How do I set up the cipher suites in java/eclipse for an http client?

Question

Our server has just had it's cipher suites restricted to:

SSLCipherSpec ALL TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384

And now my test java client code fails with this message in the server log:

SSL Handshake Failed, No ciphers specified

and this stack trace on the client side:

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.ibm.jsse2.j.a(j.java:42)
    at com.ibm.jsse2.j.a(j.java:41)
    at com.ibm.jsse2.qc.b(qc.java:485)
    at com.ibm.jsse2.qc.a(qc.java:381)
    at com.ibm.jsse2.qc.h(qc.java:453)
    at com.ibm.jsse2.qc.a(qc.java:625)
    at com.ibm.jsse2.qc.startHandshake(qc.java:113)
    at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:188)
    at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:9)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1103)
    at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:84)

Can anyone advise what I need to setup in my HttpURLConnection to get it to use these restricted cipher suites? Or is this something I need to setup in the JVM arguments (in Eclipse)?

Many thanks

Answer 1

You're visibly using the IBM JSSE. According to its documentation (see Customizing JSSE -> Customization) ., this can be done by setting the https.cipherSuites system property:

This contains a comma-separated list of cipher suite names specifying which cipher suites to enable for use on this HttpsURLConnection .

This is of course exactly the same parameter as for the Sun/Oracle JSSE . (You might also find https.protocols useful, if you need to set the protocol too.)

If you want to achieve this on a per-connection basis, you can pass specific settings to your HttpsURLConnection using a custom SSLSocketFactory . Typically, you would implement your own SSLSocketFactory that delegates all calls to the default SSLSocketFactory ( SSLSocketFactory.getDefault() ), or an SSLSocketFactory coming from a custom SSLContext , but changes the SSLSocket created by any createSocket(...) method to change set its cipher suites. Something along these lines:

class MySSLSocketFactory {
     public Socket createSocket(...) {
         SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket(...);
         s.setEnabledCipherSuites(...);
         return s;
     }
     ...
 }

Then:

URLConnection urlConnection = url.openConnection();
HttpsURLConnection httpsUrlConnection = (HttpsURLConnection) urlConnection;
httpsUrlConnection.setSSLSocketFactory(new MySSLSocketFactory());

---

That said, the two cipher suites you're trying to use ( TLS_RSA_WITH_AES_128_GCM_SHA256 and TLS_RSA_WITH_AES_256_GCM_SHA384 ) have only been supported in the Oracle JRE since Java 8 , but they're already enabled by default there, so you shouldn't need any customisation.

The same table for the IBM® SDK, Java™ Technology Edition, Version 8 only has columns up to version 7, and these cipher suites are not listed at all. I'm not sure whether this is just a part of the documentation that has not been updated, or whether the IBM JSSE does not support these cipher suites, even in version 8.