I investigated whether the TLS cipher suites supported by Java 8 differ between OracleJDK, AdoptOpenJDK, and the OpenJDK packages provided by Linux distributions.
I created the following command line tool and got the list.
With the above tool, I obtained the lists for the following OpenJDK 8 builds.
The details of the version are as follows.
OracleJDK8 for Win64:
> java -version
java version "1.8.0_192"
Java(TM) SE Runtime Environment (build 1.8.0_192-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.192-b12, mixed mode)
AdoptOpenJDK8 for Win64:
> java -version
openjdk version "1.8.0_192"
OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_192-b12)
OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.192-b12, mixed mode)
CentOS7(64bit):
$ sudo yum install java-1.8.0-openjdk.x86_64
-> java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64 has been installed.
$ java -version
openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)
Amazon Linux 2(64bit):
$ sudo yum install java-1.8.0-openjdk.x86_64
-> java-1.8.0-openjdk-1.8.0.191.b12-0.amzn2.x86_64 has been installed.
$ java -version
openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)
Ubuntu 18.04 Bionic(64bit):
$ sudo apt update
$ sudo apt-get install openjdk-8-jdk
-> openjdk-8-jdk, 8u191-b12-0ubuntu0.18.04.1 has been installed.
$ java -version
openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-8u191-b12-0ubuntu0.18.04.1-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)
The following command results were redirected to a text file and saved in each environment.
java -jar java-jsse-cipher-suites-dump-demo-v201901.1.jar
java -Djava.security.properties=java.security.crypto.policy-limited -jar java-jsse-cipher-suites-dump-demo-v201901.1.jar
java -Djava.security.properties=java.security.crypto.policy-unlimited -jar java-jsse-cipher-suites-dump-demo-v201901.1.jar
https://github.com/msakamoto-sf/java-jsse-cipher-suites-dump-demo/tree/v201901.1/2019-01-14_result
Looking at the diffs for each, I got the following results:
is the same as the default state without customization of
crypto.policy = limited
was also the same in all the environments surveyed. Therefore, it seems that the following can be confirmed.
crypto.policy = unlimited
and it is in a secure state. Naturally, JSSE has been implemented in 100% pure Java from the start, and its source is managed by OpenJDK. Therefore, the same cipher suites can be used with any binary build, as long as it is built from the OpenJDK source without modification.
A "Cipher Suite that can be used only with Oracle JDK" could exist, but in these days when interoperability and security are important, it seems difficult to say whether such a thing would be allowed in the Java ecosystem. (It may be a special extension that can only be used by paid users of the Oracle JDK, but that is out of scope if the OpenJDK ecosystem is assumed.)
I had been wondering about that for a while ("Really? Is it true...?"), so I tried it briefly this time and could confirm that there was no difference. For more rigorous verification, it would be necessary to actually prepare a server socket for each combination of protocol version x single cipher suite and check whether the connection actually succeeds, but I did not go that far this time. So, I decided to verify the difference within the range that can be seen from the SSLContext.
For the time being, with regard to SSL / TLS cipher suites, I was relieved because I was able to confirm that "the cipher suites that can be used are the same with binaries from any vendor, for OpenJDK-based builds".
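The kind of dump that can be read from the SSLContext, as an added example that is not the author's tool from the repository linked above. The class name `CipherSuiteDump` and the output format are assumptions; it prints the effective crypto policy and the default and supported cipher suites per protocol, so the output of each JDK build can be saved and diffed.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (not the author's tool): dumps what one JDK build reports
// through SSLContext so the text output can be diffed between builds.
public class CipherSuiteDump {

    // Standard JSSE SSLContext algorithm names available in Java 8.
    private static final String[] PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"};

    public static void main(String[] args) throws Exception {
        System.out.println("java.version=" + System.getProperty("java.version"));
        System.out.println("java.vendor=" + System.getProperty("java.vendor"));
        // null means java.security does not set it and the build default applies.
        System.out.println("crypto.policy=" + Security.getProperty("crypto.policy"));
        // 128 under the limited policy, Integer.MAX_VALUE under unlimited.
        System.out.println("AES max key length=" + Cipher.getMaxAllowedKeyLength("AES"));

        for (String protocol : PROTOCOLS) {
            SSLContext ctx;
            try {
                ctx = SSLContext.getInstance(protocol);
            } catch (NoSuchAlgorithmException e) {
                System.out.println("[" + protocol + "] not available");
                continue;
            }
            ctx.init(null, null, null); // default key/trust managers and RNG
            dump(protocol, "default", ctx.getDefaultSSLParameters());
            dump(protocol, "supported", ctx.getSupportedSSLParameters());
        }
    }

    // Sorted output makes the diff independent of the suite preference order.
    private static void dump(String protocol, String kind, SSLParameters p) {
        System.out.println("[" + protocol + "] " + kind + " protocols="
                + Arrays.toString(p.getProtocols()));
        Set<String> suites = new TreeSet<>(Arrays.asList(p.getCipherSuites()));
        for (String suite : suites) {
            System.out.println("[" + protocol + "] " + kind + " " + suite);
        }
    }
}
```

Because the suites are sorted, this output shows which suites are present but not their preference order; drop the `TreeSet` to compare ordering as well.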