Missing Common Cipher Suite in Payara 5

[Per Lindberg]

I am migrating from Glassfish 3 / Java 1.6 to Payara 5.184 / Java 1.8.0_192.

Unfortunately, some of our clients can't connect, because my Payara lacks the cipher suite SSL_RSA_WITH_3DES_EDE_CBC_SHA (as shown in the server console for http-listener-2). I believe that Java 8 support this cipher suite (see https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html).

How can I enable Payara 5 to provide this cipher suite?

[Rudy De Busscher]

Hi,

According to the information I can find, SSL_RSA_WITH_3DES_EDE_CBC_SHA belongs to SSLv3 which is disabled by default on JDK 8 (since u31) because it is insecure (and thus highly discouraged to use in production) (1)

You can try by enabling it again in the JDK. Have a look at the /jre/lib/security/java.security file, it contains a line like this

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \

    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

You should remove the SSLv3 entry from this list.

regards

Rudy

(1) https://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html