启动时jetty-distribution-9.3.0.v20150612
with openjdk 1.8.0_51
在 EC2 Amazon Linux 计算机上运行时,打印出所有配置的 ECDHE 套件均不受支持。
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not supported
这些是在以下位置启用的jetty/etc/jetty-ssl-context.xml
-
<Set name="IncludeCipherSuites">
<Array type="java.lang.String">
<!-- TLS 1.2 AEAD only (all are SHA-2 as well) -->
<Item>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
<Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
<Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
...
我读过 Oracle Java 8应该支持这些协议,但也许 OpenJDK 不支持?或者我应该以某种方式启用它?
Update
Oracle 的 JCE 加密提供程序安装在jre/lib/security/
,但这没有帮助。
因此,我正在运行类似的设置,其中 AWS 机器运行 openjdk-1.8.0.51。
对我来说解决这个问题的方法是将 bouncycastle 添加为提供者,如下所示:
Add the bcprov-<verion>.jar
to /usr/lib/jvm/jre/lib/ext
-
Edit /usr/lib/jvm/jre/lib/security/java.security
将以下行添加到提供者列表中:
security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider
(我将其添加为第 6 个条目,但如果您愿意,您可以在顺序中添加更高的条目)
重新启动我的应用程序并能够使用基于 EC 的密码套件,例如TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
.
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系:hwhale#tublm.com(使用前将#替换为@)