unsupported SSL ciphersuite

I am trying to use some custom SSL cipher suites. Specifically my list is

<util:list id="ciphers" value-type="java.lang.String">
    <value>DHE-RSA-AES256-SHA</value>
    <value>DHE-DSS-AES256-SHA</value>
    <value>DHE-RSA-CAMELLIA256-SHA</value>
    <value>DHE-DSS-CAMELLIA256-SHA</value>
    <value>AES256-SHA</value>
    <value>CAMELLIA256-SHA</value>
    <value>SSL_RSA_WITH_RC4_128_MD5</value>    <!-- this is the only one working -->
    <value>PSK-AES256-CBC-SHA</value>
    <value>EDH-RSA-DES-CBC3-SHA</value>
    <value>EDH-DSS-DES-CBC3-SHA</value>
    <value>DES-CBC3-SHA</value>
    <value>PSK-3DES-EDE-CBC-SHA</value>
    <value>DHE-RSA-AES128-SHA</value>
    <value>DHE-DSS-AES128-SHA</value>
    <value>DHE-RSA-CAMELLIA128-SHA</value>
    <value>DHE-DSS-CAMELLIA128-SHA</value>
    <value>AES128-SHA</value>
    <value>CAMELLIA128-SHA</value>
    <value>PSK-AES128-CBC-SHA</value>
</util:list>

, initialized by Spring and passed to the method

tlsClientParameters.setCipherSuites()

Unfortunately my client fails to connect to a stub server that I have created. The exception I am getting is:

Caused by: java.lang.IllegalArgumentException: Unsupported ciphersuite DHE-RSA-AES256-SHA
at com.sun.net.ssl.internal.ssl.CipherSuite.valueOf(CipherSuite.java:171)
at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(CipherSuiteList.java:62)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setEnabledCipherSuites(SSLSocketImpl.java:1977)
at org.apache.cxf.transport.https.SSLSocketFactoryWrapper.enableCipherSuites(SSLSocketFactoryWrapper.java:101)
at org.apache.cxf.transport.https.SSLSocketFactoryWrapper.createSocket(SSLSocketFactoryWrapper.java:71)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:372)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:883)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1394)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1336)
at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1414)
... 41 more

When I tried removing the cipher suites one by one, the same exception kept appearing with a different cipher every time, until there was only SSL_RSA_WITH_RC4_128_MD5 left. This is the only one that seems to be working.

I had a look at "How to control the SSL ciphers available to Tomcat", which seems an identical issue, but I don't have any whitespace.

Edit: as a sidenote, my system is running on Java 1.5. Could it be that these ciphers are just not supported at this Java version? If not, is there a way around this?

Update: We migrated to Java 7 and I am still getting the same issue. I think that it's related to one of the answers below saying that these are not the standard names for the ciphers, and are thus not recognized by Java. If that is the case, how can I find the standard names for these ciphers?

Could it be that these ciphers are just not supported at this java version?

Certainly. The available cipher suites are documented. See the Standard Names document.

If not, is there a way around this?

Not unless you can find another implementation that supports them.

Check out:

Sun Providers.

Also,

By default the local_policy.jar and US_export_policy.jar under jre_home/lib/security/ might not "enable" the cipher suites you want.

To enable them, replace those two files with the ones found here: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 Download.

You should not be able to use the cipher suites supported under Sun Providers.

Make sure that the cipher suite descriptions match the ones under the Sun Providers.

For future reference, the list of ciphers I was using was from openssl and they were generated by

openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:+HIGH:-MEDIUM:-LOW:-KRB5'

I never found how to translate the OpenSSL list of ciphers to the Java 7 supported ones (or confirm whether they are the same ciphers, just under different names). I just changed my ciphers list to be the list provided here by Java

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

and everything worked okay.
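One way to do the name translation discussed above, as an added example that is not part of the original posts: a small check that maps OpenSSL-style names to the standard names and keeps only those the running JRE reports as supported, so nothing unknown reaches setEnabledCipherSuites(). The class name `CipherNameCheck`, the `NAMES` map and `resolve` are hypothetical; the map covers a few entries from the question's list, following the name table in the OpenSSL ciphers manual page, and the syntax is kept Java 7 compatible.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class CipherNameCheck {
    // OpenSSL name -> RFC/IANA name (illustrative subset of the question's list).
    static final Map<String, String> NAMES = new LinkedHashMap<String, String>();
    static {
        NAMES.put("DHE-RSA-AES256-SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA");
        NAMES.put("DHE-DSS-AES256-SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA");
        NAMES.put("AES256-SHA", "TLS_RSA_WITH_AES_256_CBC_SHA");
        NAMES.put("AES128-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA");
        NAMES.put("EDH-RSA-DES-CBC3-SHA", "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA");
        NAMES.put("DES-CBC3-SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA");
        NAMES.put("DHE-RSA-CAMELLIA256-SHA", "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA");
    }

    // Return the spelling this runtime accepts, or null if it has no such suite.
    static String resolve(String name, Set<String> supported) {
        String std = NAMES.containsKey(name) ? NAMES.get(name) : name;
        if (supported.contains(std)) return std;
        if (!std.startsWith("TLS_") && !std.startsWith("SSL_")) return null;
        // JSSE spells suites that predate TLS 1.0 with an SSL_ prefix, so try both.
        String alt = (std.startsWith("TLS_") ? "SSL_" : "TLS_") + std.substring(4);
        return supported.contains(alt) ? alt : null;
    }

    public static void main(String[] args) throws Exception {
        Set<String> supported = new HashSet<String>(Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        List<String> enabled = new ArrayList<String>();
        for (String name : NAMES.keySet()) {
            String jsse = resolve(name, supported);
            if (jsse == null) {
                System.out.println("skip " + name + ": no matching suite in this JRE");
            } else {
                enabled.add(jsse);
                System.out.println(name + " -> " + jsse);
            }
        }
        // Only these names are safe to pass to setEnabledCipherSuites().
        System.out.println("enable: " + enabled);
    }
}
```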

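import java.io.IOException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class ListSupported {
  public static void main(String[] args) throws IOException {
    // Get the SSLServerSocket (unbound; used only to query the provider).
    SSLServerSocketFactory ssl;
    SSLServerSocket sslServerSocket;
    ssl = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
    sslServerSocket = (SSLServerSocket) ssl.createServerSocket();

    // Get the list of all supported cipher suites.
    String[] cipherSuites = sslServerSocket.getSupportedCipherSuites();
    for (String suite : cipherSuites)
      System.out.println(suite);

    // Get the list of all supported protocols.
    String[] protocols = sslServerSocket.getSupportedProtocols();
    for (String protocol : protocols)
      System.out.println(protocol);

    // Release the socket once the lists have been printed.
    sslServerSocket.close();
  }
}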
