Mubeen

Reputation: 41

[Unsupported ciphersuite][Java SSLSocket]

I'm trying to connect to a server through SSLSocket using protocol TLSv1.2. The server only supports the following ciphers.

When I try to set the enabled cipher suites, I get the following exception:

java.lang.IllegalArgumentException: Unsupported ciphersuite ECDHE-ECDSA-AES128-GCM-SHA256
at sun.security.ssl.CipherSuite.valueOf(Unknown Source) ~[?:1.8.0_74]
at sun.security.ssl.CipherSuiteList.<init>(Unknown Source) ~[?:1.8.0_74]
at sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(Unknown Source) ~[?:1.8.0_74]

I tried replacing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 8 in C:\Program Files\Java\jdk1.8.0_92\jre\lib\security with the files from the following URL, but I am still unable to connect to the server.

URL: https://www.oracle.com/java/technologies/javase-jce8-downloads.html

I'm using the following code to create the SSLSocket:

protected void openSocket() throws IOException {
    LGR.info("Opening SSL socket to " + addr + ":" + port);
    String[] TLS_SUPPORTED_VERSIONS = new String[] { "TLSv1.2" };
    String[] CIPHER_SUITES = new String[] { "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-SHA256" };
    try {
        SSLSocket socket = (SSLSocket) SSLSocketFactory.getDefault().createSocket(addr, port);
        socket.setEnabledProtocols(TLS_SUPPORTED_VERSIONS);
        socket.setEnabledCipherSuites(CIPHER_SUITES);
        
    } catch (Exception ex) {
        LGR.error("##Exception##", ex);
    } catch (Throwable ex) {
        LGR.error("##Throwable##", ex);
    }
}

Upvotes: 1

Views: 3986

Answers (1)

Peter Walser

Reputation: 15706

You can list the supported cipher suites using:

SSLSocketFactory socketFactory = SSLContext.getDefault().getSocketFactory();
for (String cipherSuite : socketFactory.getSupportedCipherSuites()) {
    System.out.println(cipherSuite);
}

The following entry matches your requested suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.

You no longer need the JCE Unlimited Strength Jurisdiction Policy Files:

  • in Java 8 u151/u152 the policy files were included in the standard Java distribution, but needed to be enabled explicitly: Security.setProperty("crypto.policy", "unlimited");
  • since Java 8 u161+ (and in all upcoming Java versions), these policy files are included, and unlimited crypto policy enabled by default.

You can verify it as follows: Cipher.getMaxAllowedKeyLength("AES") should return Integer.MAX_VALUE when unlimited strength is enabled.

Upvotes: 1
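
Added example (not part of the question or the answer above): it translates the three OpenSSL-style names from the question into the standard names JSSE expects, keeps only those the running JRE reports as supported, and enables them on an unconnected socket so nothing touches the network. The class name `CipherSuiteCheck` and the mapping table are assumptions made for this sketch; the table covers only the three suites in the question.

```java
import java.util.*;
import javax.crypto.Cipher;
import javax.net.ssl.*;

public class CipherSuiteCheck {
    // OpenSSL-style names from the question -> standard (IANA/JSSE) names.
    static final Map<String, String> OPENSSL_TO_JSSE = new LinkedHashMap<>();
    static {
        OPENSSL_TO_JSSE.put("ECDHE-ECDSA-AES128-GCM-SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256");
        OPENSSL_TO_JSSE.put("ECDHE-RSA-AES128-GCM-SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
        OPENSSL_TO_JSSE.put("ECDHE-ECDSA-AES128-SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256");
    }

    /** Returns the JSSE names this runtime supports, in the requested order. */
    static String[] usableSuites(Collection<String> opensslNames, String[] supported) {
        Set<String> supportedSet = new HashSet<>(Arrays.asList(supported));
        List<String> usable = new ArrayList<>();
        for (String name : opensslNames) {
            String jsse = OPENSSL_TO_JSSE.get(name);
            if (jsse == null) {
                System.err.println("No mapping for " + name);
            } else if (!supportedSet.contains(jsse)) {
                System.err.println(jsse + " is not supported by this JRE");
            } else {
                usable.add(jsse);
            }
        }
        return usable.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        String[] suites = usableSuites(OPENSSL_TO_JSSE.keySet(), factory.getSupportedCipherSuites());
        if (suites.length == 0) {
            throw new IllegalStateException("None of the server's suites are available in this JRE");
        }
        // Unconnected socket: the settings are validated without any network access.
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            socket.setEnabledProtocols(new String[] { "TLSv1.2" });
            socket.setEnabledCipherSuites(suites); // standard names are accepted here
            System.out.println("Enabled: " + Arrays.toString(socket.getEnabledCipherSuites()));
        }
        // Integer.MAX_VALUE indicates the unlimited crypto policy is active.
        System.out.println("Max AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));
    }
}
```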
