Add cipher suites to JSSE provider

[aDramaQueen]

Hi,

i managed to run Bouncy Castle JSSE with Spring Boot. Problem: If i run the application with BCJSSE my TLS connection gets rejected:

org.bouncycastle.tls.TlsFatalAlert: handshake_failure(40); [server #1 @3fb651da] found no selectable cipher suite among the 18 offered: [{0x13,0x02}(TLS_AES_256_GCM_SHA384), {0x13,0x03}(TLS_CHACHA20_POLY1305_SHA256), {0x13,0x01}(TLS_AES_128_GCM_SHA256), {0xc0,0x2c}(TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384), {0xc0,0x30}(TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), {0xc0,0x2b}(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), {0xc0,0x2f}(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), {0xcc,0xa9}(TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256), {0xcc,0xa8}(TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256), {0xc0,0x24}(TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384), {0xc0,0x28}(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384), {0xc0,0x23}(TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256), {0xc0,0x27}(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), {0x00,0x9f}(TLS_DHE_RSA_WITH_AES_256_GCM_SHA384), {0x00,0x9e}(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256), {0x00,0x6b}(TLS_DHE_RSA_WITH_AES_256_CBC_SHA256), {0x00,0x67}(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256), {0x00,0xff}(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)]
	at org.bouncycastle.tls.AbstractTlsServer.getSelectedCipherSuite(Unknown Source)
	at org.bouncycastle.jsse.provider.ProvTlsServer.getSelectedCipherSuite(Unknown Source)
	at org.bouncycastle.tls.TlsServerProtocol.generate13ServerHello(Unknown Source)
	at org.bouncycastle.tls.TlsServerProtocol.generateServerHello(Unknown Source)
	at org.bouncycastle.tls.TlsServerProtocol.handleHandshakeMessage(Unknown Source)
	at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(Unknown Source)
	at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source)
	at org.bouncycastle.tls.RecordStream.readFullRecord(Unknown Source)
	at org.bouncycastle.tls.TlsProtocol.safeReadFullRecord(Unknown Source)
	at org.bouncycastle.tls.TlsProtocol.offerInput(Unknown Source)
	at org.bouncycastle.jsse.provider.ProvSSLEngine.unwrap(Unknown Source)
	at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
	at org.apache.tomcat.util.net.SecureNioChannel.handshakeUnwrap(SecureNioChannel.java:480)
	at org.apache.tomcat.util.net.SecureNioChannel.handshake(SecureNioChannel.java:214)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1716)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
	at java.base/java.lang.Thread.run(Thread.java:1583)

If I run this application with the default JSSE provider (SunJSSE) everything works.
Now the question: Is there a special place, where i may add the missing ciphers?

[peterdettman]

I doubt the ciphers are missing. The error message is saying none of the cipher suites can be selected. By far the most common reason for that is misconfiguration of the server's key store (KeyManagerFactory) - so no cipher suite can be selected because no suitable server credentials can be located.

The first thing to check is that you have the ssl.KeyManagerFactory.algorithm security property to "PKIX" (usually in your java.security file).