Unsupported ciphers with Java and Shield

security

(Jason Newmoyer) #1

Using Java 1.7 with Shield to connect to our Found hosted instance using ElasticSearch 1.7.3. Getting the following stack when connecting:

ERROR 2015-11-13 06:09:56,500 [main] (AbstractSSLService.java:175) - [Saturnyne] unsupported ciphers [[TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]] were requested but cannot be used
in this JVM. If you are trying to use ciphers
with a key length greater than 128 bits on an Oracle JVM, you will need to install the unlimited strength
JCE policy files. Additionally, please ensure the PKCS11 provider is enabled for your JVM.

We have installed the Unlimited Strength Cryptography jars to the JRE. But I'm unsure about PKCS11. Thanks.


(Jay Modi) #2

Hi Jason,

That message is a generic warning to indicate that some of the configured ciphers could not be used. Different JDK distributions enable different providers statically in the $JAVA_HOME/jre/lib/security/java.security file. The SunPKCS11 provider typically is the one that provides support for TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA. Which JDK are you using? OpenJDK, Oracle? Is it packaged by a linux distribution? In the past, I've been able to add the SunPKCS11 provider to the JDKs in a linux distribution and use that cipher by uncommenting the line that looks like:

security.provider.X=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg

X above is a number that specifies the order of that provider. You will need to have nss libraries installed for this to work.

If you do not wish to edit the JDK files, you can specify:

shield.ssl.ciphers: [ "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA" ]

This simply leaves out the unavailable cipher from the default ciphers list for Shield as specified in the reference.


(Jason Newmoyer) #3

Running on Heroku, here's our JVM:

java version "1.7.0_79"
OpenJDK Runtime Environment (IcedTea 2.5.5) (Ubuntu build 1.7.0_79-b14)
OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)

Went with the path of least resistance, and defined shield.ssl.ciphers as suggested. We're up and running now. Thanks!


(system) #4