
Unsupported SSL ciphersuite

I am trying to use some custom SSL cipher suites. Specifically my list is

<util:list id="ciphers" value-type="java.lang.String">
    <value>DHE-RSA-AES256-SHA</value>
    <value>DHE-DSS-AES256-SHA</value>
    <value>DHE-RSA-CAMELLIA256-SHA</value>
    <value>DHE-DSS-CAMELLIA256-SHA</value>
    <value>AES256-SHA</value>
    <value>CAMELLIA256-SHA</value>
    <value>SSL_RSA_WITH_RC4_128_MD5</value>    <!-- this is the only one working -->
    <value>PSK-AES256-CBC-SHA</value>
    <value>EDH-RSA-DES-CBC3-SHA</value>
    <value>EDH-DSS-DES-CBC3-SHA</value>
    <value>DES-CBC3-SHA</value>
    <value>PSK-3DES-EDE-CBC-SHA</value>
    <value>DHE-RSA-AES128-SHA</value>
    <value>DHE-DSS-AES128-SHA</value>
    <value>DHE-RSA-CAMELLIA128-SHA</value>
    <value>DHE-DSS-CAMELLIA128-SHA</value>
    <value>AES128-SHA</value>
    <value>CAMELLIA128-SHA</value>
    <value>PSK-AES128-CBC-SHA</value>
</util:list>

initialized by Spring and passed to the method

tlsClientParameters.setCipherSuites()

Unfortunately my client fails to connect to a stub server that I have created. The exception I am getting is:

Caused by: java.lang.IllegalArgumentException: Unsupported ciphersuite DHE-RSA-AES256-SHA
at com.sun.net.ssl.internal.ssl.CipherSuite.valueOf(CipherSuite.java:171)
at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(CipherSuiteList.java:62)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setEnabledCipherSuites(SSLSocketImpl.java:1977)
at org.apache.cxf.transport.https.SSLSocketFactoryWrapper.enableCipherSuites(SSLSocketFactoryWrapper.java:101)
at org.apache.cxf.transport.https.SSLSocketFactoryWrapper.createSocket(SSLSocketFactoryWrapper.java:71)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:372)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:883)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1394)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1336)
at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1414)
... 41 more

When I tried removing the cipher suites one by one, the same exception kept appearing with a different cipher every time, until there was only SSL_RSA_WITH_RC4_128_MD5 left. This is the only one that seems to be working.

I had a look at "How to control the SSL ciphers available to Tomcat", which seems an identical issue, but I don't have any whitespaces.

Edit: as a sidenote, my system is running on Java 1.5. Could it be that these ciphers are just not supported at this Java version? If not, is there a way around this?

Update: We migrated to Java 7 and I am still getting the same issue. I think that it's related to one of the answers below saying that these are not the standard names for the ciphers, and are thus not recognized by Java. If that is the case, how can I find the standard names for these ciphers?

Could it be that these ciphers are just not supported at this java version?

Certainly. The available cipher suites are documented. See the Standard Names document.

If not, is there a way around this?

Not unless you can find another implementation that supports them.

Check out:

Sun Providers.

Also,

By default the local_policy.jar and US_export_policy.jar under jre_home/lib/security/ might not "enable" the cipher suites you want.

To enable them, replace those two files with the ones found here: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 Download.

You should not be able to use the cipher suites supported under Sun Providers.

Make sure that the cipher suite descriptions match the ones under the Sun Providers.

For future reference, the list of ciphers I was using was from openssl and they were generated by

openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:+HIGH:-MEDIUM:-LOW:-KRB5'

I never found how to translate the openssl list of ciphers to the Java 7 supported ones (or confirm whether they are the same ciphers, just under different names). I just changed my ciphers list to be the list provided here by Java

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

and everything worked okay.

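import java.io.IOException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class ListSupported {
  public static void main(String[] args) throws IOException {
    // Get the SSLServerSocket (unbound; it is only used to query the provider)
    SSLServerSocketFactory ssl;
    SSLServerSocket sslServerSocket;
    ssl = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
    sslServerSocket = (SSLServerSocket) ssl.createServerSocket();

    // Get the list of all supported cipher suites.
    String[] cipherSuites = sslServerSocket.getSupportedCipherSuites();
    for (String suite : cipherSuites)
      System.out.println(suite);

    // Get the list of all supported protocols.
    String[] protocols = sslServerSocket.getSupportedProtocols();
    for (String protocol : protocols)
      System.out.println(protocol);

    // Release the socket once the lists have been printed.
    sslServerSocket.close();
  }
}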
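
Added example (not part of the original posts): the thread leaves open how to get from OpenSSL cipher names to the names Java accepts. The sketch below maps part of the asker's list to JSSE standard names and keeps only those the running JRE reports as supported, so nothing that would raise IllegalArgumentException reaches setCipherSuites(). The class name OpenSslToJsse and the sample configured list are assumptions; the name pairs follow the OpenSSL ciphers(1) manual and the Java Standard Names document.

```java
import java.util.*;
import javax.net.ssl.SSLSocketFactory;

public class OpenSslToJsse {
    // OpenSSL name -> JSSE standard name (JDK 7 spelling; the 3DES suites keep the SSL_ prefix).
    static final Map<String, String> NAMES = new LinkedHashMap<>();
    static {
        String[][] pairs = {
            {"DHE-RSA-AES256-SHA",   "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"},
            {"DHE-DSS-AES256-SHA",   "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"},
            {"AES256-SHA",           "TLS_RSA_WITH_AES_256_CBC_SHA"},
            {"DHE-RSA-AES128-SHA",   "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"},
            {"DHE-DSS-AES128-SHA",   "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"},
            {"AES128-SHA",           "TLS_RSA_WITH_AES_128_CBC_SHA"},
            {"EDH-RSA-DES-CBC3-SHA", "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"},
            {"EDH-DSS-DES-CBC3-SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"},
            {"DES-CBC3-SHA",         "SSL_RSA_WITH_3DES_EDE_CBC_SHA"},
            // IANA names; SunJSSE implements neither Camellia nor PSK suites,
            // so these are expected to be filtered out below.
            {"DHE-RSA-CAMELLIA256-SHA", "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"},
            {"PSK-AES256-CBC-SHA",      "TLS_PSK_WITH_AES_256_CBC_SHA"},
        };
        for (String[] p : pairs) NAMES.put(p[0], p[1]);
    }

    /** Translates configured names and returns only those this JRE supports. */
    static List<String> usable(List<String> configured, Set<String> supported) {
        List<String> out = new ArrayList<>();
        for (String name : configured) {
            // Names already in JSSE form pass through unchanged.
            String jsse = NAMES.containsKey(name) ? NAMES.get(name) : name;
            if (supported.contains(jsse)) {
                out.add(jsse);
            } else {
                // AES_256 suites may land here on a JRE with the limited policy files.
                System.err.println("skipping " + name + " (" + jsse + "): not supported by this JRE");
            }
        }
        return out;
    }

    public static void main(String[] args) {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        Set<String> supported = new HashSet<>(Arrays.asList(f.getSupportedCipherSuites()));
        // Constructed sample: a few entries from the list in the question.
        List<String> configured = Arrays.asList("DHE-RSA-AES256-SHA", "AES128-SHA",
                "DHE-RSA-CAMELLIA256-SHA", "PSK-AES256-CBC-SHA", "SSL_RSA_WITH_RC4_128_MD5");
        System.out.println(usable(configured, supported));
    }
}
```

The returned list is what would be handed to tlsClientParameters.setCipherSuites(). SSL_RSA_WITH_RC4_128_MD5, the one name that worked in the question, uses RC4, which RFC 7465 prohibits in TLS.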
