ECDHE cipher suites not supported on OpenJDK 8 installed on EC2 Linux machine

Kof picture Kof · Aug 12, 2015 · Viewed 21k times · Source

When starting jetty-distribution-9.3.0.v20150612 with openjdk 1.8.0_51 running on an EC2 Amazon Linux machine, is prints that all configured ECDHE suites are not supported.

2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA not supported
2015-08-12 16:51:20 main SslContextFactory [INFO] Cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA not supported

These are enabled in jetty/etc/jetty-ssl-context.xml -

<Set name="IncludeCipherSuites">
<Array type="java.lang.String">
 <!-- TLS 1.2 AEAD only (all are SHA-2 as well) -->
  <Item>TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
  <Item>TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256</Item>
  <Item>TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</Item>
  <Item>TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</Item>
  <Item>TLS_DHE_RSA_WITH_AES_256_GCM_SHA384</Item>
  <Item>TLS_DHE_RSA_WITH_AES_128_GCM_SHA256</Item>
...

I read Oracle Java 8 should support these protocols, but maybe that's not supported by OpenJDK? Or should I enable it somehow?

Update

Oracle's JCE cryptographic provider is installed under jre/lib/security/, but it didn't help.

Answer

taleb picture taleb · Nov 4, 2015

So I'm running a similar setup, with an AWS box running openjdk-1.8.0.51. what solved it for me is to add bouncycastle as a provider like so:

  • Add the bcprov-<verion>.jar to /usr/lib/jvm/jre/lib/ext

  • Edit /usr/lib/jvm/jre/lib/security/java.security adding the following line to the list of providers:

    security.provider.6=org.bouncycastle.jce.provider.BouncyCastleProvider
    

(I added it as the 6th entry but you can add higher in the order if you prefer)

Restarted my application and was able to use EC-based cipher suites such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.