Note: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/21289293/

Time: 2020-08-13 07:55:07  Source: igfitidea

Java 7 support of AES-GCM in SSL/TLS?

Tags: java, security, ssl, aes

Asked by user2403018

According to Java 7 documentation as well as third party vendors, it appears Java 7 should support AES-GCM suites:

  1. ibm java 7
  2. java 7 ssl doc

I was hitting some errors in negotiation between client and server unable to negotiate a cipher due to restricting it to only the AES-GCM ciphers. After investigation I found that it appears that the cipher suites are not supported on client nor server (tomcat instance). Ran some sample code on client to get the output:

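import java.security.SecureRandom;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Create an SSLContext that uses our TrustManager
// (trustAllCerts is a TrustManager[] defined elsewhere; it is not shown in the post)
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, trustAllCerts, new SecureRandom());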

SSLParameters params = context.getSupportedSSLParameters();
String[] suites = params.getCipherSuites();
System.out.println("Java version : " + System.getProperty("java.runtime.version"));
System.out.println("Connecting with " + suites.length + " cipher suites supported:");

for (int i = 0; i < suites.length; i++) {
    System.out.println();
    System.out.print(" ********* ");
    System.out.print(suites[i]);
    System.out.print(" ********* ");
}

Java version: 1.7.0_51-b13
Connecting with 63 cipher suites supported:

 ********* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_RSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_RSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_DHE_RSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_DHE_DSS_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ********* 
 ********* TLS_ECDHE_RSA_WITH_RC4_128_SHA ********* 
 ********* SSL_RSA_WITH_RC4_128_SHA ********* 
 ********* TLS_ECDH_ECDSA_WITH_RC4_128_SHA ********* 
 ********* TLS_ECDH_RSA_WITH_RC4_128_SHA ********* 
 ********* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* SSL_RSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA ********* 
 ********* SSL_RSA_WITH_RC4_128_MD5 ********* 
 ********* TLS_EMPTY_RENEGOTIATION_INFO_SCSV ********* 
 ********* TLS_DH_anon_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_ECDH_anon_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_DH_anon_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_ECDH_anon_WITH_RC4_128_SHA ********* 
 ********* SSL_DH_anon_WITH_RC4_128_MD5 ********* 
 ********* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA ********* 
 ********* SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ********* 
 ********* TLS_RSA_WITH_NULL_SHA256 ********* 
 ********* TLS_ECDHE_ECDSA_WITH_NULL_SHA ********* 
 ********* TLS_ECDHE_RSA_WITH_NULL_SHA ********* 
 ********* SSL_RSA_WITH_NULL_SHA ********* 
 ********* TLS_ECDH_ECDSA_WITH_NULL_SHA ********* 
 ********* TLS_ECDH_RSA_WITH_NULL_SHA ********* 
 ********* TLS_ECDH_anon_WITH_NULL_SHA ********* 
 ********* SSL_RSA_WITH_NULL_MD5 ********* 
 ********* SSL_RSA_WITH_DES_CBC_SHA ********* 
 ********* SSL_DHE_RSA_WITH_DES_CBC_SHA ********* 
 ********* SSL_DHE_DSS_WITH_DES_CBC_SHA ********* 
 ********* SSL_DH_anon_WITH_DES_CBC_SHA ********* 
 ********* SSL_RSA_EXPORT_WITH_RC4_40_MD5 ********* 
 ********* SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 ********* 
 ********* SSL_RSA_EXPORT_WITH_DES40_CBC_SHA ********* 
 ********* SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA ********* 
 ********* SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA ********* 
 ********* SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA ********* 
 ********* TLS_KRB5_WITH_RC4_128_SHA ********* 
 ********* TLS_KRB5_WITH_RC4_128_MD5 ********* 
 ********* TLS_KRB5_WITH_3DES_EDE_CBC_SHA ********* 
 ********* TLS_KRB5_WITH_3DES_EDE_CBC_MD5 ********* 
 ********* TLS_KRB5_WITH_DES_CBC_SHA ********* 
 ********* TLS_KRB5_WITH_DES_CBC_MD5 ********* 
 ********* TLS_KRB5_EXPORT_WITH_RC4_40_SHA ********* 
 ********* TLS_KRB5_EXPORT_WITH_RC4_40_MD5 ********* 
 ********* TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA ********* 
 ********* TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 ********* INFO - Received response from post device of : 

Did not know if anyone else has come across such an issue.

Does Java 7 support use of AES-GCM in SSL/TLS?

Accepted answer by jww

AES-GCM is available in TLS v1.2. See [The Transport Layer Security (TLS) Protocol Version 1.2][1], section 6.2.3.3. TLSv1.1 did not add any cipher suites, and TLSv1.0 never had AES-GCM or the elliptic curve gear. (The elliptic curve stuff showed up in TLSv1.2 also).

The latest public build 80 of Java 7

  • does support TLSv1.2 after changing code to use SSLContext.getInstance("TLSv1.2") in case of socket programming or just declaring the -Dhttps.protocols=TLSv1.2 in case of HTTP programming.
  • does not support the AES-GCM cipher suite even under TLSv1.2, according to a request implemented only in a commercial build 191 of Java 7,

    https://bugs.java.com/bugdatabase/view_bug.do?bug_id=8180834

It's interesting that the TLS_ECDHE_ECDSA_* cipher suites are showing up in your dump since they are TLSv1.2 ciphers.

Answer by Bruno

There are no GCM cipher suites in the SunJSSE Provider of Java 7 (assuming an Oracle JRE), although it supports TLS 1.2.

These have been introduced in Java 8 (see cipher suite table in the "The SunJSSE Provider" section).

1.8.0-ea-b124    
Connecting with 71 cipher suites supported:

 ********* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_RSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_RSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_DHE_RSA_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_DHE_DSS_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_ECDHE_ECDSA_WITH_RC4_128_SHA ********* 
 ********* TLS_ECDHE_RSA_WITH_RC4_128_SHA ********* 
 ********* SSL_RSA_WITH_RC4_128_SHA ********* 
 ********* TLS_ECDH_ECDSA_WITH_RC4_128_SHA ********* 
 ********* TLS_ECDH_RSA_WITH_RC4_128_SHA ********* 
 ********* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ********* 
 ********* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ********* 
 ********* TLS_RSA_WITH_AES_128_GCM_SHA256 ********* 
 ********* TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ********* 
 ********* TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 ********* 
 ********* TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ********* 
 ********* TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 ********* 
 ********* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* SSL_RSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA ********* 
 ********* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA ********* 
 ********* SSL_RSA_WITH_RC4_128_MD5 ********* 
 ********* TLS_EMPTY_RENEGOTIATION_INFO_SCSV ********* 
 ********* TLS_DH_anon_WITH_AES_128_GCM_SHA256 ********* 
 ********* TLS_DH_anon_WITH_AES_128_CBC_SHA256 ********* 
 ********* TLS_ECDH_anon_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_DH_anon_WITH_AES_128_CBC_SHA ********* 
 ********* TLS_ECDH_anon_WITH_RC4_128_SHA ********* 
 ********* SSL_DH_anon_WITH_RC4_128_MD5 ********* 
 ********* TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA ********* 
 ********* SSL_DH_anon_WITH_3DES_EDE_CBC_SHA ********* 
 ********* TLS_RSA_WITH_NULL_SHA256 ********* 
 ********* TLS_ECDHE_ECDSA_WITH_NULL_SHA ********* 
 ********* TLS_ECDHE_RSA_WITH_NULL_SHA ********* 
 ********* SSL_RSA_WITH_NULL_SHA ********* 
 ********* TLS_ECDH_ECDSA_WITH_NULL_SHA ********* 
 ********* TLS_ECDH_RSA_WITH_NULL_SHA ********* 
 ********* TLS_ECDH_anon_WITH_NULL_SHA ********* 
 ********* SSL_RSA_WITH_NULL_MD5 ********* 
 ********* SSL_RSA_WITH_DES_CBC_SHA ********* 
 ********* SSL_DHE_RSA_WITH_DES_CBC_SHA ********* 
 ********* SSL_DHE_DSS_WITH_DES_CBC_SHA ********* 
 ********* SSL_DH_anon_WITH_DES_CBC_SHA ********* 
 ********* SSL_RSA_EXPORT_WITH_RC4_40_MD5 ********* 
 ********* SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 ********* 
 ********* SSL_RSA_EXPORT_WITH_DES40_CBC_SHA ********* 
 ********* SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA ********* 
 ********* SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA ********* 
 ********* SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA ********* 
 ********* TLS_KRB5_WITH_RC4_128_SHA ********* 
 ********* TLS_KRB5_WITH_RC4_128_MD5 ********* 
 ********* TLS_KRB5_WITH_3DES_EDE_CBC_SHA ********* 
 ********* TLS_KRB5_WITH_3DES_EDE_CBC_MD5 ********* 
 ********* TLS_KRB5_WITH_DES_CBC_SHA ********* 
 ********* TLS_KRB5_WITH_DES_CBC_MD5 ********* 
 ********* TLS_KRB5_EXPORT_WITH_RC4_40_SHA ********* 
 ********* TLS_KRB5_EXPORT_WITH_RC4_40_MD5 ********* 
 ********* TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA ********* 
 ********* TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 ********* 

Answer by andrewktmeikle

I've recently been messing around with Java and this cipher suite nonsense quite a bit recently.

From my experience, you need the unlimited policy files to get some extra suites. I can't remember off the top of my head if using those would get you the GCM ciphers, but from my recollection with IBM Java it at least got me the AES256 bit ciphers.

This link shows that you can at least initialise an SSLContext with TLSv1.2 (so you should be able to at least support all of the TLSv1.2 cipher suites that do not require the unlimited jurisdiction policy files)

Having a glance at some of the links I've looked at before, I can't see any GCM ciphers on Oracle's cipher suite list! oracle-enabled/supported-cipher-suites.

Hopefully some of those links help you out!

(I'm typing this while running out of work so forgive me if I missed any gcm ciphers :) )

Answer by William Bao

Both Oracle JDK and OpenJDK start to support GCM ciphers in Java 8.

Answer by dandfra

As others said, Java 1.7 does not support that cipher but, if you have the possibility to tweak your Java installation, you can add the security providers. Here are the steps:

  1. download from bouncycastle.org bcprov-ext-jdk15on-159.jar and bctls-jdk15on-159.jar and put them into the lib/ext directory of your jre/jdk (159 is the latest version now)
  2. edit the file lib/security/java.security of your jre/jdk and put the following lines:
    • security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
    • security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
  3. renumber all the following security providers by adding 1 (so security.provider.1=sun.security.provider.Sun becomes security.provider.3=sun.security.provider.Sun)

That's all, it should work now

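A startup check for the situation discussed in this thread, as an added example (not code from the question or any of the answers): it reports which JSSE provider backs the TLSv1.2 context, fails fast if that provider offers no AES-GCM suites, and otherwise restricts an SSLEngine to them. The class name GcmSuiteCheck and the decision to exclude anonymous suites are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Hypothetical helper class for this example; Java 7 compatible syntax.
public class GcmSuiteCheck {

    // Supported suites that use AES-GCM and authenticate the peer
    // (anonymous key exchange suites are excluded).
    static List<String> gcmSuites(String[] supported) {
        List<String> out = new ArrayList<String>();
        for (String s : supported) {
            if (s.contains("_GCM_") && !s.contains("_anon_")) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust managers and RNG

        System.out.println("Java version : " + System.getProperty("java.runtime.version"));
        System.out.println("JSSE provider: " + ctx.getProvider().getName());

        List<String> gcm = gcmSuites(ctx.getSupportedSSLParameters().getCipherSuites());
        if (gcm.isEmpty()) {
            // The case described in the answers for Java 7 with the stock provider:
            // fail here rather than later with a failed handshake.
            throw new IllegalStateException("No AES-GCM cipher suites available from "
                    + ctx.getProvider().getName());
        }

        // Restrict an engine to TLSv1.2 and GCM only; sockets accept the same SSLParameters.
        SSLEngine engine = ctx.createSSLEngine();
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(new String[] {"TLSv1.2"});
        params.setCipherSuites(gcm.toArray(new String[gcm.size()]));
        engine.setSSLParameters(params);

        for (String s : engine.getEnabledCipherSuites()) {
            System.out.println("  enabled: " + s);
        }
    }
}
```

Running it before and after editing java.security shows whether the provider order change took effect, since the printed provider name and the GCM list both come from the context actually selected.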