本文详细记录了在使用JDK1.4.2创建SSLServerSocket并尝试启用256位AES加密套件时遇到的问题及解决方案。文中提及,在默认配置下,TLS_DHE_RSA_WITH_AES_256_CBC_SHA加密套件不可用,通过安装无限制强度的Java Cryptography Extension (JCE)策略文件,成功启用了高级加密套件。
Please help me with this simple problem. I'm trying to create an SSLServerSocket that is enabled with the 2 AES 256-bit cipher suites that are supposed to be available in JDK1.4.2. As you can see in the following code, when the program attempts to enable the SSLServerSocket, ss, with CIPHER_SUITES, an exception occurs. The exception basically says that the TLS_DHE_RSA_WITH_AES_256_CBC_SHA cipher suite wasn't found. What's up?
__
String[] PROTOCOLS = {"SSLv3", "TLSv1"};
String[] CIPHER_SUITES = {"TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
"SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"SSL_RSA_WITH_3DES_EDE_CBC_SHA"};
// create an SSLServerSocket ss
SSLContext context = SSLContext.getInstance("TLS", "SunJSSE");
context.init(myKeyManagers, myTrustManagers, SecureRandom.getInstance("SHA1PRNG", "SUN"));
SSLServerSocketFactory ssFactory = context.getServerSocketFactory();
SSLServerSocket ss = ssFactory.createServerSocket();
ss.setEnabledProtocols(PROTOCOLS);
ss.setEnabledCipherSuites(CIPHER_SUITES);// EXCEPTION OCCURS HERE (exception output is printed below)
// output a bunch of useful debugging information
System.out.println(System.getProperty("java.version") + "\n");
Provider[] providers = Security.getProviders();
for(int i=0; i < providers.length; ++i)
System.out.println(providers[i] + "\n" + providers[i].getInfo() + "\n********************");
String[] enabledProtocols = ss.getEnabledProtocols();
for(int i=0; i < enabledProtocols.length; ++i)
System.out.println(enabledProtocols[i]);
String[] enabledCipherSuites = ss.getEnabledCipherSuites();
for(int i=0; i < enabledCipherSuites.length; ++i)
System.out.println(enabledCipherSuites[i]);
_
OUTPUT
java.lang.IllegalArgumentException: Cannot support TLS_DHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers
at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.setEnabledCipherSuites(DashoA6275)
at test.util.ConcreteSSLServerSocketFactory.initSocket(ConcreteSSLServerSocketFactory.java:111)
at test.util.ConcreteSSLServerSocketFactory.createServerSocket(ConcreteSSLServerSocketFactory.java:100)
at test.Test.init(Test.java:151)
at test.Test.main(Test.java:111)
JRE Version
1.4.2
Security Providers
SUN version 1.42
SUN (DSA key/parameter generation; DSA signing; SHA-1, MD5 digests; SecureRandom; X.509 certificates; JKS keystore; PKIX CertPathValidator; PKIX CertPathBuilder; LDAP, Collection CertStores)
********************
SunJSSE version 1.42
Sun JSSE provider(implements RSA Signatures, PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)
********************
SunRsaSign version 1.42
SUN's provider for RSA signatures
********************
SunJCE version 1.42
SunJCE Provider (implements DES, Triple DES, AES, Blowfish, PBE, Diffie-Hellman, HMAC-MD5, HMAC-SHA1)
********************
SunJGSS version 1.0
Sun (Kerberos v5)
********************
Enabled Protocols
SSLv3
TLSv1
Enabled Cipher Suites
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA
SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
Hey, self. Why don't you try using the Unlimited Strength Cryptography Files
The jre you are using does not have the advanced ciphers enabled.
Unlimited strength Java Cryptography Extenstion(JCE) Policy Files
Due to import control restrictions, the version of JCE policy files that are bundled in the JDK(TM) 6 environment allow "strong" but limited cryptography to be used. For our usage, we need to download a bundle that provide "unlimited strength" policy fies which contain no restrictions on cryptographic strengths.
Here are the installation instruction:
- Download the latest unlimited strength JCE policy files from Sun here
- Uncompress and extract the downloaded file. This will create a subdirectory called jce. This directory contains the following files:
- README.txt
- COPYRIGHT.html
- local_policy.jar- Unlimited strength local policy file
- US_export_policy.jar- Unlimited strength US export policy file
- Install the unlimited strength policy JAR files.
To utilize the encryption/decryption functionalities of the JCE framework without any limitation, first make a copy of the original JCE policy files (US_export_policy.jar and local_policy.jar in the standard place for JCE jurisdiction policy JAR files) in case you later decide to revert to these "strong" versions. Then replace the strong policy files with the unlimited strength versions extracted in the previous step.
The standard place for JCE jurisdiction policy JAR files is:- /lib/security [Unix]
- \lib\security [Win32]
- For detailed informatation on downloading JCE files goto C:\Program Files\Common Files\WatchGuard\java\j2re1.6.0_05\lib\security and refer the readme.txt file [Assuming wsm is installed under c:\Program Files\Watchguard ].
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
