unsupported SSL ciphersuite

I am trying to use some custom SSL cipher suites. Specifically my list is

<util:list id="ciphers" value-type="java.lang.String">
    <value>DHE-RSA-AES256-SHA</value>
    <value>DHE-DSS-AES256-SHA</value>
    <value>DHE-RSA-CAMELLIA256-SHA</value>
    <value>DHE-DSS-CAMELLIA256-SHA</value>
    <value>AES256-SHA</value>
    <value>CAMELLIA256-SHA</value>
    <value>SSL_RSA_WITH_RC4_128_MD5</value>    <---this is the only one working
    <value>PSK-AES256-CBC-SHA</value>
    <value>EDH-RSA-DES-CBC3-SHA</value>
    <value>EDH-DSS-DES-CBC3-SHA</value>
    <value>DES-CBC3-SHA</value>
    <value>PSK-3DES-EDE-CBC-SHA</value>
    <value>DHE-RSA-AES128-SHA</value>
    <value>DHE-DSS-AES128-SHA</value>
    <value>DHE-RSA-CAMELLIA128-SHA</value>
    <value>DHE-DSS-CAMELLIA128-SHA</value>
    <value>AES128-SHA</value>
    <value>CAMELLIA128-SHA</value>
    <value>PSK-AES128-CBC-SHA</value>
</util:list>

,initialized by Spring and passed to method

tlsClientParameters.setCipherSuites()

Unfortunately my client fails to connect to a stub server that I have created. The exception I am getting is:

Caused by: java.lang.IllegalArgumentException: Unsupported ciphersuite DHE-RSA-AES256-SHA
at com.sun.net.ssl.internal.ssl.CipherSuite.valueOf(CipherSuite.java:171)
at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(CipherSuiteList.java:62)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setEnabledCipherSuites(SSLSocketImpl.java:1977)
at org.apache.cxf.transport.https.SSLSocketFactoryWrapper.enableCipherSuites(SSLSocketFactoryWrapper.java:101)
at org.apache.cxf.transport.https.SSLSocketFactoryWrapper.createSocket(SSLSocketFactoryWrapper.java:71)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:372)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:883)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1394)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1336)
at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:42)
at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1414)
... 41 more

When I tried removing the ciphers suites one by one, the same exception kept appearing with a different cipher every time, until there was only SSL_RSA_WITH_RC4_128_MD5 left. This is the only one that seems to be working.

I had a look at How to control the SSL ciphers available to Tomcat that seems an identical issue, but I don’t have an whitespaces.

Edit: as a sidenote, my system is running on Java 1.5 could it be that these ciphers are just not supported at this java version? If not, is there a way around this ?

Update: We migrated to Java 7 and I am still getting the same issue. I think that it’s related to one of the answers below saying that these are not the standard names for the ciphers, and are thus not recognized by java. If that is the case, how can I find the standard names for these ciphers ?

Answer

For future reference, the list of ciphers I was using was from openssl and they were generated by

openssl ciphers -v 'ALL:!ADH:!EXPORT:!SSLv2:+HIGH:-MEDIUM:-LOW:-KRB5'. 

I never found how to translate the openssl list of ciphers to the java 7 supported ones (or confirm whether they are the same ciphers, just under different names). I just changed my ciphers list to be the list provided here by Java

http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

and everything worked okay.

Leave a Reply

Your email address will not be published. Required fields are marked *