I am using a test app that uses Java for TLS communication. Standard Oracle Java is installed on my system. I need to use the TLS_DHE_RSA_WITH_AES_128_CCM cipher suite, which is not supported by standard Java, so many suggested using Bouncy Castle. I downloaded and copied the bcprov-ext-jdk18on-171.jar to the $JAVA_HOME/lib folder.

I also updated the java.security file to include Bouncy Castle in the provider list as below:

security.provider.4=org.bouncycastle.jce.provider.BouncyCastleProvider

I still cannot get TLS_DHE_RSA_WITH_AES_128_CCM to work though.

Are the steps I did sufficient and correct? Can someone suggest the steps to install and configure Bouncy Castle?
The BouncyCastleProvider adds cryptographic algorithms such as the AES in the CCM mode of operation to the available algorithms of Cipher and other classes. As CCM is not included by default in Java, you will need to register this provider through code (i.e. Security.addProvider(new BouncyCastleProvider())) or by adding it into the java.security file (as demonstrated in the question). You will probably want to add it to the end of the provider list, as the algorithms of the Oracle provider are generally better tested and may be sped up using hardware acceleration.

However, the BouncyCastleProvider does not contain an implementation of the TLS protocol. You'd need to register the BouncyCastleJsseProvider for that instead. This is required as the Java TLS implementation won't magically know how to use the CCM implementation within Bouncy Castle. JSSE is an acronym of the Java Secure Socket Extension.

You can add that provider at the start of the providers so you know for sure that this provider is used for implementing TLS:

Security.insertProviderAt(new org.bouncycastle.jsse.provider.BouncyCastleJsseProvider(), 1);

And you can also directly register it in the java.security file.

Note that the JSSE provider doesn't provide implementations such as RSA or AES for Cipher or Signature, so it should not be in the way.

To add the two providers, the bctls-jdk18on.jar, bcprov-jdk18on and probably bcutil-jdk18on.jar (see the comment of Amal below) need to be on the class- or module-path. These are of course also present as artifacts in many Maven repositories.
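The registration order the answer describes, as an added, self-contained example (not code from the question, the answer, or the Bouncy Castle project). It assumes bcprov, bctls and bcutil are on the class path and that java.security has not been edited; the provider name "BCJSSE" is the name the Bouncy Castle JSSE provider registers under. It puts the JSSE provider first, the crypto provider last, builds an SSLContext explicitly from BCJSSE, and then checks offline (via an SSLEngine, no network needed) whether TLS_DHE_RSA_WITH_AES_128_CCM can actually be enabled. The suite is a TLS 1.2 suite, so the protocol is pinned to TLSv1.2; on TLS 1.3 it would never be negotiated regardless of provider setup.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

public class BcCcmSuiteCheck {
    // Cipher suite from the question; CCM suites are defined for TLS 1.2 only.
    static final String SUITE = "TLS_DHE_RSA_WITH_AES_128_CCM";

    public static void main(String[] args) throws Exception {
        // 1. TLS implementation first, so any SSLContext.getInstance("TLS") picks BCJSSE.
        Security.insertProviderAt(new BouncyCastleJsseProvider(), 1);
        // 2. Crypto primitives (AES/CCM etc.) last, behind the JDK's own providers.
        Security.addProvider(new BouncyCastleProvider());

        // Print the resulting provider order so misconfiguration is visible at a glance.
        for (Provider p : Security.getProviders()) {
            System.out.println("provider: " + p.getName());
        }

        // Ask for BCJSSE explicitly rather than relying on list order alone.
        // BouncyCastleJsseProvider.PROVIDER_NAME is "BCJSSE".
        SSLContext ctx = SSLContext.getInstance("TLS", BouncyCastleJsseProvider.PROVIDER_NAME);
        ctx.init(null, null, null); // default key/trust managers are fine for this check

        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        engine.setEnabledProtocols(new String[] { "TLSv1.2" });

        boolean supported = Arrays.asList(engine.getSupportedCipherSuites()).contains(SUITE);
        System.out.println(SUITE + " supported by BCJSSE: " + supported);

        // setEnabledCipherSuites throws IllegalArgumentException for an unknown suite,
        // which is the quickest offline signal that the providers are not wired up.
        try {
            engine.setEnabledCipherSuites(new String[] { SUITE });
            System.out.println("enabled: " + Arrays.toString(engine.getEnabledCipherSuites()));
        } catch (IllegalArgumentException e) {
            System.out.println("could not enable " + SUITE + ": " + e.getMessage());
        }
    }
}
```

Run it with the three Bouncy Castle jars on the class path (for example `java -cp bcprov-jdk18on.jar:bctls-jdk18on.jar:bcutil-jdk18on.jar:. BcCcmSuiteCheck`). If the suite is reported as not supported, the usual causes are the JSSE jar missing from the class path or the context having been obtained from the JDK's SunJSSE instead of BCJSSE; the provider listing at the top of the output shows which.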