I think I figured out what the reason is.
I could reproduce the problem using this test code inside "appwork.utils" project:
Code:
public static void main(String[] args) throws NoSuchAlgorithmException {
HTTPConnectionFactory f = new HTTPConnectionFactory();
try {
HTTPProxy p = new HTTPProxy(TYPE.HTTPS, "ch250.nordvpn.com", 89);
HTTPConnection conn = f.createHTTPConnection(new URL("https://www.google.com"), p);
try {
conn.connect();
} catch (IOException e) {
e.printStackTrace();
}
} catch (MalformedURLException e) {
e.printStackTrace();
}
}
After some debugging I think the problem is that some hardcoded ciphers do get removed in the code of appwork.utils by the variable disabledCipherSuites:
Code:
protected void initCipherSuitesLists() {
// still so many servers with 'server-preferred order'
disabledCipherSuites.add("AES_128_GCM");
disabledCipherSuites.add("GCM");
switch (CrossSystem.getARCHFamily()) {
case X86:
// **External links are only visible to Support Staff**
// **External links are only visible to Support Staff**
// **External links are only visible to Support Staff**
if (JVMVersion.isMinimum(JVMVersion.JAVA_11)) {
// Java>=11, fixed known issues and we assume cpu aes-ni support
preferredCipherSuites.add("GCM");
} else {
// Java<=11, avoid due to known issues
avoidedCipherSuites.add("AES_128_GCM");
avoidedCipherSuites.add("GCM");
}
break;
case ARM:
if (CrossSystem.is64BitArch() && Application.is64BitJvm() && JVMVersion.isMinimum(JVMVersion.JAVA_11)) {
// Java>=11, fixed known issues and we assume 64bit java on armv8 cpu with hardware support
preferredCipherSuites.add("GCM");
} else {
avoidedCipherSuites.add("AES_128_GCM");
avoidedCipherSuites.add("GCM");
preferredCipherSuites.add("CHACHA20");
}
break;
default:
break;
}
}
I can successfully handshake with the proxy in question when I allow GCM by removing this line:
Code:
disabledCipherSuites.add("GCM");
I am not an expert there but it fits the fact that the proxy's supported ciphers always include GCM:
Code:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
I don't know why appwork.utils is removing GCM. I could not find indication that GCM is considered bad or something. But again I am not an expert there.
So could GCM maybe be supported in JD? Or maybe give the users an option to modify the ciphers suite themselfs or just an option to enable GCM specifically?