Re: [OT] ECDHE cipher suites missing on Amazon Linux / OpenJDK 7 and 8 ??

2016-10-06 Thread Rainer Jung

On 06.10.2016 at 00:18, Christopher Schultz wrote:

On 10/5/16 6:13 PM, Christopher Schultz wrote:

On 10/5/16 4:52 PM, Rainer Jung wrote:

On 05.10.2016 at 21:11, Christopher Schultz wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

Apologies for off-topic post, but lots of folks here have lots
of different experiences and maybe someone has come across
this.

I've got a few servers in Amazon EC2 running Amazon Linux. I'm
using the OpenJDK package, and I have versions 1.7.0 and 1.8.0
running side-by-side:

$ java -version
java version "1.7.0_111"
OpenJDK Runtime Environment (amzn-2.6.7.2.68.amzn1-i386 u111-b01)
OpenJDK Client VM (build 24.111-b01, mixed mode, sharing)

$ java8 -version
openjdk version "1.8.0_101"
OpenJDK Runtime Environment (build 1.8.0_101-b13)
OpenJDK Server VM (build 25.101-b13, mixed mode)

For some reason, a whole slew of crypto support is flat-out
/missing/ from those packages (java-1.7.0-openjdk and
java-1.8.0-openjdk). Here's what I get when I run my SSLInfo
tool on the box:

...

If I run this on another box where Oracle's Java has been
installed, I get the full complement:

...

The security policy has these algorithms disabled:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

I'm okay with all those.

I've installed the "Java Unlimited Strength Policy Files"
which may or may not have been necessary (in general) but that
doesn't enable the ECDH/ECDHE cipher suites, anyway.

The only promising suggestion I've read online is to install
the Bouncy Castle crypto provider, except that provider is 100%
Java and I'd prefer to get (what little) acceleration the
native implementation can provide.

Do I need to abandon OpenJDK in order to get a decent
selection of cipher suites? Or is there a package I have not
installed, or a setting I haven't tweaked somewhere to get this
working?



Coincidentally I am currently involved in a project which forced
customers to download EC support for OpenJDK as a separate package due
to license limitations. EC support in Oracle JDK is provided by the Sun
EC provider which consists of a jar file sunec.jar plus (and therein
lies the real impl) a native library (libsunec.so on Unix/Linux). These
files seem to have been removed from OpenJDK due to license
restrictions or policies.


I'm in such luck that you are fighting this battle as well!

In my install of Java 8, I do in fact have sunec.jar:

-rw-r--r-- 1 root root   30460 Jul 20 22:30 sunec.jar

The Java 7 package does not contain sunec.jar.

Of the 38 shared libs in Java 8 and the 41 libs for Java 7, none
of them have "sun" anywhere in their name. So it looks like the
native components are not available, at least not from the packages
I've installed thus far.


I found two texts related to this:

http://armoredbarista.blogspot.de/2013/10/how-to-use-ecc-with-openjdk.html

and

https://bugzilla.redhat.com/show_bug.cgi?id=1167153


I do not know whether AWS really does not include the Sun EC jar file
and/or library (then your observation would be explained by this) or
whether the root cause on AWS is something else.


I had the thought to simply steal the libsunec.so from my Oracle
Java 8 on another system to see if it would work. But for reasons
that are beyond my explanation the server in question is a
32-bit OS with a 32-bit JVM on it, and I don't have another machine
with that library handy. I'll have to get crafty.


I have another AWS server that *is* 64-bit and I was able to
successfully steal the .so from another Linux x86-64 server which had
an Oracle JDK installed. It seems to work, but I'd prefer something
that wasn't so obviously hacky. I might even be violating some kind of
license agreement or something. Lawyers: I was just testing this for
entertainment purposes, and have definitely rolled-back to a compliant
configuration.


Looking around I found the official license. On the official Oracle Java
download site

   http://www.oracle.com/technetwork/java/javase/downloads/index.html

there is a link "Third Party Licenses". It gets you to a page with one
link per major Java version. For 7 and 8 it contains the info that
libsunec.so is licensed under the LGPL license.


Regards,

Rainer

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: [OT] ECDHE cipher suites missing on Amazon Linux / OpenJDK 7 and 8 ??

2016-10-05 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Rainer,

On 10/5/16 6:13 PM, Christopher Schultz wrote:
> Rainer,
> 
> On 10/5/16 4:52 PM, Rainer Jung wrote:
>> On 05.10.2016 at 21:11, Christopher Schultz wrote:

Re: [OT] ECDHE cipher suites missing on Amazon Linux / OpenJDK 7 and 8 ??

2016-10-05 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Rainer,

On 10/5/16 4:52 PM, Rainer Jung wrote:
> On 05.10.2016 at 21:11, Christopher Schultz wrote:

Re: [OT] ECDHE cipher suites missing on Amazon Linux / OpenJDK 7 and 8 ??

2016-10-05 Thread Rainer Jung

On 05.10.2016 at 21:11, Christopher Schultz wrote:

[OT] ECDHE cipher suites missing on Amazon Linux / OpenJDK 7 and 8 ??

2016-10-05 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

Apologies for off-topic post, but lots of folks here have lots of
different experiences and maybe someone has come across this.

I've got a few servers in Amazon EC2 running Amazon Linux. I'm using
the OpenJDK package, and I have versions 1.7.0 and 1.8.0 running
side-by-side:

$ java -version
java version "1.7.0_111"
OpenJDK Runtime Environment (amzn-2.6.7.2.68.amzn1-i386 u111-b01)
OpenJDK Client VM (build 24.111-b01, mixed mode, sharing)

$ java8 -version
openjdk version "1.8.0_101"
OpenJDK Runtime Environment (build 1.8.0_101-b13)
OpenJDK Server VM (build 25.101-b13, mixed mode)

For some reason, a whole slew of crypto support is flat-out /missing/
from those packages (java-1.7.0-openjdk and java-1.8.0-openjdk).
Here's what I get when I run my SSLInfo tool on the box:

$ java -showversion -classpath libs/chadis-tools-1.55.jar
com.chadis.tools.security.SSLInfo
java version "1.7.0_111"
OpenJDK Runtime Environment (amzn-2.6.7.2.68.amzn1-i386 u111-b01)
OpenJDK Client VM (build 24.111-b01, mixed mode, sharing)

Supported SSL Protocols:
  TLSv1 (SunJSSE)
  TLSv1.1 (SunJSSE)
  TLSv1.2 (SunJSSE)
Default Cipher Name
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*   SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*   SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
*   SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
*   TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*   TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*   TLS_DHE_DSS_WITH_AES_256_CBC_SHA
*   TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
*   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
*   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA256
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA256
*   TLS_EMPTY_RENEGOTIATION_INFO_SCSV
TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
TLS_KRB5_EXPORT_WITH_RC4_40_MD5
TLS_KRB5_EXPORT_WITH_RC4_40_SHA
TLS_KRB5_WITH_3DES_EDE_CBC_MD5
TLS_KRB5_WITH_3DES_EDE_CBC_SHA
TLS_KRB5_WITH_DES_CBC_MD5
TLS_KRB5_WITH_DES_CBC_SHA
TLS_KRB5_WITH_RC4_128_MD5
TLS_KRB5_WITH_RC4_128_SHA
*   TLS_RSA_WITH_AES_128_CBC_SHA
*   TLS_RSA_WITH_AES_128_CBC_SHA256
*   TLS_RSA_WITH_AES_256_CBC_SHA
*   TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_NULL_SHA256

Note the complete lack of ECDH or ECDHE cipher suites. Now again with
Java 8:

$ java8 -showversion -classpath libs/chadis-tools-1.55.jar
com.chadis.tools.security.SSLInfo
openjdk version "1.8.0_101"
OpenJDK Runtime Environment (build 1.8.0_101-b13)
OpenJDK Server VM (build 25.101-b13, mixed mode)

Supported SSL Protocols:
  TLS (SunJSSE)
  TLSv1 (SunJSSE)
  TLSv1.1 (SunJSSE)
  TLSv1.2 (SunJSSE)
Default Cipher Name
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
*   SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
*   SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
SSL_DH_anon_WITH_DES_CBC_SHA
SSL_DH_anon_WITH_RC4_128_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
*   SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5
SSL_RSA_WITH_NULL_SHA
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
*   TLS_DHE_DSS_WITH_AES_128_CBC_SHA
*   TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
*   TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
*   TLS_DHE_DSS_WITH_AES_256_CBC_SHA
*   TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
*   TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
*   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
*   TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
*   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
*   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
*   TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA256
TLS_DH_anon_WITH_AES_128_GCM_SHA256
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA256
TLS_DH_anon_WITH_AES_256_GCM_SHA384
*
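As an added example that is not part of any message above (and is not the SSLInfo tool from the thread, whose source is not on this page), the following Java program reproduces the kind of protocol and cipher-suite listing shown in the posts and then runs the checks a practitioner would want next when ECDH/ECDHE suites are absent: whether the SunEC provider is registered at all, whether EC key-pair generation and ECDH key agreement can actually be instantiated through the JCE, whether the sunec.jar and libsunec.so files exist in the running JRE, and what jdk.tls.disabledAlgorithms currently says. The class name, the output layout and the JDK 7/8 file locations it looks in ($JAVA_HOME/lib/ext/sunec.jar, and the native library in the directories named by sun.boot.library.path) are assumptions, not facts stated in the thread.

```java
import java.io.File;
import java.security.KeyAgreement;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * EcSupportCheck (hypothetical name; not the SSLInfo tool from the thread).
 * Lists the TLS protocols and cipher suites supported by the default JSSE
 * provider, marking those enabled by default with "*", then probes the pieces
 * that ECDH/ECDHE suites depend on: the SunEC provider, the EC primitives it
 * is expected to register, and the sunec.jar / libsunec.so files on disk.
 */
public class EcSupportCheck {

    /** True for suites whose key exchange is ECDH or ECDHE (any authentication). */
    static boolean isEcSuite(String suite) {
        return suite.contains("_ECDH");
    }

    /** Number of supported suites that need EC key exchange; 0 is the symptom from the thread. */
    static int countEcSuites(String[] supported) {
        int n = 0;
        for (String s : supported) {
            if (isEcSuite(s)) n++;
        }
        return n;
    }

    /** Asks the JCE for the two EC algorithms TLS needs; fails when no provider registers them. */
    static String probeEcPrimitives() {
        try {
            KeyPairGenerator.getInstance("EC");
            KeyAgreement.getInstance("ECDH");
            return "available";
        } catch (NoSuchAlgorithmException e) {
            return "missing (" + e.getMessage() + ")";
        }
    }

    /**
     * Looks for the SunEC jar and native library in the running JRE.
     * Assumed JDK 7/8 layout: java.home/lib/ext/sunec.jar, and the native
     * library (libsunec.so on Linux) in a directory of sun.boot.library.path.
     */
    static List<String> locateSunEcFiles() {
        List<String> found = new ArrayList<String>();
        File jar = new File(System.getProperty("java.home"), "lib/ext/sunec.jar");
        if (jar.isFile()) found.add(jar.getPath());
        String bootLib = System.getProperty("sun.boot.library.path", "");
        for (String dir : bootLib.split(File.pathSeparator)) {
            File so = new File(dir, System.mapLibraryName("sunec"));
            if (so.isFile()) found.add(so.getPath());
        }
        return found;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        Set<String> enabled = new HashSet<String>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        System.out.println("Supported SSL Protocols: " + Arrays.toString(supported.getProtocols()));
        System.out.println("Default Cipher Name");
        for (String suite : supported.getCipherSuites()) {
            System.out.println((enabled.contains(suite) ? "*   " : "    ") + suite);
        }

        Provider sunEc = Security.getProvider("SunEC");
        System.out.println("SunEC provider:     " + (sunEc == null ? "not registered" : sunEc.getInfo()));
        System.out.println("EC/ECDH primitives: " + probeEcPrimitives());
        System.out.println("SunEC files found:  " + locateSunEcFiles());
        System.out.println("ECDH/ECDHE suites:  " + countEcSuites(supported.getCipherSuites()));
        System.out.println("jdk.tls.disabledAlgorithms=" + Security.getProperty("jdk.tls.disabledAlgorithms"));
    }
}
```

Compile it once and run it under each JDK in question (the thread's `java` and `java8`). If the EC primitive probe reports missing while sunec.jar is listed but no native library is, the gap is the native part of the provider rather than the jdk.tls.disabledAlgorithms policy, which matches the situation the thread describes; the same tool run on a JDK with a working SunEC provider should show a non-zero ECDH/ECDHE suite count.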