SSLHandshakeException: no cipher suites in common

忘了有多久 2020-12-15 13:03

Followed the instructions here and recreated certificates that I previously incorrectly created. Something has changed as I am now seeing javax.net.ssl.SSLHandshakeExc

3 answers
  • 2020-12-15 13:57
    javax.net.ssl.SSLHandshakeException: no cipher suites in common
    

    This has two causes:

    1. The server doesn't have a private key and certificate, and possibly doesn't have a keystore at all. In such a case it can only use the insecure anonymous cipher suites, which are disabled by default, and should stay that way. So there is no cipher suite that it can agree to use with the client.

    2. Excessive restrictions on cipher suites imposed by client or server or both such that there can be no agreement.

    Re your keystores and truststores, that all looks OK except that you are doing four import steps where you only need two. You don't need to import the server's certificate into the server's own truststore, or the client's certificate into the client's truststore. You only need this:

    Server:

    $ keytool -import -v -trustcacerts -alias clientkey -file ../client/client.cer -keystore cacerts.jks -keypass p@ssw0rd -storepass p@ssw0rd
    

    Client:

    $ keytool -import -v -trustcacerts -alias serverkey -file ../server/server.cer -keystore cacerts.jks -keypass changeit -storepass changeit
    

    and you only need it because you're using a self-signed certificate. Simple solution: don't. Use a CA-signed certificate, which is trusted by the default truststore shipped with Java.

  • 2020-12-15 14:01

    I got this error when setting up SSL on a Cassandra cluster. The problem turned out to be in the documentation of version 2.0 when describing generating the keys:

    keytool -genkey -alias -keystore .keystore

    It omits the specification of RSA as the algorithm; it should be (see v1.2 docs):

    keytool -genkey -alias -keyalg RSA -keystore .keystore

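The two answers above point at the same underlying condition from different angles: the server keystore either has no private key entry at all (so only the disabled anonymous suites remain), or it has one whose algorithm no enabled cipher suite can use (older keytool versions default to DSA when -keyalg is omitted). The following is an added diagnostic, not code from either answerer, that opens a keystore and reports, per entry, whether any cipher suite enabled by default in the running JVM could authenticate with that key. The keystore path and password in main are placeholders; the suite-name matching rules are my own reading of the JSSE naming convention (TLS 1.2 and older encode the key type in the suite name, TLS 1.3 suites accept RSA or EC but not DSA).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.SSLContext;

public class KeyStoreSuiteCheck {

    // Can a cipher suite authenticate a server holding a private key of this algorithm?
    // TLS 1.2 and older encode the signature/key-exchange type in the suite name;
    // TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) accept RSA or EC keys but not DSA.
    static boolean suiteUsableWith(String suite, String keyAlg) {
        if (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_")) {
            return !"DSA".equals(keyAlg);
        }
        switch (keyAlg) {
            case "RSA": // TLS_RSA_*, TLS_DHE_RSA_*, TLS_ECDHE_RSA_*; static ECDH_RSA needs an EC key
                return suite.contains("_RSA_") && !suite.startsWith("TLS_ECDH_RSA_");
            case "EC":  // TLS_ECDHE_ECDSA_*, TLS_ECDH_ECDSA_*, TLS_ECDH_RSA_*
                return suite.contains("_ECDSA_") || suite.startsWith("TLS_ECDH_RSA_");
            case "DSA": // TLS_DHE_DSS_*
                return suite.contains("_DSS_");
            default:
                return false;
        }
    }

    // Suites enabled by default in this JVM that could be used with a key of keyAlg.
    static List<String> usableEnabledSuites(String keyAlg) throws Exception {
        List<String> usable = new ArrayList<>();
        for (String suite : SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites()) {
            if (suiteUsableWith(suite, keyAlg)) {
                usable.add(suite);
            }
        }
        return usable;
    }

    // Walk the keystore. Returns true only if it holds at least one private key
    // that some enabled cipher suite can use; prints a reason for each entry that cannot.
    static boolean check(String path, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        boolean ok = false;
        int privateKeys = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": trusted certificate only, cannot authenticate a server");
                continue;
            }
            Key key = ks.getKey(alias, keyPass);
            if (!(key instanceof PrivateKey)) {
                continue; // secret-key entries play no part in a TLS handshake
            }
            privateKeys++;
            String alg = key.getAlgorithm();
            List<String> usable = usableEnabledSuites(alg);
            System.out.printf("%s: %s private key, %d enabled suite(s) can use it%n",
                              alias, alg, usable.size());
            if (usable.isEmpty()) {
                System.out.println("  -> expect 'no cipher suites in common'; regenerate with -keyalg RSA (or EC)");
            }
            ok |= !usable.isEmpty();
        }
        if (privateKeys == 0) {
            System.out.println("No private key entry: only anonymous suites would remain, and they are disabled");
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and password; pass your own keystore and store/key password as arguments.
        String path = args.length > 0 ? args[0] : "server.jks";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        System.out.println(check(path, pass, pass) ? "OK" : "handshake would fail");
    }
}
```

Run it against the server's keystore with the same store password used for keytool. A keystore that holds only imported certificates (the four-import confusion from the first answer) prints no private key entry; one generated without -keyalg on an old keytool prints a DSA key with zero usable suites, which is exactly the case the second answer describes.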
  • 2020-12-15 14:01

    As an alternative to passing truststores as a JVM argument, -Djavax.net.ssl.trustStore=<cacerts_file.jks>, one can also add truststores to SSLContext and then create an SSLSocketFactory as in the following snippet:

    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManagerFactory;

    // privateKey: path to the client's keystore (its private key and certificate)
    // trustStore: path to the truststore holding the server's certificate
    SSLContext ctx = SSLContext.getInstance("TLS");

    // Key managers: the client's own identity, presented if the server requests client authentication
    KeyStore ks = KeyStore.getInstance("JKS");
    try (InputStream in = new FileInputStream(privateKey)) {
        ks.load(in, passPhrase.toCharArray());
    }
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    kmf.init(ks, passPhrase.toCharArray());

    // Trust managers: which server certificates this client accepts
    KeyStore trustKeyStore = KeyStore.getInstance("JKS");
    try (InputStream in = new FileInputStream(trustStore)) {
        trustKeyStore.load(in, trustPassPhrase.toCharArray());
    }
    TrustManagerFactory trustMgrFactory = TrustManagerFactory.getInstance("SunX509");
    trustMgrFactory.init(trustKeyStore);

    ctx.init(kmf.getKeyManagers(), trustMgrFactory.getTrustManagers(), null);

    SSLSocketFactory f = ctx.getSocketFactory();
    SSLSocket s = (SSLSocket) f.createSocket(serverIp, serverPort);
    

    Note: This client socket does both client as well as server authentication. If you want to disable client authentication, pass null as first argument while initializing SSLContext ctx.

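A raw SSLSocket built as in the snippet above does not check that the server's certificate matches the host name it connected to, and when the handshake fails it gives no hint of what this side offered. The following is an added example, not the answerer's code, that wraps the same SSLContext construction in a helper (with the null-key-manager variant the note mentions), enables hostname verification via the HTTPS endpoint identification rules, and on an SSLHandshakeException prints the client's enabled suites so they can be compared with the server's configuration. The file names, passwords, host and port in main are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class VerifiedTlsClient {

    // Build an SSLContext from an optional client keystore (identity) and a truststore.
    // keystorePath == null gives a context that presents no client certificate.
    static SSLContext buildContext(String keystorePath, char[] keyPass,
                                   String truststorePath, char[] trustPass) throws Exception {
        KeyManagerFactory kmf = null;
        if (keystorePath != null) {
            KeyStore ks = KeyStore.getInstance("JKS");
            try (InputStream in = new FileInputStream(keystorePath)) {
                ks.load(in, keyPass);
            }
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyPass);
        }
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, trustPass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Connect, verify the server name against its certificate, complete the handshake,
    // and return the negotiated protocol and cipher suite.
    static String connect(SSLContext ctx, String host, int port) throws Exception {
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            // Without this, a certificate that is trusted but issued for some other name is accepted.
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            try {
                s.startHandshake();
            } catch (SSLHandshakeException e) {
                // For "no cipher suites in common", compare this list with the server's enabled suites.
                System.err.println("Handshake failed: " + e.getMessage());
                System.err.println("Suites offered by this client: "
                        + String.join(", ", s.getEnabledCipherSuites()));
                throw e;
            }
            return s.getSession().getProtocol() + " " + s.getSession().getCipherSuite();
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder keystore/truststore names, passwords, host and port.
        SSLContext ctx = buildContext("client.jks", "changeit".toCharArray(),
                                      "cacerts.jks", "changeit".toCharArray());
        System.out.println("Negotiated: " + connect(ctx, "server.example", 8443));
    }
}
```

For the server-side view of the same failure, running either end with -Djavax.net.debug=ssl:handshake logs the suites each side offered and the point at which negotiation stopped.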