Hi Vincent, I got it to work :) But there seems to be some bugs in the Haskell server certificate handling. It seems that TLS do not transfer the ST (state, as in California) parameter in the X509 subject field. It also seems that the Haskell server do not send the email-address. The reason for my suspicion is that when I connect my Java client to the Haskell server, the client sees this certificate: *** Certificate chain chain [0] = [ [ Version: V3 Subject: OU=Head office, O=Mads Inc., C=DK, CN=192.168.1.6 Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 2048 bits modulus: 2222747914719126678758768988 (the modulus is longer, but I cut it down). public exponent: 65537 Validity: [From: Tue Dec 14 11:07:05 CET 2010, To: Fri Dec 13 11:07:05 CET 2013] Issuer: OU=Head office, O=Mads Inc., C=DK, CN=192.168.1.6 SerialNumber: [ e11f077d a534af39] ] Whereas, if I connect the Java client to the Java server I get this certificate: chain [0] = [ [ Version: V3 Subject: EMAILADDRESS=mads.lindstroem@gmail.com, CN=192.168.1.6, OU=Head office, O=Mads Inc., L=Copenhagen, ST=Denmark, C=DK Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 2048 bits modulus: 2222747914719126678758768988 (the modulus is longer, but I cut it down) public exponent: 65537 Validity: [From: Tue Dec 14 11:07:05 CET 2010, To: Fri Dec 13 11:07:05 CET 2013] Issuer: EMAILADDRESS=mads.lindstroem@gmail.com, CN=192.168.1.6, OU=Head office, O=Mads Inc., L=Copenhagen, ST=Denmark, C=DK SerialNumber: [ e11f077d a534af39] Certificate Extensions: 3 [1]: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: B3 F9 87 37 7D 80 53 2C F4 B1 B2 05 43 24 21 51 ...7..S,....C$!Q 0010: FD 37 4C C8 .7L. ] ] And without ST and/or email-address the Java client will not recognize the certificate. To avoid these problems I created a new certificate, using:
openssl req -new -x509 -key privkey.pem -subj "/OU=Head office, O=Mads Inc., C=DK, CN=192.168.1.6" -out cacert.pem -days 1095
That is, without email and without ST parameter. I then recreated the Java keystore. And now it works. Woohooo! I have attached the modified Java client, if anybody is interested in how to force SSL3 from Java. /Mads On Mon, 2010-12-13 at 08:51 +0000, Vincent Hanquez wrote:
On Sun, Dec 12, 2010 at 08:13:59PM +0100, Mads Lindstrøm wrote:
Hi Haskellers,
I am trying to connect a Java client to a Haskell server using the Haskell tls package, and things are not working out for me. There is a lot of steps involved and I do not know what I am doing wrong, so this is a long message. But first I create a private/public key-pair:
On Mon, Dec 13, 2010 at 01:22:17AM +0100, Mads Lindstrøm wrote:
Hi again,
I found a simpler way to test the server connection, but it is still not working. Namely,
openssl s_client -connect 192.168.1.6:8000
Hi Mads,
This one has to do with the fact that openssl try to send a SSLv2 hello message, which is not yet supported by TLS (and not in the supported Version list in the params if it was).
unfortunately lots of clients still do that for compatibility; even though that doesn't buy much since nobody should connect to a pure SSLv2 server.
For the openssl cmdline, you can add a simple -ssl3 flag or -tls1 flag to start negociating at the right version straight away.
[snip] main, WRITE: SSLv2 client hello message, length = 101 [snip]
This lines appears suspicious; I think that's exactly the same problem. I suppose there's a way to instanciate your java SSL connection to SSL3 or TLS1
It would be nice to add support to the SSLv2 hello message directly though, but I don't have any timeline for that to happens.