-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Rainer,
On 10/5/16 6:13 PM, Christopher Schultz wrote: > Rainer, > > On 10/5/16 4:52 PM, Rainer Jung wrote: >> Am 05.10.2016 um 21:11 schrieb Christopher Schultz: >>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 >>> >>> All, >>> >>> Apologies for off-topic post, but lots of folks here have lots >>> of different experiences and maybe someone has come across >>> this. >>> >>> I've got a few servers in Amazon EC2 running Amazon Linux. I'm >>> using the OpenJDK package, and I have versions 1.7.0 and 1.8.0 >>> running side-by-side: >>> >>> $ java -version java version "1.7.0_111" OpenJDK Runtime >>> Environment (amzn-2.6.7.2.68.amzn1-i386 u111-b01) OpenJDK >>> Client VM (build 24.111-b01, mixed mode, sharing) >>> >>> $ java8 -version openjdk version "1.8.0_101" OpenJDK Runtime >>> Environment (build 1.8.0_101-b13) OpenJDK Server VM (build >>> 25.101-b13, mixed mode) >>> >>> For some reason, a whole slew of crypto support is flat-out >>> /missing/ from those packages (java-1.7.0-openjdk and >>> java-1.8.0-openjdk). Here's what I get when I run my SSLInfo >>> tool on the box: >>> >>> $ java -showversion -classpath libs/chadis-tools-1.55.jar >>> com.chadis.tools.security.SSLInfo java version "1.7.0_111" >>> OpenJDK Runtime Environment (amzn-2.6.7.2.68.amzn1-i386 >>> u111-b01) OpenJDK Client VM (build 24.111-b01, mixed mode, >>> sharing) >>> >>> Supported SSL Protocols: TLSv1 (SunJSSE) TLSv1.1 (SunJSSE) >>> TLSv1.2 (SunJSSE) Default Cipher Name >>> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA * >>> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA >>> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA * >>> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA >>> SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA >>> SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 >>> SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA >>> SSL_DH_anon_WITH_RC4_128_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA >>> SSL_RSA_EXPORT_WITH_RC4_40_MD5 * SSL_RSA_WITH_3DES_EDE_CBC_SHA >>> SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_NULL_MD5 >>> SSL_RSA_WITH_NULL_SHA SSL_RSA_WITH_RC4_128_MD5 >>> SSL_RSA_WITH_RC4_128_SHA * TLS_DHE_DSS_WITH_AES_128_CBC_SHA * >>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 * >>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA * >>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 * >>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA * >>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 * >>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA * >>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 >>> TLS_DH_anon_WITH_AES_128_CBC_SHA >>> TLS_DH_anon_WITH_AES_128_CBC_SHA256 >>> TLS_DH_anon_WITH_AES_256_CBC_SHA >>> TLS_DH_anon_WITH_AES_256_CBC_SHA256 * >>> TLS_EMPTY_RENEGOTIATION_INFO_SCSV >>> TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 >>> TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA >>> TLS_KRB5_EXPORT_WITH_RC4_40_MD5 TLS_KRB5_EXPORT_WITH_RC4_40_SHA >>> TLS_KRB5_WITH_3DES_EDE_CBC_MD5 TLS_KRB5_WITH_3DES_EDE_CBC_SHA >>> TLS_KRB5_WITH_DES_CBC_MD5 TLS_KRB5_WITH_DES_CBC_SHA >>> TLS_KRB5_WITH_RC4_128_MD5 TLS_KRB5_WITH_RC4_128_SHA * >>> TLS_RSA_WITH_AES_128_CBC_SHA * TLS_RSA_WITH_AES_128_CBC_SHA256 >>> * TLS_RSA_WITH_AES_256_CBC_SHA * >>> TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_NULL_SHA256 >>> >>> Note the complete lack of ECDH or ECDHE cipher suites. Now >>> again with Java 8: >>> >>> $ java8 -showversion -classpath libs/chadis-tools-1.55.jar >>> com.chadis.tools.security.SSLInfo openjdk version "1.8.0_101" >>> OpenJDK Runtime Environment (build 1.8.0_101-b13) OpenJDK >>> Server VM (build 25.101-b13, mixed mode) >>> >>> Supported SSL Protocols: TLS (SunJSSE) TLSv1 (SunJSSE) TLSv1.1 >>> (SunJSSE) TLSv1.2 (SunJSSE) Default Cipher Name >>> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA * >>> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA >>> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA * >>> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA >>> SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA >>> SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 >>> SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA >>> SSL_DH_anon_WITH_RC4_128_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA >>> SSL_RSA_EXPORT_WITH_RC4_40_MD5 * SSL_RSA_WITH_3DES_EDE_CBC_SHA >>> SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_NULL_MD5 >>> SSL_RSA_WITH_NULL_SHA SSL_RSA_WITH_RC4_128_MD5 >>> SSL_RSA_WITH_RC4_128_SHA * TLS_DHE_DSS_WITH_AES_128_CBC_SHA * >>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 * >>> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 * >>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA * >>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 * >>> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 * >>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA * >>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 * >>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 * >>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA * >>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 * >>> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 >>> TLS_DH_anon_WITH_AES_128_CBC_SHA >>> TLS_DH_anon_WITH_AES_128_CBC_SHA256 >>> TLS_DH_anon_WITH_AES_128_GCM_SHA256 >>> TLS_DH_anon_WITH_AES_256_CBC_SHA >>> TLS_DH_anon_WITH_AES_256_CBC_SHA256 >>> TLS_DH_anon_WITH_AES_256_GCM_SHA384 * >>> TLS_EMPTY_RENEGOTIATION_INFO_SCSV >>> TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 >>> TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA >>> TLS_KRB5_EXPORT_WITH_RC4_40_MD5 TLS_KRB5_EXPORT_WITH_RC4_40_SHA >>> TLS_KRB5_WITH_3DES_EDE_CBC_MD5 TLS_KRB5_WITH_3DES_EDE_CBC_SHA >>> TLS_KRB5_WITH_DES_CBC_MD5 TLS_KRB5_WITH_DES_CBC_SHA >>> TLS_KRB5_WITH_RC4_128_MD5 TLS_KRB5_WITH_RC4_128_SHA * >>> TLS_RSA_WITH_AES_128_CBC_SHA * TLS_RSA_WITH_AES_128_CBC_SHA256 >>> * TLS_RSA_WITH_AES_128_GCM_SHA256 * >>> TLS_RSA_WITH_AES_256_CBC_SHA * TLS_RSA_WITH_AES_256_CBC_SHA256 >>> * TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_NULL_SHA256 >>> >>> If I run this on another box where Oracle's Java has been >>> installed, I get the full compliment: >>> >>> $ /usr/local/java-8/bin/java -showversion -classpath >>> build/classes/ com.chadis.tools.security.SSLInfo java version >>> "1.8.0_101" Java(TM) SE Runtime Environment (build >>> 1.8.0_101-b13) Java HotSpot(TM) 64-Bit Server VM (build >>> 25.101-b13, mixed mode) >>> >>> Supported SSL Protocols: TLS (SunJSSE) TLSv1 (SunJSSE) TLSv1.1 >>> (SunJSSE) TLSv1.2 (SunJSSE) Default Cipher Name >>> SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA * >>> SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA >>> SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA * >>> SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA >>> SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA >>> SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 >>> SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA >>> SSL_DH_anon_WITH_RC4_128_MD5 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA >>> SSL_RSA_EXPORT_WITH_RC4_40_MD5 * SSL_RSA_WITH_3DES_EDE_CBC_SHA >>> SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_NULL_MD5 >>> SSL_RSA_WITH_NULL_SHA SSL_RSA_WITH_RC4_128_MD5 >>> SSL_RSA_WITH_RC4_128_SHA * TLS_DHE_DSS_WITH_AES_128_CBC_SHA * >>> TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 * >>> TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 * >>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA * >>> TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 * >>> TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 * >>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA * >>> TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 * >>> TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 * >>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA * >>> TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 * >>> TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 >>> TLS_DH_anon_WITH_AES_128_CBC_SHA >>> TLS_DH_anon_WITH_AES_128_CBC_SHA256 >>> TLS_DH_anon_WITH_AES_128_GCM_SHA256 >>> TLS_DH_anon_WITH_AES_256_CBC_SHA >>> TLS_DH_anon_WITH_AES_256_CBC_SHA256 >>> TLS_DH_anon_WITH_AES_256_GCM_SHA384 * >>> TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA * >>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA * >>> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 * >>> TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 * >>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA * >>> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 * >>> TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 >>> TLS_ECDHE_ECDSA_WITH_NULL_SHA TLS_ECDHE_ECDSA_WITH_RC4_128_SHA >>> * TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA * >>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA * >>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 * >>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * >>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA * >>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 * >>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 >>> TLS_ECDHE_RSA_WITH_NULL_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA * >>> TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA * >>> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA * >>> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 * >>> TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 * >>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA * >>> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 * >>> TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 >>> TLS_ECDH_ECDSA_WITH_NULL_SHA TLS_ECDH_ECDSA_WITH_RC4_128_SHA * >>> TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA * >>> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA * >>> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 * >>> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 * >>> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA * >>> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 * >>> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_RSA_WITH_NULL_SHA >>> TLS_ECDH_RSA_WITH_RC4_128_SHA >>> TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA >>> TLS_ECDH_anon_WITH_AES_128_CBC_SHA >>> TLS_ECDH_anon_WITH_AES_256_CBC_SHA TLS_ECDH_anon_WITH_NULL_SHA >>> TLS_ECDH_anon_WITH_RC4_128_SHA * >>> TLS_EMPTY_RENEGOTIATION_INFO_SCSV >>> TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 >>> TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA >>> TLS_KRB5_EXPORT_WITH_RC4_40_MD5 TLS_KRB5_EXPORT_WITH_RC4_40_SHA >>> TLS_KRB5_WITH_3DES_EDE_CBC_MD5 TLS_KRB5_WITH_3DES_EDE_CBC_SHA >>> TLS_KRB5_WITH_DES_CBC_MD5 TLS_KRB5_WITH_DES_CBC_SHA >>> TLS_KRB5_WITH_RC4_128_MD5 TLS_KRB5_WITH_RC4_128_SHA * >>> TLS_RSA_WITH_AES_128_CBC_SHA * TLS_RSA_WITH_AES_128_CBC_SHA256 >>> * TLS_RSA_WITH_AES_128_GCM_SHA256 * >>> TLS_RSA_WITH_AES_256_CBC_SHA * TLS_RSA_WITH_AES_256_CBC_SHA256 >>> * TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_NULL_SHA256 >>> >>> I've tried a few things. First, checking to see if any >>> algorithms have been artificially suppressed: >>> >>> The security policy has these algorithms disabled: >>> >>> jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize >>> < 768 >>> >>> I'm okay with all those. >>> >>> I've installed the "Java Unlimited Strength Policy Files" >>> which may or may not have been necessary (in general) but that >>> doesn't enable the ECDH/ECDHE cipher suites, anyway. >>> >>> The only promising suggestion I've read online is to install >>> the Bouncy Castle crypto provider, except that provider is 100% >>> Java and I'd prefer to get (what little) acceleration the >>> native implementation can provide. >>> >>> Do I need to abandon OpenJDK in order to get a decent >>> selection of cipher suites? Or is there a package I have not >>> installed, or a setting I haven't tweaked somewhere to get this >>> working? > >> Coincidentally I an currently involved in a project which forced >> customers to download EC support for OpenJDK as a separate >> package due to license limitations. EC support in Oracle JDK is >> provided by the Sun EC provider which consists of a jar file >> sunec.jar plus (and therein lies the real impl) a native library >> (libsunec.so on Unix/Linux). These files seem to have been >> removed from OpenJDK due to license restrictions or policies. > > I'm in such luck that you are fighting this battle as well! > > In my install of Java 8, I do in fact have sunec.jar: -rw-r--r-- 1 > root root 30460 Jul 20 22:30 sunec.jar > > The Java 7 package does not contain sunec.jar. > > Of the 38 shared libs in Java 8 and the 41 libs for Java 7, none > of them have "sun" anywhere in their name. So it looks like the > native components are not available, at least not form the packages > I've installed thus far. > >> I found two texts related to this: > >> http://armoredbarista.blogspot.de/2013/10/how-to-use-ecc-with-openjdk . > >> html > >> and > >> https://bugzilla.redhat.com/show_bug.cgi?id=1167153 > >> I do not know, whether AWS really does not include the Sun EC >> jar file and/or library (then your observation would be explained >> by this) or whether the root cause on AWS is something else. > > I had the thought to simply steal the libsunec.so from my Oracle > Java 8 on another system to see if it would work. But for reasons > that are beyond my explanation.... the server in question is a > 32-bit OS with a 32-bit JVM on it, and I don't have another machine > with that library handy. I'll have to get crafty. I have another AWS server that *is* 64-bit and I was able to successfully steal the .so from another Linux x86-64 server which had an Oracle JDK installed. It seems to work, but I'd prefer something that wasn't so obviously hacky. I might even be violating some kind of license agreement or something. Lawyers: I was just testing this for entertainment purposes, and have definitely rolled-back to a compliant configuration. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJX9XxCAAoJEBzwKT+lPKRY2l4QAIr4vw7o/SNP0m8yOozCmF17 VcVyivs7GVhBgKW8fRtcVj85IfFREIw6V2BRg3GErp6XaA/XipA3AY8OLZHe6VqD XLRqwYiiD7Fs3H6iBRmPx0Cmh0xkkLPSpi67fkJwD3uXC2TepXDrCmYyQWe9s81H bCHwvyC38+9deJd/wY3Cxp6YXn2Gz4ZRf0FT6SulqbZEG86en3bJtQQmvX0f7vJs Age+PJIHjp/vtE0Opk7l6CKJl4lOziYoXpFIjsTPOJR1gi4toiwhWsZvQzV6nIm2 vu9EvhJqJH4KhaSGto0TBJ+azJvRQWCWly9rNmgDqhZdwgNFGU1na/uDqYjOPpsi 7JYZ8NdtvtJcFWFRhmpyS7L4BzMeun0ddt/W17SrjAk2OPZWteh2X2fW4KnAwmj0 w1KeAwbpmwyaN1yfCx2MGSiazC7UzPQ4kYOCNCXDVgNvIiIGw4x2R73djp8tzjc8 oJZOtbpBMv+8eAjaniLQsot9MPy1XMSQF2SLnTW6sZbA2xw4fDYYQYEFL+JsbLuW n5L3XNuxWxvAff4ba/BeeIINghZ1ib3ov/PlXLTi1c3TBNVFRgQPVAlpkcKqdYat UtP8o8gym0/Dd1tduZy5I0J7i3liEyuQATUYad6nY+CZPVAL6dwjP6BKqjZu4NzH aU5soYVHqzZkBVOmVPCV =S6k1 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
