security - java ssl error Cannot support TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Question

I have one java based application which is provided by some clients . I get below error when I try to run that application, when I contacted the client they just asked to update JCE with 8 ,

I did below steps

1. Download the software from the Oracle JCE download site.
2. Unzipped the package and copy the files local_policy.jar and US_export_policy.jar into the JRE security libraries.

JRE — C:Program FilesJavajre1.8.0_144libsecurity

JDK — C:Program FilesJavajdk1.8.0_92jrelibsecurity

but still getting the below error.

23:12:53.652 ERROR [nioEventLoopGroup-4-5] c.s.w.s.s.h.CloudWebSocketFrameHandler - Cannot support TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 with currently installed providers java.lang.IllegalArgumentException: Cannot support TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 with currently installed providers at sun.security.ssl.CipherSuiteList.(CipherSuiteList.java:92) at sun.security.ssl.SSLEngineImpl.setEnabledCipherSuites(SSLEngineImpl.java:2038) at com.samsung.wwst.sdk.simulator.service.CloudClientManager.init(SamsungCloudClientManager.java:205) at com.samsung.wwst.sdk.simulator.handler.CloudWebSocketFrameHandler.channelRead(SamsungCloudWebSocketFrameHandler.java:72)

Answer 1

Note: This is not an answer, but a help for researching the issue.

Try listing all the cipher suites in your Java installation, using the following code.

SSLServerSocketFactory ssf = (SSLServerSocketFactory)SSLServerSocketFactory.getDefault();

TreeMap<String, Boolean> ciphers = new TreeMap<>();
for (String cipher : ssf.getSupportedCipherSuites())
    ciphers.put(cipher, Boolean.FALSE);
for (String cipher : ssf.getDefaultCipherSuites())
    ciphers.put(cipher, Boolean.TRUE);

System.out.println("Default Cipher");
for (Entry<String, Boolean> cipher : ciphers.entrySet())
    System.out.printf("   %-5s%s%n", (cipher.getValue() ? '*' : ' '), cipher.getKey());

When I run on jdk1.8.0_151 (Windows, 64-bit), I get the following output:

Default Cipher
        SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
   *    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_DSS_WITH_DES_CBC_SHA
        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
   *    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_RSA_WITH_DES_CBC_SHA
        SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
        SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
        SSL_DH_anon_WITH_DES_CBC_SHA
        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
   *    SSL_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_DES_CBC_SHA
        SSL_RSA_WITH_NULL_MD5
        SSL_RSA_WITH_NULL_SHA
   *    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
   *    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
   *    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
   *    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
   *    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
   *    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_DH_anon_WITH_AES_128_CBC_SHA
        TLS_DH_anon_WITH_AES_128_CBC_SHA256
        TLS_DH_anon_WITH_AES_128_GCM_SHA256
   *    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
   *    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
   *    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
   *    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_ECDSA_WITH_NULL_SHA
   *    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
   *    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
   *    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
   *    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDHE_RSA_WITH_NULL_SHA
   *    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
   *    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
   *    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
   *    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
        TLS_ECDH_ECDSA_WITH_NULL_SHA
   *    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
   *    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
   *    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
   *    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
        TLS_ECDH_RSA_WITH_NULL_SHA
        TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
        TLS_ECDH_anon_WITH_AES_128_CBC_SHA
        TLS_ECDH_anon_WITH_NULL_SHA
   *    TLS_EMPTY_RENEGOTIATION_INFO_SCSV
        TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
        TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
        TLS_KRB5_WITH_3DES_EDE_CBC_MD5
        TLS_KRB5_WITH_3DES_EDE_CBC_SHA
        TLS_KRB5_WITH_DES_CBC_MD5
        TLS_KRB5_WITH_DES_CBC_SHA
   *    TLS_RSA_WITH_AES_128_CBC_SHA
   *    TLS_RSA_WITH_AES_128_CBC_SHA256
   *    TLS_RSA_WITH_AES_128_GCM_SHA256
        TLS_RSA_WITH_NULL_SHA256

When I then add the policy files you linked to, output changes to:

Default Cipher
        SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
   *    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_DSS_WITH_DES_CBC_SHA
        SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
   *    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_RSA_WITH_DES_CBC_SHA
        SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
        SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
        SSL_DH_anon_WITH_DES_CBC_SHA
        SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
   *    SSL_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_DES_CBC_SHA
        SSL_RSA_WITH_NULL_MD5
        SSL_RSA_WITH_NULL_SHA
   *    TLS_DHE_DSS_WITH_AES_128_CBC_SHA
   *    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
   *    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
   *    TLS_DHE_DSS_WITH_AES_256_CBC_SHA
   *    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
   *    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
   *    TLS_DHE_RSA_WITH_AES_128_CBC_SHA
   *    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
   *    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
   *    TLS_DHE_RSA_WITH_AES_256_CBC_SHA
   *    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
   *    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
        TLS_DH_anon_WITH_AES_128_CBC_SHA
        TLS_DH_anon_WITH_AES_128_CBC_SHA256
        TLS_DH_anon_WITH_AES_128_GCM_SHA256
        TLS_DH_anon_WITH_AES_256_CBC_SHA
        TLS_DH_anon_WITH_AES_256_CBC_SHA256
        TLS_DH_anon_WITH_AES_256_GCM_SHA384
   *    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
   *    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
   *    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
   *    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
   *    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
   *    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
   *    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        TLS_ECDHE_ECDSA_WITH_NULL_SHA
   *    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
   *    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
   *    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
   *    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
   *    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
   *    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
   *    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        TLS_ECDHE_RSA_WITH_NULL_SHA
   *    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
   *    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
   *    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
   *    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
   *    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
   *    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
   *    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
        TLS_ECDH_ECDSA_WITH_NULL_SHA
   *    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
   *    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
   *    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
   *    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
   *    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
   *    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
   *    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
        TLS_ECDH_RSA_WITH_NULL_SHA
        TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
        TLS_ECDH_anon_WITH_AES_128_CBC_SHA
        TLS_ECDH_anon_WITH_AES_256_CBC_SHA
        TLS_ECDH_anon_WITH_NULL_SHA
   *    TLS_EMPTY_RENEGOTIATION_INFO_SCSV
        TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
        TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
        TLS_KRB5_WITH_3DES_EDE_CBC_MD5
        TLS_KRB5_WITH_3DES_EDE_CBC_SHA
        TLS_KRB5_WITH_DES_CBC_MD5
        TLS_KRB5_WITH_DES_CBC_SHA
   *    TLS_RSA_WITH_AES_128_CBC_SHA
   *    TLS_RSA_WITH_AES_128_CBC_SHA256
   *    TLS_RSA_WITH_AES_128_GCM_SHA256
   *    TLS_RSA_WITH_AES_256_CBC_SHA
   *    TLS_RSA_WITH_AES_256_CBC_SHA256
   *    TLS_RSA_WITH_AES_256_GCM_SHA384
        TLS_RSA_WITH_NULL_SHA256

As you can see, adding the policy files enables the AES 256 cipher suites.