Using Apache Mina with SslFilter on Android

3
votes

I'm using apache mina to make a communication between my server and android client. Everything was fine when I was connecting via unsecured connection, but several days ago I decided to protect connection using ssl. Apache mina has a filter called SslFilter deigned to accomplish the task - it uses ssl context where we provide keystore and truststore to establish secure connection. Everything works like a charm, if I am using sslfilter with mina on client written for pc, but when I'm trying to use it on android - this is not so simple. First we have to import certificate extracted from server SUN formatted keystore , and convert it to match bouncy castle provider - because it seems this is the only security provider on android. Ok I can achieve this easily using keytool and a proper command. Then I'm loading truststore to context in android, just like on pc, and after connecting to server (Note that android client security provider is BouncyCastle while server security provider is SUN) I'm getting such logs on server:

86992 [NioProcessor-3] DEBUG AuthenticationManager - Session is closed :2 260628 [NioProcessor-1] DEBUG SslFilter - Adding the SSL Filter sslFilter to the chain 260629 [NioProcessor-1] DEBUG SslHandler - Session Server[3](no sslEngine) Initializing the SSL Han dler 260642 [NioProcessor-1] DEBUG SslHandler - Session Server[3](no sslEngine) SSL Handler Initializati on done. 260644 [NioProcessor-1] DEBUG SslFilter - Session Server3 : Starting the first handshake 260646 [NioProcessor-1] DEBUG SslHandler - Session Server3 processing the NEED_UNWRAP sta te 260703 [NioProcessor-1] DEBUG SslFilter - Session Server3: Message received : HeapBuffer[ pos=0 lim=78 cap=2048: 16 03 01 00 49 01 00 00 45 03 01 C4 C4 C4 C4 80...] 260704 [NioProcessor-1] DEBUG SslHandler - Session Server3 Processing the received messag e 260709 [NioProcessor-1] DEBUG SslHandler - Session Server3 processing the NEED_UNWRAP sta te 260709 [NioProcessor-1] DEBUG SslHandler - Session Server3 processing the NEED_TASK state

260710 [NioProcessor-1] DEBUG SslHandler - Session Server3 processing the NEED_WRAP state

260711 [NioProcessor-1] DEBUG SslFilter - Session Server3: Writing Message : WriteRequest : HeapBuffer[pos=0 lim=678 cap=1057: 16 03 01 02 A1 02 00 00 46 03 01 50 5C 17 25 F6...] 260711 [NioProcessor-1] DEBUG SslHandler - Session Server3 processing the NEED_UNWRAP sta te 260712 [NioProcessor-1] DEBUG SslFilter - Session Server3: Processing the SSL Data 260867 [NioProcessor-1] DEBUG SslFilter - Session Server3: Message received : HeapBuffer[ pos=0 lim=139 cap=2048: 16 03 01 00 86 10 00 00 82 00 80 10 B7 5D AC B3...] 260868 [NioProcessor-1] DEBUG SslHandler - Session Server3 Processing the received messag e 260868 [NioProcessor-1] DEBUG SslHandler - Session Server3 processing the NEED_UNWRAP sta te 260869 [NioProcessor-1] DEBUG SslHandler - Session Server3 processing the NEED_TASK state

260876 [NioProcessor-1] DEBUG SslHandler - Session Server3 processing the NEED_UNWRAP sta te 260877 [NioProcessor-1] DEBUG SslFilter - Session Server3: Processing the SSL Data 261133 [NioProcessor-1] DEBUG SslFilter - Session Server3: Message received : HeapBuffer[ pos=0 lim=43 cap=1024: 14 03 01 00 01 01 16 03 01 00 20 65 07 FB 0F 1B...] 261134 [NioProcessor-1] DEBUG SslHandler - Session Server3 Processing the received messag e 261135 [NioProcessor-1] DEBUG SslHandler - Session Server3 processing the NEED_UNWRAP sta te 261154 [NioProcessor-1] DEBUG SslHandler - Session Server3 processing the NEED_WRAP state

261157 [NioProcessor-1] DEBUG SslFilter - Session Server3: Writing Message : WriteRequest : HeapBuffer[pos=0 lim=6 cap=8: 14 03 01 00 01 01] 261158 [NioProcessor-1] DEBUG SslHandler - Session Server3 processing the NEED_WRAP state

261159 [NioProcessor-1] DEBUG SslFilter - Session Server3: Writing Message : WriteRequest : HeapBuffer[pos=0 lim=37 cap=66: 16 03 01 00 20 83 D9 81 59 21 9E 03 32 A3 49 17...] 261159 [NioProcessor-1] DEBUG SslHandler - Session Server3 processing the FINISHED state 261160 [NioProcessor-1] DEBUG SslHandler - Session Server3 is now secured 261160 [NioProcessor-1] DEBUG SslHandler - Session Server3 processing the FINISHED state 261161 [NioProcessor-1] DEBUG SslHandler - Session Server3 is now secured 261161 [NioProcessor-1] DEBUG SslFilter - Session Server3: Processing the SSL Data

As you can see - everything is fine.

261160 [NioProcessor-1] DEBUG SslHandler - Session Server3 is now secured 261160 [NioProcessor-1] DEBUG SslHandler - Session Server3 processing the FINISHED state 261161 [NioProcessor-1] DEBUG SslHandler - Session Server3 is now secured

The above listing shows that connection is now secured. SUCCESS !! HURAY !! but not at all, because after successfull SSL 'dance' android client tries to send a message just in the same way as pc client... and then nothing happens. Just nothing.. application hangs omewhere in the invocation of SslFiter encoding method.. server doesnt receives any message. I have heard that there are some issues with ssl on android - do You think it can be the case ?

One important note. I have tried also to change the provider on Server, I've imported BouncyCastle security provider into java extension providers to match the provider used on android, then I've registered it in java.security, The result is the same, even pc client which still uses SUN provider can successfully comunicate with Server with BouncyCastle provider - so I've ensured myself that is not the case.

The above, note is not valid. I was sure that I changed the provider to BC on server, but I figured it out that it is not truth. In fact, the apache mina hides some details about SSLContext creation, and the context was created using default provider which is sun provider (I'm a bit confused now, how BKS formatted store could be loaded correctly by SUN provider then). **In fact I cannot create SSLContext which uses TSL and BouncyCastle provider on my pc 

SSLContext cdt = SSLContext.getInstance("TLS", new BouncyCastleProvider());

or

SSLContext cdt = SSLContext.getInstance("TLS", "BC");

I'm getting following exception "java.security.NoSuchAlgorithmException: no such algorithm: TLS for provider BC" - it seems because BC is JCE provider and SSLContext belongs to JSSE. So I didnt prove myself my assumption that I have problems in android "bc provider" - server "sun provider" communication because of some provider specific algorithm differences during encryption when data is exchanged.**

If there is anyone who has faced similar problem with mina, android and ssl, I'd be thankful for any advice...

1
androidsslbouncycastleapache-mina
Did you manage to figure this out? I have a similar requirement (Mina on the server with SSLFilter and Android client)Carlos N

1 Answers

0
votes

Try setting the provider statically like so:

import org.bouncycastle.jce.provider.BouncyCastleProvider;

static {
    Security.addProvider(new BouncyCastleProvider());
}