Tim,

On 5/26/14, 5:43 PM, Tim Whittington wrote:
> 
> On 27/05/2014, at 6:09 am, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
> 
> <snip>
> 
>> 
>> If you run the code I referenced elsewhere in this thread, you'll
>> see that some of the components are available, just not in the 
>> combinations you have above:
>> 
>> $ java -showversion -classpath build/ SSLInfo | grep '\(256\|384\)'
>> java version "1.7.0_55"
>> Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
>> Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)
>> 
>> Supported SSL Protocols:
>>   TLSv1 (SunJSSE)
>>   TLSv1.1 (SunJSSE)
>>   TLSv1.2 (SunJSSE)
>> Default    Cipher Name
>> *          TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
>> *          TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>>            TLS_DH_anon_WITH_AES_128_CBC_SHA256
>> *          TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
>> *          TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
>> *          TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
>> *          TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
>> *          TLS_RSA_WITH_AES_128_CBC_SHA256
>>            TLS_RSA_WITH_NULL_SHA256
>> 
>> So, you can get ECDHE_(ECDSA|RSA)_AES, but not with a 256-bit
>> cipher. You can get a 128-bit cipher and a 256-bit hash, but not
>> higher-bit hash functions.
>> 
>>> Oracle Java 7 has no GCM support (AIX does I think, but from 
>>> memory the cipher suite names are different), and some of the 
>>> cipher-suites don’t exist (see below). GCM was originally
>>> targeted for JDK 7 (which is why the cipher suite names and
>>> AEAD APIs in the JCE are there) but the implementation didn’t
>>> show up until JDK 8.
>> 
>> I find no ciphers with 384-bit hashes in Oracle Java 8, but there
>> are 256-bit ones -- at least in the Mac OS X build:
> 
> Do you have the unrestricted crypto policy files installed?

I have never hacked my own Java installation, so likely no.

> Without those, > 128 bit security ciphers (== 256 bit hashes) are
> suppressed.

Hmm. I'll look into that.

Yep, installing the updated policy files unlocks a bunch of additional
ciphers. Thanks!

> Cipher suites with SHA384 are definitely available on both JDK 7
> and JDK 8 on OS X.

Yeah, I saw those listed on Sun's site, but figured that they were
just lies or something :) That's why I always Trust But Verify. If the
code won't do it, the documentation's assertion that it /will/ do it
is kind of irrelevant.

> I’m using the interactive mode of https://github.com/timw/groktls
> to dump these.

Cool. I was just using the SSLInfo class and grep, obviously :)

I've been thinking that the way Tomcat does JSSE cipher suites is a
bit ... verbose. It would be nice to roll something like what
groktls/OpenSSL can do into Tomcat.

-chris
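
The two checks discussed in this message, whether the JCE policy caps key sizes and which 256-bit/SHA384 suites the JVM really offers, can be run together. This is an added example, not part of the original message and not the SSLInfo class or groktls; the class name PolicyCipherCheck is hypothetical.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Added example (hypothetical class name); uses only standard JCE/JSSE calls.
public class PolicyCipherCheck {

    // True when the suite name implies AES-256 or a SHA-384 hash.
    static boolean isHighStrength(String suite) {
        return suite.contains("_256_") || suite.endsWith("_SHA384");
    }

    public static void main(String[] args) throws Exception {
        // The installed jurisdiction policy files cap this value; a cap
        // below 256 means AES-256 suites cannot be negotiated by this JVM.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("java.version          : "
                + System.getProperty("java.version"));
        System.out.println("Max allowed AES key   : " + maxAes + " bits");
        System.out.println("Key-size cap below 256: " + (maxAes < 256));

        SSLContext ctx = SSLContext.getDefault();
        Set<String> enabledByDefault = new HashSet<String>(Arrays.asList(
                ctx.getDefaultSSLParameters().getCipherSuites()));
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();

        // Same layout as the listing quoted above: '*' marks suites that
        // are enabled by default, the rest are supported but off.
        System.out.println();
        System.out.println("Default    Cipher Name");
        int shown = 0;
        for (String suite : supported) {
            if (!isHighStrength(suite)) {
                continue;
            }
            String mark = enabledByDefault.contains(suite) ? "*" : " ";
            System.out.println(mark + "          " + suite);
            shown++;
        }
        if (shown == 0) {
            System.out.println("(no AES-256 or SHA384 suites offered by this JVM)");
        }
    }
}
```

Running it before and after installing the policy files shows whether the change took effect on the JVM that Tomcat actually uses.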
