Reputation: 183
Enable ECDHE ciphers With IBM JDK 6
Using IBM Rational® Software Architect for WebSphere Software Version: 9.0.0.1 with JDK 6
Trying to add ECDHE ciphers to the run time environment. at at https://www.ibm.com/support/knowledgecenter/SSYKE2_6.0.0/com.ibm.java.security.component.60.doc/security-component/jsse2Docs/ciphersuites.html, IBM says "The second list shows the (ECDHE) cipher suites that are supported by the IBMJSSE provider, but disabled by default".
I can change ClientHello to TLSv1.0, TLSv1.1, or TLSv1.3 but the same Cipher Suites are always returned. None of them are ECDHE.
Greatly appreciate if anyone knows how to enable ECDHE ciphers.
Here is the console output.
SSLContextImpl: Using X509ExtendedKeyManager com.ibm.jsse2.hd
SSLContextImpl: Using X509TrustManager com.ibm.jsse2.pc
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
trigger seeding of SecureRandom
done seeding SecureRandom
instantiated an instance of class com.ibm.jsse2.SSLSocketFactoryImpl
IBMJSSE2 will not enable CBC protection
IBMJSSE2 to send SCSV Cipher Suite on initial ClientHello
JsseJCE: Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
JsseJCE: Using cipher AES/CBC/NoPadding from provider TBD via init
CipherBox: Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default
Is initial handshake: true
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1503070341 bytes = { 152, 50, 18, 78, 108, 96, 63, 98, 44, 14, 255, 58, 89, 161, 90, 194, 150, 17, 22, 60, 58, 30, 156, 194, 83, 148, 201, 11 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST]
Compression Methods: { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA256withDSA, SHA1withDSA, MD5withRSA
***
main, WRITE: TLSv1.2 Handshake, length = 121
main, READ: TLSv1.2 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at com.ibm.jsse2.o.a(o.java:8)
at com.ibm.jsse2.o.a(o.java:4)
at com.ibm.jsse2.SSLSocketImpl.b(SSLSocketImpl.java:40)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:554)
at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:223)
at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:724)
at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:81)
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:8)
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:20)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1207)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:390)
at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:36)
at Java6withHostHeader.main(Java6withHostHeader.java:94)
Upvotes: 2
Views: 3028
Answers (1)
Reputation: 183
With the help of everyone who responded, I was able to figure this out. First I used this code to list out all the available ciphers which confirmed the required ECDHE ciphers were installed but not enabled, and it gave the correct spelling of each cipher - https://confluence.atlassian.com/stashkb/files/679609085/679772359/1/1414093373406/Ciphers.java Then in the IDE, I set the below values under Run Configurations / VM Arguments and it worked. -Dhttps.protocols="TLSv1.1" -Dhttps.cipherSuites="SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, etc."
Thank you all for your help
Upvotes: 1
Related Questions
- JDK7 SSL conenction Issue Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- Java 6 ECDHE Cipher Suite Support
- Java SSLHandshakeException "no cipher suites in common"
- SSLHandshakeException: no cipher suites in common
- ECDHE cipher suites not supported on OpenJDK 8 installed on EC2 Linux machine
- Java SSLHandshakeException: no cipher suites in common
- javax.net.ssl.SSLHandshakeException: no cipher suites in common no cipher suites in common
- unsupported SSL ciphersuite
- None of the ciphers specified are supported by the SSL engine : TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- Enabled ciphers on Ubuntu OpenJDK 7