
I have this list of enabled and supported ciphers in Java:

-----------SUPPORTED CIPHERS-------------

Supported cipher suites:
 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 SSL_DHE_DSS_WITH_DES_CBC_SHA
 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_DHE_RSA_WITH_DES_CBC_SHA
 SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
 SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
 SSL_DH_anon_WITH_DES_CBC_SHA
 SSL_DH_anon_WITH_RC4_128_MD5
 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
 SSL_RSA_EXPORT_WITH_RC4_40_MD5
 SSL_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_RSA_WITH_DES_CBC_SHA
 SSL_RSA_WITH_NULL_MD5
 SSL_RSA_WITH_NULL_SHA
 SSL_RSA_WITH_RC4_128_MD5
 SSL_RSA_WITH_RC4_128_SHA
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 TLS_DH_anon_WITH_AES_128_CBC_SHA
 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
 TLS_KRB5_EXPORT_WITH_RC4_40_MD5
 TLS_KRB5_EXPORT_WITH_RC4_40_SHA
 TLS_KRB5_WITH_3DES_EDE_CBC_MD5
 TLS_KRB5_WITH_3DES_EDE_CBC_SHA
 TLS_KRB5_WITH_DES_CBC_MD5
 TLS_KRB5_WITH_DES_CBC_SHA
 TLS_KRB5_WITH_RC4_128_MD5
 TLS_KRB5_WITH_RC4_128_SHA
 TLS_RSA_WITH_AES_128_CBC_SHA
-----------ENABLED CIPHERS---------------

Enabled cipher suites:
 SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
 SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
 SSL_DHE_DSS_WITH_DES_CBC_SHA
 SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_DHE_RSA_WITH_DES_CBC_SHA
 SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
 SSL_RSA_EXPORT_WITH_RC4_40_MD5
 SSL_RSA_WITH_3DES_EDE_CBC_SHA
 SSL_RSA_WITH_DES_CBC_SHA
 SSL_RSA_WITH_RC4_128_MD5
 SSL_RSA_WITH_RC4_128_SHA
 TLS_DHE_DSS_WITH_AES_128_CBC_SHA
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 TLS_RSA_WITH_AES_128_CBC_SHA

However, the cipher I need available is TLS_RSA_WITH_AES_256_CBC_SHA.

I obtained this info by writing a quick Java class which runs getSupportedCipherSuites() and getEnabledCipherSuites(). I have run this on JRE 6 32 and 64 bit and also on JRE 7 32 and 64 bit, but due to the systems I am working with, I have to run a 32-bit JRE. I cannot find anything online other than this list of which ciphers should be supported: http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

This link shows the cipher I am looking for as available, but after checking I obviously don't see it as available to me. My question is, is there any way to add this cipher in, or a different version of Java that I can use which will have this available? Also, how can those which are supported but not enabled be enabled?

As a note, I do have the files located here installed for Java 6: http://www.oracle.com/technetwork/java/javase/downloads/jce-6-download-429243.html and here for Java 7: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html. I already had the files and overwrote them anyway with the files downloaded from those links. It did not help.

This is all to lead to working with Tomcat in Eclipse. When trying to run Tomcat with a working certificate I get this: java.io.IOException: SSL configuration is invalid due to No available certificate or key corresponds to the SSL cipher suites which are enabled.

While this usually points to an alias not being stated, in my situation I believe my problem is related to the cipher.

wondergoat77

1 Answer

I would start by using the Legion of the Bouncy Castle, and per the directions here I would triple check that:

> Be careful if you are using Windows as the JDK install will normally install a JRE and a JDK in two separate places - generally both of these will need to have the policy files installed in it.

Elliott Frisch
  • I tried copying "bcprov-ext-jdk15on-152.jar" in the $JDK_HOME$\jre\lib\ext and edited java.security file to add the provider but I still don't get the "TLS_RSA_WITH_AES_256_CBC_SHA" in the supported cipher list. What could be missing? – Andy Dufresne May 21 '15 at 07:35
  • An alternative was to apply JCE jars - http://stackoverflow.com/a/30370530/537503. This worked! – Andy Dufresne May 22 '15 at 09:50
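
A diagnostic for the situation discussed in this thread, added here as an example and not taken from any of the posts: it reports which runtime is actually executing, the maximum AES key length its JCE policy allows, and whether the suite from the question is supported and enabled, then enables it on one engine. The class name `CipherSuiteCheck` and the helper `aes256Allowed` are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (hypothetical class name), written to compile on Java 6 and later.
public class CipherSuiteCheck {
    // The suite named in the question.
    static final String TARGET = "TLS_RSA_WITH_AES_256_CBC_SHA";

    // True when the JCE policy of this runtime permits AES keys of 256 bits or more.
    static boolean aes256Allowed() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    public static void main(String[] args) throws Exception {
        // Policy files are installed per runtime, so print which one is running:
        // a JDK and a standalone JRE each have their own lib/security directory.
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        // 128 means the limited policy is active; Integer.MAX_VALUE means unlimited.
        System.out.println("max AES key  = " + Cipher.getMaxAllowedKeyLength("AES"));

        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        List<String> supported = Arrays.asList(engine.getSupportedCipherSuites());
        List<String> enabled = Arrays.asList(engine.getEnabledCipherSuites());
        System.out.println("supported    = " + supported.contains(TARGET));
        System.out.println("enabled      = " + enabled.contains(TARGET));

        if (!supported.contains(TARGET)) {
            System.out.println(aes256Allowed()
                ? "Policy allows AES-256, but the TLS provider does not offer the suite."
                : "Limited policy active: check the policy files under the java.home above.");
            return;
        }

        // A supported suite is turned on by name. An unsupported name makes
        // setEnabledCipherSuites throw IllegalArgumentException, hence the check above.
        engine.setEnabledCipherSuites(new String[] { TARGET });
        System.out.println("now enabled  = "
            + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

Run it with the same `java` binary that launches Tomcat, since the `java.home` line is what shows whether the policy files were copied into the runtime in use. The `setEnabledCipherSuites` call affects only that one `SSLEngine`.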