On 06.10.2016 at 00:18, Christopher Schultz wrote:
On 10/5/16 6:13 PM, Christopher Schultz wrote:
On 10/5/16 4:52 PM, Rainer Jung wrote:
On 05.10.2016 at 21:11, Christopher Schultz wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

All,

Apologies for off-topic post, but lots of folks here have lots
of different experiences and maybe someone has come across
this.

I've got a few servers in Amazon EC2 running Amazon Linux. I'm
using the OpenJDK package, and I have versions 1.7.0 and 1.8.0
running side-by-side:

$ java -version
java version "1.7.0_111"
OpenJDK Runtime Environment (amzn-2.6.7.2.68.amzn1-i386 u111-b01)
OpenJDK Client VM (build 24.111-b01, mixed mode, sharing)

$ java8 -version
openjdk version "1.8.0_101"
OpenJDK Runtime Environment (build 1.8.0_101-b13)
OpenJDK Server VM (build 25.101-b13, mixed mode)

For some reason, a whole slew of crypto support is flat-out
/missing/ from those packages (java-1.7.0-openjdk and
java-1.8.0-openjdk). Here's what I get when I run my SSLInfo
tool on the box:
...
If I run this on another box where Oracle's Java has been
installed, I get the full complement:
...
The security policy has these algorithms disabled:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

I'm okay with all those.

I've installed the "Java Unlimited Strength Policy Files"
which may or may not have been necessary (in general) but that
doesn't enable the ECDH/ECDHE cipher suites, anyway.

The only promising suggestion I've read online is to install
the Bouncy Castle crypto provider, except that provider is 100%
Java and I'd prefer to get (what little) acceleration the
native implementation can provide.

Do I need to abandon OpenJDK in order to get a decent
selection of cipher suites? Or is there a package I have not
installed, or a setting I haven't tweaked somewhere to get this
working?

Coincidentally, I am currently involved in a project which forced
customers to download EC support for OpenJDK as a separate
package due to license limitations. EC support in Oracle JDK is
provided by the Sun EC provider, which consists of a jar file
sunec.jar plus (and therein lies the real implementation) a native library
(libsunec.so on Unix/Linux). These files seem to have been
removed from OpenJDK due to license restrictions or policies.

I'm in such luck that you are fighting this battle as well!

In my install of Java 8, I do in fact have sunec.jar:

-rw-r--r-- 1 root root   30460 Jul 20 22:30 sunec.jar

The Java 7 package does not contain sunec.jar.

Of the 38 shared libs in Java 8 and the 41 libs for Java 7, none
of them have "sun" anywhere in their name. So it looks like the
native components are not available, at least not from the packages
I've installed thus far.

I found two texts related to this:

http://armoredbarista.blogspot.de/2013/10/how-to-use-ecc-with-openjdk.html

and

https://bugzilla.redhat.com/show_bug.cgi?id=1167153

I do not know whether AWS really does not include the Sun EC
jar file and/or library (then your observation would be explained
by this) or whether the root cause on AWS is something else.

I had the thought to simply steal the libsunec.so from my Oracle
Java 8 on another system to see if it would work. But for reasons
that are beyond my explanation.... the server in question is a
32-bit OS with a 32-bit JVM on it, and I don't have another machine
with that library handy. I'll have to get crafty.

I have another AWS server that *is* 64-bit and I was able to
successfully steal the .so from another Linux x86-64 server which had
an Oracle JDK installed. It seems to work, but I'd prefer something
that wasn't so obviously hacky. I might even be violating some kind of
license agreement or something. Lawyers: I was just testing this for
entertainment purposes, and have definitely rolled-back to a compliant
configuration.

Looking around, I found the official license. On the official Oracle Java download site

   http://www.oracle.com/technetwork/java/javase/downloads/index.html

there is a link "Third Party Licenses". It gets you to a page with one link per major Java version. For 7 and 8 it contains the information that libsunec.so is licensed under the LGPL.

Regards,

Rainer
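The thread boils down to three separate checks: is the SunEC provider registered at all, does its native half (libsunec.so, or sunec.dll on Windows) actually load so that EC key generation and ECDH work, and does the default SSLContext consequently offer any ECDH/ECDHE cipher suites. The following is an added example, not the SSLInfo tool mentioned above or any code from the thread; it runs the three checks in one place so the same class can be run under both `java` and `java8` on the box. It assumes only the public JCA/JSSE API. The file search under `java.home` is a heuristic (it just looks for a file with the expected name anywhere below that directory), and the provider name "SunEC" is the one used by Oracle JDK and OpenJDK 7/8.

```java
import java.io.File;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

/**
 * Added example: checks whether this JVM can really do EC crypto and which
 * ECDH/ECDHE cipher suites its default SSLContext will offer.
 * Run it with each JVM you care about, e.g. "java EcSupportCheck" and
 * "java8 EcSupportCheck".
 */
public class EcSupportCheck {

    /** True if a provider named "SunEC" is listed in java.security. */
    static boolean sunEcRegistered() {
        return Security.getProvider("SunEC") != null;
    }

    /**
     * A provider can be listed while its native part is missing, so being
     * registered is not enough: actually generate a P-256 key pair.
     * Any failure (no algorithm, bad parameter, provider/link error) counts
     * as "EC key generation does not work on this JVM".
     */
    static boolean canGenerateEcKey() {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(new ECGenParameterSpec("secp256r1"));
            kpg.generateKeyPair();
            return true;
        } catch (GeneralSecurityException | RuntimeException | LinkageError e) {
            return false;
        }
    }

    /**
     * Cipher suites containing "ECDH" that the default SSLContext supports.
     * JSSE drops the ECDH/ECDHE suites when the EC algorithms are not
     * obtainable, so an empty list here matches the symptom in the thread.
     */
    static List<String> supportedEcdhSuites() throws GeneralSecurityException {
        List<String> out = new ArrayList<String>();
        String[] all = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        for (String suite : all) {
            if (suite.contains("ECDH")) {
                out.add(suite);
            }
        }
        return out;
    }

    /** Heuristic (assumption): recursively look for a file by name below dir. */
    static File find(File dir, String name) {
        File[] entries = dir.listFiles();
        if (entries == null) {
            return null;
        }
        for (File f : entries) {
            if (f.isDirectory()) {
                File hit = find(f, name);
                if (hit != null) {
                    return hit;
                }
            } else if (f.getName().equals(name)) {
                return f;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        File javaHome = new File(System.getProperty("java.home"));
        // System.mapLibraryName gives "libsunec.so" on Linux, "sunec.dll" on Windows.
        System.out.println("java.home        : " + javaHome);
        System.out.println("sunec.jar        : " + find(javaHome, "sunec.jar"));
        System.out.println("native sunec lib : " + find(javaHome, System.mapLibraryName("sunec")));
        System.out.println("SunEC registered : " + sunEcRegistered());
        System.out.println("EC keygen works  : " + canGenerateEcKey());
        List<String> suites = supportedEcdhSuites();
        System.out.println("ECDH* suites     : " + suites.size());
        for (String s : suites) {
            System.out.println("  " + s);
        }
        System.out.println("installed providers:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersion());
        }
    }
}
```

Compile once (`javac EcSupportCheck.java`) and run it under each JVM on the machine. If `sunec.jar` is found but the native library is not, expect "SunEC registered" to be true while "EC keygen works" is false and the ECDH* list is empty; that combination is the "jar without .so" situation Rainer describes, and is the thing to compare against an Oracle JDK install before resorting to copying libsunec.so between machines.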
