List: bouncycastle-crypto-dev
Subject: RE: [dev-crypto] Does BC actually provide cipher suites unavailable in Java 7?
From: "DiBaggio, Michael" <mdibaggio () cleo ! com>
Date: 2019-07-09 14:28:28
Message-ID: BYAPR17MB23758342DF2A41AA69F77105D5F10 () BYAPR17MB2375 ! namprd17 ! prod ! outlook ! com
Thanks to all who replied with suggestions. We were able to get this working, although it required a code change to explicitly pass in the BC JSSEProvider to the SSLContext.
Mike

Michael DiBaggio
Cleo | Sr Software Engineer II
Email: mdibaggio@cleo.com | Web: www.cleo.com
Join us for Cleo Connect 2019, October 7-10 in Orlando! Register today!
-----Original Message-----
From: Peter Dettman <peter.dettman@bouncycastle.org>
Sent: Monday, July 1, 2019 11:16 AM
To: dev-crypto@bouncycastle.org
Subject: Re: [dev-crypto] Does BC actually provide cipher suites unavailable in Java 7?
Hi Michael,
Responses inline:
On 1/7/19 9:14 pm, DiBaggio, Michael wrote:
> Hi everyone. I haven't pestered this list with my questions for
> several years, but I'm in a bind again.
>
> I am supporting a product that, for now, is absolutely restricted to
> Java 7. However, we have an application that connects to NetSuite, and
> about a week ago, NetSuite stopped allowing access to any of the
> ciphersuites we support out of the box.
>
> The ones we need to support are:
>
> * ECDHE-RSA-AES128-GCM-SHA256
> * ECDHE-RSA-AES256-GCM-SHA384
> * AES128-GCM-SHA256
> * AES256-GCM-SHA384
>
> None of which are available in Java 7.
BCJSSE supports the first two; the last 2 are TLS 1.3 ciphers which we don't support yet (TLS 1.3 that is). BCJSSE and all its implemented ciphersuites support Java versions back to Java 5.
> I copied the latest BCprov and BCtls jars into my jre/lib/ext, updated
> the java.security to list
> org.bouncycastle.jce.provider.BouncyCastleProvider and
> org.bouncycastle.jsse.provider.BouncyCastleJsseProvider as my first
> and second providers, and loaded the unlimited strength crypto policy jars.
> I then added the following arguments when I launch the application:
>
> -Dhttps.protocols=TLSv1.2
> -Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
So these are intended to configure HttpsURLConnection? BCJSSE should be fine with those settings, but note that BCJSSE itself is not the code that processes those properties.
> But I get an "unsupported cipher" exception.
Please provide the stack trace of this exception.
I would guess that the HTTPS code isn't actually selecting BCJSSE for some reason. I would suggest debugging into HttpsURLConnection to find out how it's setting up an SSLContext and whether (or why not) it's finding BCJSSE.
> So now I'm wondering if BC will actually provide ciphers it knows
> about if the underlying JRE doesn't support them. On the other hand,
> if it is possible, I would appreciate some advice.
Yes, all BCJSSE ciphersuites are implemented internally and do not rely on the underlying JRE. Available ciphersuites are in theory constrained by the cryptographic primitives available in your configured providers, but the BC provider supplies all of them in any case.
Regards,
Pete Dettman
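The fix Mike describes (asking for the BCJSSE provider by name rather than relying on java.security ordering), plus the check Pete suggests (does the SSLContext you actually got know the suite?), as an added example. This is not code from the thread, from Cleo or from Bouncy Castle; it assumes bcprov and bctls are on the classpath, registers the providers at runtime, and uses a placeholder host (`example.com`) and the two ECDHE-RSA GCM suite names in their JSSE spelling. Class and method names are the example's own.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/*
 * Added example (not from the thread): build the SSLContext from BCJSSE
 * explicitly instead of hoping the JRE's HTTPS code picks it up from
 * provider ordering, verify the required suites are present, and route
 * HttpsURLConnection through it.
 */
public class BcJsseExplicit {

    // The two suites the thread says BCJSSE implements on Java 7 (TLS 1.2, ECDHE-RSA, AES-GCM).
    static final String[] WANTED_SUITES = {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    };

    /** Register BC (JCA primitives) and BCJSSE (TLS engine) ahead of the JRE's own providers. */
    static void registerProviders() {
        if (Security.getProvider("BC") == null) {
            Security.insertProviderAt(new BouncyCastleProvider(), 1);
        }
        if (Security.getProvider("BCJSSE") == null) {
            Security.insertProviderAt(new BouncyCastleJsseProvider(), 2);
        }
    }

    /** Ask for BCJSSE by name; SSLContext.getDefault() may still resolve to SunJSSE. */
    static SSLContext bcContext() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        // null key/trust managers: the provider builds its defaults
        // (javax.net.ssl.keyStore / trustStore properties, else the JRE cacerts).
        ctx.init(null, null, null);
        return ctx;
    }

    /** The check to run before debugging a handshake: does this context actually list the suites? */
    static boolean supportsAll(SSLContext ctx, String[] suites) {
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites());
        return supported.containsAll(Arrays.asList(suites));
    }

    /** One TLS 1.2 handshake restricted to the wanted suites, with hostname verification on. */
    static String negotiate(SSLContext ctx, String host, int port) throws Exception {
        SSLSocketFactory sf = ctx.getSocketFactory();
        SSLSocket s = (SSLSocket) sf.createSocket(host, port);
        try {
            SSLParameters p = s.getSSLParameters();
            p.setProtocols(new String[] { "TLSv1.2" });
            p.setCipherSuites(WANTED_SUITES);
            // A raw SSLSocket does not check the certificate name by itself; turn it on (Java 7+ API).
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();
            return s.getSession().getProtocol() + " " + s.getSession().getCipherSuite();
        } finally {
            s.close();
        }
    }

    public static void main(String[] args) throws Exception {
        registerProviders();
        SSLContext ctx = bcContext();
        System.out.println("SSLContext provider: " + ctx.getProvider().getName()); // expect BCJSSE
        if (!supportsAll(ctx, WANTED_SUITES)) {
            throw new IllegalStateException("BCJSSE context does not list the required suites: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getCipherSuites()));
        }
        // From here on HttpsURLConnection uses the BC context instead of whatever the JRE chose.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        String host = args.length > 0 ? args[0] : "example.com"; // placeholder host, not from the thread
        System.out.println("negotiated: " + negotiate(ctx, host, 443));
    }
}
```

The point of `supportsAll` is the one Pete makes: an "unsupported cipher" error from the JDK's HTTPS code tells you which provider the default context came from, not whether BCJSSE can do the suite. Printing `ctx.getProvider().getName()` and comparing the supported-suite list settles that in one run, before any handshake is attempted. Note that `https.protocols` / `https.cipherSuites` are interpreted by the JDK's HttpsURLConnection code, so once you hand it an explicit factory it is safer to pin protocol and suites on the `SSLParameters` yourself, as above.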