how to add unsupported cipher suites(not included in the default cipher suites) to client hello message

Question

the requirement is client shall support following cipher suites for TLS encryption：

  private String[] cipherSuites = new String[] {
          "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
          "TLS_DHE_RSA_WITH_AES_256_CBC_SHA ",
          "TLS_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_RSA_WITH_AES_256_CBC_SHA256",
          "TLS_RSA_WITH_AES_256_CBC_SHA",
          "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
          "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
          "TLS_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_RSA_WITH_AES_128_CBC_SHA256",
      };

this is the main code:

public static void main(String []args) throws IOException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://10.159.218.169:636/ou=LDAPConfData,ou=Nokia,dc=solution,dc=com");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=username,ou=People,dc=solution,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, "123456");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", CustomSocketFactory.class.getName());

        try {
            InitialDirContext context = new InitialDirContext(env);
        } catch (NamingException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }

override socket factory:

  @Override
  public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
    SSLSocketFactory sslFact = (SSLSocketFactory)SSLSocketFactory.getDefault();
    SSLSocket sslSocket = (SSLSocket) sslFact.createSocket(host, port);
    sslSocket.setEnabledCipherSuites(cipherSuites);
    return sslSocket;
  }

when run the main code, it will occur exception: Root exception is java.lang.IllegalArgumentException: Cannot support TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 with currently installed providers

the supported cipher suites size is 56, but only four require cipher in it. whether any solution to solve this question? thanks a lot.

Answer 1

The problem is caused by the US cryptography export restrictions. By default, you cannot use ciphers with a key size of 256 bit.

Due to import control restrictions by the governments of a few countries, the jurisdiction policy files shipped specify that “strong” but limited cryptography may be used. An “unlimited strength” version of these files indicating no restrictions on cryptographic strengths is available for those living in eligible countries (which is most countries). But only the “strong” version can be imported into those countries whose governments mandate restrictions. The JCE framework will enforce the restrictions specified in the installed jurisdiction policy files.

To disable the limitations, you will need to

• download the JCE unlimited strength jurisdiction

• Locate and change into the jre/lib/security directory

• remove local_policy.jar and US_export_policy.jar

• put the JCE unlimited strength jar files

Answer 2

Upgrade to a more recent version of Java 6, 7, or 8, unlimited strength crypto is supported in versions 8u161, 7u171, and 6u181 and higher. If you must use an earlier jre version, you'll have to drop the crypto extension jars into the jre/lib/security folder as detailed by Shilong's answer.