I recently ran into a few small SSL problems and am recording them here.
We have an SSL TCP server implemented in Java that provides SSL connections for clients (PC, Android, iOS). Recently, some users reported that their mobile app could not connect and log in, while other people's phones worked normally. Following up with one of them, we found that the phone was running Android 6.0. A search showed that in Android 6.0 Google replaced the original OpenSSL with its own BoringSSL, so we suspected that this was the cause.
Searching further for solutions to similar problems, I found the answer in reference [1]:
During the SSL/TLS handshake, if a cipher suite that uses Diffie-Hellman key exchange is selected, such as TLS_DHE_RSA_WITH_AES_128_CBC_SHA, the key exchange uses a parameter p (a prime number). Before JDK 8, the server side provided a p of only 768 bits. A prime shorter than 1024 bits is a security weakness that can lead to the Logjam attack, so it is rejected by the latest browser versions and by BoringSSL.
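To confirm this diagnosis from a packet capture, the check below parses a DHE ServerKeyExchange handshake message and reports the length of p. It is an added example, not code from the original post or from reference [1]; it assumes a DHE suite was negotiated (an ECDHE message has a different layout), and the function names and the sample messages are constructed for illustration.

```python
import struct

MIN_DH_BITS = 1024        # threshold cited above: shorter primes are rejected
SERVER_KEY_EXCHANGE = 12  # TLS handshake message type

def _read_vec16(buf, off):
    """Read a TLS opaque<1..2^16-1> vector: 2-byte length, then the data."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n

def parse_dhe_server_key_exchange(msg):
    """Parse ServerDHParams (dh_p, dh_g, dh_Ys) from a handshake message."""
    if len(msg) < 4 or msg[0] != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated handshake body")
    p, off = _read_vec16(body, 0)
    g, off = _read_vec16(body, off)
    ys, off = _read_vec16(body, off)
    # body[off:] is the server's signature over the parameters; not needed here.
    return {"p_bits": int.from_bytes(p, "big").bit_length(),
            "g": int.from_bytes(g, "big"),
            "ys_bytes": len(ys)}

def dh_prime_acceptable(msg, min_bits=MIN_DH_BITS):
    """True if the server's DH prime meets the minimum length."""
    return parse_dhe_server_key_exchange(msg)["p_bits"] >= min_bits

def build_sample(p_bits):
    """Constructed message for the demo: p is not a real prime, only its length matters."""
    p = ((1 << (p_bits - 1)) | 1).to_bytes(p_bits // 8, "big")
    params = b"".join(struct.pack("!H", len(v)) + v
                      for v in (p, b"\x02", b"\x01" * (p_bits // 8)))
    body = params + struct.pack("!H", 4) + b"\x00" * 4  # placeholder signature
    return bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for bits in (768, 1024, 2048):
        info = parse_dhe_server_key_exchange(build_sample(bits))
        verdict = "ok" if info["p_bits"] >= MIN_DH_BITS else "rejected (too short)"
        print(f"dh_p = {info['p_bits']} bits: {verdict}")
```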
Once we understood the reason, we had to upgrade the JDK from 6 to 8, which resolved the Android 6.0 SSL handshake failure. Not long afterwards, however, we discovered that APNs iOS push had stopped working: the SSL connection to the Apple push server failed, so no messages could be pushed. The only change had been the upgrade to JDK 8, so suspicion naturally fell on JDK 8.
Continuing to search on Google, I found someone who had hit the same problem and had already worked out the cause; see reference [2]:
The problem is the exported keystore (in PKCS12 format) contained the private key as well as the production certificate and the development certificate for push notifications. Java can use Keystores in the PKCS12 format. But Java 6 and Java 8 do not read in the KeyStore the same. It looks like Java 6 read in the production certificate for the private key and Java 8 read in the development certificate.
The solution is also simple: use the keytool provided by JDK 6 to convert the .p12 certificate to .jks format, then use the keytool provided by JDK 8 to convert the newly generated .jks certificate back to .p12 format. The conversion commands are as follows:
.p12 -> .jks
/JDK6/keytool -importkeystore -destkeystore apns.jks -srckeystore apns_jdk6.p12 -srcstoretype PKCS12
.jks -> .p12
/JDK8/keytool -importkeystore -srckeystore apns.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore apns_jdk8.p12
References
[1] liuxian233. Android 6.0 HTTPS connection SSL3_GET_SERVER_KEY_EXCHANGE:BAD_DH_P_LENGTH error issue
[2] Szediwy. Apple Push Notification with Java
[3] Ashish Parab. Apple Push Notification Service Certificate Issue with JDK 7