 5B 2B",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
    "not before"         : "2023-06-22 08:45:53.000 CEST",
    "not  after"         : "2033-06-19 08:45:53.000 CEST",
    "subject"            : "CN=Hakan, OU=Amsterdam, O=Thunderberry, C=NL",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: A4 29 C1 D5 20 FC 02 89   0C AF 65 C5 4E 7F D8 8D  .).. .....e.N...
        0010: D6 45 2D D6                                        .E-.
        ]
        ]
      },
      {
        ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          serverAuth
          clientAuth
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=false
        KeyUsage [
          DigitalSignature
          Key_Encipherment
          Data_Encipherment
          Key_Agreement
        ]
      },
      {
        ObjectId: 2.5.29.17 Criticality=true
        SubjectAlternativeName [
          DNSName: localhost
          DNSName: raspberrypi.local
          IPAddress: 127.0.0.1
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 58 DD 86 FB 5E 56 6F 4B   B4 42 FE 29 95 38 03 02  X...^VoK.B.).8..
        0010: E8 62 B1 1C                                        .b..
        ]
        ]
      }
    ]},
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "27 6A 79 B0",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
    "not before"         : "2023-06-22 08:45:45.000 CEST",
    "not  after"         : "2033-06-19 08:45:45.000 CEST",
    "subject"            : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=false
        BasicConstraints:[
          CA:true
          PathLen:3
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=false
        KeyUsage [
          DigitalSignature
          Key_CertSign
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: A4 29 C1 D5 20 FC 02 89   0C AF 65 C5 4E 7F D8 8D  .).. .....e.N...
        0010: D6 45 2D D6                                        .E-.
        ]
        ]
      }
    ]}
]
)
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.479 CEST|X509TrustManagerImpl.java:238|Found trusted certificate (
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "27 6A 79 B0",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
    "not before"         : "2023-06-22 08:45:45.000 CEST",
    "not  after"         : "2033-06-19 08:45:45.000 CEST",
    "subject"            : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=false
        BasicConstraints:[
          CA:true
          PathLen:3
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=false
        KeyUsage [
          DigitalSignature
          Key_CertSign
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: A4 29 C1 D5 20 FC 02 89   0C AF 65 C5 4E 7F D8 8D  .).. .....e.N...
        0010: D6 45 2D D6                                        .E-.
        ]
        ]
      }
    ]}
)
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.487 CEST|ECDHServerKeyExchange.java:524|Consuming ECDH ServerKeyExchange handshake message (
"ECDH ServerKeyExchange": {
  "parameters": {
    "named group": "x25519"
    "ecdh public": {
      0000: 5E C0 79 05 C8 7E A7 2B   50 0B 06 F4 CB 1B EF F9  ^.y....+P.......
      0010: 34 C2 E4 E5 78 8D 3F 58   CC 9B 23 35 1E 5C B9 03  4...x.?X..#5.\..
    },
  },
  "digital signature":  {
    "signature algorithm": "rsa_pss_rsae_sha256"
    "signature": {
      0000: 2E 6B 97 1D 73 6D 86 8C   38 E1 3F 13 64 2F 60 22  .k..sm..8.?.d/`"
      0010: 70 99 69 BD CE E4 D7 B5   29 10 1E A0 B1 F4 17 69  p.i.....)......i
      0020: E4 AC 59 73 78 28 0D 90   3C 0C 8D C1 BE 7D ED 6F  ..Ysx(..<......o
      0030: 71 E0 FD 10 E0 37 AB B0   9A C6 8B 60 F5 8A 8F 69  q....7.....`...i
      0040: 44 52 3F A1 4E 19 E8 E8   CC 44 B3 2C 76 54 12 D5  DR?.N....D.,vT..
      0050: 99 56 1F 9D 19 6C DB E7   75 49 57 C1 BB 01 E8 D0  .V...l..uIW.....
      0060: CB 8A 5C BB BD B3 17 26   2C 67 F2 DD C2 D2 E2 59  ..\....&,g.....Y
      0070: 4E 22 81 19 BF 62 6B 95   F3 D2 DA 87 0A 54 B0 92  N"...bk......T..
      0080: BA 75 E1 0E E2 05 3C 3A   B3 FC 69 41 DE BC F1 C8  .u....<:..iA....
      0090: 5D 72 1F 46 04 7D E9 7A   81 99 48 A5 E8 A3 AC 14  ]r.F...z..H.....
      00A0: FA C9 2B 29 49 36 FE 97   14 09 66 40 F1 5B 08 08  ..+)I6....f@.[..
      00B0: 90 3E 92 F7 9B E7 87 C1   2C 02 96 2E B9 6A 79 F9  .>......,....jy.
      00C0: 7F 34 58 E1 D6 45 C5 9B   65 65 3A 03 EE 5B A1 BD  .4X..E..ee:..[..
      00D0: 9A AF D7 10 C6 94 D0 71   69 E1 E4 7D 57 4F 3A BE  .......qi...WO:.
      00E0: 4E 30 40 8E 92 E8 34 92   7A D6 42 CC D8 F9 A6 27  N0@...4.z.B....'
      00F0: 1B CE 6A 21 67 13 61 83   06 18 FB 4E AF 3B 92 AC  ..j!g.a....N.;..
    },
  }
}
)
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.488 CEST|CertificateRequest.java:692|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate types": [ecdsa_sign, rsa_sign, dss_sign]
  "supported signature algorithms": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
  "certificate authorities": [CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL]
}
)
javax.net.ssl|ALL|01|main|2023-06-22 09:56:35.488 CEST|X509Authentication.java:246|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2023-06-22 09:56:35.488 CEST|CertificateRequest.java:809|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|01|main|2023-06-22 09:56:35.488 CEST|X509Authentication.java:246|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2023-06-22 09:56:35.489 CEST|CertificateRequest.java:809|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|01|main|2023-06-22 09:56:35.489 CEST|X509Authentication.java:246|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2023-06-22 09:56:35.489 CEST|CertificateRequest.java:809|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.489 CEST|SunX509KeyManagerImpl.java:401|matching alias: client
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.489 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.490 CEST|CertificateMessage.java:330|Produced client Certificate handshake message (
"Certificates": [
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "6E 1C E9 92",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
    "not before"         : "2023-06-22 08:45:53.000 CEST",
    "not  after"         : "2033-06-19 08:45:53.000 CEST",
    "subject"            : "CN=black-hole, OU=Altindag, O=Altindag, C=NL",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.35 Criticality=false
        AuthorityKeyIdentifier [
        KeyIdentifier [
        0000: A4 29 C1 D5 20 FC 02 89   0C AF 65 C5 4E 7F D8 8D  .).. .....e.N...
        0010: D6 45 2D D6                                        .E-.
        ]
        ]
      },
      {
        ObjectId: 2.5.29.37 Criticality=false
        ExtendedKeyUsages [
          serverAuth
          clientAuth
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=false
        KeyUsage [
          DigitalSignature
          Key_Encipherment
          Data_Encipherment
          Key_Agreement
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: 35 E3 1D 4D CB B0 9A C4   94 AD F5 0E 5B D3 BD 0C  5..M........[...
        0010: 22 71 91 2B                                        "q.+
        ]
        ]
      }
    ]},
  "certificate" : {
    "version"            : "v3",
    "serial number"      : "27 6A 79 B0",
    "signature algorithm": "SHA256withRSA",
    "issuer"             : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
    "not before"         : "2023-06-22 08:45:45.000 CEST",
    "not  after"         : "2033-06-19 08:45:45.000 CEST",
    "subject"            : "CN=Root-CA, OU=Certificate Authority, O=Thunderberry, C=NL",
    "subject public key" : "RSA",
    "extensions"         : [
      {
        ObjectId: 2.5.29.19 Criticality=false
        BasicConstraints:[
          CA:true
          PathLen:3
        ]
      },
      {
        ObjectId: 2.5.29.15 Criticality=false
        KeyUsage [
          DigitalSignature
          Key_CertSign
        ]
      },
      {
        ObjectId: 2.5.29.14 Criticality=false
        SubjectKeyIdentifier [
        KeyIdentifier [
        0000: A4 29 C1 D5 20 FC 02 89   0C AF 65 C5 4E 7F D8 8D  .).. .....e.N...
        0010: D6 45 2D D6                                        .E-.
        ]
        ]
      }
    ]}
]
)
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.503 CEST|ECDHClientKeyExchange.java:410|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
  "ecdh public": {
    0000: 65 AB 67 05 48 46 A9 8D   29 CE 31 2C E6 7D 50 4F  e.g.HF..).1,..PO
    0010: 0F 17 05 38 97 0C 20 B1   74 B2 E4 E2 FD 8B 4B 55  ...8.. .t.....KU
  },
}
)
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.556 CEST|CertificateVerify.java:764|Produced CertificateVerify handshake message (
"CertificateVerify": {
  "signature algorithm": rsa_pss_rsae_sha256
  "signature": {
    0000: 18 70 A7 C9 B3 3A 20 84   2F F0 05 4F E6 27 40 97  .p...: ./..O.'@.
    0010: 60 41 FE 5E 34 67 91 68   C9 12 2F D5 E3 5D 82 9A  `A.^4g.h../..]..
    0020: 1E 28 1B 73 C3 DF D3 DC   4E 3E 65 77 16 C8 D2 50  .(.s....N>ew...P
    0030: CE AA 96 26 38 FD A9 21   16 B2 F3 D4 1F CF 7D 3A  ...&8..!.......:
    0040: 98 ED 75 50 01 D9 AF EC   4C 4D 0A BC D9 22 E8 63  ..uP....LM...".c
    0050: 5A CF 86 E7 DE 44 98 31   8D 58 89 5E 68 17 89 1B  Z....D.1.X.^h...
    0060: C0 EB 1B DE 94 63 F9 CE   A0 ED 06 9D FE DB 10 35  .....c.........5
    0070: B7 9C 6F A8 6A 3B B4 93   74 DE 8F 23 0D 38 6E 21  ..o.j;..t..#.8n!
    0080: 22 E6 88 DF 3F 36 A2 D0   AC D4 1F E4 94 47 C5 5F  "...?6.......G._
    0090: EA 8B D8 0F 6F 42 B3 A6   BA C3 2B 2A E0 55 3F F3  ....oB....+*.U?.
    00A0: A9 5D 6F D0 27 77 EA 1E   00 F2 96 3F 65 C8 00 B8  .]o.'w.....?e...
    00B0: 70 2E 7B E1 E2 B1 DA 82   3F 79 1E 33 2A 89 86 1A  p.......?y.3*...
    00C0: 76 57 7B BD 17 C4 93 75   D1 A6 20 6C AE 39 28 5D  vW.....u.. l.9(]
    00D0: CE 8F 9A 10 0E 0A 1B 91   21 BD 2C 42 1F 34 9C 3E  ........!.,B.4.>
    00E0: B5 44 2A 51 3E 67 AF 12   46 AC 0C 7A A7 2A D7 02  .D*Q>g..F..z.*..
    00F0: 3D 6E B5 2A 8D 6E B8 52   52 34 E1 86 A3 45 5D D2  =n.*.n.RR4...E].
  }
}
)
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.560 CEST|ChangeCipherSpec.java:115|Produced ChangeCipherSpec message
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.560 CEST|Finished.java:398|Produced client Finished handshake message (
"Finished": {
  "verify data": {
    0000: 52 E0 47 DB A3 A2 22 FF   A9 04 FF 11 
  }'}
)
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.563 CEST|ChangeCipherSpec.java:149|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|01|main|2023-06-22 09:56:35.565 CEST|Finished.java:535|Consuming server Finished handshake message (
"Finished": {
  "verify data": {
    0000: 67 58 52 46 81 CA 28 6F   22 99 71 D2 
  }'}
)

What do you think @woj-tek ?
The specified Cipher and Protocol within the SSLFactory is being used also during the SSLHandshake. This was already the case, but now it is more visible with the logs above.

And coming back to your earlier concern. All of the properties are consistent:

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import java.io.IOException;
import java.util.Arrays;

public class App {

    public static void main(String[] args) throws IOException {
        SSLFactory sslFactory = SSLFactory.builder()
                .withDefaultTrustMaterial()
                .withProtocols("TLSv1.2")
                .withNeedClientAuthentication()
                .withCiphers("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
                .build();


        System.out.println("SSLFactory");
        System.out.println(sslFactory.getProtocols());

        System.out.println("SSLContext");
        System.out.println(Arrays.toString(sslFactory.getSslContext().getSupportedSSLParameters().getProtocols()));
        System.out.println(Arrays.toString(sslFactory.getSslContext().getDefaultSSLParameters().getProtocols()));

        System.out.println("SSLSocket");
        SSLSocket socket = (SSLSocket) sslFactory.getSslSocketFactory().createSocket();

        System.out.println(Arrays.toString(socket.getSupportedProtocols()));
        System.out.println(Arrays.toString(socket.getEnabledProtocols()));
        System.out.println(Arrays.toString(socket.getSupportedCipherSuites()));
        System.out.println(Arrays.toString(socket.getEnabledCipherSuites()));
        System.out.println(socket.getNeedClientAuth());
        System.out.println(socket.getWantClientAuth());

        System.out.println("SSLEngine");
        SSLEngine sslEngine = sslFactory.getSSLEngine();
        System.out.println(Arrays.toString(sslEngine.getSupportedProtocols()));
        System.out.println(Arrays.toString(sslEngine.getEnabledProtocols()));
        System.out.println(Arrays.toString(sslEngine.getSupportedCipherSuites()));
        System.out.println(Arrays.toString(sslEngine.getEnabledCipherSuites()));
        System.out.println(sslEngine.getNeedClientAuth());
        System.out.println(sslEngine.getWantClientAuth());
    }

}

SSLFactory
[TLSv1.2]
SSLContext
[TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]
[TLSv1.2]
SSLSocket
[TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]
[TLSv1.2]
[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
true
false
SSLEngine
[TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello]
[TLSv1.2]
[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
true
false

sonarcloud · 2023-06-22T09:08:08Z

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

100.0% Coverage
0.0% Duplication

woj-tek · 2023-06-22T23:15:00Z

What do you think @woj-tek ? The specified Cipher and Protocol within the SSLFactory is being used also during the SSLHandshake. This was already the case, but now it is more visible with the logs above.

And coming back to your earlier concern. All of the properties are consistent:

Just tested it and it works as expected! 👍

Hakky54 added 4 commits June 21, 2023 23:11

Added new SSLContext

81315d4

Reverted to initial state

0b8777a

Simplified FenixSSLContext and added test

fd42d28

Corrected usage of ssl parameters

f3a2d7b

Hakky54 added 2 commits June 22, 2023 10:51

Added consistency check

8fe4ec1

Adjusted method name

6c9aea6

Hakky54 merged commit fc1898f into master Jun 23, 2023

Hakky54 deleted the make-sslcontext-customizable branch June 23, 2023 07:38

Hakky54 mentioned this pull request Jul 20, 2023

Potential Regression in 8.1.3 (#4c16ca8) #362

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Make SSLContext customizable #360

Make SSLContext customizable #360

Hakky54 commented Jun 21, 2023

Hakky54 commented Jun 22, 2023 •

edited

Loading

sonarcloud bot commented Jun 22, 2023

woj-tek commented Jun 22, 2023

Make SSLContext customizable #360

Make SSLContext customizable #360

Conversation

Hakky54 commented Jun 21, 2023

Hakky54 commented Jun 22, 2023 • edited Loading

sonarcloud bot commented Jun 22, 2023

woj-tek commented Jun 22, 2023

Hakky54 commented Jun 22, 2023 •

edited

Loading