tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject [OT] ECDHE cipher suites missing on Amazon Linux / OpenJDK 7 and 8 ??
Date Wed, 05 Oct 2016 19:11:26 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

All,

Apologies for off-topic post, but lots of folks here have lots of
different experiences and maybe someone has come across this.

I've got a few servers in Amazon EC2 running Amazon Linux. I'm using
the OpenJDK package, and I have versions 1.7.0 and 1.8.0 running
side-by-side:

$ java -version
java version "1.7.0_111"
OpenJDK Runtime Environment (amzn-2.6.7.2.68.amzn1-i386 u111-b01)
OpenJDK Client VM (build 24.111-b01, mixed mode, sharing)

$ java8 -version
openjdk version "1.8.0_101"
OpenJDK Runtime Environment (build 1.8.0_101-b13)
OpenJDK Server VM (build 25.101-b13, mixed mode)

For some reason, a whole slew of crypto support is flat-out /missing/
from those packages (java-1.7.0-openjdk and java-1.8.0-openjdk).
Here's what I get when I run my SSLInfo tool on the box:

$ java -showversion -classpath libs/chadis-tools-1.55.jar
com.chadis.tools.security.SSLInfo
java version "1.7.0_111"
OpenJDK Runtime Environment (amzn-2.6.7.2.68.amzn1-i386 u111-b01)
OpenJDK Client VM (build 24.111-b01, mixed mode, sharing)

Supported SSL Protocols:
  TLSv1 (SunJSSE)
  TLSv1.1 (SunJSSE)
  TLSv1.2 (SunJSSE)
Default	Cipher Name
 	SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*	SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 	SSL_DHE_DSS_WITH_DES_CBC_SHA
 	SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*	SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 	SSL_DHE_RSA_WITH_DES_CBC_SHA
 	SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
 	SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
 	SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
 	SSL_DH_anon_WITH_DES_CBC_SHA
 	SSL_DH_anon_WITH_RC4_128_MD5
 	SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
 	SSL_RSA_EXPORT_WITH_RC4_40_MD5
*	SSL_RSA_WITH_3DES_EDE_CBC_SHA
 	SSL_RSA_WITH_DES_CBC_SHA
 	SSL_RSA_WITH_NULL_MD5
 	SSL_RSA_WITH_NULL_SHA
 	SSL_RSA_WITH_RC4_128_MD5
 	SSL_RSA_WITH_RC4_128_SHA
*	TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*	TLS_DHE_DSS_WITH_AES_256_CBC_SHA
*	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
*	TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*	TLS_DHE_RSA_WITH_AES_256_CBC_SHA
*	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 	TLS_DH_anon_WITH_AES_128_CBC_SHA
 	TLS_DH_anon_WITH_AES_128_CBC_SHA256
 	TLS_DH_anon_WITH_AES_256_CBC_SHA
 	TLS_DH_anon_WITH_AES_256_CBC_SHA256
*	TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
 	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
 	TLS_KRB5_EXPORT_WITH_RC4_40_MD5
 	TLS_KRB5_EXPORT_WITH_RC4_40_SHA
 	TLS_KRB5_WITH_3DES_EDE_CBC_MD5
 	TLS_KRB5_WITH_3DES_EDE_CBC_SHA
 	TLS_KRB5_WITH_DES_CBC_MD5
 	TLS_KRB5_WITH_DES_CBC_SHA
 	TLS_KRB5_WITH_RC4_128_MD5
 	TLS_KRB5_WITH_RC4_128_SHA
*	TLS_RSA_WITH_AES_128_CBC_SHA
*	TLS_RSA_WITH_AES_128_CBC_SHA256
*	TLS_RSA_WITH_AES_256_CBC_SHA
*	TLS_RSA_WITH_AES_256_CBC_SHA256
 	TLS_RSA_WITH_NULL_SHA256

Note the complete lack of ECDH or ECDHE cipher suites. Now again with
Java 8:

$ java8 -showversion -classpath libs/chadis-tools-1.55.jar
com.chadis.tools.security.SSLInfo
openjdk version "1.8.0_101"
OpenJDK Runtime Environment (build 1.8.0_101-b13)
OpenJDK Server VM (build 25.101-b13, mixed mode)

Supported SSL Protocols:
  TLS (SunJSSE)
  TLSv1 (SunJSSE)
  TLSv1.1 (SunJSSE)
  TLSv1.2 (SunJSSE)
Default	Cipher Name
 	SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*	SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 	SSL_DHE_DSS_WITH_DES_CBC_SHA
 	SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*	SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 	SSL_DHE_RSA_WITH_DES_CBC_SHA
 	SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
 	SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
 	SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
 	SSL_DH_anon_WITH_DES_CBC_SHA
 	SSL_DH_anon_WITH_RC4_128_MD5
 	SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
 	SSL_RSA_EXPORT_WITH_RC4_40_MD5
*	SSL_RSA_WITH_3DES_EDE_CBC_SHA
 	SSL_RSA_WITH_DES_CBC_SHA
 	SSL_RSA_WITH_NULL_MD5
 	SSL_RSA_WITH_NULL_SHA
 	SSL_RSA_WITH_RC4_128_MD5
 	SSL_RSA_WITH_RC4_128_SHA
*	TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*	TLS_DHE_DSS_WITH_AES_256_CBC_SHA
*	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
*	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
*	TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
*	TLS_DHE_RSA_WITH_AES_256_CBC_SHA
*	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
*	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 	TLS_DH_anon_WITH_AES_128_CBC_SHA
 	TLS_DH_anon_WITH_AES_128_CBC_SHA256
 	TLS_DH_anon_WITH_AES_128_GCM_SHA256
 	TLS_DH_anon_WITH_AES_256_CBC_SHA
 	TLS_DH_anon_WITH_AES_256_CBC_SHA256
 	TLS_DH_anon_WITH_AES_256_GCM_SHA384
*	TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
 	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
 	TLS_KRB5_EXPORT_WITH_RC4_40_MD5
 	TLS_KRB5_EXPORT_WITH_RC4_40_SHA
 	TLS_KRB5_WITH_3DES_EDE_CBC_MD5
 	TLS_KRB5_WITH_3DES_EDE_CBC_SHA
 	TLS_KRB5_WITH_DES_CBC_MD5
 	TLS_KRB5_WITH_DES_CBC_SHA
 	TLS_KRB5_WITH_RC4_128_MD5
 	TLS_KRB5_WITH_RC4_128_SHA
*	TLS_RSA_WITH_AES_128_CBC_SHA
*	TLS_RSA_WITH_AES_128_CBC_SHA256
*	TLS_RSA_WITH_AES_128_GCM_SHA256
*	TLS_RSA_WITH_AES_256_CBC_SHA
*	TLS_RSA_WITH_AES_256_CBC_SHA256
*	TLS_RSA_WITH_AES_256_GCM_SHA384
 	TLS_RSA_WITH_NULL_SHA256

If I run this on another box where Oracle's Java has been installed, I
get the full compliment:

$ /usr/local/java-8/bin/java -showversion -classpath build/classes/
com.chadis.tools.security.SSLInfo
java version "1.8.0_101"
Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)

Supported SSL Protocols:
  TLS (SunJSSE)
  TLSv1 (SunJSSE)
  TLSv1.1 (SunJSSE)
  TLSv1.2 (SunJSSE)
Default	Cipher Name
 	SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*	SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 	SSL_DHE_DSS_WITH_DES_CBC_SHA
 	SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*	SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 	SSL_DHE_RSA_WITH_DES_CBC_SHA
 	SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
 	SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
 	SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
 	SSL_DH_anon_WITH_DES_CBC_SHA
 	SSL_DH_anon_WITH_RC4_128_MD5
 	SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
 	SSL_RSA_EXPORT_WITH_RC4_40_MD5
*	SSL_RSA_WITH_3DES_EDE_CBC_SHA
 	SSL_RSA_WITH_DES_CBC_SHA
 	SSL_RSA_WITH_NULL_MD5
 	SSL_RSA_WITH_NULL_SHA
 	SSL_RSA_WITH_RC4_128_MD5
 	SSL_RSA_WITH_RC4_128_SHA
*	TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*	TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*	TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*	TLS_DHE_DSS_WITH_AES_256_CBC_SHA
*	TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
*	TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
*	TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
*	TLS_DHE_RSA_WITH_AES_256_CBC_SHA
*	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
*	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 	TLS_DH_anon_WITH_AES_128_CBC_SHA
 	TLS_DH_anon_WITH_AES_128_CBC_SHA256
 	TLS_DH_anon_WITH_AES_128_GCM_SHA256
 	TLS_DH_anon_WITH_AES_256_CBC_SHA
 	TLS_DH_anon_WITH_AES_256_CBC_SHA256
 	TLS_DH_anon_WITH_AES_256_GCM_SHA384
*	TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
*	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
*	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
*	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 	TLS_ECDHE_ECDSA_WITH_NULL_SHA
 	TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
*	TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
*	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
*	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
*	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 	TLS_ECDHE_RSA_WITH_NULL_SHA
 	TLS_ECDHE_RSA_WITH_RC4_128_SHA
*	TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
*	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
*	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
*	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
 	TLS_ECDH_ECDSA_WITH_NULL_SHA
 	TLS_ECDH_ECDSA_WITH_RC4_128_SHA
*	TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
*	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
*	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
*	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
 	TLS_ECDH_RSA_WITH_NULL_SHA
 	TLS_ECDH_RSA_WITH_RC4_128_SHA
 	TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
 	TLS_ECDH_anon_WITH_AES_128_CBC_SHA
 	TLS_ECDH_anon_WITH_AES_256_CBC_SHA
 	TLS_ECDH_anon_WITH_NULL_SHA
 	TLS_ECDH_anon_WITH_RC4_128_SHA
*	TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 	TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
 	TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
 	TLS_KRB5_EXPORT_WITH_RC4_40_MD5
 	TLS_KRB5_EXPORT_WITH_RC4_40_SHA
 	TLS_KRB5_WITH_3DES_EDE_CBC_MD5
 	TLS_KRB5_WITH_3DES_EDE_CBC_SHA
 	TLS_KRB5_WITH_DES_CBC_MD5
 	TLS_KRB5_WITH_DES_CBC_SHA
 	TLS_KRB5_WITH_RC4_128_MD5
 	TLS_KRB5_WITH_RC4_128_SHA
*	TLS_RSA_WITH_AES_128_CBC_SHA
*	TLS_RSA_WITH_AES_128_CBC_SHA256
*	TLS_RSA_WITH_AES_128_GCM_SHA256
*	TLS_RSA_WITH_AES_256_CBC_SHA
*	TLS_RSA_WITH_AES_256_CBC_SHA256
*	TLS_RSA_WITH_AES_256_GCM_SHA384
 	TLS_RSA_WITH_NULL_SHA256

I've tried a few things. First, checking to see if any algorithms have
been artificially suppressed:

The security policy has these algorithms disabled:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

I'm okay with all those.

I've installed the "Java Unlimited Strength Policy Files" which may or
may not have been necessary (in general) but that doesn't enable the
ECDH/ECDHE cipher suites, anyway.

The only promising suggestion I've read online is to install the
Bouncy Castle crypto provider, except that provider is 100% Java and
I'd prefer to get (what little) acceleration the native implementation
can provide.

Do I need to abandon OpenJDK in order to get a decent selection of
cipher suites? Or is there a package I have not installed, or a
setting I haven't tweaked somewhere to get this working?

Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJX9VBeAAoJEBzwKT+lPKRYoM4QAMDOSLliFAC/+N6Bs15LcnYK
beLuRH+aAYynnIAIRUgXWmWXLNmrFBc4C800zTFUUjntMOpIyPal3QRJvEEeN8hH
ylLqp390NlghHNeBCs62oziVkOwpcQ+SgY/rlpKKeqMmBkL3ro9/gY1g4jCbZy17
gXIIOsgwhSvOS4gsRoIYQgDFjQEJ8L60i/KYDwwmWs3gzAYj0rFbbqM9uAvYC4BH
DhbOAN5udKNjQ++G6yxlu/6L7RvbsO80+axl/zF8OtKvpudxuKNTtAzRv0ZRRQa8
bBawNcVBFPVglS9vdDMQVbfsugExjZwjNO2E2scxnGhUGxdSpTp6xyuxKa89pX6r
stmDGCdJ/P1vIl0Ul4IRom2gWitX4gfe1YGS2dkSBYNQENZiZ/wwVqqE67QpAHhl
dA28YrSYLW9kjWUsi83C4LAviA44qx5amrQnG11AWHIQYmKGvwQedzEalNLAClrO
zJTwHESnpjt7SJnmUtkmb9bD2Bsm3luAbXzu0GWhoTb1oZpe6W+uEGasrn5JwIn0
c8r7Ptq6NbXXqUZkAGRQZ14gqSY3SbTGWWMmNVoqgDQiZAW60xSjcOZRPMuF1K0X
5KFGI12Ao3l7j21NWz+qZAnTO2UJBcRpKhtDymp/Be/D4MtU2FG/DKh5J5vpWq+G
wCZ6g0lAoMjHDrnJ0ghD
=8R3R
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message