1

I am using Java version:

java version "1.7.0_171"
OpenJDK Runtime Environment (amzn-2.6.13.0.76.amzn1-x86_64 u171-b01)
OpenJDK 64-Bit Server VM (build 24.171-b01, mixed mode)

When I try to call an HTTPS web service, I get an exception:

java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    at sun.security.ssl.CipherSuite.valueOf(CipherSuite.java:235)
    at sun.security.ssl.CipherSuiteList.<init>(CipherSuiteList.java:82)
    at sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(SSLSocketImpl.java:2413)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)

The server's SSL connection is using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.

This is the server information:

* TCP_NODELAY set
* Connected to api..... (1xx.2xx.1xx.1xx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* ALPN, server accepted to use http/1.1
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*   subject: CN=api.....
*   start date: Apr 27 09:29:11 2018 GMT
*   expire date: Jul 26 09:29:11 2018 GMT
*   common name: api.server1.ih.testenv.io
*   issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> GET / HTTP/1.1
> Host: api.server1.ih.testenv.io
> User-Agent: curl/7.53.1
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Server: nginx/1.10.3 (Ubuntu)
< Date: Thu, 03 May 2018 08:43:05 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 39
< Connection: keep-alive
< cache-control: max-age=0, private, must-revalidate
< x-request-id: 2klhbq0t5ahtlndlmc0003k2

How can I support this cipher suite?

EDIT: I cannot upgrade to Java 8.

Frode Lillerud
Melad Basilius
  • `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` is supported in Java 8 and onwards. I don't know of any way to support this Cipher Suite in Java 7 other than relying on an external security provider. Compare https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html for a list of supported Cipher Suites (replace 7 with 8 for java 8 instead of 7) – Ben May 03 '18 at 09:44
  • This ciphersuite is supported from JDK 7u191, which is not free however https://www.oracle.com/technetwork/java/javase/documentation/javase7supportreleasenotes-1601161.html#R170_191 – Leo Mar 31 '20 at 10:32

2 Answers

4

The problem is that TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and most other GCM cipher suites are not supported by the default security provider found in Java 7. Support for those was added in Java 8.

You can compare the specification and supported cipher suites for Java 7 and Java 8 for confirmation here.

As your edit suggests that you cannot upgrade to Java 8 at this point, I don't think you have many choices other than using an external security provider.

An example would be the Legion of the Bouncy Castle Java cryptography APIs, which include a security provider for both the JCE and the JCA. Using an external security provider obviously means dealing with its licensing model, which for Bouncy Castle is quite simple, though, as they use a slightly adapted version of the MIT License.

There are good tutorials out there on how to change the default security provider for Java; a quick search should help here.

Ben
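Added example, not part of the answer above or of the asker's code: a JDK-only check that lists which of the wanted suites the running JVM actually implements and enables only those, so `setEnabledCipherSuites` does not throw the `IllegalArgumentException` from the question. The class name `CipherSuiteCheck` and every `WANTED` entry after the first are assumptions chosen for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class CipherSuiteCheck {
    // Suites the client would like to offer, in preference order. The first is the
    // suite from the question; the remaining entries are constructed sample values.
    static final String[] WANTED = {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    };

    // Keep only the wanted suites this JVM's providers implement, preserving order.
    static List<String> usable(String[] wanted, String[] supported) {
        Set<String> have = new HashSet<String>(Arrays.asList(supported));
        List<String> out = new ArrayList<String>();
        for (String suite : wanted) {
            if (have.contains(suite)) out.add(suite);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        List<String> ok = usable(WANTED, factory.getSupportedCipherSuites());
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String suite : WANTED) {
            System.out.println((ok.contains(suite) ? "supported    " : "NOT supported") + " " + suite);
        }
        if (ok.isEmpty()) {
            // Fail closed instead of silently falling back to the JVM's default list.
            throw new IllegalStateException("none of the required cipher suites is available");
        }
        SSLSocket socket = (SSLSocket) factory.createSocket(); // unconnected, no network I/O
        try {
            // Every name passed here is known to the provider, so no IllegalArgumentException.
            socket.setEnabledCipherSuites(ok.toArray(new String[ok.size()]));
            System.out.println("enabled: " + Arrays.toString(socket.getEnabledCipherSuites()));
        } finally {
            socket.close();
        }
    }
}
```

Filtering only avoids the client-side exception: if the server accepts nothing but the GCM suite, the handshake will still fail until a provider that implements it is installed.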
1

In order to debug this problem, try adding "-Djavax.net.debug=ssl" when running your client application:

java -Djavax.net.debug=ssl com.sample.Test

Or from the command line using OpenSSL:

openssl s_client -cipher 'ECDHE-RSA-AES256-GCM-SHA384' -connect api.server:443

If you have control/access to the server, try to add this cipher on the server side.

If you are using NGinx: How to add ssl cipher to ssl_ciphers in nginx

Caution

In some environments, certain algorithms or key lengths may be undesirable when using SSL/TLS. This section describes the mechanism for disabling algorithms during SSL/TLS security parameters negotiation, including protocol version negotiation, cipher suites selection, peer authentication and key exchange mechanisms.

  • To determine the default value for the property "jdk.certpath.disabledAlgorithms" and the syntax, check the "jre/lib/security/java.security" file

Please also check this thread here:

vpa2