
Unable to reach HTTPS endpoint - Keystore generated using pyJKS #45

Open
vijayrcse opened this issue Sep 25, 2018 · 7 comments

Comments

@vijayrcse

I am developing a Spring Boot app and created a keystore file using pyJKS.

I used a certificate, certificate chain & private key.

The keystore.jks file is generated successfully. But when I deploy that in a Spring Boot app and try to access the endpoint using curl, I get the error below:

curl -v -k https://localhost:8181/

* timeout on name lookup is not supported
*   Trying 127.0.0.1...
  % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Connected to localhost (127.0.0.1) port 8181 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@strength
* successfully set certificate verify locations:
*   CAfile: C:/Developer/..../ca-bundle.crt
    CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* TLSv1.2 (IN), TLS header, Unknown (21):
{ [5 bytes data]
* TLSv1.2 (IN), TLS alert, Server hello (2):
{ [2 bytes data]
* error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error
  0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (35) error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error

Below is the code that I use to generate the keystore.

import jks

# Read the leaf certificate, the chain and the private key as raw bytes.
with open("Certificate.txt", "rb") as cert_file:
    cert = cert_file.read()

with open("Certificate_chain.txt", "rb") as cert_chain_file:
    cert_chain = cert_chain_file.read()

with open("private_key.txt", "rb") as private_key_file:
    private_key = private_key_file.read()

# Certificate list for the entry: leaf certificate first, then the chain.
certs = [cert, cert_chain]

# Build a private-key entry with alias "test" and save a JKS store
# protected with the password "test".
pke = jks.PrivateKeyEntry.new("test", certs, private_key, 'rsa_raw')
keystore = jks.KeyStore.new('jks', [pke])
keystore.save('./keystore.jks', 'test')

When I use the keytool command, the generated keystore works fine.

Can someone advise what could be wrong here?

@magnuswatn (Contributor)

I see that you are reading the certificates and keys from files named ".txt". What format are they in? If they are in PEM format, you must decode them first, see my answer here: #44 (comment)

If they are in binary format, what exception do you get on the Java app?

@vijayrcse (Author)

They are PEM files as text. I'm reading them as binary.

I don't get any exceptions in the Java app.

All I find is that no ciphers are supported by the server once it is up and running.

All ciphers sent by the client or browser are getting rejected in the handshake.

@magnuswatn (Contributor)

As I said, you can't load PEM files directly into the JKS keystore. That'll be your problem.

Try to decode them first, and I'm guessing it will work.
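The decoding step advised in the two replies above, as an added example that is not part of this issue or of pyjks itself. `pem_to_der`, `key_format_for`, `build_keystore` and `make_pem` are names chosen here; the `jks.PrivateKeyEntry.new`, `jks.KeyStore.new` and `save` calls are the ones already used in the issue, and `build_keystore` assumes pyjks is installed. A chain file is split into one DER certificate per PEM block, the key format is picked from the PEM label, and an encrypted key (the source of an "Enter PEM pass phrase" prompt) is rejected rather than silently wrapped.

```python
import base64
import re

# Every "-----BEGIN label-----" ... "-----END label-----" block in a PEM file.
_PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def pem_to_der(pem_bytes):
    """Return [(label, der_bytes), ...] for every block in a PEM file, in order.

    Encrypted keys are refused: pyjks needs the plaintext key bytes.
    """
    entries = []
    for match in _PEM_BLOCK.finditer(pem_bytes):
        label = match.group(1).decode("ascii")
        body = match.group(2)
        if "ENCRYPTED" in label or b"Proc-Type: 4,ENCRYPTED" in body:
            raise ValueError("encrypted key in PEM block %r; decrypt it first" % label)
        # Drop line breaks (LF or CRLF) so only the base64 payload remains.
        der = base64.b64decode(b"".join(body.split()), validate=True)
        entries.append((label, der))
    return entries

def key_format_for(label):
    """Map the private key's PEM label to the key_format string pyjks expects."""
    if label == "RSA PRIVATE KEY":   # PKCS#1 ("BEGIN RSA PRIVATE KEY")
        return "rsa_raw"
    if label == "PRIVATE KEY":       # PKCS#8 ("BEGIN PRIVATE KEY")
        return "pkcs8"
    raise ValueError("unsupported private key label: " + label)

def build_keystore(cert_pem, chain_pem, key_pem, alias, path, password):
    """Decode the three PEM inputs and write a JKS keystore (needs pyjks)."""
    import jks  # pip install pyjks
    # Leaf certificate first, then the chain in the order the file lists it.
    certs = [der for _, der in pem_to_der(cert_pem)]
    certs += [der for _, der in pem_to_der(chain_pem)]
    (label, key_der), = pem_to_der(key_pem)   # exactly one key block expected
    pke = jks.PrivateKeyEntry.new(alias, certs, key_der, key_format_for(label))
    ks = jks.KeyStore.new("jks", [pke])
    ks.save(path, password)
    return ks

def make_pem(label, payload):
    """Wrap arbitrary bytes in a PEM block (constructed test data, not a real cert)."""
    b64 = base64.b64encode(payload)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lbl = label.encode("ascii")
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (lbl, b"\n".join(lines), lbl)
```

Feed `build_keystore` the raw bytes of Certificate.txt, Certificate_chain.txt and private_key.txt to replace the direct `jks.PrivateKeyEntry.new(..., 'rsa_raw')` call on the undecoded files.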

@vijayrcse (Author)

Let me try that...

@vijayrcse (Author)

Thanks @magnuswatn for your help. This works now.
While I am running the Python program, every time it asks for a PEM pass phrase:

Enter PEM pass phrase:

Is there a way I can programmatically pass the value while generating the keystore?

@vijayrcse (Author) commented Sep 26, 2018

@magnuswatn please ignore, I found it.

I would like to add or contribute an example of this to the documentation. Is it possible? (A complete example of generating a keystore using certs.)

@magnuswatn (Contributor)

That's not up to me, but if you create a pull request, I'm sure it will be accepted. More documentation is never wrong :-)
