EC2 Linux 机器上安装的 OpenJDK 8 不支持 ECDHE 密码套件
ECDHE cipher suites not supported on OpenJDK 8 installed on EC2 Linux machine
在 EC2 Amazon Linux 机器上使用 openjdk 1.8.0_51 运行 启动 jetty-distribution-9.3.0.v20150612 时,显示不支持所有配置的 ECDHE 套件。
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not supported
这些已在 jetty/etc/jetty-ssl-context.xml -
中启用
<Set name="IncludeCipherSuites">
<Array type="java.lang.String">
<!-- TLS 1.2 AEAD only (all are SHA-2 as well) -->
<Item>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
...
我阅读了 Oracle Java 8 should support these protocols,但也许 OpenJDK 不支持它?或者我应该以某种方式启用它?
更新
Oracle 的 JCE 加密提供程序安装在 jre/lib/security/ 下,但没有帮助。
尝试安装 JCE Unlimited Strength Jurisdiction Policy Files(这些应该有助于您的更高位密码)
另请注意,在 the link you provided about java 8 cipher protocol support 中说
Cipher suites that use Elliptic Curve Cryptography (ECDSA, ECDH, ECDHE, ECDH_anon) require a JCE cryptographic provider ...
您是否在 Java 8 VM 上安装了此类提供程序?
所以我是 运行 类似的设置,带有 AWS box 运行 openjdk-1.8.0.51。
为我解决的是像这样添加 bouncycastle 作为提供者:
将bcprov-<verion>.jar添加到/usr/lib/jvm/jre/lib/ext
编辑 /usr/lib/jvm/jre/lib/security/java.security 将以下行添加到提供商列表中:
security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider
(我将其添加为第 6 个条目,但如果您愿意,可以按更高的顺序添加)
重新启动我的应用程序并能够使用基于 EC 的密码套件,例如 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256。
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not supported
这些-e 在 jetty/etc/jetty-ssl-context.xm
中启用
根本原因是 CentOS/RHEL/Amazon Linux 上的 OpenJDK 和 OpenJDK 上的 OpenJDK 根本没有附带支持 EC 所需的本机库。 Unlimited Policy Files 是一个转移注意力的问题,任何 un 禁用各种算法的尝试也是如此。如果库不存在,你不能使用这些功能。
"install Bouncy Castle" 的公认答案有效,因为 BC 提供了所有所需算法的纯 Java 实现。理想情况下,JDK 将提供本机实现,从而产生更高的性能。
亚马逊 Linux 上的 OpenJDK 似乎只需要等待。 :(
参考:http://armoredbarista.blogspot.de/2013/10/how-to-use-ecc-with-openjdk.html
更新 2016-11-09
Oracle 的椭圆曲线本机库 (libsunec.so) 似乎是在 GPL 下获得许可的。您可以通过转至 Oracle's download page, clicking on Third Party Licenses 并检查您的 Java.
版本的自述文件来确认这一点
这意味着,如果您可以为目标平台和体系结构获取 Oracle JRE/JDK 的副本,则可以从中获取 libsunec.so 库并将其合法安装到 OpenJDK 安装.
对我来说,这意味着从 Oracle Java 8 JRE 中获取文件 $JAVA_HOME/jre/lib/amd64/libsunec.so 并将其放入例如/usr/lib/jvm/jre-1.8.0/lib/amd64/。这就是启用椭圆曲线算法所需的全部内容。
更新 2018-03-08
Oracle Java 9 将包括 "unlimited strength cryptography" 库 enabled by default, so that's nice. It looks like OpenJDK will still require you to set a system property to enable "unlimited strength cryptography".
在 EC2 Amazon Linux 机器上使用 openjdk 1.8.0_51 运行 启动 jetty-distribution-9.3.0.v20150612 时,显示不支持所有配置的 ECDHE 套件。
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not supported
这些已在 jetty/etc/jetty-ssl-context.xml -
<Set name="IncludeCipherSuites">
<Array type="java.lang.String">
<!-- TLS 1.2 AEAD only (all are SHA-2 as well) -->
<Item>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
...
我阅读了 Oracle Java 8 should support these protocols,但也许 OpenJDK 不支持它?或者我应该以某种方式启用它?
更新
Oracle 的 JCE 加密提供程序安装在 jre/lib/security/ 下,但没有帮助。
尝试安装 JCE Unlimited Strength Jurisdiction Policy Files(这些应该有助于您的更高位密码)
另请注意,在 the link you provided about java 8 cipher protocol support 中说
Cipher suites that use Elliptic Curve Cryptography (ECDSA, ECDH, ECDHE, ECDH_anon) require a JCE cryptographic provider ...
您是否在 Java 8 VM 上安装了此类提供程序?
所以我是 运行 类似的设置,带有 AWS box 运行 openjdk-1.8.0.51。 为我解决的是像这样添加 bouncycastle 作为提供者:
将
bcprov-<verion>.jar添加到/usr/lib/jvm/jre/lib/ext编辑
/usr/lib/jvm/jre/lib/security/java.security将以下行添加到提供商列表中:security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider
(我将其添加为第 6 个条目,但如果您愿意,可以按更高的顺序添加)
重新启动我的应用程序并能够使用基于 EC 的密码套件,例如 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256。
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not supported
这些-e 在 jetty/etc/jetty-ssl-context.xm
中启用根本原因是 CentOS/RHEL/Amazon Linux 上的 OpenJDK 和 OpenJDK 上的 OpenJDK 根本没有附带支持 EC 所需的本机库。 Unlimited Policy Files 是一个转移注意力的问题,任何 un 禁用各种算法的尝试也是如此。如果库不存在,你不能使用这些功能。
"install Bouncy Castle" 的公认答案有效,因为 BC 提供了所有所需算法的纯 Java 实现。理想情况下,JDK 将提供本机实现,从而产生更高的性能。
亚马逊 Linux 上的 OpenJDK 似乎只需要等待。 :(
参考:http://armoredbarista.blogspot.de/2013/10/how-to-use-ecc-with-openjdk.html
更新 2016-11-09
Oracle 的椭圆曲线本机库 (libsunec.so) 似乎是在 GPL 下获得许可的。您可以通过转至 Oracle's download page, clicking on Third Party Licenses 并检查您的 Java.
这意味着,如果您可以为目标平台和体系结构获取 Oracle JRE/JDK 的副本,则可以从中获取 libsunec.so 库并将其合法安装到 OpenJDK 安装.
对我来说,这意味着从 Oracle Java 8 JRE 中获取文件 $JAVA_HOME/jre/lib/amd64/libsunec.so 并将其放入例如/usr/lib/jvm/jre-1.8.0/lib/amd64/。这就是启用椭圆曲线算法所需的全部内容。
更新 2018-03-08
Oracle Java 9 将包括 "unlimited strength cryptography" 库 enabled by default, so that's nice. It looks like OpenJDK will still require you to set a system property to enable "unlimited strength cryptography".