One of my test tools(I only have the binary), uses java for TLS communication. Since standard java does not provide support, Bouncy Castle is used for ciphers that use CCM. After configuring Bouncy Castle, my tool works for majority of CCM related ciphers (Eg: TLS_DHE_RSA_WITH_AES_128_CCM). However, the tool fails for TLS_RSA_WITH_AES_128_CCM cipher suite.
Below is the error trace:
14:34:15.350 INFO - Start TCP Listener on 0.0.0.0/0.0.0.0:10075 14:34:23.818 INFO - Accept connection Socket[addr=/127.0.0.1,port=53357,localport=10075] 14:34:23.831 DEBUG
- /127.0.0.1:10075<-/127.0.0.1:53357(1): enter state: Sta2 - Transport connection open May 02, 2022 2:34:23 PM org.bouncycastle.jsse.provider.ProvTlsServer notifyAlertRaised INFO: Server raised fatal(2) handshake_failure(40) alert: Failed to read record org.bouncycastle.tls.TlsFatalAlert: handshake_failure(40); No selectable cipher suite
at org.bouncycastle.tls.AbstractTlsServer.getSelectedCipherSuite(Unknown Source)
at org.bouncycastle.jsse.provider.ProvTlsServer.getSelectedCipherSuite(Unknown Source)
at org.bouncycastle.tls.TlsServerProtocol.generateServerHello(Unknown Source)
at org.bouncycastle.tls.TlsServerProtocol.handleHandshakeMessage(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source)
at org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source)
at org.bouncycastle.tls.TlsServerProtocol.accept(Unknown Source)
at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source)
at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.handshakeIfNecessary(Unknown Source)
at org.bouncycastle.jsse.provider.ProvSSLSocketDirect$AppDataInput.read(Unknown Source)
at org.dcm4che3.util.StreamUtils.readAvailable(StreamUtils.java:57)
at org.dcm4che3.util.StreamUtils.readFully(StreamUtils.java:68)
at org.dcm4che3.net.PDUDecoder.readFully(PDUDecoder.java:225)
at org.dcm4che3.net.PDUDecoder.nextPDU(PDUDecoder.java:159)
at org.dcm4che3.net.Association$2.run(Association.java:571)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
14:34:23.918 INFO - /127.0.0.1:10075<-/127.0.0.1:53357(1): i/o exception: org.bouncycastle.tls.TlsFatalAlert: handshake_failure(40); No selectable cipher suite in State: Sta2 - Transport connection open
Any pointers to why it fails for this cipher whereas TLS_DHE_RSA_WITH_AES_128_CCM works?
Thanks in advance.
CodePudding user response:
With help from BouncyCastle github forum, I have found the solution for the issue. It required 2 additional steps to be performed:
- Copy bcpkix-$version.jar to %JAVA_HOME%\lib\ext path
- Update ssl.KeyManagerFactory.algorithm=PKIX in java.security file