Monday, December 24, 2018

A Simple HTTP Client Service Program


import java.io.IOException;
import java.util.Map;
import java.util.Map.Entry;

import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpDelete;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPatch;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpRequestBase;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.util.EntityUtils;

// IProtocolService is the author's own interface and is not shown on this page;
// it is assumed to declare the generic send(...) method implemented here.
public class HTTPClientService implements IProtocolService {

    @SuppressWarnings("unchecked")
    @Override
    public <T> T send(T t, String uri, String callMethod, Map<String, String> headers) {
        // Build the request for the requested method; POST and PATCH carry the payload as the entity.
        HttpRequestBase request;
        if (callMethod.equals("HTTP_POST")) {
            HttpPost post = new HttpPost(uri);
            post.setEntity(new StringEntity((String) t, "UTF-8"));
            request = post;
        } else if (callMethod.equals("HTTP_GET")) {
            request = new HttpGet(uri);
        } else if (callMethod.equals("HTTP_PATCH")) {
            HttpPatch patch = new HttpPatch(uri);
            patch.setEntity(new StringEntity((String) t, "UTF-8"));
            request = patch;
        } else if (callMethod.equals("HTTP_DELETE")) {
            request = new HttpDelete(uri);
        } else {
            throw new IllegalArgumentException("Unsupported call method: " + callMethod);
        }
        // Headers belong on the request, before it is executed
        // (the original version set them on the response, after the call had already completed).
        if (headers != null) {
            for (Entry<String, String> entry : headers.entrySet()) {
                request.setHeader(entry.getKey(), entry.getValue());
            }
        }
        // The client is Closeable; try-with-resources releases the underlying connections.
        try (CloseableHttpClient client = HttpClientBuilder.create().build()) {
            HttpResponse response = client.execute(request);
            // EntityUtils reads and consumes the response body; this replaces the
            // com.ibm.wsdl.util.IOUtils reader helper used in the original.
            String body = EntityUtils.toString(response.getEntity(), "UTF-8");
            System.out.println(body);
            return (T) body;
        } catch (IOException e) {
            e.printStackTrace();
        }
        return null;
    }

}

Enable SSL logs in Java

To enable SSL logs, add the JVM arguments below to your program.

The following JVM argument enables only the SSL logs:
-Djavax.net.debug=SSL

The following JVM argument turns on all JSSE debugging logs:
-Djavax.net.debug=ALL
Java command line:
$>    java -Djavax.net.debug=SSL SampleClass

Most IDEs have a Java VM arguments tab where you can add the above arguments so they are used at run time.

Sample Eclipse IDE:

Enabling TLSv1.2 protocol with Server - SSL handshake client hello failure

What are we trying here?
An SSL handshake with the server using TLSv1.2.

What happened?
The SSL handshake failed right after the client hello message was sent to the server.

What is expected?
After the client hello message is sent to the server, we expect the acknowledgement and server hello, followed by the usual SSL handshake steps (refer to "Complete SSL Handshake Flow" below).

Java debug VM arguments:
To enable SSL logs
-Djavax.net.debug=SSL
To enable all debug logs
-Djavax.net.debug=ALL

What's our analysis?
If you look at the client-side SSL handshake logs below, the actual client hello was sent to the server as an SSLv2-format message that tells the server the client can support up to TLSv1.2.

Client SSL handshake logs:
WRITE: TLSv1.2 Handshake, length = 329
WRITE: SSLv2 client hello message, length = 359

What solves it?
Force/limit our enabled protocol list to TLSv1.2 while establishing the handshake with the server.

sslEngine.setEnabledProtocols(new String[] {"TLSv1.2"});   // sslEngine is your SSLEngine instance; SSLSocket has the same method

Complete SSL Handshake Flow:

(SSL handshake flow diagram not reproduced.)

No trusted certificate found


What are we trying here?
We are trying to do an SSL handshake with the server using TLSv1.2 as the minimum protocol version.

What happened?
The SSL handshake flow below shows that the certs presented by the server are not found in our trusted repository.

Client hello ->
<- Server hello
<- Server certificate chain
Exception: No trusted cert found

What needs to be done?
Enable SSL logging by following the steps in "Enable SSL logs in Java" above.
In the startup logs you will find the trusted certs loaded from the trust store configured in your program; this lists every cert present in your truststore.

Trust Store Entries - Program Startup
adding as trusted cert:
  Subject: EMAILADDRESS=XXXX@XX.com, CN=QA Root CA, OU=Crypto Mgt, O="Test, Inc.", L=San Jose, ST=California, C=US
  Issuer:  EMAILADDRESS=XXXX@XX.com, CN=QA Root CA, OU=Crypto Mgt, O="Test, Inc.", L=San Jose, ST=California, C=US
  Algorithm: RSA; Serial number: 0xb53c709b41567e9d
  Valid from Tue Mar 26 23:08:23 IST 2013 until Sat Mar 20 23:08:23 IST 2038
Then check the server certs presented to your program in SSL lines like the sample below (*** marks lines that have been abstracted away) and verify that the cert presented by the server exists in your trust store.

Server Cert Chain - SSL Handshake
*** ClientHello, TLSv1.2
***
*** ServerHello, TLSv1.2
***
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: EMAILADDRESS=XXXX@XX.com, CN=QA Root CA, OU=Crypto Mgt, O="Test, Inc.", L=San Jose, ST=California, C=US
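As an added example that is not part of the original post, the small program below ties the two checks above together in code: it restricts the socket to TLSv1.2 and, whether or not the handshake succeeds, reports which certificates of the chain the server sent are present in your truststore. The class and trust-manager names are mine, and the host, port, truststore path and password are placeholder arguments; it assumes a JKS or PKCS12 truststore file.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Usage: java TlsTrustCheck <host> <port> <truststore.jks> <password>  (all four are placeholders)
public class TlsTrustCheck {
    // Records the chain the server presents, then defers to the real PKIX trust manager.
    // It adds no trust of its own: a chain the real manager rejects still fails the handshake.
    static class RecordingTrustManager implements X509TrustManager {
        final X509TrustManager delegate;
        X509Certificate[] seenChain;
        RecordingTrustManager(X509TrustManager d) { delegate = d; }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
            delegate.checkClientTrusted(c, a);
        }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            seenChain = c;                      // captured before validation can throw
            delegate.checkServerTrusted(c, a);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[2])) { ts.load(in, args[3].toCharArray()); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        RecordingTrustManager tm = new RecordingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            s.setEnabledProtocols(new String[] { "TLSv1.2" });   // same restriction as the fix above
            s.startHandshake();
            System.out.println("Handshake OK, negotiated " + s.getSession().getProtocol());
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
        }
        if (tm.seenChain == null) {
            System.out.println("No server certificate received; the failure happened before the Certificate message.");
            return;
        }
        for (X509Certificate c : tm.seenChain) {
            String alias = ts.getCertificateAlias(c);   // null when this exact cert is not in the store
            System.out.println((alias != null ? "in truststore as '" + alias + "': " : "NOT in truststore: ")
                    + c.getSubjectX500Principal() + "  (issuer " + c.getIssuerX500Principal() + ")");
        }
    }
}
```

A "NOT in truststore" line for every certificate in the chain is exactly the situation that produces the "No trusted cert found" exception above; a handshake that fails with no chain recorded points at a protocol-level problem like the SSLv2 client hello case instead.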