[Unsupported ciphersuite][Java SSLSocket]

Question

I'm trying to connect to a server through SSLSocket using protocol TLSv1.2. The server only supports the following ciphers.

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256

When I try to set the enabled cipher suites, I'm facing the following exception:

java.lang.IllegalArgumentException: Unsupported ciphersuite ECDHE-ECDSA-AES128-GCM-SHA256
at sun.security.ssl.CipherSuite.valueOf(Unknown Source) ~[?:1.8.0_74]
at sun.security.ssl.CipherSuiteList.<init>(Unknown Source) ~[?:1.8.0_74]
at sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(Unknown Source) ~[?:1.8.0_74]

I tried replacing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 from the following URL in C:\Program Files\Java\jdk1.8.0_92\jre\lib\security, but I am still unable to connect to the server.

URL: https://www.oracle.com/java/technologies/javase-jce8-downloads.html

I'm using the following code to create the SSLSocket:

protected void openSocket() throws IOException {
    LGR.info("Opening SSL socket to " + addr + ":" + port);
    String[] TLS_SUPPORTED_VERSIONS = new String[] { "TLSv1.2" };
    String[] CIPHER_SUITES = new String[] {
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES128-SHA256"
    };
    try {
        SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(addr, port);
        socket.setEnabledProtocols(TLS_SUPPORTED_VERSIONS);
        socket.setEnabledCipherSuites(CIPHER_SUITES);
    } catch (Exception ex) {
        LGR.error("##Exception##", ex);
    } catch (Throwable ex) {
        LGR.error("##Throwable##", ex);
    }
}

Answer 1

Score: 1

You can list the supported cipher suites using:

SSLSocketFactory socketFactory = SSLContext.getDefault().getSocketFactory();
for (String cipherSuite : socketFactory.getSupportedCipherSuites()) {
    System.out.println(cipherSuite);
}

The following entry matches your requested suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.

You no longer need the JCE Unlimited Strength Jurisdiction Policy Files:

  • in Java 8 u151/u152 the policy files were included in the standard Java distribution, but needed to be enabled explicitly: Security.setProperty("crypto.policy", "unlimited");
  • since Java 8 u161+ (and in all upcoming Java versions), these policy files are included, and the unlimited crypto policy is enabled by default.

You can verify it as follows:
Cipher.getMaxAllowedKeyLength("AES") should return Integer.MAX_VALUE when unlimited strength is enabled.
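
The names in the question are OpenSSL-style, while `setEnabledCipherSuites` expects JSSE standard names such as the one the answer points to. The following is an added example, not code from the original question or answer: it maps the three suites from the question to their JSSE names and enables only those the runtime reports as supported. The class name `CipherSuiteCheck`, the mapping table and the helper `usableSuites` are illustrative assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class CipherSuiteCheck {
    // OpenSSL-style names from the question -> JSSE standard (IANA) names.
    static final Map<String, String> OPENSSL_TO_JSSE = new LinkedHashMap<>();
    static {
        OPENSSL_TO_JSSE.put("ECDHE-ECDSA-AES128-GCM-SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
        OPENSSL_TO_JSSE.put("ECDHE-RSA-AES128-GCM-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        OPENSSL_TO_JSSE.put("ECDHE-ECDSA-AES128-SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256");
    }

    /** Returns the mapped JSSE names that this runtime supports; fails if none remain. */
    static String[] usableSuites(String[] supported) {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        List<String> usable = new ArrayList<>();
        for (Map.Entry<String, String> e : OPENSSL_TO_JSSE.entrySet()) {
            if (available.contains(e.getValue())) {
                usable.add(e.getValue());
            } else {
                System.err.println("Not supported by this JRE: " + e.getValue() + " (" + e.getKey() + ")");
            }
        }
        if (usable.isEmpty()) {
            throw new IllegalStateException("No cipher suite in common with the server's list");
        }
        return usable.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        // Unconnected socket: the settings can be applied and inspected without a server.
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            socket.setEnabledProtocols(new String[] { "TLSv1.2" });
            socket.setEnabledCipherSuites(usableSuites(factory.getSupportedCipherSuites()));
            System.out.println(Arrays.toString(socket.getEnabledCipherSuites()));
        }
    }
}
```

Filtering against `getSupportedCipherSuites()` first turns the `IllegalArgumentException` into a per-suite message that names the unsupported entry.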

huangapple
  • Published on 2020-08-27 17:02:05
  • When reposting, please keep the link to this article: https://go.coder-hub.com/63612662.html