Bouncy Castle and TLS_RSA_WITH_AES_128_CCM

Time:05-04

One of my test tools (I only have the binary) uses Java for TLS communication. Since standard Java does not provide support, Bouncy Castle is used for ciphers that use CCM. After configuring Bouncy Castle, my tool works for the majority of CCM-related ciphers (e.g. TLS_DHE_RSA_WITH_AES_128_CCM). However, the tool fails for the TLS_RSA_WITH_AES_128_CCM cipher suite.

Below is the error trace:

14:34:15.350 INFO  - Start TCP Listener on 0.0.0.0/0.0.0.0:10075
14:34:23.818 INFO  - Accept connection Socket[addr=/127.0.0.1,port=53357,localport=10075]
14:34:23.831 DEBUG - /127.0.0.1:10075<-/127.0.0.1:53357(1): enter state: Sta2 - Transport connection open
May 02, 2022 2:34:23 PM org.bouncycastle.jsse.provider.ProvTlsServer notifyAlertRaised
INFO: Server raised fatal(2) handshake_failure(40) alert: Failed to read record
org.bouncycastle.tls.TlsFatalAlert: handshake_failure(40); No selectable cipher suite
        at org.bouncycastle.tls.AbstractTlsServer.getSelectedCipherSuite(Unknown Source)
        at org.bouncycastle.jsse.provider.ProvTlsServer.getSelectedCipherSuite(Unknown Source)
        at org.bouncycastle.tls.TlsServerProtocol.generateServerHello(Unknown Source)
        at org.bouncycastle.tls.TlsServerProtocol.handleHandshakeMessage(Unknown Source)
        at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
        at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
        at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
        at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
        at org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source)
        at org.bouncycastle.tls.TlsServerProtocol.accept(Unknown Source)
        at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
        at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.handshakeIfNecessary(Unknown Source)
        at org.bouncycastle.jsse.provider.ProvSSLSocketDirect$AppDataInput.read(Unknown Source)
        at org.dcm4che3.util.StreamUtils.readAvailable(StreamUtils.java:57)
        at org.dcm4che3.util.StreamUtils.readFully(StreamUtils.java:68)
        at org.dcm4che3.net.PDUDecoder.readFully(PDUDecoder.java:225)
        at org.dcm4che3.net.PDUDecoder.nextPDU(PDUDecoder.java:159)
        at org.dcm4che3.net.Association$2.run(Association.java:571)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)

14:34:23.918 INFO  - /127.0.0.1:10075<-/127.0.0.1:53357(1): i/o exception: org.bouncycastle.tls.TlsFatalAlert: handshake_failure(40); No selectable cipher suite in State: Sta2 - Transport connection open

Any pointers to why it fails for this cipher whereas TLS_DHE_RSA_WITH_AES_128_CCM works?

Thanks in advance.

CodePudding user response:

With help from the BouncyCastle GitHub forum, I have found the solution for the issue. It required 2 additional steps to be performed:

  1. Copy bcpkix-$version.jar to %JAVA_HOME%\lib\ext path
  2. Update ssl.KeyManagerFactory.algorithm=PKIX in java.security file
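
A way to confirm that both steps took effect, as an added example that is not part of the original answer: run it with the same JRE the tool uses. It relies only on JDK APIs; the class name `CcmSuiteCheck` and the probe class used to detect bcpkix are choices made for this example.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Added diagnostic, not code from the original post. Uses JDK APIs only,
// so it compiles without the Bouncy Castle jars on the compile class path.
public class CcmSuiteCheck {
    static final String SUITE = "TLS_RSA_WITH_AES_128_CCM";
    // Probe class chosen for this example; it ships in the bcpkix jar.
    static final String BCPKIX_PROBE = "org.bouncycastle.cert.X509CertificateHolder";

    static boolean classPresent(String name) {
        try {
            Class.forName(name);
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    static Map<String, Object> check() {
        Map<String, Object> r = new LinkedHashMap<>();
        // Step 1: is bcpkix visible to this JVM?
        r.put("bcpkix visible", classPresent(BCPKIX_PROBE));
        // Step 2: value of ssl.KeyManagerFactory.algorithm (JDK default is SunX509).
        r.put("default KeyManagerFactory algorithm", KeyManagerFactory.getDefaultAlgorithm());
        r.put("BC provider registered", Security.getProvider("BC") != null);
        r.put("BCJSSE provider registered", Security.getProvider("BCJSSE") != null);
        try {
            SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
            ctx.init(null, null, null); // no key material needed to list suites
            r.put(SUITE + " supported", Arrays.asList(
                    ctx.getSupportedSSLParameters().getCipherSuites()).contains(SUITE));
            r.put(SUITE + " enabled by default", Arrays.asList(
                    ctx.getDefaultSSLParameters().getCipherSuites()).contains(SUITE));
        } catch (Exception e) {
            r.put("BCJSSE context", "unavailable: " + e);
        }
        return r;
    }

    public static void main(String[] args) {
        check().forEach((k, v) -> System.out.println(k + ": " + v));
    }
}
```

The `lib\ext` directory exists only up to Java 8; on later versions the jars go on the class path instead.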