
I am trying to connect to a webservice through a Java client. I am using JRE 1.6 (IBM):

```
java version "1.6.0"
Java(TM) SE Runtime Environment (build pwi3260_26sr2fp1-20120622_01(SR2 FP1))
IBM J9 VM (build 2.6, JRE 1.6.0 Windows 7 x86-32 20120618_113791 (JIT enabled, A
OT enabled).
```

I have specified in my code to use TLSv1.2 for SSL security.

```java
System.setProperty("javax.net.debug", "ssl");
System.setProperty("https.protocols", "TLSv1.2");
```

And I specifically want the SHA256 message digest to be used while performing the handshake, but from the logs below I see that SHA256 is not being used.

```
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1438792776 bytes = { 179, 7, 242, 221, 47, 208, 29, 106,238, 203, 116, 71, 161, 184, 231, 114, 231, 208, 6, 66, 183, 12, 170, 245, 15, 62, 193, 235 }
Session ID:  {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST]
Compression Methods:  { 0 }
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA1withECDSA, SHA1withRSA, SHA256withDSA, SHA1withDSA, MD5withRSA
***
```

Could anyone suggest what I can do to enable using SHA256?

jww
Harsha
  • Maybe you could try Java 1.5, or maybe 1.4? Oh wait, it must be in Java 1.2 :) – Maarten Bodewes Feb 15 '16 at 22:11
  • @Maarten - I think [TLS 1.1 and 1.2 made their debut in Java 7](https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html). I think OP is in SSLv3 and TLS 1.0 territory due to the downlevel JVM. – jww Feb 15 '16 at 23:01
  • You could maybe try iSaSiLk or another 3rd party TLS library. But note that using TLS on an old runtime may not give you full protection. – Maarten Bodewes Feb 15 '16 at 23:19
  • What do you mean by "SHA256 ... used while performing handshake"? The signing algs for ServerKX, and ClientKX if authenticated, are controlled by sigalgs (which in your hello offers all SHA2s) and for TLSv1.2 the PRF uses HMAC-SHA256 for all older suites (including those you list). If your goal is security and not fetishising "256", what is important is for *certificates* to be signed with SHA256 or better, and that has nothing at all to do with the contents of ClientHello. – dave_thompson_085 Feb 16 '16 at 01:14
  • @jww OP is using the *IBM* JRE not the Oracle one, and IBM substitutes their own cryptoproviders including SSL. Note the log *says* TLSv1.2 and includes signature_algorithms which only exists in 1.2. – dave_thompson_085 Feb 16 '16 at 01:16
  • @dave_thompson_085 you are right. IBM used their own version of JRE. It actually supports TLSv1.2. – Harsha Feb 16 '16 at 15:41

1 Answer


> Could anyone suggest what I can do to enable using SHA256?

TLS 1.1 and 1.2 made their debut in Java 7. See the heading Cipher Suites, and the chart named Default Enabled Cipher Suites in the Java Cryptography Architecture.

If IBM's JVM has what you need such that it is available, then you need to do something like described in Which Cipher Suites to enable for SSL Socket to ensure they are enabled. Though not intuitive, available and enabled are two different things in Java.

Community
jww
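The difference between available and enabled suites that the answer points to, as an added example that is not part of the original answer or of any linked post: it lists the `*_SHA256` suites the JSSE provider implements, marks which of them are enabled by default, and then enables them explicitly. The class name `EnableSha256Suites` and the helper `sha256Suites` are hypothetical, and the code assumes the provider accepts `"TLSv1.2"` as an `SSLContext` name.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class EnableSha256Suites {

    // Pick implemented suites whose name ends in _SHA256, skipping unauthenticated
    // (anon) and unencrypted (NULL) ones. Works for both SSL_ and TLS_ name prefixes.
    static List<String> sha256Suites(String[] supported) {
        List<String> picked = new ArrayList<String>();
        for (String suite : supported) {
            if (suite.endsWith("_SHA256") && !suite.contains("_anon_") && !suite.contains("_NULL_")) {
                picked.add(suite);
            }
        }
        return picked;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2"); // assumption: name known to the provider
        ctx.init(null, null, null); // default key managers, trust managers and RNG

        SSLEngine engine = ctx.createSSLEngine(); // no network connection is made
        String[] supported = engine.getSupportedCipherSuites();      // "available"
        List<String> enabled = Arrays.asList(engine.getEnabledCipherSuites()); // "enabled"
        System.out.println("supported: " + supported.length + ", enabled by default: " + enabled.size());

        List<String> wanted = sha256Suites(supported);
        for (String suite : wanted) {
            System.out.println((enabled.contains(suite) ? "enabled    " : "available  ") + suite);
        }
        if (wanted.isEmpty()) {
            System.out.println("No *_SHA256 suites are implemented by this provider.");
            return;
        }
        // Only suites from the supported list may be enabled; others throw IllegalArgumentException.
        engine.setEnabledProtocols(new String[] {"TLSv1.2"});
        engine.setEnabledCipherSuites(wanted.toArray(new String[0]));
        System.out.println("now enabled: " + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

`SSLSocket` exposes the same `getSupportedCipherSuites`, `getEnabledCipherSuites` and `setEnabledCipherSuites` methods, so the same selection can be applied to a socket before the handshake starts.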