I am having trouble in calling services from Java 1.7 to Java 1.8. I will try to explain what I am doing.

Server 1 java version is 1.7.0_79 (unfortunately I can not change that). I am using Spring Rest Template to communicate. I understand that 1.7 uses TLS1 and Java 8 uses TLS1.2. I tried this communication with both sides on version 1.8 and I was able to communicate so I am sure certificate is fine.

I used the command to check the cipher being used by Server 2

```
$ openssl s_client -connect <server>:8443 -tls1_2
```

and got response

```
..... Long certificate chain

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: AC92BFBC090F4245271C10B9C5B968D1845278AE03714ED5806B4929DC3D0CC9
```

So in my opinion server is using these protocol and cipher. So if I use the same protocol and cipher, I should be able to communicate. To again make sure that this particular cipher is there, I asked my colleague to run following command on Server 2

```
openssl ciphers -v
```

and got following response

```
... lot of ciphers
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
```

So I am sure server supports ECDHE-RSA-AES128-GCM-SHA256 and I made changes on my Rest Template's SSLConnectionSocketFactory

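```java
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;

// sslContext() is defined elsewhere in the same configuration class.
public SSLConnectionSocketFactory sslConnectionSocketFactory() throws Exception {
    return new SSLConnectionSocketFactory(
            sslContext(),
            new String[] { "TLSv1.2" },                               // enabled protocols
            new String[] { "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" }, // enabled cipher suites
            // NoopHostnameVerifier turns off hostname verification of the server certificate
            NoopHostnameVerifier.INSTANCE);
}
```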

But I am still getting error

"Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

Could you please guide me in right direction? I have searched a lot but could not find solution. Thanks in advance.

  • Where are you running your `openssl` command? Is it from the same environment where you run your `RestTemplate` client? – Savior Nov 25 '20 at 01:04
  • TLS 1.2 could be enabled by environment setting: https://stackoverflow.com/questions/39157422/how-to-enable-tls-1-2-in-java-7 Have you tried? – Alex Chernyshev Nov 25 '20 at 02:12
  • @Alex Chernyshev I tried doing that but that did not work. I think my java version is 1.7.0_79 and I think these variables work for later versions. Unfortunately I can't change Java version. – Sandeep Kumar Nov 25 '20 at 02:23
  • @Savior Server 1 is running 1.7 and spring template is running on this one. I ran `openssl s_client -connect :8443 -tls1_2` and got `..... Long certificate chain SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES128-GCM-SHA256 Session-ID: AC92BFBC090F4245271C10B9C5B968D1845278AE03714ED5806B4929DC3D0CC9` Server 2 is running 1.8. `openssl ciphers -v` is run on Server 2 which gave response `... lot of ciphers ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD` – Sandeep Kumar Nov 25 '20 at 02:27
  • @SandeepKumar you can try to make the reverse thing: allow old TLS on Java8 side, its there from backward compatibility, but just disabled by default. – Alex Chernyshev Nov 25 '20 at 02:28
  • @Alex Chernyshev We don't own those servers and they are not in our control. Additionally I think TLS1 is not as safe as TLS1.2 – Sandeep Kumar Nov 25 '20 at 02:29
  • I used the script given at https://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers to list which ciphers are successfully used in handshake and only one connection was successful - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. I used the same in RestTemplate, still the same error - Unsupported ciphersuite -. This is so frustrating. – Sandeep Kumar Nov 25 '20 at 03:56
  • Running `openssl ciphers` on server2 tells you what OpenSSL supports, NOT what Java8 supports -- unless the server is actually using OpenSSL, like Tomcat/JbossWS/Wildfly native/APR mode, and even then it is often using an embedded copy of OpenSSL not the commandline one. Anyway, **free versions of Oracle Java 7 including 7u79 DO NOT SUPPORT GCM CIPHERSUITES**. (They are added in PAID version 7u191 up, and MAY be in OpenJDK versions.) If the server supports only a GCM ciphersuite you can't connect to it, except by going through a proxy or relay. – dave_thompson_085 Nov 25 '20 at 05:45
  • Sorry, I meant are they running on the same host or is the connection going through the Internet? – Savior Nov 25 '20 at 14:16
  • @dave_thompson_085 both the servers are running on office LAN using openjdk and both the servers running JBoss. What I am not understanding is if the script at https://superuser.com/questions/109213/how-do-i-list-the-ssl-tls-cipher-suites-a-particular-website-offers is able to successfully connect using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 then why is it giving error when I use it from program. – Sandeep Kumar Nov 25 '20 at 23:12
  • If you mean the script in the first & accepted answer at that link, it uses OpenSSL (specifically, `openssl` commandline which calls the OpenSSL libraries `libssl` and `libcrypto`) of a version that apparently supports GCM ciphersuites. Your client program is Java, and normal Java doesn't use OpenSSL, although WildFly 'native' can on _incoming_. The Java implementation of SSL/TLS is called JSSE, and as I said, JSSE in Oracle Java 7, except in recent paid versions you don't have, doesn't support GCM ciphersuites. That's why the exception says 'Unsupported'; it means that it is not supported. – dave_thompson_085 Nov 26 '20 at 19:28

1 Answer

As @dave_thompson_085 mentioned, the issue was with the cipher suite. I should have found out sooner :) The second server only had 2 cipher suites for TLS 1.2 (don't know why or how) and both were GCM and not supported by my server. Thanks for the help everybody.
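
The thread turns on the difference between what the `openssl` binary supports and what the client JVM's JSSE provider supports. The following is an added example, not code from the original posts: it asks JSSE directly, using only `javax.net.ssl` calls available on Java 7. The class name `JsseSuiteCheck` is hypothetical, and the default input is the two GCM suite names quoted in the thread.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (hypothetical class name); compiles on Java 7, so no lambdas or streams.
public class JsseSuiteCheck {

    // Returns the requested suites that this JVM's JSSE provider does not implement.
    static Set<String> unsupported(String[] supported, String[] requested) {
        Set<String> missing = new LinkedHashSet<String>(Arrays.asList(requested));
        missing.removeAll(Arrays.asList(supported));
        return missing;
    }

    public static void main(String[] args) throws Exception {
        // Default input: the two GCM suite names quoted in the thread.
        String[] wanted = args.length > 0 ? args : new String[] {
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        };

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust managers and RNG
        SSLEngine engine = ctx.createSSLEngine();

        System.out.println("java.version        : " + System.getProperty("java.version"));
        System.out.println("supported protocols : " + Arrays.toString(engine.getSupportedProtocols()));
        System.out.println("enabled protocols   : " + Arrays.toString(engine.getEnabledProtocols()));

        Set<String> missing = unsupported(engine.getSupportedCipherSuites(), wanted);
        for (String suite : wanted) {
            System.out.println((missing.contains(suite) ? "MISSING   " : "supported ") + suite);
        }

        // Enabling a suite the provider lacks fails before any handshake is attempted.
        try {
            engine.setEnabledCipherSuites(wanted);
            System.out.println("all requested suites can be enabled");
        } catch (IllegalArgumentException e) {
            System.out.println("setEnabledCipherSuites rejected the list: " + e.getMessage());
        }
        System.exit(missing.isEmpty() ? 0 : 1);
    }
}
```

Run it with the same `java` binary that launches the client application, since the result depends on that JVM's JSSE provider and not on any OpenSSL installed on the host.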