Problem

If you use Sun JDK6 to run Java apps such as Atlassian Confluence (the page you're looking at now), JIRA, etc., via HTTPS, you might have noticed that your browser will not negotiate 256 bit ciphers. The sslscan tool confirms this, and reports:

Accepted  SSLv3  128 bits  DHE-RSA-AES128-SHA
Accepted  SSLv3  128 bits  AES128-SHA
Accepted  SSLv3  168 bits  EDH-RSA-DES-CBC3-SHA
Accepted  SSLv3  56 bits   EDH-RSA-DES-CBC-SHA
Accepted  SSLv3  40 bits   EXP-EDH-RSA-DES-CBC-SHA
Accepted  SSLv3  168 bits  DES-CBC3-SHA
Accepted  SSLv3  56 bits   DES-CBC-SHA
Accepted  SSLv3  40 bits   EXP-DES-CBC-SHA
Accepted  SSLv3  128 bits  RC4-SHA
Accepted  SSLv3  128 bits  RC4-MD5
Accepted  SSLv3  40 bits   EXP-RC4-MD5
Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
Accepted  TLSv1  128 bits  AES128-SHA
Accepted  TLSv1  168 bits  EDH-RSA-DES-CBC3-SHA
Accepted  TLSv1  56 bits   EDH-RSA-DES-CBC-SHA
Accepted  TLSv1  40 bits   EXP-EDH-RSA-DES-CBC-SHA
Accepted  TLSv1  168 bits  DES-CBC3-SHA
Accepted  TLSv1  56 bits   DES-CBC-SHA
Accepted  TLSv1  40 bits   EXP-DES-CBC-SHA
Accepted  TLSv1  128 bits  RC4-SHA
Accepted  TLSv1  128 bits  RC4-MD5
Accepted  TLSv1  40 bits   EXP-RC4-MD5

What is the problem here?

...

Due to import control restrictions for some countries, the Java Cryptography Extension (JCE) policy files shipped with the Java SE Development Kit and the Java SE Runtime Environment allow strong but limited cryptography to be used.

Fix

From the Sun website, download the JCE Unlimited Strength Jurisdiction Policy Files 6 Release Candidate.
Unpack the ZIP file - it will contain two jar files: local_policy.jar and US_export_policy.jar.
On our Ubuntu boxes we use the packages sun-java6-jdk, sun-java6-bin, and sun-java6-jre. The files in question are stored in /usr/lib/jvm/java-6-sun/jre/lib/security.

...

Your browser should now be able to negotiate 256 bit ciphers. This is also confirmed by running sslscan again, which will now report all the previously accepted ciphers, plus these ones:

Accepted  SSLv3  256 bits  AES256-SHA
Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
Accepted  TLSv1  256 bits  AES256-SHA
Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
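
The same result can be checked from inside the JVM, without a network scan. The following is an added example, not part of the original page: the class name JcePolicyCheck is hypothetical, and it uses only standard JDK 6 APIs to report the maximum AES key length the installed policy files allow and which AES-256 suites JSSE offers.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Set;
import java.util.TreeSet;
import javax.crypto.Cipher;
import javax.net.ssl.SSLServerSocketFactory;

// Added example (hypothetical class name). Written in Java 6 compatible syntax.
public class JcePolicyCheck {

    // True when the installed JCE policy files permit AES keys of 256 bits or more.
    static boolean allowsAes256() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    // AES-256 suites that the default JSSE server socket factory reports as supported.
    static Set<String> aes256Suites() {
        SSLServerSocketFactory factory =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        Set<String> suites = new TreeSet<String>();
        for (String name : factory.getSupportedCipherSuites()) {
            if (name.contains("AES_256")) {
                suites.add(name);
            }
        }
        return suites;
    }

    public static void main(String[] args) throws Exception {
        int max = Cipher.getMaxAllowedKeyLength("AES");
        Set<String> suites = aes256Suites();

        // java.home shows which JRE (and so which lib/security directory) was checked.
        System.out.println("java.home          : " + System.getProperty("java.home"));
        System.out.println("max AES key length : "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));
        System.out.println("AES-256 suites     : "
                + (suites.isEmpty() ? "none" : suites.toString()));

        if (!allowsAes256() || suites.isEmpty()) {
            System.out.println("RESULT: limited policy in effect, no 256 bit suites");
            System.exit(1);
        }
        System.out.println("RESULT: unlimited policy in effect");
    }
}
```

Compile and run it with the same java binary that starts the application, since the policy files are per-JRE and the printed java.home should match the directory where the jar files were replaced.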