可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效,请关闭广告屏蔽插件后再试):
问题:
When starting jetty-distribution-9.3.0.v20150612 with openjdk 1.8.0_51 running on an EC2 Amazon Linux machine, is prints that all configured ECDHE suites are not supported.
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not supported
These are enabled in jetty/etc/jetty-ssl-context.xml -
<Set name="IncludeCipherSuites"> <Array type="java.lang.String"> <!-- TLS 1.2 AEAD only (all are SHA-2 as well) --> <Item>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item> <Item>TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item> <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item> <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item> <Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item> <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item> ...
I read Oracle Java 8 should support these protocols, but maybe that's not supported by OpenJDK? Or should I enable it somehow?
Update
Oracle's JCE cryptographic provider is installed under jre/lib/security/, but it didn't help.
回答1:
So I'm running a similar setup, with an AWS box running openjdk-1.8.0.51. what solved it for me is to add bouncycastle as a provider like so:
Add the bcprov-<verion>.jar to /usr/lib/jvm/jre/lib/ext
Edit /usr/lib/jvm/jre/lib/security/java.security adding the following line to the list of providers:
security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider
(I added it as the 6th entry but you can add higher in the order if you prefer)
Restarted my application and was able to use EC-based cipher suites such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
回答2:
The root cause is that OpenJDK on CentOS/RHEL/Amazon Linux with OpenJDK on them simply do not ship with the required native libraries to support EC. The Unlimited Policy Files are a red herring, as are any attempts to un-disable various algorithms, etc. If the libraries aren't there, you can't use the features.
The accepted answer of "install Bouncy Castle" works because BC provides a pure-Java implementation of all the desired algorithms. Ideally, the JDK would provide native implementations which would yield higher performance.
It looks like OpenJDK on Amazon Linux will just have to wait. :(
Ref: http://armoredbarista.blogspot.de/2013/10/how-to-use-ecc-with-openjdk.html
Also: https://security.stackexchange.com/questions/117975/how-to-enable-ecdhe-in-openjdk-1-8-0-in-centos-6-7
UPDATE 2016-11-09
It seems that Oracle's Elliptic curve native library (libsunec.so) is licensed under the GPL. You can confirm this by going to Oracle's download page, clicking on Third Party Licenses, and checking the README for your version of Java.
This means that, if you can grab a copy of Oracle's JRE/JDK for the target platform and architecture, you can take the libsunec.so library from it and install it legally into the OpenJDK installation.
For me, that meant grabbing the file $JAVA_HOME/jre/lib/amd64/libsunec.so from an Oracle Java 8 JRE and dropping it into e.g. /usr/lib/jvm/jre-1.8.0/lib/amd64/. That is all that is required in order to enable Elliptic-Curve algorithms.
UPDATE 2018-03-08
Oracle Java 9 will include the "unlimited strength cryptography" libraries enabled by default, so that's nice. It looks like OpenJDK will still require you to set a system property to enable "unlimited strength cryptography".
回答3:
Try installing the JCE Unlimited Strength Jurisdiction Policy Files (these should help with your higher bit ciphers)
Also note, in the link you provided about java 8 cipher protocol support says
Cipher suites that use Elliptic Curve Cryptography (ECDSA, ECDH, ECDHE, ECDH_anon) require a JCE cryptographic provider ...
Did you install such a provider on your Java 8 VM?
回答4:
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not supported 2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not supported
Thes-e are enabled in jetty/etc/jetty-ssl-context.xm
