Re: [OT] ECDHE cipher suites missing on Amazon Linux / OpenJDK 7 and 8 ??
On 06.10.2016 at 00:18, Christopher Schultz wrote:
> On 10/5/16 6:13 PM, Christopher Schultz wrote:
>> On 10/5/16 4:52 PM, Rainer Jung wrote:
>>> On 05.10.2016 at 21:11, Christopher Schultz wrote:
>>>> -BEGIN PGP SIGNED MESSAGE-
>>>> Hash: SHA256
>>>>
>>>> All,
>>>>
>>>> Apologies for off-topic post, but lots of folks here have lots of
>>>> different experiences and maybe someone has come across this.
>>>>
>>>> I've got a few servers in Amazon EC2 running Amazon Linux. I'm using
>>>> the OpenJDK package, and I have versions 1.7.0 and 1.8.0 running
>>>> side-by-side:
>>>>
>>>> $ java -version
>>>> java version "1.7.0_111"
>>>> OpenJDK Runtime Environment (amzn-2.6.7.2.68.amzn1-i386 u111-b01)
>>>> OpenJDK Client VM (build 24.111-b01, mixed mode, sharing)
>>>>
>>>> $ java8 -version
>>>> openjdk version "1.8.0_101"
>>>> OpenJDK Runtime Environment (build 1.8.0_101-b13)
>>>> OpenJDK Server VM (build 25.101-b13, mixed mode)
>>>>
>>>> For some reason, a whole slew of crypto support is flat-out /missing/
>>>> from those packages (java-1.7.0-openjdk and java-1.8.0-openjdk).
>>>> Here's what I get when I run my SSLInfo tool on the box:
>>>>
>>>> ...
>>>>
>>>> If I run this on another box where Oracle's Java has been installed,
>>>> I get the full complement:
>>>>
>>>> ...
>>>>
>>>> The security policy has these algorithms disabled:
>>>>
>>>> jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
>>>>
>>>> I'm okay with all those.
>>>>
>>>> I've installed the "Java Unlimited Strength Policy Files" which may or
>>>> may not have been necessary (in general) but that doesn't enable the
>>>> ECDH/ECDHE cipher suites, anyway.
>>>>
>>>> The only promising suggestion I've read online is to install the
>>>> Bouncy Castle crypto provider, except that provider is 100% Java and
>>>> I'd prefer to get (what little) acceleration the native implementation
>>>> can provide.
>>>>
>>>> Do I need to abandon OpenJDK in order to get a decent selection of
>>>> cipher suites? Or is there a package I have not installed, or a
>>>> setting I haven't tweaked somewhere to get this working?
>>>
>>> Coincidentally I am currently involved in a project which forced
>>> customers to download EC support for OpenJDK as a separate package due
>>> to license limitations.
>>>
>>> EC support in Oracle JDK is provided by the Sun EC provider which
>>> consists of a jar file sunec.jar plus (and therein lies the real impl)
>>> a native library (libsunec.so on Unix/Linux). These files seem to have
>>> been removed from OpenJDK due to license restrictions or policies.
>>
>> I'm in such luck that you are fighting this battle as well!
>>
>> In my install of Java 8, I do in fact have sunec.jar:
>>
>> -rw-r--r-- 1 root root 30460 Jul 20 22:30 sunec.jar
>>
>> The Java 7 package does not contain sunec.jar.
>>
>> Of the 38 shared libs in Java 8 and the 41 libs for Java 7, none of
>> them have "sun" anywhere in their name. So it looks like the native
>> components are not available, at least not from the packages I've
>> installed thus far.
>>
>>> I found two texts related to this:
>>>
>>> http://armoredbarista.blogspot.de/2013/10/how-to-use-ecc-with-openjdk.html
>>>
>>> and
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1167153
>>>
>>> I do not know whether AWS really does not include the Sun EC jar file
>>> and/or library (then your observation would be explained by this) or
>>> whether the root cause on AWS is something else.
>>
>> I had the thought to simply steal the libsunec.so from my Oracle Java 8
>> on another system to see if it would work. But for reasons that are
>> beyond my explanation the server in question is a 32-bit OS with a
>> 32-bit JVM on it, and I don't have another machine with that library
>> handy. I'll have to get crafty.
>
> I have another AWS server that *is* 64-bit and I was able to
> successfully steal the .so from another Linux x86-64 server which had an
> Oracle JDK installed. It seems to work, but I'd prefer something that
> wasn't so obviously hacky. I might even be violating some kind of
> license agreement or something.
>
> Lawyers: I was just testing this for entertainment purposes, and have
> definitely rolled back to a compliant configuration.

Looking around I found the official license. On the official Oracle Java
download site

http://www.oracle.com/technetwork/java/javase/downloads/index.html

there is a link "Third Party Licenses". It gets you to a page with one
link per major Java version. For 7 and 8 it contains the info that
libsunec.so is licensed under the LGPL license.

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
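The thread's two findings, the SSLInfo listing with no ECDH/ECDHE suites and the diagnosis that the SunEC provider is sunec.jar plus libsunec.so, can be checked from one small program. This is an added example, not the SSLInfo tool from the thread (whose source is not on the page); it prints the same kind of Default/Cipher Name table and then tests whether the SunEC provider is registered and whether it can really produce an EC key pair, which is what fails when the jar is present but the native library is not. The class and method names are this example's own.

```java
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

/*
 * Constructed example (not the thread's SSLInfo tool): lists supported cipher
 * suites, marks the default ones with "*", and checks EC provider health.
 */
public class EcdheCheck {

    /** Supported cipher suites that use ECDH or ECDHE key exchange. */
    static List<String> ecSuites(SSLContext ctx) {
        List<String> out = new ArrayList<>();
        for (String s : ctx.getSupportedSSLParameters().getCipherSuites()) {
            if (s.contains("_ECDH")) {
                out.add(s);
            }
        }
        Collections.sort(out);
        return out;
    }

    /*
     * True if EC key generation on the named curve works end to end. With
     * sunec.jar present but libsunec.so missing this fails, either as an
     * exception from initialize() or as an UnsatisfiedLinkError from the
     * native call, so both are caught and reported as "not working".
     */
    static boolean canGenerateEcKey(String curve) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(new ECGenParameterSpec(curve));
            kpg.generateKeyPair();
            return true;
        } catch (Exception | UnsatisfiedLinkError e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        Set<String> defaults = new HashSet<>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        System.out.println("Supported SSL Protocols: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Default  Cipher Name");
        for (String s : supported) {
            System.out.println((defaults.contains(s) ? "   *     " : "         ") + s);
        }

        // SunJSSE only lists ECDH/ECDHE suites when it finds a usable EC provider,
        // so an empty list here cannot be fixed by connector or server config.
        Provider sunEc = Security.getProvider("SunEC");
        System.out.println("SunEC provider registered: " + (sunEc != null));
        System.out.println("EC key generation (secp256r1) works: "
                + canGenerateEcKey("secp256r1"));
        System.out.println("ECDH/ECDHE suites supported: " + ecSuites(ctx).size());
    }
}
```

Run it with each JVM in question (java and java8 in the thread's setup); a JVM that reports the provider as registered but key generation as not working is the sunec.jar-without-libsunec.so case Rainer describes.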
Re: [OT] ECDHE cipher suites missing on Amazon Linux / OpenJDK 7 and 8 ??
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Rainer,

On 10/5/16 6:13 PM, Christopher Schultz wrote:
> Rainer,
>
> On 10/5/16 4:52 PM, Rainer Jung wrote:
>> On 05.10.2016 at 21:11, Christopher Schultz wrote:
Re: [OT] ECDHE cipher suites missing on Amazon Linux / OpenJDK 7 and 8 ??
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Rainer,

On 10/5/16 4:52 PM, Rainer Jung wrote:
> On 05.10.2016 at 21:11, Christopher Schultz wrote:
Re: [OT] ECDHE cipher suites missing on Amazon Linux / OpenJDK 7 and 8 ??
On 05.10.2016 at 21:11, Christopher Schultz wrote:
[OT] ECDHE cipher suites missing on Amazon Linux / OpenJDK 7 and 8 ??
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

Apologies for off-topic post, but lots of folks here have lots of
different experiences and maybe someone has come across this.

I've got a few servers in Amazon EC2 running Amazon Linux. I'm using the
OpenJDK package, and I have versions 1.7.0 and 1.8.0 running side-by-side:

$ java -version
java version "1.7.0_111"
OpenJDK Runtime Environment (amzn-2.6.7.2.68.amzn1-i386 u111-b01)
OpenJDK Client VM (build 24.111-b01, mixed mode, sharing)

$ java8 -version
openjdk version "1.8.0_101"
OpenJDK Runtime Environment (build 1.8.0_101-b13)
OpenJDK Server VM (build 25.101-b13, mixed mode)

For some reason, a whole slew of crypto support is flat-out /missing/
from those packages (java-1.7.0-openjdk and java-1.8.0-openjdk). Here's
what I get when I run my SSLInfo tool on the box:

$ java -showversion -classpath libs/chadis-tools-1.55.jar com.chadis.tools.security.SSLInfo
java version "1.7.0_111"
OpenJDK Runtime Environment (amzn-2.6.7.2.68.amzn1-i386 u111-b01)
OpenJDK Client VM (build 24.111-b01, mixed mode, sharing)

Supported SSL Protocols:
TLSv1 (SunJSSE)
TLSv1.1 (SunJSSE)
TLSv1.2 (SunJSSE)

Default  Cipher Name
         SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
   *     SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
         SSL_DHE_DSS_WITH_DES_CBC_SHA
         SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
   *     SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
         SSL_DHE_RSA_WITH_DES_CBC_SHA
         SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
         SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
         SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
         SSL_DH_anon_WITH_DES_CBC_SHA
         SSL_DH_anon_WITH_RC4_128_MD5
         SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
         SSL_RSA_EXPORT_WITH_RC4_40_MD5
   *     SSL_RSA_WITH_3DES_EDE_CBC_SHA
         SSL_RSA_WITH_DES_CBC_SHA
         SSL_RSA_WITH_NULL_MD5
         SSL_RSA_WITH_NULL_SHA
         SSL_RSA_WITH_RC4_128_MD5
         SSL_RSA_WITH_RC4_128_SHA
   *     TLS_DHE_DSS_WITH_AES_128_CBC_SHA
   *     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
   *     TLS_DHE_DSS_WITH_AES_256_CBC_SHA
   *     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
   *     TLS_DHE_RSA_WITH_AES_128_CBC_SHA
   *     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
   *     TLS_DHE_RSA_WITH_AES_256_CBC_SHA
   *     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
         TLS_DH_anon_WITH_AES_128_CBC_SHA
         TLS_DH_anon_WITH_AES_128_CBC_SHA256
         TLS_DH_anon_WITH_AES_256_CBC_SHA
         TLS_DH_anon_WITH_AES_256_CBC_SHA256
   *     TLS_EMPTY_RENEGOTIATION_INFO_SCSV
         TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
         TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
         TLS_KRB5_EXPORT_WITH_RC4_40_MD5
         TLS_KRB5_EXPORT_WITH_RC4_40_SHA
         TLS_KRB5_WITH_3DES_EDE_CBC_MD5
         TLS_KRB5_WITH_3DES_EDE_CBC_SHA
         TLS_KRB5_WITH_DES_CBC_MD5
         TLS_KRB5_WITH_DES_CBC_SHA
         TLS_KRB5_WITH_RC4_128_MD5
         TLS_KRB5_WITH_RC4_128_SHA
   *     TLS_RSA_WITH_AES_128_CBC_SHA
   *     TLS_RSA_WITH_AES_128_CBC_SHA256
   *     TLS_RSA_WITH_AES_256_CBC_SHA
   *     TLS_RSA_WITH_AES_256_CBC_SHA256
         TLS_RSA_WITH_NULL_SHA256

Note the complete lack of ECDH or ECDHE cipher suites. Now again with
Java 8:

$ java8 -showversion -classpath libs/chadis-tools-1.55.jar com.chadis.tools.security.SSLInfo
openjdk version "1.8.0_101"
OpenJDK Runtime Environment (build 1.8.0_101-b13)
OpenJDK Server VM (build 25.101-b13, mixed mode)

Supported SSL Protocols:
TLS (SunJSSE)
TLSv1 (SunJSSE)
TLSv1.1 (SunJSSE)
TLSv1.2 (SunJSSE)

Default  Cipher Name
         SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
   *     SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
         SSL_DHE_DSS_WITH_DES_CBC_SHA
         SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
   *     SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
         SSL_DHE_RSA_WITH_DES_CBC_SHA
         SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
         SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
         SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
         SSL_DH_anon_WITH_DES_CBC_SHA
         SSL_DH_anon_WITH_RC4_128_MD5
         SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
         SSL_RSA_EXPORT_WITH_RC4_40_MD5
   *     SSL_RSA_WITH_3DES_EDE_CBC_SHA
         SSL_RSA_WITH_DES_CBC_SHA
         SSL_RSA_WITH_NULL_MD5
         SSL_RSA_WITH_NULL_SHA
         SSL_RSA_WITH_RC4_128_MD5
         SSL_RSA_WITH_RC4_128_SHA
   *     TLS_DHE_DSS_WITH_AES_128_CBC_SHA
   *     TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
   *     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
   *     TLS_DHE_DSS_WITH_AES_256_CBC_SHA
   *     TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
   *     TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
   *     TLS_DHE_RSA_WITH_AES_128_CBC_SHA
   *     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
   *     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
   *     TLS_DHE_RSA_WITH_AES_256_CBC_SHA
   *     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
   *     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
         TLS_DH_anon_WITH_AES_128_CBC_SHA
         TLS_DH_anon_WITH_AES_128_CBC_SHA256
         TLS_DH_anon_WITH_AES_128_GCM_SHA256
         TLS_DH_anon_WITH_AES_256_CBC_SHA
         TLS_DH_anon_WITH_AES_256_CBC_SHA256
         TLS_DH_anon_WITH_AES_256_GCM_SHA384
   *