RC4 related issue after Java 8 update

好久不见. Submitted on 2020-01-06 03:16:25

Question


In previous versions of Java, RC4 was enabled and at that time my app worked fine, but after the Java 8 U 77 update it no longer uses the following ciphers, which are needed to work with one of my legacy servers.

TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5

I modified java.security, and the disabled algorithms section looks like this:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

I still can't get the above suites working. Any idea how to enable them? I also tried adding them when running the application:

java -Djavax.net.debug=all -Djavax.net.debug=ssl:handshake:verbose -Dhttps.cipherSuites="TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5" <myApp>

Still no luck. Thanks in advance.


Answer 1:


The release notes of Oracle JRE 8u51 mention a new security property called jdk.tls.legacyAlgorithms to which RC4 has been added:

RC4 is now considered as a weak cipher. Servers should not select RC4 unless there is no other stronger candidate in the client requested cipher suites. A new security property, jdk.tls.legacyAlgorithms, is added to define the legacy algorithms in Oracle JSSE implementation. RC4 related algorithms are added to the legacy algorithms list.

I assume that you have to remove RC4_40 from that property list in the java.security file to make it usable again.




Answer 2:


To fix this issue, what we have to do is re-enable RC4 and MD5 (both are now treated as compromised algorithms). That has to be done by modifying the “java.security” configuration file (by removing RC4 and MD5 from jdk.tls.disabledAlgorithms, jdk.certpath.disabledAlgorithms) and re-adding the above-mentioned “Absences cipher suites” using “SSLSocket/SSLEngine.setEnabledCipherSuites()”. For more information on re-adding RC4-related ciphers, please refer to the Java 8 Update 60 (8u60) section of the Java 8 release highlights (https://java.com/en/download/faq/release_changes.xml) and the following reference (http://bugs.java.com/view_bug.do?bug_id=8076221)
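
An added example, not part of the original answers: a Java 8 sketch of the approach Answer 2 describes, which strips RC4 entries from jdk.tls.disabledAlgorithms at startup and then enables only the needed RC4 suites on the one socket that talks to the legacy server, leaving every other connection on the JVM defaults. The class name, the two suites picked from the question's list, and the host/port arguments are assumptions.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class LegacyRc4Client {                       // hypothetical class name
    // Two of the suites listed in the question (assumed to be what the server needs).
    static final String[] WANTED = {
        "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "SSL_RSA_WITH_RC4_128_SHA" };

    // Drop every entry that mentions RC4 from a comma-separated property value.
    static String withoutRc4(String value) {
        List<String> kept = new ArrayList<>();
        for (String entry : value.split(",")) {
            String e = entry.trim();
            if (!e.isEmpty() && !e.toUpperCase().contains("RC4")) kept.add(e);
        }
        return String.join(", ", kept);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: this runs before any TLS class is used, because JSSE
        // caches the property on first use and ignores later changes.
        String prop = "jdk.tls.disabledAlgorithms";
        String before = Security.getProperty(prop);
        System.out.println(prop + " = " + before);
        if (before != null) Security.setProperty(prop, withoutRc4(before));

        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        List<String> supported = Arrays.asList(factory.getSupportedCipherSuites());
        List<String> enable = new ArrayList<>();
        for (String s : WANTED) {
            System.out.println(s + " supported=" + supported.contains(s));
            if (supported.contains(s)) enable.add(s); // unsupported names would throw
        }
        if (args.length < 2 || enable.isEmpty()) return; // report only, no connection

        // Scope RC4 to this single connection instead of changing JVM-wide defaults.
        try (SSLSocket socket =
                 (SSLSocket) factory.createSocket(args[0], Integer.parseInt(args[1]))) {
            socket.setEnabledCipherSuites(enable.toArray(new String[0]));
            socket.startHandshake();
            System.out.println("negotiated: " + socket.getSession().getCipherSuite());
        }
    }
}
```

Run without arguments it only reports the property value and whether each suite is supported; with a host and port it attempts the handshake and prints the negotiated suite.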



Source: https://stackoverflow.com/questions/36690997/rc4-related-issue-after-java-8-update
