On 21/05/2014, at 10:21 pm, Sverre Moe sverre@gmail.com wrote:
snip
ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256
/
Documentation aside, none of these cipher-suites are supported in Oracle Java 7.
Oracle Java 7 has no GCM support (AIX does I think, but from memory the cipher
suite names are different), and some of the cipher-suites don’t exist (see
below).
GCM was originally targeted for JDK 7 (which is why the cipher suite names and
AEAD APIs in the JCE are there) but the implementation didn’t show up until JDK
8.
I have tried running Tomcat with Java 7 and Java 8. Both of these should
support CBC_SHA256 and CBC_SHA384, but only Java 8 supports GCM_SHA384.
I have downloaded the Java cryptographic extensions policy files for both
Java 7 and Java 8.
The only way I get a connection is when I add the following ciphers:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
According to the specification all these ciphers are correct names:
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites
This is not true for TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265 or
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256 in Java 7 or 8 (only SHA/SHA384 or
AES_128 variants of these are listed in the docs and reported by the JRE).
i.e. for whatever reason, SHA384 and SHA are coupled with AES_256, and SHA256
and SHA are coupled with AES_128.
The email trail Christopher linked should help you discover what’s available on
the system you’re running on.
cheers
tim
For the record, these are the ECDHE cipher suites supported in Oracle Java 7,
excluding those that use SHA(1):
Cipher                                   Kx     Au     Enc  Mode  Key  Str    Mac     Size  Unsafe
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  ECDHE  ECDSA  AES  CBC   256  (256)  SHA384  384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    ECDHE  RSA    AES  CBC   256  (256)  SHA384  384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  ECDHE  ECDSA  AES  CBC   128  (128)  SHA256  256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    ECDHE  RSA    AES  CBC   128  (128)  SHA256  256
Oracle Java 8 adds the following ECDHE + GCM cipher suites (again not including
SHA(1)) to the list above:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  ECDHE  ECDSA  AES  GCM   256  (256)  SHA384  384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDHE  ECDSA  AES  GCM   128  (128)  SHA256  256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    ECDHE  RSA    AES  GCM   256  (256)  SHA384  384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    ECDHE  RSA    AES  GCM   128  (128)  SHA256  256
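
An added example, not part of the original message or of Tomcat: a small Java program that checks each name in a ciphers= list against what the running JRE actually reports as supported, and for a missing name lists the supported suites with the same key exchange and authentication. The class name CipherCheck is hypothetical; the default list is the one quoted at the top of this thread, typo included.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;

public class CipherCheck {
    // The ciphers= value as posted in the thread (SHA265 is the name as written).
    static final String CONFIGURED =
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
        + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,"
        + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
        + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256";

    public static void main(String[] args) throws Exception {
        String list = args.length > 0 ? args[0] : CONFIGURED;
        SSLContext ctx = SSLContext.getDefault();
        // Supported = everything the provider implements; enabled = on by default.
        Set<String> supported = new TreeSet<String>(Arrays.asList(
                ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<String>(Arrays.asList(
                ctx.getDefaultSSLParameters().getCipherSuites()));

        System.out.println("JRE " + System.getProperty("java.version"));
        int usable = 0;
        for (String raw : list.split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) continue;
            if (supported.contains(name)) {
                usable++;
                System.out.println("OK       " + name
                        + (enabled.contains(name) ? "" : "  (not enabled by default)"));
                continue;
            }
            System.out.println("MISSING  " + name);
            // Show supported suites sharing the prefix up to _WITH_ (e.g. TLS_ECDHE_RSA).
            int cut = name.indexOf("_WITH_");
            String prefix = cut > 0 ? name.substring(0, cut + 6) : name;
            for (String s : supported) {
                if (s.startsWith(prefix)) System.out.println("           available: " + s);
            }
        }
        if (usable == 0) {
            System.out.println("No configured suite is supported by this JRE; "
                    + "a connector restricted to this list cannot complete a handshake.");
        }
    }
}
```

Run it with the same JRE that runs Tomcat, optionally passing a different comma-separated list as the first argument.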