I'm facing a problem with a JBoss server and the HTTPS connector, running on Java 6. I want to make my server use only TLSv1.2, with the cipher suites "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" for decoding the certificate.
I know that Java 6 does not support TLSv1.2, but I added the Bouncy Castle JCE and JSSE providers to the JDK (https://www.bouncycastle.org/latest_releases.html):
Added the JAR files (bcprov-jdk15on-159.jar and bctls-jdk15on-159.jar) to the path_to_jdk/jre/lib/ext folder
Edited the file path_to_jdk/jre/lib/security/java.security to add the lines:
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
security.provider.11=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider
The Java instruction SSLContext.getInstance("TLSv1.2"); no longer throws a NoSuchAlgorithmException when I test it in a small test class.
On JBoss:
Edited the file path_to_jboss/server/default/deploy/jbossweb.sar/server.xml to have:
<Connector protocol="HTTP/1.1" SSLEnabled="true" port="8443" address="${jboss.bind.address}" keystoreFile="${jboss.server.home.dir}/conf/jboss.pfx" keystorePass="password" sslProtocols="TLSv1.2" maxThreads="170"/>
After that, JBoss still offers only the SSLv3 and TLSv1 protocols for HTTPS connections.
Any solution?
Thanks
I believe the 'sslProtocols' attribute translates to a call to SSLParameters.setProtocols (later given effect by SSLSocket.setParameters), and doesn't affect the SSLContext.getInstance call. So you are still getting a SunJSSE SSLContext because you added BCJSSE at lower priority.
I suggest moving the BouncyCastleJsseProvider entry in java.security to a higher priority (than com.sun.net.ssl.internal.ssl.Provider).
Also in java.security you will need to set the default KMF type from SunX509 to PKIX (change the existing entry):
ssl.KeyManagerFactory.algorithm=PKIX
This is because BCJSSE currently only works with its own KMF implementation.
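A way to check both java.security settings from the answer above before restarting JBoss, as an added example that is not code from the thread. It assumes it is run with the same JDK that JBoss uses, that the connector asks for the generic "TLS" context name when none is configured, and the class name JsseProviderCheck is made up for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Added diagnostic, not from the thread. Uses Java 6 syntax only.
public class JsseProviderCheck {

    // Position and name of the first installed provider that registers
    // SSLContext.<algorithm>, e.g. "3:SunJSSE", or null if none does.
    static String firstProviderFor(String algorithm) {
        Provider[] installed = Security.getProviders(); // priority order
        for (int i = 0; i < installed.length; i++) {
            if (installed[i].getService("SSLContext", algorithm) != null) {
                return (i + 1) + ":" + installed[i].getName();
            }
        }
        return null;
    }

    // Provider that getInstance(algorithm) returns, plus the protocol
    // versions that context is able to negotiate.
    static String describe(String algorithm) {
        try {
            SSLContext ctx = SSLContext.getInstance(algorithm);
            ctx.init(null, null, null); // nulls: provider defaults, no keystore
            return ctx.getProvider().getName() + " "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols());
        } catch (Exception e) {
            return "unavailable (" + e + ")";
        }
    }

    public static void main(String[] args) {
        // "TLS" is the assumed default context name; "TLSv1.2" is the
        // name used in the question's small test class.
        String[] names = { "TLS", "TLSv1.2" };
        for (int i = 0; i < names.length; i++) {
            System.out.println("SSLContext." + names[i]
                + "  first provider=" + firstProviderFor(names[i])
                + "  resolved=" + describe(names[i]));
        }
        String kmf = KeyManagerFactory.getDefaultAlgorithm();
        String first = firstProviderFor("TLS");
        boolean ok = first != null && first.endsWith(":BCJSSE") && "PKIX".equals(kmf);
        System.out.println("ssl.KeyManagerFactory.algorithm=" + kmf);
        System.out.println(ok ? "OK: BCJSSE serves TLS and the KMF default is PKIX"
                              : "CHECK: raise BCJSSE priority and/or set the KMF default to PKIX");
    }
}
```

With the question's provider order, the "TLSv1.2" line resolves to BCJSSE while the "TLS" line still resolves to SunJSSE, which is why the small test class passed although the connector did not change.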