Reputation: 2089
I am trying to use some custom SSL cipher suites. Specifically my list is
<util:list id="ciphers" value-type="java.lang.String">
<value>DHE-RSA-AES256-SHA</value>
<value>DHE-DSS-AES256-SHA</value>
<value>DHE-RSA-CAMELLIA256-SHA</value>
<value>DHE-DSS-CAMELLIA256-SHA</value>
<value>AES256-SHA</value>
<value>CAMELLIA256-SHA</value>
<value>SSL_RSA_WITH_RC4_128_MD5</value> <---this is the only one working
<value>PSK-AES256-CBC-SHA</value>
<value>EDH-RSA-DES-CBC3-SHA</value>
<value>EDH-DSS-DES-CBC3-SHA</value>
<value>DES-CBC3-SHA</value>
<value>PSK-3DES-EDE-CBC-SHA</value>
<value>DHE-RSA-AES128-SHA</value>
<value>DHE-DSS-AES128-SHA</value>
<value>DHE-RSA-CAMELLIA128-SHA</value>
<value>DHE-DSS-CAMELLIA128-SHA</value>
<value>AES128-SHA</value>
<value>CAMELLIA128-SHA</value>
<value>PSK-AES128-CBC-SHA</value>
</util:list>
initialized by Spring and passed to the method
tlsClientParameters.setCipherSuites()
Unfortunately my client fails to connect to a stub server that I have created. The exception I am getting is:
Caused by: java.lang.IllegalArgumentException: Unsupported ciphersuite DHE-RSA-AES256-SHA
at com.sun.net.ssl.internal.ssl.CipherSuite.valueOf(CipherSuite.java:171)
at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(CipherSuiteList.java:62)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setEnabledCipherSuites(SSLSocketImpl.java:1977)
at org.apache.cxf.transport.https.SSLSocketFactoryWrapper.enableCipherSuites(SSLSocketFactoryWrapper.java:101)
at org.apache.cxf.transport.https.SSLSocketFactoryWrapper.createSocket(SSLSocketFactoryWrapper.java:71)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:372)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:883)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1394)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1336)
at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1414)
... 41 more
When I tried removing the cipher suites one by one, the same exception kept appearing with a different cipher every time, until there was only SSL_RSA_WITH_RC4_128_MD5 left. This is the only one that seems to be working.
I had a look at How to control the SSL ciphers available to Tomcat, which seems an identical issue, but I don't have any whitespace.
Edit: as a side note, my system is running on Java 1.5. Could it be that these ciphers are just not supported at this Java version? If not, is there a way around this?
Update: We migrated to Java 7 and I am still getting the same issue. I think that it's related to one of the answers below saying that these are not the standard names for the ciphers, and are thus not recognized by Java. If that is the case, how can I find the standard names for these ciphers?
Upvotes: 7
Views: 37315
Reputation: 413
import java.io.IOException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

public class ListSupported {
    public static void main(String[] args) throws IOException {
        // Get the SSLServerSocket
        SSLServerSocketFactory ssl = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket sslServerSocket = (SSLServerSocket) ssl.createServerSocket();
        // Get the list of all supported cipher suites.
        String[] cipherSuites = sslServerSocket.getSupportedCipherSuites();
        for (String suite : cipherSuites)
            System.out.println(suite);
        // Get the list of all supported protocols.
        String[] protocols = sslServerSocket.getSupportedProtocols();
        for (String protocol : protocols)
            System.out.println(protocol);
        // Release the unbound socket once the lists have been printed.
        sslServerSocket.close();
    }
}
Upvotes: 3
Reputation: 5963
Check out:
Also,
By default the local_policy.jar and US_export_policy.jar under jre_home/lib/security/ might not "enable" the cipher suites you want.
To enable them, replace those two files with the ones found here Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 Download.
You should not be able to use the cipher suites supported under Sun Providers.
Make sure that the cipher suite descriptions match the ones under the Sun Providers.
Upvotes: 2
Reputation: 2089
For future reference, the list of ciphers I was using was from OpenSSL and they were generated by
openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:+HIGH:-MEDIUM:-LOW:-KRB5'.
I never found how to translate the OpenSSL list of ciphers to the Java 7 supported ones (or confirm whether they are the same ciphers, just under different names). I just changed my ciphers list to be the list provided here by Java
http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html
and everything worked okay.
Upvotes: 1
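An added example, not part of the original posts: one way to translate the OpenSSL-style names from the question into standard suite names and keep only those the running JVM supports, so that the list passed on to setEnabledCipherSuites() cannot raise the "Unsupported ciphersuite" exception. The class name, the `toIana` helper and the shortened sample list are assumptions made for illustration, and the translation covers only the `[KX-AUTH-]CIPHER-SHA` family that appears in the question.

```java
import java.util.*;
import javax.net.ssl.SSLContext;

public class OpenSslToJsse {
    // Translate an OpenSSL name of the form [KX-AUTH-]CIPHER-SHA to its IANA
    // name; returns null for names outside that family.
    static String toIana(String openssl) {
        if (!openssl.endsWith("-SHA")) return null;
        String body = openssl.substring(0, openssl.length() - "-SHA".length());
        String kx = "RSA";                 // OpenSSL omits the prefix for plain RSA
        String[][] prefixes = {{"DHE-RSA-", "DHE_RSA"}, {"EDH-RSA-", "DHE_RSA"},
                {"DHE-DSS-", "DHE_DSS"}, {"EDH-DSS-", "DHE_DSS"}, {"PSK-", "PSK"}};
        for (String[] p : prefixes) {
            if (body.startsWith(p[0])) {
                kx = p[1];
                body = body.substring(p[0].length());
                break;
            }
        }
        String cipher;
        if (body.equals("DES-CBC3") || body.equals("3DES-EDE-CBC")) {
            cipher = "3DES_EDE_CBC";
        } else if (body.matches("(AES|CAMELLIA)(128|256)(-CBC)?")) {
            cipher = body.replaceFirst("(AES|CAMELLIA)(128|256)(-CBC)?", "$1_$2_CBC");
        } else {
            return null;
        }
        return "TLS_" + kx + "_WITH_" + cipher + "_SHA";
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a few of the OpenSSL names from the question.
        String[] requested = {"DHE-RSA-AES256-SHA", "AES128-SHA", "EDH-RSA-DES-CBC3-SHA",
                "DHE-RSA-CAMELLIA256-SHA", "PSK-AES256-CBC-SHA"};
        Set<String> supported = new HashSet<String>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()));
        List<String> enable = new ArrayList<String>();
        for (String name : requested) {
            String iana = toIana(name);
            // JSSE lists some older suites under an SSL_ prefix instead of TLS_.
            String legacy = iana == null ? null : "SSL_" + iana.substring(4);
            if (supported.contains(iana)) enable.add(iana);
            else if (supported.contains(legacy)) enable.add(legacy);
            else System.out.println("not available in this JVM: " + name + " (" + iana + ")");
        }
        // Only names the JVM itself reported end up in the list to enable.
        System.out.println("enable: " + enable);
    }
}
```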
Reputation: 310957
Could it be that these ciphers are just not supported at this java version?
Certainly. The available cipher suites are documented. See the Standard Names document.
If not, is there a way around this?
Not unless you can find another implementation that supports them.
Upvotes: 5