EC2 Linux机器上安装的OpenJDK 8不支持ECDHE密码套件

时间:2015-08-12 17:12:17

标签: jetty java-8 openjdk jce jetty-9

在EC2 Amazon Linux计算机上运行jetty-distribution-9.3.0.v20150612时启动openjdk 1.8.0_51,打印时不支持所有已配置的ECDHE套件。 

2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not supported

这些已在jetty/etc/jetty-ssl-context.xml -

中启用 
<Set name="IncludeCipherSuites">
<Array type="java.lang.String">
 <!-- TLS 1.2 AEAD only (all are SHA-2 as well) -->
  <Item>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
  <Item>TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
  <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
  <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
  <Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
  <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
...

我读过Oracle Java 8 should support these protocols,但OpenJDK可能不支持它?或者我应该以某种方式启用它?

更新

Oracle的JCE加密提供程序安装在jre/lib/security/下,但没有帮助。

4 个答案:

答案 0 :(得分:15)

所以我正在运行类似的设置,其中一个AWS框运行openjdk-1.8.0.51。 为我解决的是将bouncycastle添加为提供者,如下所示:

  • bcprov-<verion>.jar添加到/usr/lib/jvm/jre/lib/ext

  • 修改/usr/lib/jvm/jre/lib/security/java.security将以下行添加到提供商列表中:

    security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider

(我将其添加为第6个条目,但如果您愿意,可以在订单中添加更高的颜色)

重新启动了我的应用程序,并能够使用基于EC的密码套件,例如TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

答案 1 :(得分:8)

根本原因是CentOS / RHEL / Amazon Linux上带有OpenJDK的OpenJDK根本没有附带所需的本机库来支持EC。 Unlimited Policy Files 是一个红色的鲱鱼,任何 un -disable各种算法等的尝试都是如此。如果图书馆不在那里,你可以&#39 ; t使用这些功能。

&#34;安装Bouncy Castle&#34;因为BC提供了所有所需算法的纯Java实现,因此可以正常工作。理想情况下,JDK将提供可以产生更高性能的本机实现。

看起来亚马逊Linux上的OpenJDK只需要等待。 :(

参考:http://armoredbarista.blogspot.de/2013/10/how-to-use-ecc-with-openjdk.html

另外:https://security.stackexchange.com/questions/117975/how-to-enable-ecdhe-in-openjdk-1-8-0-in-centos-6-7

更新2016-11-09

似乎Oracle的Elliptic曲线原生库(libsunec.so)是根据GPL许可的。您可以转到Oracle's download page,单击Third Party Licenses,然后查看您的Java版本的自述文件来确认这一点。

这意味着,如果您可以获取目标平台和体系结构的Oracle JRE / JDK副本,则可以从中获取libsunec.so库并将其合法安装到OpenJDK安装中。

对我来说,这意味着从Oracle Java 8 JRE中抓取文件$JAVA_HOME/jre/lib/amd64/libsunec.so并将其放入例如/usr/lib/jvm/jre-1.8.0/lib/amd64/。这就是启用Elliptic-Curve算法所需的全部内容。

更新2018-03-08

Oracle Java 9将包含&#34;无限强度加密&#34;图书馆enabled by default,这样很好。看起来OpenJDK仍然需要你set a system property to enable "unlimited strength cryptography"

答案 2 :(得分:1)

尝试安装JCE Unlimited Strength Jurisdiction Policy Files(这些应该有助于您的更高位密码)

另请注意,在the link you provided about java 8 cipher protocol support中说

  

使用椭圆曲线密码术(ECDSA,ECDH,ECDHE,ECDH_anon)的密码套件需要JCE加密提供程序......

您是否在Java 8 VM上安装了这样的提供程序?

答案 3 :(得分:-1)

2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not supported

thes -e在jetty / etc / jetty-ssl-context.xm

中启用
相关问题
最新问题