问题
In previous version of Java RC4 was enabled at that time my app worked fine but after Java 8 U 77 update it doesn't any more use the following ciphers which are need to work with one of my legacy servers.
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
I modified the java.security and the disabled algorithm section look like below,
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
Still I can't get the above suites working. Any idea of enabling them, I also tried adding them when running the application,
java -Djavax.net.debug=all -Djavax.net.debug=ssl:handshake:verbose -Dhttps.cipherSuites="TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5" <myApp>
Still no luck, Thanks in advance.
回答1:
The release notes of Oracle JRE 8u51 mention a new security property called jdk.tls.legacyAlgorithms
to which RC4 has been added:
RC4 is now considered as a weak cipher. Servers should not select RC4 unless there is no other stronger candidate in the client requested cipher suites. A new security property, jdk.tls.legacyAlgorithms, is added to define the legacy algorithms in Oracle JSSE implementation. RC4 related algorithms are added to the legacy algorithms list.
I assume that you have to remove RC4_40
from that property list in the java.security file to make it usable again.
回答2:
For fixing this issue what we have to do is to re enable RC4, and MD5 (both are now treated as compromised algorithms). That has to be done by modifying the “java.security” configuration ( by removing RC4 and MD5 from jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms ) file and re adding the above mentioned “Absences cipher suites” using the “SSLSocket/SSLEngine.setEnabledCipherSuites()”. For more information on re adding RC4 related ciphers please refer the Java 8 Update 60 (8u60) section of the java 8 release highlight (https://java.com/en/download/faq/release_changes.xml) and the following reference (http://bugs.java.com/view_bug.do?bug_id=8076221)
来源:https://stackoverflow.com/questions/36690997/rc4-related-issue-after-java-8-update