Problems with TLS ciphers on ARM

Michael Barnwell m.p.barnwell at gmail.com
Fri Jan 20 15:53:55 UTC 2017


Hi y'all,

I hope this is an appropriate place to send this. I believe I've identified
an issue with certain TLS ciphers when using OpenJDK 1.8.0_111 on ARMv7 and
I've reached the end of my abilities in terms of trying to solve them.

I have a fairly standard TLS endpoint, in this case it's an MQTT broker
which requires a client side certificate to connect, however I'm not even
getting past validating the server certificate so the test case doesn't
rely on that.

What I've found is that on a Raspberry Pi 3 running Ubuntu 16.04 and
OpenJDK, several ciphers will throw a "signature validation" error,
specifically the following cipher suites:

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

However, if I run the exact same test on Oracle JVM 1.8.0_121, the cipher
suites all work perfectly. Likewise, if I run the test on x86 using the
same version of OpenJDK, the tests run perfectly.

I've thrown a test together at https://github.com/mpbarnwell/tlstest - just
run mvn test and it'll try and connect to my TLS protected endpoint using
all the cipher suites available, one by one.

The different outputs from JVMs on ARM, x86 and Oracle vs OpenJDK can be
found at https://gist.github.com/mpbarnwell/663e041db10714a78b94fc12d4ac9a4e


Any help is much appreciated! I can provide more debug output but I didn't
want to get carried away if this is the wrong place.

Kind regards,
Michael Barnwell


More information about the aarch32-port-dev mailing list
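
The per-suite test described in the message above (offer one cipher suite at a time and record which handshakes fail) can be sketched as follows. This is an added example, not the code from the tlstest repository; the class name `CipherSuiteProbe` is hypothetical, and the host and port are command-line arguments supplied by whoever runs it.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical helper class (not from the original post).
public class CipherSuiteProbe {

    /** Handshakes once per supported suite; the value is "OK" or the failure text. */
    static Map<String, String> probe(String host, int port) throws Exception {
        // Default context: the JVM's own trust store validates the server certificate.
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        Map<String, String> results = new LinkedHashMap<>();
        for (String suite : factory.getSupportedCipherSuites()) {
            // Signalling value for secure renegotiation, not a negotiable suite.
            if (suite.equals("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
                continue;
            }
            try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
                socket.setSoTimeout(5000);
                // Offer exactly one suite so a failure is attributable to it.
                socket.setEnabledCipherSuites(new String[] { suite });
                socket.startHandshake();
                results.put(suite, "OK");
            } catch (Exception e) {
                // Includes suites the server simply refuses; read the message to tell
                // "no cipher suites in common" apart from a validation failure.
                results.put(suite, e.getClass().getSimpleName() + ": " + e.getMessage());
            }
        }
        return results;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java CipherSuiteProbe <host> <port>");
            System.exit(2);
        }
        // Header line so outputs from different JVMs and architectures can be diffed.
        System.out.println(System.getProperty("java.vm.name") + " "
                + System.getProperty("java.version") + " on "
                + System.getProperty("os.arch"));
        probe(args[0], Integer.parseInt(args[1]))
                .forEach((suite, result) -> System.out.println(suite + " -> " + result));
    }
}
```

Running it with `-Djavax.net.debug=ssl,handshake` adds the JSSE handshake trace for each attempt, which shows the step at which a failing suite aborts.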