Problem
If you use Sun JDK6 to run Java apps such as Atlassian Confluence (the page you're looking at now), JIRA, etc, via HTTPS, you might have noticed that your browser will not negotiate any 256 bit ciphers. The sslscan tool confirms this, and reports:
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA Accepted SSLv3 128 bits AES128-SHA Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA Accepted SSLv3 56 bits EDH-RSA-DES-CBC-SHA Accepted SSLv3 40 bits EXP-EDH-RSA-DES-CBC-SHA Accepted SSLv3 168 bits DES-CBC3-SHA Accepted SSLv3 56 bits DES-CBC-SHA Accepted SSLv3 40 bits EXP-DES-CBC-SHA Accepted SSLv3 128 bits RC4-SHA Accepted SSLv3 128 bits RC4-MD5 Accepted SSLv3 40 bits EXP-RC4-MD5 Accepted TLSv1 128 bits DHE-RSA-AES128-SHA Accepted TLSv1 128 bits AES128-SHA Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA Accepted TLSv1 56 bits EDH-RSA-DES-CBC-SHA Accepted TLSv1 40 bits EXP-EDH-RSA-DES-CBC-SHA Accepted TLSv1 168 bits DES-CBC3-SHA Accepted TLSv1 56 bits DES-CBC-SHA Accepted TLSv1 40 bits EXP-DES-CBC-SHA Accepted TLSv1 128 bits RC4-SHA Accepted TLSv1 128 bits RC4-MD5 Accepted TLSv1 40 bits EXP-RC4-MD5
What is the problem here?
The apps themselves by default do not do anything with crypto, the issue is with the so-called policy files of JDK6. According to Sun:
Due to import control restrictions for some countries, the Java Cryptography Extension (JCE) policy files shipped with the Java SE Development Kit and the Java SE Runtime Environment allow strong but limited cryptography to be used.
Fix
From the Sun website, download the JCE Unlimited Strength Jurisdiction Policy Files 6 Release Candidate.
Unpack the ZIP file - it will contain two jar files: local_policy.jar and US_export_policy.jar.
On our Ubuntu boxes we use the packages sun-java6-jdk, sun-java6-bin, and sun-java6-jre. The files in question are stored in /usr/lib/jvm/java-6-sun/jre/lib/security
.
Replace the two jar files and restart your Java app.
Your browser should now be able to negotiate 256 bit ciphers. This is also confirmed by running sslscan
again, which will now report all the previously accepted ciphers, plus these ones:
Accepted SSLv3 256 bits AES256-SHA Accepted SSLv3 256 bits DHE-RSA-AES256-SHA Accepted TLSv1 256 bits AES256-SHA Accepted TLSv1 256 bits DHE-RSA-AES256-SHA