1. casa
  2. Domanda e risposta
  3. cifrari abilitato su Ubuntu OpenJDK 7

cifrari abilitato su Ubuntu OpenJDK 7

2013-11-15 9 views
7

ho scritto il seguente programma Java per scaricare le cifre abilitati nella JVM:cifrari abilitato su Ubuntu OpenJDK 7

import java.security.KeyStore; 

import javax.net.ssl.KeyManagerFactory; 
import javax.net.ssl.SSLContext; 
import javax.net.ssl.SSLSocket; 
import javax.net.ssl.TrustManagerFactory; 

public class ListCiphers 
{ 
    public static void main(String[] args) 
    throws Exception 
    { 
     SSLContext ctx = SSLContext.getInstance("TLSv1"); 
     // Create an empty TrustManagerFactory to avoid loading default CA 
     KeyStore ks = KeyStore.getInstance("JKS"); 
     TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); 
     tmf.init(ks); 
     ctx.init(null, tmf.getTrustManagers(), null); 
     SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket("mozilla.org", 443); 
     printSupportedCiphers(socket); 
     printEnabledCiphers(socket); 
    } 

    private static void printSupportedCiphers(SSLSocket socket) 
    { 
     printInfos("Supported cipher suites", socket.getSupportedCipherSuites()); 
    } 

    private static void printEnabledCiphers(SSLSocket socket) 
    { 
     printInfos("Enabled cipher suites", socket.getEnabledCipherSuites()); 
    } 

    private static void printInfos(String prefix, String[] values) 
    { 
     System.out.println(prefix + ":"); 
     for (int i = 0; i < values.length; i++) 
      System.out.println(" " + values[i]); 
    } 
}

Quando ho eseguito questo programma su Ubuntu 12.04.3 con openjdk-7-jre/amd64 7u25 -2.3.10-1ubuntu0.12.04.2 (/ usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java) con il debug abilitato, ottengo il seguente output:

$ /usr/lib/jvm/java-7-openjdk-amd64/jre/bin/java -Djavax.net.debug=all ListCiphers 
trigger seeding of SecureRandom 
done seeding SecureRandom 
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 
Allow unsafe renegotiation: false 
Allow legacy hello messages: true 
Is initial handshake: true 
Is secure renegotiation: false 
Supported cipher suites: 
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
    TLS_RSA_WITH_AES_256_CBC_SHA256 
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
    TLS_RSA_WITH_AES_256_CBC_SHA 
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA 
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA 
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
    TLS_RSA_WITH_AES_128_CBC_SHA256 
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 
    TLS_RSA_WITH_AES_128_CBC_SHA 
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA 
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA 
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 
    TLS_ECDHE_RSA_WITH_RC4_128_SHA 
    SSL_RSA_WITH_RC4_128_SHA 
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA 
    TLS_ECDH_RSA_WITH_RC4_128_SHA 
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 
    SSL_RSA_WITH_3DES_EDE_CBC_SHA 
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA 
    SSL_RSA_WITH_RC4_128_MD5 
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV 
    TLS_DH_anon_WITH_AES_256_CBC_SHA256 
    TLS_ECDH_anon_WITH_AES_256_CBC_SHA 
    TLS_DH_anon_WITH_AES_256_CBC_SHA 
    TLS_DH_anon_WITH_AES_128_CBC_SHA256 
    TLS_ECDH_anon_WITH_AES_128_CBC_SHA 
    TLS_DH_anon_WITH_AES_128_CBC_SHA 
    TLS_ECDH_anon_WITH_RC4_128_SHA 
    SSL_DH_anon_WITH_RC4_128_MD5 
    TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA 
    SSL_DH_anon_WITH_3DES_EDE_CBC_SHA 
    TLS_RSA_WITH_NULL_SHA256 
    TLS_ECDHE_ECDSA_WITH_NULL_SHA 
    TLS_ECDHE_RSA_WITH_NULL_SHA 
    SSL_RSA_WITH_NULL_SHA 
    TLS_ECDH_ECDSA_WITH_NULL_SHA 
    TLS_ECDH_RSA_WITH_NULL_SHA 
    TLS_ECDH_anon_WITH_NULL_SHA 
    SSL_RSA_WITH_NULL_MD5 
    SSL_RSA_WITH_DES_CBC_SHA 
    SSL_DHE_RSA_WITH_DES_CBC_SHA 
    SSL_DHE_DSS_WITH_DES_CBC_SHA 
    SSL_DH_anon_WITH_DES_CBC_SHA 
    SSL_RSA_EXPORT_WITH_RC4_40_MD5 
    SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 
    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA 
    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA 
    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA 
    SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA 
    TLS_KRB5_WITH_RC4_128_SHA 
    TLS_KRB5_WITH_RC4_128_MD5 
    TLS_KRB5_WITH_3DES_EDE_CBC_SHA 
    TLS_KRB5_WITH_3DES_EDE_CBC_MD5 
    TLS_KRB5_WITH_DES_CBC_SHA 
    TLS_KRB5_WITH_DES_CBC_MD5 
    TLS_KRB5_EXPORT_WITH_RC4_40_SHA 
    TLS_KRB5_EXPORT_WITH_RC4_40_MD5 
    TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA 
    TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 
Enabled cipher suites: 
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
    TLS_RSA_WITH_AES_256_CBC_SHA 
    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 
    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA 
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA 
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 
    TLS_RSA_WITH_AES_128_CBC_SHA 
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA 
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA 
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 
    TLS_ECDHE_RSA_WITH_RC4_128_SHA 
    SSL_RSA_WITH_RC4_128_SHA 
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA 
    TLS_ECDH_RSA_WITH_RC4_128_SHA 
    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 
    SSL_RSA_WITH_3DES_EDE_CBC_SHA 
    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 
    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 
    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA 
    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA 
    SSL_RSA_WITH_RC4_128_MD5 
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV

I Trovo strano che i registri di debug riportino che alcuni codici non sono supportati, ma vengono comunque riportati nell'elenco supportato restituito da getSupportedCiphersSuites().

C'è qualcosa di sbagliato sulla mia piattaforma?

fonte

2013-11-15 dolmen

risposta

3

Penso che tu abbia ragione e il messaggio di avviso non è utile. Se si guarda il codice in sun.security.ssl.SSLContextImpl dove è generato:

 for (CipherSuite suite : allowedCipherSuites) { 
      /* snip */ 

      if (suite.isAvailable() && 
        suite.obsoleted > protocols.min.v && 
        suite.supported <= protocols.max.v) { 
       /* snip */ 
      } else if (debug != null && 
        Debug.isOn("sslctx") && Debug.isOn("verbose")) { 
       if (suite.obsoleted <= protocols.min.v) { 
        System.out.println(
         "Ignoring obsoleted cipher suite: " + suite); 
       } else if (suite.supported > protocols.max.v) { 
        System.out.println(
         "Ignoring unsupported cipher suite: " + suite); 
       } else { 
        System.out.println(
         "Ignoring unavailable cipher suite: " + suite); 
       } 
      } 
     }

Sta scorrendo le consentiti pacchetti di crittografia, non il supportato quelli.

fonte

2013-11-15 15:27:24 artbristol

+0

Grazie! Un link a una versione online dell'ultima fonte sarebbe utile anche per verificare se il problema è stato risolto ... – dolmen

Problemi correlati

 Problemi correlati