Bouncy Castle Configuration for TLS


I am using a test app that uses Java for TLS communication. Standard Oracle Java is installed on my system.

I need to use the TLS_DHE_RSA_WITH_AES_128_CCM cipher suite, which is not supported by standard Java, so many suggested using Bouncy Castle. I downloaded and copied the bcprov-ext-jdk18on-171.jar to the $JAVA_HOME/lib folder. I also updated the java.security file to include Bouncy Castle in the provider list as below:

security.provider.4=org.bouncycastle.jce.provider.BouncyCastleProvider

I still cannot get TLS_DHE_RSA_WITH_AES_128_CCM to work though.

Are the steps I did sufficient and correct? Can someone suggest the steps to install and configure Bouncy Castle?

CodePudding user response:

No, because you need to not add the JCE provider first to the classpath as bctls-$version.jar as it is not included in the standard Bouncy Castle (BC) provider. It is required to register the TLS / JSSE provider as well:

Security.insertProviderAt(new org.bouncycastle.jsse.provider.BouncyCastleJsseProvider(), 1);

Or register it any other way, e.g. by including it in the java.security file.

As you probably want to use the provider for all if not most of your TLS needs, adding it at the highest priority makes sense. Note that the JSSE provider doesn't provide implementations such as RSA or AES for Cipher or Signature so it should not be in the way.

Note that the RSA and AES implementations of Sun could still be used by the Bouncy Castle JSSE provider, and since these are probably better tested and may use hardware acceleration, you'll probably want to make sure that the BouncyCastleProvider is loaded as the last provider in the list using addProvider. The provider may indeed be required, as CCM support seems to be missing from the default providers delivered with the standard Java installation.

In case you are wondering: JSSE is the Java Secure Socket Extension.
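
The provider ordering described in the answer, as an added example that is not part of the original post: it registers both providers, confirms that the resulting SSLContext actually offers the CCM suite, and restricts an engine to it. The class name BcCcmCheck is hypothetical, and the example assumes the matching bcprov and bctls jars (plus bcutil where the bctls build requires it) are on the classpath.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

// Hypothetical class name; added example, not code from the post.
public class BcCcmCheck {
    static final String SUITE = "TLS_DHE_RSA_WITH_AES_128_CCM";

    public static void main(String[] args) throws Exception {
        // TLS (JSSE) provider at the highest priority. Both calls return -1
        // without failing if the provider is already listed in java.security.
        Security.insertProviderAt(new BouncyCastleJsseProvider(), 1);
        // JCE provider last: the default providers keep serving RSA and AES,
        // while BC supplies what they lack (CCM mode).
        Security.addProvider(new BouncyCastleProvider());

        // Ask for the BCJSSE implementation explicitly so a misconfigured
        // provider list fails here instead of silently using the default.
        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(null, null, null); // default key/trust managers and RNG

        // Fail early if the suite is not offered, rather than at handshake time.
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        if (!Arrays.asList(supported).contains(SUITE)) {
            throw new IllegalStateException(
                SUITE + " is not offered by " + ctx.getProvider().getName());
        }

        // Restrict the engine to the one suite; it is a TLS 1.2 suite.
        SSLEngine engine = ctx.createSSLEngine();
        engine.setEnabledProtocols(new String[] { "TLSv1.2" });
        engine.setEnabledCipherSuites(new String[] { SUITE });

        System.out.println("Provider: " + ctx.getProvider().getName());
        System.out.println("Enabled:  "
            + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

The same setEnabledCipherSuites call applies to an SSLSocket or SSLServerSocket created from this context's factories.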
