Problems connecting via HTTPS/SSL through own Java client
I\'m trying to establish a connection to trackobot.com to receive some JSON data. The server only allows connections through HTTPS/SSL. Here is the code:
jav
-
According to https://www.ssllabs.com, the server supports cipher suites
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHAThey are listed as "unavailable cipher suite" as you can see in the debug messages.
In the JRE/lib/security/local_policy.jar, we see
// Some countries have import limits on crypto strength. This policy file // is worldwide importable. grant { permission javax.crypto.CryptoPermission "DES", 64; permission javax.crypto.CryptoPermission "DESede", *; permission javax.crypto.CryptoPermission "RC2", 128, "javax.crypto.spec.RC2ParameterSpec", 128; permission javax.crypto.CryptoPermission "RC4", 128; permission javax.crypto.CryptoPermission "RC5", 128, "javax.crypto.spec.RC5ParameterSpec", *, 12, *; permission javax.crypto.CryptoPermission "RSA", *; permission javax.crypto.CryptoPermission *, 128; };Download and install "(JCE) Unlimited Strength Jurisdiction Policy Files" - http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html - and I can confirm that the problem is solved. The read me file says
Due to import control restrictions of some countries, the version of the JCE policy files that are bundled in the Java Runtime Environment, or JRE(TM), 8 environment allow "strong" but limited cryptography to be used. This download bundle (the one including this README file) provides "unlimited strength" policy files which contain no restrictions on cryptographic strengths.
讨论(0) -
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, ...
There are no AES256 cipher suites offered by you Java client.
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA
Because they are not available in your application. I'm not an Java expert but either these are not available in your Java or they need to be explicitly enabled. They are needed because the server only supports AES256 ciphers:
$ perl analyze-ssl.pl -v3 --all-ciphers trackobot.com ... * supported ciphers with SSLv23 handshake * TLSv1_2 ECDHE-RSA-AES256-GCM-SHA384 * TLSv1_2 ECDHE-RSA-AES256-SHA384 * TLSv1_2 ECDHE-RSA-AES256-SHA * TLSv1_2 DHE-RSA-AES256-GCM-SHA384 * TLSv1_2 DHE-RSA-AES256-SHA256 * TLSv1_2 DHE-RSA-AES256-SHAIt might be that the version of Java you use has no support for AES256 because of export regulations, see https://knowledge.safe.com/articles/Error_Unexpected_Behavior/Enabling-AES256-in-the-Java-Runtime-Environment-for-Single-Sign-On
讨论(0) -
You probably need upgrade your JDK, we had similar problem on our linux server. We tried different approaches. Nothing seemed to work including installing new JCE.
There is one bug in the JDK about SSL Connection HostnameVerifier that disables SNI extension causing a handshake failure: http://www.oracle.com/technetwork/java/javase/2col/8u141-bugfixes-3720387.html.
We upgraded to the latest jdk 8u162, everything looks good now.
讨论(0) -
Thanks to Steffen Ullrich's tipp I checked the ciphers java had available. Apparently, in Java 8 you don't have unlimited strength for your ciphers. For example, in my case my program couldn't use a AES 256bit cipher which the server required.
To solve this, oracle provides a bundle of policy files that allow for unlimited strength encryption. You can find it here.
The README states:
Due to import control restrictions of some countries, the version of the JCE policy files that are bundled in the Java Runtime Environment, or JRE(TM), 8 environment allow "strong" but limited cryptography to be used.
Just download the bundle and replace appropriate files as stated in the install instructions. After I did that, the handshake worked like a charm.
讨论(0)
加载中...
- 热议问题