AES GCM mode is not in Java 7, that is right. These higher cipher suites are supported and implemented in Java 8. It is just that none of the major browsers support them.
http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SupportedCipherSuites

Made my own Java code for listing out the default ciphers. It uses the same piece of code as SSLInfo does. As you can see, the 256-bit ciphers are there. Java 7 does support the AES 256-bit ciphers, but in CBC mode and not GCM mode.

    import javax.net.ssl.SSLServerSocketFactory;

    // Default cipher suites of the JVM's default SSLServerSocketFactory
    SSLServerSocketFactory ssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
    String[] defaultCiphers = ssf.getDefaultCipherSuites();
    for (String cipher : defaultCiphers) {
        // Keep only (EC)DHE key exchange; drop DSS, RC4 and DES/3DES suites
        if ((cipher.startsWith("TLS_DHE") || cipher.startsWith("TLS_ECDHE"))
                && !cipher.contains("DSS") && !cipher.contains("RC4") && !cipher.contains("DES")) {
            System.out.println(cipher);
        }
    }

*TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384*
*TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384*
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
*TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384*
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
*TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384*
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

2014-05-26 20:09 GMT+02:00 Christopher Schultz <ch...@christopherschultz.net>:

> Tim,
>
> On 5/25/14, 9:34 PM, Tim Whittington wrote:
> >
> > On 21/05/2014, at 10:21 pm, Sverre Moe <sverre....@gmail.com>
> > wrote:
> >
> > <snip>
> >
> >> ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> >> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265,
> >> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
> >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256"
> >> />
> >
> > Documentation aside, none of these cipher-suites are supported in
> > Oracle Java 7.
>
> If you run the code I referenced elsewhere in this thread, you'll see
> that some of the components are available, just not in the
> combinations you have above:
>
> $ java -showversion -classpath build/ SSLInfo | grep '\(256\|384\)'
> java version "1.7.0_55"
> Java(TM) SE Runtime Environment (build 1.7.0_55-b13)
> Java HotSpot(TM) 64-Bit Server VM (build 24.55-b03, mixed mode)
>
> Supported SSL Protocols:
> TLSv1 (SunJSSE)
> TLSv1.1 (SunJSSE)
> TLSv1.2 (SunJSSE)
> Default Cipher Name
> *  TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
> *  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
>    TLS_DH_anon_WITH_AES_128_CBC_SHA256
> *  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> *  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> *  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
> *  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
> *  TLS_RSA_WITH_AES_128_CBC_SHA256
>    TLS_RSA_WITH_NULL_SHA256
>
> So, you can get ECDHE_(ECDSA|RSA)_AES, but not with a 256-bit cipher.
> You can get a 128-bit cipher and a 256-bit hash, but not higher-bit
> hash functions.
>
> > Oracle Java 7 has no GCM support (AIX does I think, but from
> > memory the cipher suite names are different), and some of the
> > cipher-suites don’t exist (see below). GCM was originally targeted
> > for JDK 7 (which is why the cipher suite names and AEAD APIs in the
> > JCE are there) but the implementation didn’t show up until JDK 8.
>
> I find no ciphers with 384-bit hashes in Oracle Java 8, but there are
> 256-bit ones -- at least in the Mac OS X build:
>
> $ /Library/Java/JavaVirtualMachines/disabled/jdk1.8.0.jdk/Contents/Home/bin/java -showversion -classpath build/ SSLInfo | grep '\(256\|384\)'
> java version "1.8.0-ea"
> Java(TM) SE Runtime Environment (build 1.8.0-ea-b99)
> Java HotSpot(TM) 64-Bit Server VM (build 25.0-b41, mixed mode)
>
> *  TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
> *  TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
> *  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> *  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
>    TLS_DH_anon_WITH_AES_128_CBC_SHA256
>    TLS_DH_anon_WITH_AES_128_GCM_SHA256
> *  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> *  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> *  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> *  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> *  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
> *  TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
> *  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
> *  TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
> *  TLS_RSA_WITH_AES_128_CBC_SHA256
> *  TLS_RSA_WITH_AES_128_GCM_SHA256
>    TLS_RSA_WITH_NULL_SHA256
>
> So as Tim says, Oracle Java 7 doesn't support this stuff. And neither
> does Java 8.
>
> If you want higher-grade encryption (and you want it to run faster),
> consider switching to the OpenSSL-based APR connector: performance is
> one of the major reasons for using the APR connector, and it's a bit
> more efficient than the NIO connector and certainly better than the
> BIO connector.
>
> -chris
>
> >> I have tried running Tomcat with Java 7 and Java 8. Both of these
> >> should support CBC_SHA256 and CBC_SHA384, but only Java 8
> >> supports GCM_SHA384. I have downloaded the Java cryptographic
> >> extensions policy files for both Java 7 and Java 8.
> >>
> >> The only way I get a connection is when I add the following
> >> ciphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> >> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
> >>
> >> According to the specification all these ciphers are correct
> >> names:
> >>
> >> http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#ciphersuites
> >>
> >
> > This is not true for TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265 or
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256 in Java 7 or 8 (only SHA/
> > SHA384 or AES_128 variants of these are listed in the docs and
> > reported by the JRE).
> >
> > i.e. for whatever reason, SHA384 and SHA are coupled with AES_256,
> > and SHA256 and SHA are coupled with AES_128.
> >
> > The email trail Christopher linked should help you discover what’s
> > available on the system you’re running on.
> >
> > cheers
> > tim
> >
> > For the record, these are the ECDHE cipher suites supported in
> > Oracle Java 7, excluding those that use SHA(1):
> >
> > Cipher                                   Kx     Au     Enc  Mode  Key  Str    Mac     Size  Unsafe
> > TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  ECDHE  ECDSA  AES  CBC   256  (256)  SHA384  384
> > TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    ECDHE  RSA    AES  CBC   256  (256)  SHA384  384
> > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256  ECDHE  ECDSA  AES  CBC   128  (128)  SHA256  256
> > TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256    ECDHE  RSA    AES  CBC   128  (128)  SHA256  256
> >
> > Oracle Java 8 adds the following ECDHE + GCM cipher suites (again
> > not including SHA(1)) to the list above:
> >
> > TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  ECDHE  ECDSA  AES  GCM   256  (256)  SHA384  384
> > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256  ECDHE  ECDSA  AES  GCM   128  (128)  SHA256  256
> > TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    ECDHE  RSA    AES  GCM   256  (256)  SHA384  384
> > TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    ECDHE  RSA    AES  GCM   128  (128)  SHA256  256
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
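
Added example, not part of the original thread or of Tomcat: a small check that takes the connector's ciphers="..." value discussed above and reports, for the JVM it runs on, which names are enabled by default, which are supported but not enabled, and which the JVM does not know at all. The class name CipherConfigCheck is hypothetical; the built-in list is the attribute value quoted in the thread, copied verbatim.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLServerSocketFactory;

// Hypothetical helper (added example): validates a Tomcat connector cipher list
// against the cipher suites the running JVM actually reports.
public class CipherConfigCheck {

    enum Status { DEFAULT, SUPPORTED_NOT_DEFAULT, UNKNOWN }

    static Status classify(String name, Set<String> supported, Set<String> defaults) {
        if (defaults.contains(name)) return Status.DEFAULT;
        if (supported.contains(name)) return Status.SUPPORTED_NOT_DEFAULT;
        return Status.UNKNOWN; // misspelled, or not implemented by this JRE
    }

    public static void main(String[] args) {
        // Pass your own comma-separated list as the first argument; otherwise the
        // list quoted in the thread is used as-is (including "SHA265").
        String configured = args.length > 0 ? args[0]
            : "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "
            + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA265, "
            + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "
            + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA256";

        SSLServerSocketFactory ssf =
            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        Set<String> supported =
            new HashSet<String>(Arrays.asList(ssf.getSupportedCipherSuites()));
        Set<String> defaults =
            new HashSet<String>(Arrays.asList(ssf.getDefaultCipherSuites()));

        System.out.println("java.version = " + System.getProperty("java.version"));
        int usable = 0;
        for (String raw : configured.split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) continue;
            Status s = classify(name, supported, defaults);
            if (s != Status.UNKNOWN) usable++;
            System.out.println(String.format("%-24s %s", s, name));
        }
        if (usable == 0) {
            System.out.println("None of the configured names is known to this JVM.");
        }
    }
}
```

Run it with the same java binary that starts Tomcat, since the result depends on the JRE version and installed policy files.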