
I'm troubleshooting a problem and trying to force a Java app to use the Cipher Suite = TLS_AES_256_GCM_SHA384.

But this is being ignored based on SSL debug handshake logging. I'll see a message like:

javax.net.ssl|DEBUG|27|http-bio-8443-exec-1|2023-03-22 15:24:23.221 GMT|
HandshakeContext.java:296|Ignore unsupported cipher suite: TLS_AES_256_GCM_SHA384 for TLSv1.2

I've placed this single log line on two lines for readability.

My questions are: What causes Java 11 to ignore this cipher suite? and Is there a way to make it get used?

Searching for solution

I found that openssl can list ciphers:

openssl ciphers -V | grep AES | grep GCM | grep 384
. . . not all shown . . .
  0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
  0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
  0x00,0xA5 - DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS   Au=DH   Enc=AESGCM(256) Mac=AEAD
  0x00,0x9D - AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD

I think the last one is the one I'm looking for, so perhaps the syntax I'm using is not correct.

Other SSL questions include:

PatS
  • For hysterical raisins OpenSSL uses ciphersuite names that differ from the standard ones used by Java and some can be misleading. OpenSSL `AES256-GCM-SHA384` is standard `TLS_RSA_WITH_AES_256_GCM_SHA384` (TLS1.2 only) not `TLS_AES_256_GCM_SHA384` (TLS1.3 only). See [the man page](https://www.openssl.org/docs/man3.0/man1/openssl-ciphers.html#CIPHER-SUITE-NAMES). – dave_thompson_085 Mar 22 '23 at 22:12

1 Answer


The cipher suite you've listed is supported in Java 11. The table at Java 11 Cipher Suites Supported documents the cipher suites supported and TLS_AES_256_GCM_SHA384 is included in that list.

At the end of the log message, the string `for TLSv1.2` appears. This appears because the cipher suite, while supported, is only supported for TLSv1.3, and so it's likely that the SSLManager context that was created or the connection that has been established was negotiated at version TLSv1.2 (by the server), so that cipher is not supported (in this situation).

To force it to be used, you might try only allowing TLSv1.3 to see if that fixes the problem and allows that cipher suite to be used.

PatS
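The protocol/suite mismatch discussed above can be reproduced locally without a server. This is an added example, not code from the question, the answer or the JDK: it enables only `TLS_AES_256_GCM_SHA384` on a client `SSLEngine` and tries to start a handshake once with TLSv1.2 only and once with TLSv1.3 only. The class name `Tls13SuiteCheck` and the peer `example.invalid` are assumptions, as is the expectation that a Java 11+ JSSE provider rejects an unusable protocol/suite combination in `beginHandshake()`.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import java.util.Arrays;

public class Tls13SuiteCheck {
    // The TLS 1.3-only suite from the question.
    static final String SUITE = "TLS_AES_256_GCM_SHA384";

    // Returns true if a client handshake can be started when only the given
    // protocol version and SUITE are enabled on the engine.
    static boolean canStart(SSLContext ctx, String protocol) {
        // Constructed peer name and port; SSLEngine performs no network I/O.
        SSLEngine engine = ctx.createSSLEngine("example.invalid", 8443);
        engine.setUseClientMode(true);
        engine.setEnabledProtocols(new String[] { protocol });
        engine.setEnabledCipherSuites(new String[] { SUITE });
        try {
            // Assumption: the provider works out the usable protocol/suite
            // pairs here and throws if none remain.
            engine.beginHandshake();
            return true;
        } catch (SSLException e) {
            System.out.println(protocol + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Is the suite known to the provider at all, independent of protocol version?
        boolean known = Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites())
                .contains(SUITE);
        System.out.println("provider supports " + SUITE + ": " + known);
        System.out.println("usable with TLSv1.2 only: " + canStart(ctx, "TLSv1.2"));
        System.out.println("usable with TLSv1.3 only: " + canStart(ctx, "TLSv1.3"));
    }
}
```

Running it with `-Djavax.net.debug=ssl:handshake` prints the provider's own handshake debug lines for each case, which can be compared with the log line in the question.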