
Why am I getting "Ignoring unavailable cipher suite" and "no cipher suites in common" errors when using `SSLContext.init` with a null KeyManager array?

Barbara Streisand
2024-11-01 08:52:02


You're initializing your SSLContext with a null KeyManager array.

The key manager is what handles the server certificate (on the server side), and this is what you're probably aiming to set when using javax.net.ssl.keyStore.

However, as described in the JSSE Reference Guide, using null for the first parameter doesn't do what you seem to think it does:

If the KeyManager[] parameter is null, then an empty KeyManager will
be defined for this context. If the TrustManager[] parameter is null,
the installed security providers will be searched for the
highest-priority implementation of the TrustManagerFactory, from which
an appropriate TrustManager will be obtained. Likewise, the
SecureRandom parameter may be null, in which case a default
implementation will be used.

An empty KeyManager doesn't contain any RSA or DSA certificates. Therefore, all the default cipher suites that would rely on such a certificate are disabled. This is why you get all these "Ignoring unavailable cipher suite" messages, which ultimately result in a "no cipher suites in common" message.

If you want your keystore to be used as a keystore, you'll need to load it and initialise a KeyManagerFactory with it:

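    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;

    // Load the keystore that holds the server's private key and certificate.
    KeyStore ks = KeyStore.getInstance("JKS");
    InputStream ksIs = new FileInputStream("...");
    try {
        ks.load(ksIs, "password".toCharArray());
    } finally {
        if (ksIs != null) {
            ksIs.close();
        }
    }

    // Build key managers backed by that keystore.
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory
        .getDefaultAlgorithm());
    kmf.init(ks, "keypassword".toCharArray());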

Use kmf.getKeyManagers() as the first parameter to SSLContext.init().

For the other two parameters, since you're visibly not requesting client-certificate authentication, you should leave the trust manager to its default value (null) instead of copying/pasting a trust manager that's a potential cause of vulnerability, and you can also use the default null SecureRandom.
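The whole setup with a fail-fast check, as an added example that is not code from the original article: it initialises the context with real key managers plus the default (null) trust manager and SecureRandom, and refuses to continue when the key managers cannot offer any server certificate, which is the condition that otherwise only shows up later as "no cipher suites in common". The class and method names (`ServerContextCheck`, `hasServerKey`, `serverContext`) and the list of key types checked are assumptions made for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;
// Added example; class and method names are hypothetical, not from the article.
public class ServerContextCheck {
    // True if any key manager can offer a server certificate for a common key type.
    static boolean hasServerKey(KeyManager[] kms) {
        for (KeyManager km : kms) {
            if (!(km instanceof X509KeyManager)) continue;
            for (String keyType : new String[] {"RSA", "DSA", "EC"}) {
                String[] aliases = ((X509KeyManager) km).getServerAliases(keyType, null);
                if (aliases != null && aliases.length > 0) return true;
            }
        }
        return false;
    }

    // Real key managers; default trust manager (null) and default SecureRandom (null).
    static SSLContext serverContext(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        KeyManager[] kms = kmf.getKeyManagers();
        if (!hasServerKey(kms)) {
            throw new IllegalStateException("no private-key entry usable as a server certificate");
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        char[] keyPassword = new char[0];
        if (args.length == 3) { // <keystore path> <store password> <key password>
            try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
                ks.load(in, args[1].toCharArray());
            }
            keyPassword = args[2].toCharArray();
        } else {
            ks.load(null, null); // constructed empty keystore: reproduces the empty KeyManager
        }
        serverContext(ks, keyPassword); // throws IllegalStateException for the empty keystore
        System.out.println("SSLContext initialised with a server key");
    }
}
```

Run without arguments, it builds key managers from a constructed empty keystore and stops with the exception; run with a keystore path and both passwords, it reports success only when a private-key entry is present.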
