Enabled ciphers on Ubuntu OpenJDK 7

匿名 (未验证) 提交于 2019-12-03 02:20:02

问题:

I wrote the following Java program to dump the enabled ciphers in the JVM:

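import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Prints the cipher suites that the JSSE provider supports and the subset that is enabled by
 * default on a client socket created from a {@code "TLSv1"} {@link SSLContext}.
 *
 * <p>"Supported" does not mean "safe to enable". The supported list is everything the provider
 * can be configured to use and may include anonymous, NULL-encryption and export-grade suites;
 * only the enabled list is what a socket offers without further configuration. Do not feed
 * {@code getSupportedCipherSuites()} back into {@code setEnabledCipherSuites()}.
 */
public class ListCiphers {

    /**
     * Builds a TLSv1 context with an empty trust store, opens a socket to a fixed host and prints
     * the supported and the enabled cipher suites of that socket.
     *
     * @param args unused
     * @throws Exception if the context cannot be created or the TCP connection fails
     */
    public static void main(String[] args) throws Exception {
        // The protocol name selects the context implementation, which in turn decides which
        // suites end up enabled; a "TLSv1" context is what the listing below describes.
        SSLContext ctx = SSLContext.getInstance("TLSv1");

        // Use an empty trust store so the default CA bundle is not loaded. load(null, null)
        // initializes the keystore as empty; the original passed it to init() uninitialized.
        // With no trust anchors, a handshake on this context cannot validate any peer, so the
        // socket below is only queried for its configuration and never used for data.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(ks);
        ctx.init(null, tmf.getTrustManagers(), null);

        // createSocket(host, port) opens a TCP connection; close it when done (the original
        // leaked the socket). Nothing here reads, writes or calls startHandshake().
        try (SSLSocket socket =
                (SSLSocket) ctx.getSocketFactory().createSocket("mozilla.org", 443)) {
            printSupportedCiphers(socket);
            printEnabledCiphers(socket);
        }
    }

    /** Prints every suite the socket could be configured to use, enabled or not. */
    private static void printSupportedCiphers(SSLSocket socket) {
        printInfos("Supported cipher suites", socket.getSupportedCipherSuites());
    }

    /** Prints the suites the socket currently has enabled. */
    private static void printEnabledCiphers(SSLSocket socket) {
        printInfos("Enabled cipher suites", socket.getEnabledCipherSuites());
    }

    /**
     * Prints a heading followed by one indented line per value.
     *
     * @param prefix heading text, printed with a trailing colon
     * @param values entries to list
     */
    private static void printInfos(String prefix, String[] values) {
        System.out.println(prefix + ":");
        for (String value : values) {
            System.out.println("  " + value);
        }
    }
}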

When I run this program on Ubuntu 12.04.3 with openjdk-7-jre/amd64 7u25-2.3.10-1ubuntu0.12.04.2 (/usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java) with debugging enabled, I get the following output:

$ /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java -Djavax.net.debug=all ListCiphers trigger seeding of SecureRandom done seeding SecureRandom Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 Allow unsafe renegotiation: false Allow legacy hello messages: true Is initial handshake: true Is secure renegotiation: false Supported cipher suites:   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384   TLS_RSA_WITH_AES_256_CBC_SHA256   TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256   TLS_DHE_DSS_WITH_AES_256_CBC_SHA256   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   TLS_RSA_WITH_AES_256_CBC_SHA   TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA   TLS_DHE_RSA_WITH_AES_256_CBC_SHA   TLS_DHE_DSS_WITH_AES_256_CBC_SHA   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256   TLS_RSA_WITH_AES_128_CBC_SHA256   TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256   
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256   TLS_DHE_DSS_WITH_AES_128_CBC_SHA256   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   TLS_RSA_WITH_AES_128_CBC_SHA   TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA   TLS_DHE_RSA_WITH_AES_128_CBC_SHA   TLS_DHE_DSS_WITH_AES_128_CBC_SHA   TLS_ECDHE_ECDSA_WITH_RC4_128_SHA   TLS_ECDHE_RSA_WITH_RC4_128_SHA   SSL_RSA_WITH_RC4_128_SHA   TLS_ECDH_ECDSA_WITH_RC4_128_SHA   TLS_ECDH_RSA_WITH_RC4_128_SHA   TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA   SSL_RSA_WITH_3DES_EDE_CBC_SHA   TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA   TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA   SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA   SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA   SSL_RSA_WITH_RC4_128_MD5   TLS_EMPTY_RENEGOTIATION_INFO_SCSV   TLS_DH_anon_WITH_AES_256_CBC_SHA256   TLS_ECDH_anon_WITH_AES_256_CBC_SHA   TLS_DH_anon_WITH_AES_256_CBC_SHA   TLS_DH_anon_WITH_AES_128_CBC_SHA256   TLS_ECDH_anon_WITH_AES_128_CBC_SHA   TLS_DH_anon_WITH_AES_128_CBC_SHA   TLS_ECDH_anon_WITH_RC4_128_SHA   SSL_DH_anon_WITH_RC4_128_MD5   TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA   SSL_DH_anon_WITH_3DES_EDE_CBC_SHA   TLS_RSA_WITH_NULL_SHA256   TLS_ECDHE_ECDSA_WITH_NULL_SHA   TLS_ECDHE_RSA_WITH_NULL_SHA   SSL_RSA_WITH_NULL_SHA   TLS_ECDH_ECDSA_WITH_NULL_SHA   TLS_ECDH_RSA_WITH_NULL_SHA   TLS_ECDH_anon_WITH_NULL_SHA   SSL_RSA_WITH_NULL_MD5   SSL_RSA_WITH_DES_CBC_SHA   SSL_DHE_RSA_WITH_DES_CBC_SHA   SSL_DHE_DSS_WITH_DES_CBC_SHA   SSL_DH_anon_WITH_DES_CBC_SHA   SSL_RSA_EXPORT_WITH_RC4_40_MD5   SSL_DH_anon_EXPORT_WITH_RC4_40_MD5   SSL_RSA_EXPORT_WITH_DES40_CBC_SHA   SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA   SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA   SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA   TLS_KRB5_WITH_RC4_128_SHA   TLS_KRB5_WITH_RC4_128_MD5   TLS_KRB5_WITH_3DES_EDE_CBC_SHA   TLS_KRB5_WITH_3DES_EDE_CBC_MD5   TLS_KRB5_WITH_DES_CBC_SHA   TLS_KRB5_WITH_DES_CBC_MD5   TLS_KRB5_EXPORT_WITH_RC4_40_SHA   
TLS_KRB5_EXPORT_WITH_RC4_40_MD5   TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA   TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 Enabled cipher suites:   TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   TLS_RSA_WITH_AES_256_CBC_SHA   TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA   TLS_ECDH_RSA_WITH_AES_256_CBC_SHA   TLS_DHE_RSA_WITH_AES_256_CBC_SHA   TLS_DHE_DSS_WITH_AES_256_CBC_SHA   TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA   TLS_RSA_WITH_AES_128_CBC_SHA   TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA   TLS_ECDH_RSA_WITH_AES_128_CBC_SHA   TLS_DHE_RSA_WITH_AES_128_CBC_SHA   TLS_DHE_DSS_WITH_AES_128_CBC_SHA   TLS_ECDHE_ECDSA_WITH_RC4_128_SHA   TLS_ECDHE_RSA_WITH_RC4_128_SHA   SSL_RSA_WITH_RC4_128_SHA   TLS_ECDH_ECDSA_WITH_RC4_128_SHA   TLS_ECDH_RSA_WITH_RC4_128_SHA   TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA   SSL_RSA_WITH_3DES_EDE_CBC_SHA   TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA   TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA   SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA   SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA   SSL_RSA_WITH_RC4_128_MD5   TLS_EMPTY_RENEGOTIATION_INFO_SCSV 

I find it strange that the debugging log reports some cipher suites as unsupported, yet they still appear in the supported list returned by getSupportedCipherSuites().

Is there something wrong on my platform?

回答1:

I think you're right and the warning message is not helpful. If you look at the code in sun.security.ssl.SSLContextImpl where it's generated:

        // Excerpt from sun.security.ssl.SSLContextImpl; elided parts are marked "snip".
        // The loop walks allowedCipherSuites and accepts a suite only when it is available
        // and its obsoleted/supported values fit inside the protocols.min / protocols.max range.
        // NOTE(review): suite.supported and suite.obsoleted look like protocol-version bounds
        // for the suite (first version that has it / version that drops it) - confirm in the JDK.
        for (CipherSuite suite : allowedCipherSuites) {
            /* snip */

            if (suite.isAvailable() &&
                    suite.obsoleted > protocols.min.v &&
                    suite.supported <= protocols.max.v) {
                /* snip */
            } else if (debug != null &&
                    Debug.isOn("sslctx") && Debug.isOn("verbose")) {
                // Diagnostics only: reached when the suite was rejected above and verbose
                // sslctx debugging is on. The message names which of the three checks failed.
                if (suite.obsoleted <= protocols.min.v) {
                    System.out.println(
                        "Ignoring obsoleted cipher suite: " + suite);
                } else if (suite.supported > protocols.max.v) {
                    // "unsupported" is relative to protocols.max of this protocol list,
                    // not a statement that the provider lacks the suite.
                    System.out.println(
                        "Ignoring unsupported cipher suite: " + suite);
                } else {
                    // Neither version check failed, so isAvailable() must have been false.
                    System.out.println(
                        "Ignoring unavailable cipher suite: " + suite);
                }
            }
        }

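It's looping through the allowed cipher suites, not the supported ones. The "unsupported" message is printed when suite.supported > protocols.max.v, so it is relative to the protocol range being evaluated rather than to what the provider implements. That would explain why only the *_SHA256 and *_SHA384 suites, which require TLS 1.2, are reported for a context created with "TLSv1" while still appearing in getSupportedCipherSuites().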


