[Unsupported ciphersuite][Java SSLSocket]
Question
I'm trying to connect to a server through SSLSocket using protocol TLSv1.2. The server only supports the following ciphers.
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-SHA256
When I try to set the enabled cipher suites, I'm facing the following exception:

```
java.lang.IllegalArgumentException: Unsupported ciphersuite ECDHE-ECDSA-AES128-GCM-SHA256
    at sun.security.ssl.CipherSuite.valueOf(Unknown Source) ~[?:1.8.0_74]
    at sun.security.ssl.CipherSuiteList.<init>(Unknown Source) ~[?:1.8.0_74]
    at sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(Unknown Source) ~[?:1.8.0_74]
```
I tried replacing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 from the following URL in `C:\Program Files\Java\jdk1.8.0_92\jre\lib\security`, but I am still unable to connect to the server.
URL: https://www.oracle.com/java/technologies/javase-jce8-downloads.html
I'm using the following code to create the SSLSocket:
```java
protected void openSocket() throws IOException {
    LGR.info("Opening SSL socket to " + addr + ":" + port);
    String[] TLS_SUPPORTED_VERSIONS = new String[] { "TLSv1.2" };
    String[] CIPHER_SUITES = new String[] { "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256" };
    try {
        SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(addr, port);
        socket.setEnabledProtocols(TLS_SUPPORTED_VERSIONS);
        socket.setEnabledCipherSuites(CIPHER_SUITES);
    } catch (Exception ex) {
        LGR.error("##Exception##", ex);
    } catch (Throwable ex) {
        LGR.error("##Throwable##", ex);
    }
}
```
Answer 1
Score: 1
You can list the supported cipher suites using:
```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

SSLSocketFactory socketFactory = SSLContext.getDefault().getSocketFactory();
for (String cipherSuite : socketFactory.getSupportedCipherSuites()) {
    System.out.println(cipherSuite);
}
```
The following entry matches your requested suite: `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`.
You no longer need the JCE Unlimited Strength Jurisdiction Policy Files:
- in Java 8 u151/u152 the policy files were included in the standard Java distribution, but needed to be enabled explicitly: `Security.setProperty("crypto.policy", "unlimited");`
- since Java 8 u161+ (and in all upcoming Java versions), these policy files are included, and the unlimited crypto policy is enabled by default.
You can verify it as follows:
`Cipher.getMaxAllowedKeyLength("AES")` should return `Integer.MAX_VALUE` when unlimited strength is enabled.
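As an added example (not code from the question or the answer), the sketch below translates the server's OpenSSL-style suite names into the standard names JSSE expects and enables only those this JRE actually supports. The class name `CipherSuiteNames` and the helper `usableSuites` are hypothetical; the second and third mappings are the standard JSSE names for those suites and are not stated on the page.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class CipherSuiteNames {
    // OpenSSL-style name -> JSSE standard name, for the three suites in the question.
    static final Map<String, String> OPENSSL_TO_JSSE = new LinkedHashMap<>();
    static {
        OPENSSL_TO_JSSE.put("ECDHE-ECDSA-AES128-GCM-SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
        OPENSSL_TO_JSSE.put("ECDHE-RSA-AES128-GCM-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        OPENSSL_TO_JSSE.put("ECDHE-ECDSA-AES128-SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256");
    }

    /** Translates the server's names and keeps only the suites this JRE supports. */
    static String[] usableSuites(String[] supportedByJre, String... serverNames) {
        Set<String> supported = new HashSet<>(Arrays.asList(supportedByJre));
        List<String> usable = new ArrayList<>();
        for (String name : serverNames) {
            String jsse = OPENSSL_TO_JSSE.getOrDefault(name, name); // standard names pass through
            if (supported.contains(jsse)) {
                usable.add(jsse);
            } else {
                System.err.println("Not supported by this JRE, skipped: " + name + " -> " + jsse);
            }
        }
        if (usable.isEmpty()) {
            throw new IllegalStateException("No cipher suite in common with the server's list");
        }
        return usable.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Unconnected socket: enough to configure and inspect, no network needed.
        try (SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket()) {
            socket.setEnabledProtocols(new String[] { "TLSv1.2" });
            socket.setEnabledCipherSuites(usableSuites(socket.getSupportedCipherSuites(),
                    OPENSSL_TO_JSSE.keySet().toArray(new String[0])));
            System.out.println(Arrays.toString(socket.getEnabledCipherSuites()));
        }
    }
}
```

Filtering against `getSupportedCipherSuites()` first means an unavailable suite is reported by name instead of surfacing as the `IllegalArgumentException` from `setEnabledCipherSuites`.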