Bug #306: TLS 1.2 Support (closed, 0% done)
Description
We want to force the eID-Clients connecting to Governikus Autent to use TLS 1.2 in accordance with TR-0316-4 section 2.1:
For conformity with this Technical Guideline, at least TLS version 1.2 [15] must be supported. A TLS session must not exceed a lifetime of 2 days. This also applies when session resumption is used.
It looks like the Open eCard App does not support TLS 1.2 in version 1.0.5:
2014-05-30 17:41:04,016 [Thread-4] ERROR o.o.c.module.tctoken.TCTokenGrabber:-1 - Connecting to the TCToken-URL with TLSv1.1 failed. Falling back to TLSv1.0.
2014-05-30 17:41:04,039 [Thread-4] ERROR o.o.c.b.h.h.HttpTCTokenHandler:-1 - Failed to fetch TCToken.
org.openecard.control.module.tctoken.TCTokenException: Failed to fetch TCToken.
    at org.openecard.control.module.tctoken.GenericTCTokenHandler.parseTCTokenRequestURI(Unknown Source) ~[OpeneCardApp-1.0.5.jar:na]
    at org.openecard.control.module.tctoken.GenericTCTokenHandler.parseRequestURI(Unknown Source) ~[OpeneCardApp-1.0.5.jar:na]
    at org.openecard.control.binding.http.handler.HttpTCTokenHandler.handle(Unknown Source) [OpeneCardApp-1.0.5.jar:na]
    at org.openecard.apache.http.protocol.HttpService.doService(HttpService.java:375) [OpeneCardApp-1.0.5.jar:na]
    at org.openecard.apache.http.protocol.HttpService.handleRequest(HttpService.java:290) [OpeneCardApp-1.0.5.jar:na]
    at org.openecard.control.binding.http.HTTPService$1.run(Unknown Source) [OpeneCardApp-1.0.5.jar:na]
Caused by: java.net.ConnectException: Connection refused
    at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.7.0_60]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:339) ~[na:1.7.0_60]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:200) ~[na:1.7.0_60]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:182) ~[na:1.7.0_60]
    at java.net.Socket.connect(Socket.java:579) ~[na:1.7.0_60]
    at org.openecard.common.io.ProxySettings.getSocket(Unknown Source) ~[OpeneCardApp-1.0.5.jar:na]
    at org.openecard.control.module.tctoken.TCTokenGrabber.getStream(Unknown Source) ~[OpeneCardApp-1.0.5.jar:na]
    at org.openecard.control.module.tctoken.TCTokenGrabber.getResource(Unknown Source) ~[OpeneCardApp-1.0.5.jar:na]
    at org.openecard.control.module.tctoken.TCTokenGrabber.getResource(Unknown Source) ~[OpeneCardApp-1.0.5.jar:na]
    at org.openecard.control.module.tctoken.TCTokenFactory.generateTCToken(Unknown Source) ~[OpeneCardApp-1.0.5.jar:na]
    ... 6 common frames omitted
I tested this with our development server at: https://dev-demo.governikus-eid.de:8443/Autent-DemoApplication/
The software version installed there changes often and sometimes does not work.
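Added example (not Open eCard or Governikus code) showing the two requirements quoted from the guideline as checks a defender can run: a client context that refuses anything below TLS 1.2 instead of falling back, a session-lifetime check for the two-day limit, and a scanner that flags the "Falling back to TLSv1.0" message from the log excerpt above. The regex is written for that exact message; the sample log is constructed from the excerpt plus one unrelated line.

```python
"""TLS 1.2 minimum and 2-day session lifetime checks (added example, not project code)."""
import re
import ssl
from datetime import datetime, timedelta

MIN_TLS = (1, 2)                        # guideline section 2.1: at least TLS 1.2
MAX_SESSION_LIFETIME = timedelta(days=2)  # also applies to resumed sessions

# Matches the downgrade message seen in the Open eCard 1.0.5 log excerpt.
FALLBACK_RE = re.compile(
    r"Connecting to the TCToken-URL with (?P<tried>TLSv1(?:\.\d)?) failed\. "
    r"Falling back to (?P<fallback>TLSv1(?:\.\d)?)"
)

# Constructed sample: the first line is taken from the bug report, the second is filler.
SAMPLE_LOG = [
    "2014-05-30 17:41:04,016 [Thread-4] ERROR o.o.c.module.tctoken.TCTokenGrabber:-1 - "
    "Connecting to the TCToken-URL with TLSv1.1 failed. Falling back to TLSv1.0.",
    "2014-05-30 17:41:05,000 [Thread-4] INFO  o.o.c.module.tctoken.TCTokenGrabber:-1 - "
    "Fetching TCToken (constructed line).",
]


def tls_version_tuple(name: str) -> tuple:
    """'TLSv1.2' -> (1, 2); the bare name 'TLSv1' means TLS 1.0."""
    m = re.fullmatch(r"TLSv(\d+)(?:\.(\d+))?", name)
    if not m:
        raise ValueError(f"not a TLS version string: {name!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def version_is_compliant(name: str) -> bool:
    """True when the negotiated protocol meets the TLS 1.2 minimum."""
    return tls_version_tuple(name) >= MIN_TLS


def find_downgrades(log_lines) -> list:
    """Return (tried, fallback) pairs; every hit is a connection below the minimum."""
    hits = []
    for line in log_lines:
        m = FALLBACK_RE.search(line)
        if m:
            hits.append((m.group("tried"), m.group("fallback")))
    return hits


def strict_client_context() -> ssl.SSLContext:
    """Client context that fails closed below TLS 1.2 rather than falling back."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def session_still_valid(established_iso: str, now_iso: str) -> bool:
    """A session, resumed or not, must be re-established once it is two days old."""
    established = datetime.fromisoformat(established_iso)
    now = datetime.fromisoformat(now_iso)
    return now - established <= MAX_SESSION_LIFETIME


if __name__ == "__main__":
    for tried, fallback in find_downgrades(SAMPLE_LOG):
        print(f"downgrade: tried {tried}, fell back to {fallback}, "
              f"compliant={version_is_compliant(fallback)}")
    print("strict context minimum:", strict_client_context().minimum_version.name)
```

The point of the strict context is that a client built this way reports a handshake failure against a server that only offers TLS 1.0 or 1.1, which is the behaviour the guideline calls for; the log scanner turns the fallback message the 1.0.5 client currently prints into a detectable event until that client is updated.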
Updated by Hauke Mehrtens over 10 years ago
Sorry, I misconfigured some network setting that broke this use case, and your error message when you cannot connect to the server at all is a little bit misleading. But I still see that you are using TLS 1.1 for your SSL connections and not TLS 1.2.
Updated by Tobias Wich over 10 years ago
TLS 1.2 support is missing in version 1.0.5 because this was only added to bouncycastle in a later release. The current development version has a fix for that already.
It is available for non production use under http://jnlp-dev.openecard.org.
Unless there are problems with current production eID Servers or eServices we do not plan to fix this in version 1.0.x.