
I am attempting to create and use self-signed certificates for a Spring Boot gateway application, but newer versions of some dependencies have exposed a flaw in my certificate generation. I believe that this is partially addressed (and better described) by "Java SSLHandshakeException: no cipher suites in common", but I do not understand the certificate process well enough to apply the answer to my situation.

In general, whenever I try to connect to my running application, I receive the error javax.net.ssl.SSLHandshakeException: no cipher suites in common. I am not explicitly setting or restricting cipher suites.

Certificate Creation

# 1. Private CA: RSA key plus a self-signed CA certificate valid for five years
openssl genrsa -out myCA.key 2048
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
# 2. Server key and certificate signing request
openssl genrsa -out dev.domain.com.key 2048
openssl req -new -key dev.domain.com.key -out dev.domain.com.csr
# 3. Sign the request with the CA, applying the extensions (SANs) from the ext file
vi dev.domain.com.ext # contents below
openssl x509 -req -in dev.domain.com.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out dev.domain.com.crt -days 1825 -sha256 -extfile dev.domain.com.ext
# 4. Bundle the server key and certificate as PKCS#12, then import that into a Java keystore
openssl pkcs12 -export -in dev.domain.com.crt -inkey dev.domain.com.key -out myserver.p12
keytool -importkeystore -srckeystore myserver.p12 -destkeystore selfsigned.keystore -srcstoretype pkcs12 -srcstorepass changeit
# 5. Add the CA certificate and the server certificate to the same keystore as trusted entries
keytool -import -trustcacerts -alias root -file myCA.pem -keystore selfsigned.keystore
keytool -import -trustcacerts -alias myserver -file dev.domain.com.crt -keystore selfsigned.keystore

Ext file contents

I'm using this file to provide subject alternative names to my self-signed certificate. I don't think this is related to the error, but am including it for completeness just in case.

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = unqualified hostname
DNS.2 = fully qualified hostname
DNS.3 = unqualified alias
DNS.4 = fully qualified alias

Usage

My actual configuration is fairly application-specific, but in general I am using selfsigned.keystore as my SSL_KEYSTORE and myCA.pem as my CERT_AUTHORITY_PEM.

Question

How can I create my self-signed certificates such that the entire chain is trusted by my application?

Daniel
  • *"no cipher suites in common"* - this error has nothing to do with certificate validation, i.e. it does not matter for this error that you use a self-signed certificate here. – Steffen Ullrich May 18 '22 at 19:53
  • Well, the same application works with a CA-generated certificate. – Daniel May 18 '22 at 19:57
  • Available ciphers depend on the certificate in only one aspect: ciphers requiring RSA-based authentication need an RSA certificate (which you have created), while ciphers requiring ECDSA authentication need an ECC certificate. I don't know if this is the difference in the other certificate you have, but in any case it is not about self-signed vs. CA-created. – Steffen Ullrich May 18 '22 at 20:05
  • Interesting; thanks for the clarification! That could definitely be it... time for more Google about ECC cert creation. – Daniel May 18 '22 at 20:10
  • This error usually arises when no certificate has been sent at all, or else when one or both peers have fiddled with the available cipher suites. – user207421 May 18 '22 at 23:57
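The certificate procedure from the question, carried through end to end as an added example (this is not code from the original post). It builds the private CA and the SAN-bearing server certificate, exports a PKCS#12 bundle that carries the CA certificate in the chain and a fixed alias, and then runs the checks a practitioner would want before the keystore ever reaches the JVM. Following the comment about RSA versus ECDSA cipher suites, the server key type is a parameter (rsa or ec) and the keyUsage is adjusted accordingly. The hostnames dev.domain.com and dev, the CA name "Example Dev CA", the file names, the alias myserver and the password changeit are all placeholders chosen for this example; keytool is not required for any of the checks.

```shell
#!/bin/sh
# Added example, not code from the original post: a self-contained version of
# the certificate procedure that ends with a PKCS#12 bundle carrying the full
# chain. Hostnames, CA name, file names, alias and password are placeholders.
set -eu

# A CA certificate needs CA:TRUE and keyCertSign; `req -x509` normally takes
# these from openssl.cnf, but writing them out explicitly makes the result
# independent of whatever configuration file happens to be installed.
make_ca() {            # make_ca <dir>
    dir=$1
    printf '%s\n' 'basicConstraints = critical,CA:TRUE' \
                  'keyUsage = critical,keyCertSign,cRLSign' \
                  'subjectKeyIdentifier = hash' > "$dir/ca.ext"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" -subj "/CN=Example Dev CA" -out "$dir/ca.csr"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 -days 1825 \
        -extfile "$dir/ca.ext" -out "$dir/ca.pem"
}

# Leaf certificate. <keytype> is rsa or ec: RSA-authenticated cipher suites
# need an RSA certificate, ECDSA-authenticated ones an EC certificate.
# keyEncipherment is an RSA-only key usage, so it is dropped for EC keys.
# Every remaining argument becomes one DNS entry in the SAN list.
make_server() {        # make_server <dir> <keytype> <host1> [host2 ...]
    dir=$1; keytype=$2; shift 2
    case "$keytype" in
        rsa) openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
             ku='digitalSignature, keyEncipherment' ;;
        ec)  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key"
             ku='digitalSignature' ;;
        *)   echo "unknown key type: $keytype" >&2; return 1 ;;
    esac
    {
        echo 'authorityKeyIdentifier = keyid,issuer'
        echo 'basicConstraints = CA:FALSE'
        echo "keyUsage = $ku"
        echo 'extendedKeyUsage = serverAuth'
        echo 'subjectAltName = @alt_names'
        echo '[alt_names]'
        i=1
        for h in "$@"; do echo "DNS.$i = $h"; i=$((i + 1)); done
    } > "$dir/server.ext"
    openssl req -new -key "$dir/server.key" -subj "/CN=$1" -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 1825 -extfile "$dir/server.ext" -out "$dir/server.crt"
}

# The bundle carries the CA certificate too (-certfile) and a fixed friendly
# name (-name); keytool turns that into the alias of a single PrivateKeyEntry
# whose chain already contains the CA, so no separate -import steps are needed.
bundle_p12() {         # bundle_p12 <dir> <password>
    openssl pkcs12 -export -in "$1/server.crt" -inkey "$1/server.key" \
        -certfile "$1/ca.pem" -name myserver -passout "pass:$2" -out "$1/server.p12"
}

# Checks worth running before the JVM ever sees the files.
verify_chain() {       # prints OK if the leaf validates for the sslserver purpose
    if openssl verify -CAfile "$1/ca.pem" -purpose sslserver "$1/server.crt" >/dev/null 2>&1
    then echo OK; else echo FAIL; fi
}
p12_cert_count() {     # number of certificates inside the bundle (expect 2)
    openssl pkcs12 -in "$1/server.p12" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}
server_key_type() {    # rsaEncryption or id-ecPublicKey
    openssl x509 -in "$1/server.crt" -noout -text \
        | sed -n 's/^ *Public Key Algorithm: *//p'
}
san_list() {           # e.g. "DNS:dev.domain.com, DNS:dev"
    openssl x509 -in "$1/server.crt" -noout -text \
        | sed -n '/Subject Alternative Name/{n;s/^ *//p;}'
}

main() {               # main [workdir]
    dir=${1:-$(mktemp -d)}
    make_ca "$dir"
    make_server "$dir" rsa dev.domain.com dev
    bundle_p12 "$dir" changeit
    echo "files in:      $dir"
    echo "chain:         $(verify_chain "$dir")"
    echo "certs in .p12: $(p12_cert_count "$dir" changeit)"
    echo "key type:      $(server_key_type "$dir")"
    echo "SAN:           $(san_list "$dir")"
}
main "$@"
```

Import the bundle with `keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass changeit -destkeystore selfsigned.keystore` and then inspect it with `keytool -list -v -keystore selfsigned.keystore`: the store should contain one entry of type PrivateKeyEntry under the alias myserver with "Certificate chain length: 2". Re-importing the server certificate as a trusted entry is then redundant, and the CA only needs to be present as a trusted entry if the same file also serves as the truststore. Whatever alias and passwords keytool reports are what `server.ssl.key-alias`, `server.ssl.key-store-password` and `server.ssl.key-password` must match; a server that finds no usable private-key entry has nothing to authenticate with, which is the "no certificate has been sent at all" case mentioned in the comments. If an older JDK's keytool refuses a .p12 written by OpenSSL 3, re-export it with `-legacy`, or with the pre-3.0 algorithms spelled out (`-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1`).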
