B4J Question SSL Configuration

[gpa]

Hi...
I'm using this code Below) for an SSL connection to servers.
In some cases I get handshake errors.
I think I can resolve this by adjusting the exact protocol (eg TLS versions) and ciphersuites in use.

Can someone please advise how to adjust those parameters?

Thanks!

Private Sub CreateTrustAllSSLSocket (EventName As String) As Socket
    Dim socket As Socket
    socket.Initialize(EventName)
    Dim jo As JavaObject = socket
    jo.SetField("socket", CreateTrustAllSSLSocketFactory.RunMethod("createSocket", Null))
    Return socket
End Sub

Sub CreateTrustAllSSLSocketFactory As JavaObject
    Dim tm As CustomTrustManager
    tm.InitializeAcceptAll
    Dim SSLContext As JavaObject
    SSLContext = SSLContext.InitializeStatic("javax.net.ssl.SSLContext").RunMethod("getInstance", Array("TLS"))
    SSLContext.RunMethod("init", Array(Null, tm, Null))
    Dim Factory As JavaObject = SSLContext.RunMethod("getSocketFactory", Null)
    Return Factory
End Sub

 

[Erel]

This code has nothing to do with handshake issues. This code just makes the client skip the certificate verification.

 

[gpa]

Fair enough - so how do I set the protocol type / level and ciphersuites to use? I had thought it might be in additional SSLContext settings (which already refers to TLS)?

 

[Erel]

There isn't enough information to actually say anything. Are you able to reproduce it with a specific browser or client?

 

[gpa]

My program is the client. some of the servers I need to connect to don't support all ciphersuites and all TLS versions. In python toy can specify a subset of all TLS versions or ciphersuites to suit. This resolves the issue - by limiting to TLS1.2 and AES256 only for example in one case. I assume there must be a way to set the same limits in java / b4j.
Sadly I have no control over the server end!

 

[Erel]

This is not how SSL works. The client and server find a matching algorithm and settings if such are available. You don't need to specify a subset of the supported algorithms as you will just make the client weaker.

Where is the error message? Which protocols are supported by the server?

 

[gpa]

It is how it works - both sides negotiate from their own list of supported protocol, protocol levels and supported ciphersuites - but it is often necessary to limit the selection especially with legacy devices. Normal stuff in my universe! Sure it potentially makes the link weaker - but if that's needed to get a connection then that's what has to happen!
A typical error is helpfully "unsupported ciphersuite" or "handshake failure" reported on the server - not a lot of help!
I've found a bunch of settings available in the java context init though, so hopefully those will do it.