
Using IBM Rational® Software Architect for WebSphere Software Version: 9.0.0.1 with JDK 6

Trying to add ECDHE ciphers to the run time environment. At https://www.ibm.com/support/knowledgecenter/SSYKE2_6.0.0/com.ibm.java.security.component.60.doc/security-component/jsse2Docs/ciphersuites.html, IBM says "The second list shows the (ECDHE) cipher suites that are supported by the IBMJSSE provider, but disabled by default".

I can change ClientHello to TLSv1.0, TLSv1.1, or TLSv1.3 but the same Cipher Suites are always returned. None of them are ECDHE.

Greatly appreciate if anyone knows how to enable ECDHE ciphers.

Here is the console output.

    SSLContextImpl:  Using X509ExtendedKeyManager com.ibm.jsse2.hd
    SSLContextImpl:  Using X509TrustManager com.ibm.jsse2.pc
    JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
    trigger seeding of SecureRandom
    done seeding SecureRandom
    instantiated an instance of class com.ibm.jsse2.SSLSocketFactoryImpl
    IBMJSSE2 will not enable CBC protection
    IBMJSSE2 to send SCSV Cipher Suite on initial ClientHello
    JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.2
    JsseJCE:  Using cipher AES/CBC/NoPadding from provider TBD via init 
    CipherBox:  Using cipher AES/CBC/NoPadding from provider from init IBMJCE version 1.2
    IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default
    IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTIONAL or default taken
    IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.cert.check set to OFF or default

    Is initial handshake: true
    %% No cached client session
    *** ClientHello, TLSv1.2
    RandomCookie:  GMT: 1503070341 bytes = { 152, 50, 18, 78, 108, 96, 63, 98, 44, 14, 255, 58, 89, 161, 90, 194, 150, 17, 22, 60, 58, 30, 156, 194, 83, 148, 201, 11 }
    Session ID:  {}
    Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST]
    Compression Methods:  { 0 }
    Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA256withDSA, SHA1withDSA, MD5withRSA
    ***
    main, WRITE: TLSv1.2 Handshake, length = 121
    main, READ: TLSv1.2 Alert, length = 2
    main, RECV TLSv1 ALERT:  fatal, handshake_failure
    main, called closeSocket()
    main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    Exception in thread "main" javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at com.ibm.jsse2.o.a(o.java:8)
        at com.ibm.jsse2.o.a(o.java:4)
        at com.ibm.jsse2.SSLSocketImpl.b(SSLSocketImpl.java:40)
        at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:554)
        at com.ibm.jsse2.SSLSocketImpl.h(SSLSocketImpl.java:223)
        at com.ibm.jsse2.SSLSocketImpl.a(SSLSocketImpl.java:724)
        at com.ibm.jsse2.SSLSocketImpl.startHandshake(SSLSocketImpl.java:81)
        at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:8)
        at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:20)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1207)
        at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:390)
        at com.ibm.net.ssl.www2.protocol.https.b.getResponseCode(b.java:36)
        at Java6withHostHeader.main(Java6withHostHeader.java:94)
Eugène Adell
Mike T
  • You have to explicitly enable those ciphersuites, either by using the appropriate [`setEnabledCipherSuites()`](https://docs.oracle.com/javase/6/docs/api/javax/net/ssl/SSLSocket.html#setEnabledCipherSuites(java.lang.String%5B%5D)) call or by setting the `https.cipherSuites` [system property](https://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization) – President James K. Polk Feb 28 '18 at 20:48
  • @James - Do you know if IBM's Java 6 supports ECDHE? The EC ciphers were added to TLS at 1.1. Mike - Does the server have an EC certificate? You can't do EC if the server only has an RSA key. – jww Feb 28 '18 at 23:18
  • @jww: I'm not sure but I think so. Also, there are ECDHE_RSA ciphersuites that only require the usual RSA certificate, e.g. `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` – President James K. Polk Mar 01 '18 at 02:00
  • @jww: not really. 4492 was published almost the same time as 4346, but it does apply to 2246. Sun Java6 did implement ECC suites _in JSSE_, but they only work if you add a provider for the ECC primitives, such as BouncyCastle (Java7 has SunEC), while Sun Java6 did NOT implement 1.1 or 1.2 at all. OpenSSL similarly implemented ECC at 1.0.0 (2010) but 1.1 and 1.2 at 1.0.1 (2012). MikeT: Although IBM does not use the Sun/Oracle/OpenJDK providers, it might still have the same issue: does your JRE have a provider for the ECC primitives? And I concur with James you need to enable the suites. – dave_thompson_085 Mar 01 '18 at 06:05
  • FWIW near the link you gave, https://www.ibm.com/support/knowledgecenter/SSYKE2_6.0.0/com.ibm.java.security.component.60.doc/security-component/JceDocs/jca_spec.html under Appendix A does not list ECC, but under Appendix G it says "IBM provides more algorithms than Oracle. To get a list of IBM algorithms, run the JCEAlgorithms.java sample program" with a link, so maybe you need to try that. – dave_thompson_085 Mar 01 '18 at 06:31
  • @James - could not get the setEnabledCipherSuites() to work. They did not error, but did not change the client ciphers used during the handshake. I'm using the IBM RAD/RAS tool, and doing a Run command. Have not discovered a way to list all of the available ciphers. – Mike T Mar 01 '18 at 17:47
  • @jww - yes, but how do I enable the cipher suite for ECDHE? – Mike T Mar 01 '18 at 17:49
  • Solved it! First I used this code to list out the available ciphers which confirmed the required ciphers were installed and gave their correct names - https://confluence.atlassian.com/stashkb/files/679609085/679772359/1/1414093373406/Ciphers.java Then I set the below values under Run Configurations / VM Arguments and it worked. `-Dhttps.protocols="TLSv1.1" -Dhttps.cipherSuites="SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, etc."` Thank you all for your help. – Mike T Mar 01 '18 at 18:59
  • @MikeT: Please add the steps you took to solve the problem as an answer, you can (and should) answer your own question. Please include enough detail so that someone who is having the same problem and encounters your question will be able to solve their problem by reading your answer. – President James K. Polk Mar 01 '18 at 22:29

1 Answer

With the help of everyone who responded, I was able to figure this out. First I used this code to list out all the available ciphers which confirmed the required ECDHE ciphers were installed but not enabled, and it gave the correct spelling of each cipher - https://confluence.atlassian.com/stashkb/files/679609085/679772359/1/1414093373406/Ciphers.java

Then in the IDE, I set the below values under Run Configurations / VM Arguments and it worked.

    -Dhttps.protocols="TLSv1.1" -Dhttps.cipherSuites="SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, etc."

Thank you all for your help.

Mike T
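The check described in the answer (find ECDHE suites that are supported but not enabled, then feed their exact names to `https.cipherSuites`), as an added example that is not part of the original answer or the linked Ciphers.java. The class name `EcdheSuiteCheck` and the filter that skips NULL, anonymous, export, RC4 and DES/3DES suites are assumptions of this example; it uses only standard `javax.net.ssl` calls and is written to compile on Java 6.

```java
import java.util.*;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example (hypothetical class name), not code from the original page.
public class EcdheSuiteCheck {
    // ECDHE suites the provider supports but does not enable by default,
    // skipping NULL, anonymous, export, RC4 and DES/3DES suites (example policy).
    static List<String> disabledEcdhe(String[] supported, String[] enabledByDefault) {
        Set<String> enabled = new HashSet<String>(Arrays.asList(enabledByDefault));
        List<String> result = new ArrayList<String>();
        for (String suite : supported) {
            boolean weak = suite.contains("_NULL_") || suite.contains("_anon_")
                    || suite.contains("EXPORT") || suite.contains("RC4") || suite.contains("DES");
            if (suite.contains("_ECDHE_") && !enabled.contains(suite) && !weak) {
                result.add(suite);
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        List<String> ecdhe = disabledEcdhe(factory.getSupportedCipherSuites(),
                                           factory.getDefaultCipherSuites());
        if (ecdhe.isEmpty()) {
            System.out.println("No supported-but-disabled ECDHE suites found.");
            return;
        }
        // Unconnected socket: no network traffic, only checks the names are accepted.
        SSLSocket socket = (SSLSocket) factory.createSocket();
        try {
            socket.setEnabledCipherSuites(ecdhe.toArray(new String[ecdhe.size()]));
            System.out.println("Accepted: " + Arrays.toString(socket.getEnabledCipherSuites()));
        } finally {
            socket.close();
        }
        // Build the value for the https.cipherSuites system property.
        StringBuilder value = new StringBuilder();
        for (String suite : ecdhe) {
            if (value.length() > 0) value.append(',');
            value.append(suite);
        }
        System.out.println("-Dhttps.cipherSuites=" + value);
    }
}
```

Run it with the same JRE the application uses, since the supported list depends on the providers installed in that runtime.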