Is it possible to set the set cipher suite for a TLS connection when using TLSv1.3?

Question

Is it possible to set the set cipher suite for a TLS connection when using TLSv1.3?

I am developing an application where I am setting up a TLS connection between two devices. I am using TLSv1.3, but when I try to set the cipher suite like this:

String[] protocolCHACHA = new String[1];
protocolCHACHA[0]= "TLS_CHACHA20_POLY1305_SHA256";

String [] tlsVersion = new String[1];
tlsVersion [0] = "TLSv1.3";

SSLServerSocket serverSocket = (SSLServerSocket) serverSSLContext.getServerSocketFactory().createServerSocket(0);
serverSocket.setEnabledProtocols(tlsVersion);   
serverSocket.setEnabledCipherSuites(protocolCHACHA);

I get a javax.net.ssl.SSLHandshakeException

   2021-05-05 11:40:19.131 2932-15842/com.example.testaware W/System.err: javax.net.ssl.SSLHandshakeException: Handshake failed
2021-05-05 11:40:19.131 2932-15842/com.example.testaware W/System.err:     at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:305)
2021-05-05 11:40:19.131 2932-15842/com.example.testaware W/System.err:     at com.android.org.conscrypt.ConscryptFileDescriptorSocket.waitForHandshake(ConscryptFileDescriptorSocket.java:510)
2021-05-05 11:40:19.131 2932-15842/com.example.testaware W/System.err:     at com.android.org.conscrypt.ConscryptFileDescriptorSocket.getInputStream(ConscryptFileDescriptorSocket.java:473)
2021-05-05 11:40:19.131 2932-15842/com.example.testaware W/System.err:     at com.example.testaware.AppServer.lambda$new$0$AppServer(AppServer.java:124)
2021-05-05 11:40:19.131 2932-15842/com.example.testaware W/System.err:     at com.example.testaware.-$$Lambda$AppServer$vHnVsGrXrL1ybKsPtFi9r-AJTKQ.run(Unknown Source:8)
2021-05-05 11:40:19.131 2932-15842/com.example.testaware W/System.err:     at java.lang.Thread.run(Thread.java:919)
2021-05-05 11:40:19.131 2932-15842/com.example.testaware W/System.err: Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7282fc4908: Failure in SSL library, usually a protocol error
2021-05-05 11:40:19.131 2932-15842/com.example.testaware W/System.err: error:100000ae:SSL routines:OPENSSL_internal:NO_CERTIFICATE_SET (external/boringssl/src/ssl/tls13_server.cc:689 0x7278a83e6b:0x00000000)
2021-05-05 11:40:19.131 2932-15842/com.example.testaware W/System.err:     at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
2021-05-05 11:40:19.131 2932-15842/com.example.testaware W/System.err:     at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
2021-05-05 11:40:19.131 2932-15842/com.example.testaware W/System.err:     at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:234)
2021-05-05 11:40:19.131 2932-15842/com.example.testaware W/System.err:  ... 5 more

Does anybody know why? Is it not possible to decide which cipher suite to use? If I remove serverSocket.setEnabledCipherSuites(protocolCHACHA); I get no Exception.

android

encryption

sslhandshakeexception

tls1.3

asked on Stack Overflow May 5, 2021 by

Ellen W • edited May 5, 2021 by

Ellen W

1 Answer

According to Conscrypt's Capabilities documentation,

The TLS 1.3 cipher suites cannot be customized; they are always enabled when TLS 1.3 is enabled, and any attempt to disable them via a call to setEnabledCipherSuites() is ignored.

Though, I actually found this thread by Googling the same "NO_CERTIFICATE_SET" error message I was getting. My code was also attempting to set ciphers, so I think you just solved my problem.

answered on Stack Overflow May 5, 2021 by

ClintonFlowers • edited May 5, 2021 by

ClintonFlowers

User contributions licensed under CC BY-SA 3.0