How to enable ECDHE ciphers with openjdk 14 on an Alpine docker container?

Others 2022-04-22 02:48:36 views: 0
Pierre Leonard :

One API I have to use for my app only supports ECDHE ciphers for TLS connections. 

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 15.16 seconds

It looks like my app doesn't support those, I get: 

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Here's the list of ciphers I can see in the logs:

"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "FE 6E D4 06 07 51 D0 66 1A 6A B8 60 84 B0 C7 9F 07 82 8F 92 13 48 2A 72 DC BD 80 39 B9 33 7A 1D",
  "session id"          : "8C 37 D0 37 88 6C D6 5C 59 94 5B AD E6 6E 0F 50 1D F2 9E 06 F6 17 3F 85 44 AB 12 82 E1 1F F5 53",
  "cipher suites"       : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",

And my Dockerfile

FROM alpine:3.10 as jdk-14-alpine

# Add the musl-based JDK 14 distribution
RUN apk update \
    && apk add wget \
    && apk --no-cache add ca-certificates

RUN wget -q https://download.java.net/java/early_access/alpine/12/binaries/openjdk-14-ea+12_linux-x64-musl_bin.tar.gz && \
    echo "f6247b208eae214562ec69ec928a238ec26a15b7d18a435523c3ceb3f3f18a7c *openjdk-14-ea+12_linux-x64-musl_bin.tar.gz" | sha256sum -c -
RUN tar -x -f openjdk-14-ea+12_linux-x64-musl_bin.tar.gz -C /opt
RUN rm openjdk-14-ea+12_linux-x64-musl_bin.tar.gz

# Set up env variables
ENV JAVA_HOME=/opt/jdk-14
ENV PATH=$PATH:$JAVA_HOME/bin

# Strip away unnecessary parts of the JDK
# The java.desktop module is needed because Jersey's RenderedImageProvider references java.awt.image.RenderedImage
# The java.sql module is needed because Snakeyaml's Tag references java.sql.Date

RUN jlink --module-path /opt/jdk-14/jmods \
    --add-modules java.base,java.logging,java.xml,jdk.unsupported,java.desktop,java.management,java.naming,java.sql,jdk.jdi,jdk.jdwp.agent \
    --compress 2 \
    --no-header-files \
    --output /opt/jdk-14-alpine-linked

CMD ["/opt/jdk-14-alpine-linked/bin/java", "-version"]

FROM alpine:3.10

# Copy the stripped JDK 14 from the previous stage
COPY --from=jdk-14-alpine /opt/jdk-14-alpine-linked /opt/jdk-14
COPY --from=jdk-14-alpine /opt/jdk-14-alpine-linked /opt/jre-14
ENV JAVA_HOME=/opt/jre-14
ENV PATH=$PATH:$JAVA_HOME/bin

# Add the application jar file
ADD target/app-backend.jar /opt/app/app-backend.jar

ADD run.sh /opt/app/run.sh
RUN chmod +x /opt/app/run.sh


CMD ["sh", "/opt/app/run.sh"]

I tried to enable unlimited security by adding 

Security.setProperty("crypto.policy", "unlimited");

But it didn't make a difference. I also tried to add bouncycastle in my pom file and I instead got:

Caused by: java.lang.RuntimeException: Could not generate XDH keypair

This could be fixed by applying the solution described here but then I get back to the initial error.

Any idea of what I could do? I works on my local machine, it's only when I deploy that the issue appears.

This app is using Apache http so an alternative would be to inject support for these ciphers directly at that level. Can it be done?

Pierre Leonard :

This actually has nothing to do with Alpine or OpenJDK 14. I found the solution at http://www.gubatron.com/blog/2019/04/25/solving-received-fatal-alert-handshake_failure-error-when-performing-https-connections-on-a-custom-made-jre-with-jlink/ , just add jdk.crypto.cryptoki to the list of modules to add with jlink

Guess you like

Origin http://43.154.161.224:23101/article/api/json?id=165714&siteId=1
Recommended
NetBSD bans submission of code generated by AI
Ranking
Talk dubbo of LRUCache
Chapter 1 Learning Summary
Introduction to Virtualization
pytorch 调用lstm
Six modules
[8086] The natural number of 1 to 36 into a 6x6 two-dimensional array of line-sequentially, and then print out the lower left half of the triangular array
mybatis mapper mapping file $ # {} {} understanding and
C language input and output buffer
c language floating-point input and output
andorid P version compatible, refer to Huawei
Daily
More
2024-05-18(31)
2024-05-17(6)
2024-05-16(23)
2024-05-15(5)
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)

Code World

© 2018 codetd.com