ECDHE cipher suites not supported on OpenJDK 8 installed on EC2 Linux machine


Problem description

When starting jetty-distribution-9.3.0.v20150612 with openjdk 1.8.0_51 running on an EC2 Amazon Linux machine, it prints that all configured ECDHE suites are not supported.

2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not supported

These are enabled in jetty/etc/jetty-ssl-context.xml:

<Set name="IncludeCipherSuites">
<Array type="java.lang.String">
 <!-- TLS 1.2 AEAD only (all are SHA-2 as well) -->
  <Item>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
  <Item>TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
  <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
  <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
  <Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
  <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
...

I read Oracle Java 8 should support these protocols, but maybe that's not supported by OpenJDK? Or should I enable it somehow?

Update

Oracle's JCE cryptographic provider is installed under jre/lib/security/, but it didn't help.

Recommended answer

So I'm running a similar setup, with an AWS box running openjdk-1.8.0.51. What solved it for me is to add bouncycastle as a provider like so:


  • Add bcprov-<version>.jar to /usr/lib/jvm/jre/lib/ext

  • Edit /usr/lib/jvm/jre/lib/security/java.security adding the following line to the list of providers:

security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider


(I added it as the 6th entry but you can add higher in the order if you prefer)

Restarted my application and was able to use EC-based cipher suites such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
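
A diagnostic to run before and after the java.security change described in the answer, added here as an example and not code from the question or the answer. It prints the registered providers in preference order, which provider (if any) serves EC key generation and ECDH key agreement, and whether the default SSLContext supports four suites taken from the question's XML; the class name EcdheCheck is an assumption.

```java
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.crypto.KeyAgreement;
import javax.net.ssl.SSLContext;

public class EcdheCheck {  // hypothetical class name
    // Suites copied from the jetty-ssl-context.xml excerpt in the question.
    // The two DHE entries act as a control: the question's log does not
    // report them as unsupported.
    static final String[] WANTED = {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    };

    // Name of the provider that serves the algorithm, or null if none does.
    static String providerFor(String kind, String alg) {
        try {
            Provider p = kind.equals("KeyAgreement")
                ? KeyAgreement.getInstance(alg).getProvider()
                : KeyPairGenerator.getInstance(alg).getProvider();
            return p.getName();
        } catch (NoSuchAlgorithmException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Registered providers, in the order set by security.provider.N.
        Provider[] ps = Security.getProviders();
        for (int i = 0; i < ps.length; i++)
            System.out.printf("security.provider.%d = %s%n", i + 1, ps[i].getName());

        // ECDHE needs EC key generation and ECDH key agreement from some provider.
        System.out.println("KeyPairGenerator EC : " + providerFor("KeyPairGenerator", "EC"));
        System.out.println("KeyAgreement ECDH   : " + providerFor("KeyAgreement", "ECDH"));

        List<String> supported = Arrays.asList(
            SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites());
        for (String s : WANTED)
            System.out.println((supported.contains(s) ? "supported      " : "NOT supported  ") + s);
    }
}
```

Compile and run it with the same JVM that Jetty uses, otherwise the provider list it prints is not the one Jetty sees.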
