- Jamf Nation Community
- Products
- Jamf Pro
- Disabling weak ciphers on a Linux JSS - how do you...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Disabling weak ciphers on a Linux JSS - how do you make sense of it?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 01-26-2016 09:01 AM
I'm curious how other CentOS- or RHEL-hosted JSS admins are handling this.
I recently found that the JAMF article Configuring Supported Ciphers for Tomcat HTTPS Connections is only partially effective in my environment. We run a CentOS cluster that was set up using the manual installation/config guide. As recommended in release notes, we use OpenJDK and Tomcat 7.
The core problem I find with limiting tomcat to the recommended ciphers is that OpenJDK doesn't have them. I see two approaches to working around this, adding BouncyCastle as an OpenJDK provider, or using some other JDK (Oracle?).
I've got the BouncyCastle option working in my environment. but not how I would have expected. Because JAMF bundles a version of the bc provider in the jss web app, installing the latests bc provider in $JAVA_HOME/lib/ext/ causes some strange behavior. Instead, I symlinked to from $JAVA_HOME/lib/ext/bcprov.jar to .../tomcat/webapps/root/WEB-INF/lib/bcprov.jar, then referenced the provider in java.security as normal. This seems to be working well in that the web app initializes normally, and can access the recommended cipher set.
Aside from the obvious maintenance concerns this raises around updates(etc), how bad an idea do you find the BouncyCastle symlink workaround? What alternatives do you prefer?
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-28-2016 01:59 PM
Hi @mwright
Did you ever find a better solution to this? I'm seeing issues with iOS Self Service not able to connect to our server and I think it's because of this.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-29-2016 12:07 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-30-2016 08:45 AM
Hi @bentoms,
I've got those in my server.xml, but only this one is actually supported by OpenJDK 8:
In addition, if you are running Java 1.6 or a JDS instance in your environment, you must also include the following cipher: TLS_RSA_WITH_AES_128_CBC_SHA
When this is removed, Tomcat fails to start because of SSL handshake errors. I found this out when I tried to get the iOS Self Service app working. The webclip works, but the app gets a server communication error.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-30-2016 10:46 AM
@andykang ah, odd.
We're hosted on Ubuntu & do not need that cipher.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-30-2016 06:25 PM
I also had this problem. OpenJDK didn't have the necessary support for elliptic curve and was causing a lot of trouble, especially with iOS. Switching to Oracle Java resolved it. Chris Meyer wrote a very useful article exploring the cause: "How to use ECC with OpenJDK"
... The reason for this is hidden in the provider's code. The following lines are taken from sun.security.ec.SunEC:Additionally, the following can be found in SunECEntries class, after some entries have been added to the list:private static final long serialVersionUID = -2279741672933606418L; // flag indicating whether the full EC implementation is present // (when native library is absent then fewer EC algorithms are available) private static boolean useFullImplementation = true; static { try { AccessController.doPrivileged(new PrivilegedAction() { public Void run() { System.loadLibrary("sunec"); // check for native library return null; } }); } catch (UnsatisfiedLinkError e) { useFullImplementation = false; } } public SunEC() { super("SunEC", 1.7d, "Sun Elliptic Curve provider (EC, ECDSA, ECDH)"); // if there is no security manager installed, put directly into // the provider. Otherwise, create a temporary map and use a // doPrivileged() call at the end to transfer the contents if (System.getSecurityManager() == null) { SunECEntries.putEntries(this, useFullImplementation); } else { Map<Object, Object> map = new HashMap<Object, Object>(); SunECEntries.putEntries(map, useFullImplementation); AccessController.doPrivileged(new PutAllAction(this, map)); } }Ok, this explains the behaviour. The algorithms are only present if a native library could be successfully loaded.../ Register the algorithms below only when the full ECC implementation is available / if (!useFullImplementation) { return; }
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 10-31-2016 11:13 AM
Thanks @aurica
We switched to Oracle Java along with the JCE policy and it is now working with all ciphers.
