Java 7 support of AES-GCM in SSL/TLS?


Problem description

According to Java 7 documentation as well as third party vendors, it appears Java 7 should support AES-GCM suites:


  1. ibm java 7
  2. java 7 ssl doc

I was hitting some errors in negotiation between client and server unable to negotiate a cipher due to restricting it to only the AES-GCM ciphers. After investigation I found that it appears that the cipher suites are not supported on client nor server (tomcat instance). Ran some sample code on client to get the output:

// Create an SSLContext that uses our TrustManager
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, trustAllCerts, new SecureRandom());

SSLParameters params = context.getSupportedSSLParameters();
String[] suites = params.getCipherSuites();
System.out.println("Java version : " + System.getProperty("java.runtime.version"));
System.out.println("Connecting with " + suites.length + " cipher suites supported:");

for (int i = 0; i < suites.length; i++) {
    System.out.println();
    System.out.print(" ********* ");
    System.out.print(suites[i]);
    System.out.print(" ********* ");
}

Java version: 1.7.0_51-b13
Connecting with 63 cipher suites supported:

 ********* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_RSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_RSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_DHE_RSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_DHE_DSS_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ********* 
 ********* TLS_ECDHE_RSA_WITH_RC4_128_SHA ********* 
 ********* SSL_RSA_WITH_RC4_128_SHA ********* 
 ********* TLS_ECDH_ECDSA_WITH_RC4_128_SHA ********* 
 ********* TLS_ECDH_RSA_WITH_RC4_128_SHA ********* 
 ********* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* SSL_RSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA ********* 
 ********* SSL_RSA_WITH_RC4_128_MD5 ********* 
 ********* TLS_EMPTY_RENEGOTIATION_INFO_SCSV ********* 
 ********* TLS_DH_anon_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_ECDH_anon_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_DH_anon_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_ECDH_anon_WITH_RC4_128_SHA ********* 
 ********* SSL_DH_anon_WITH_RC4_128_MD5 ********* 
 ********* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA ********* 
 ********* SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ********* 
 ********* TLS_RSA_WITH_NULL_SHA256 ********* 
 ********* TLS_ECDHE_ECDSA_WITH_NULL_SHA ********* 
 ********* TLS_ECDHE_RSA_WITH_NULL_SHA ********* 
 ********* SSL_RSA_WITH_NULL_SHA ********* 
 ********* TLS_ECDH_ECDSA_WITH_NULL_SHA ********* 
 ********* TLS_ECDH_RSA_WITH_NULL_SHA ********* 
 ********* TLS_ECDH_anon_WITH_NULL_SHA ********* 
 ********* SSL_RSA_WITH_NULL_MD5 ********* 
 ********* SSL_RSA_WITH_DES_CBC_SHA ********* 
 ********* SSL_DHE_RSA_WITH_DES_CBC_SHA ********* 
 ********* SSL_DHE_DSS_WITH_DES_CBC_SHA ********* 
 ********* SSL_DH_anon_WITH_DES_CBC_SHA ********* 
 ********* SSL_RSA_EXPORT_WITH_RC4_40_MD5 ********* 
 ********* SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 ********* 
 ********* SSL_RSA_EXPORT_WITH_DES40_CBC_SHA ********* 
 ********* SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA ********* 
 ********* SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA ********* 
 ********* SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA ********* 
 ********* TLS_KRB5_WITH_RC4_128_SHA ********* 
 ********* TLS_KRB5_WITH_RC4_128_MD5 ********* 
 ********* TLS_KRB5_WITH_3DES_EDE_CBC_SHA ********* 
 ********* TLS_KRB5_WITH_3DES_EDE_CBC_MD5 ********* 
 ********* TLS_KRB5_WITH_DES_CBC_SHA ********* 
 ********* TLS_KRB5_WITH_DES_CBC_MD5 ********* 
 ********* TLS_KRB5_EXPORT_WITH_RC4_40_SHA ********* 
 ********* TLS_KRB5_EXPORT_WITH_RC4_40_MD5 ********* 
 ********* TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA ********* 
 ********* TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 ********* INFO - Received response from post device of : 

Did not know if anyone else has come across such an issue.

Does Java 7 support use of AES-GCM in SSL/TLS?

Recommended answer

AES-GCM is available in TLS v1.2. See The Transport Layer Security (TLS) Protocol Version 1.2, section 6.2.3.3. TLSv1.1 did not add any cipher suites, and TLSv1.0 never had AES-GCM or the elliptic curve gear. (The elliptic curve stuff showed up in TLSv1.2 also).

As far as I know, Java 7 does not support the protocol. From Java Secure Socket Extension (JSSE) Reference Guide (under JDK8 docs):


The JSSE API is capable of supporting SSL versions 2.0 and 3.0 and TLS version 1.0. These security protocols encapsulate a normal bidirectional stream socket, and the JSSE API adds transparent support for authentication, encryption, and integrity protection. The JSSE implementation shipped with the JDK supports SSL 3.0 and TLS 1.0. It does not implement SSL 2.0.

It's interesting that the TLS_ECDHE_ECDSA_* cipher suites are showing up in your dump since they are TLSv1.2 ciphers.
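
A check for the situation in the question, as an added example that is not code from either post: before restricting a client or a Tomcat connector to AES-GCM only, list which protocols and which GCM suites the running JRE's default JSSE provider reports, and stop if there are none. The class name `GcmSupportCheck` and the helper `gcmSuites` are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class GcmSupportCheck {

    // Hypothetical helper: keep only suites whose name contains "_GCM_", preserving order.
    static List<String> gcmSuites(String[] suites) {
        List<String> out = new ArrayList<String>();
        for (String s : suites) {
            if (s.contains("_GCM_")) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // The default context is enough to list capabilities; no custom TrustManager is needed.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();

        System.out.println("Java version        : " + System.getProperty("java.runtime.version"));
        System.out.println("JSSE provider       : " + ctx.getProvider());
        System.out.println("Supported protocols : " + Arrays.toString(supported.getProtocols()));
        System.out.println("Enabled protocols   : " + Arrays.toString(enabled.getProtocols()));

        List<String> gcmSupported = gcmSuites(supported.getCipherSuites());
        List<String> gcmEnabled = gcmSuites(enabled.getCipherSuites());
        System.out.println("GCM suites supported: " + gcmSupported);
        System.out.println("GCM suites enabled  : " + gcmEnabled);

        boolean tls12 = Arrays.asList(supported.getProtocols()).contains("TLSv1.2");
        if (!tls12 || gcmSupported.isEmpty()) {
            // A GCM-only allow-list on this runtime leaves the handshake nothing to negotiate.
            System.err.println("This runtime cannot negotiate AES-GCM; a GCM-only "
                    + "cipher list will fail the handshake on this JRE/provider.");
            System.exit(1);
        }
    }
}
```

Run it with the same JRE that the client and the Tomcat instance actually use, since the result depends on the runtime and its installed security providers.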
