3

My app is using OpenJDK 11 and fails with the following exception:

```
Caused by: java.lang.IllegalArgumentException: Unsupported CipherSuite: SSL_RSA_WITH_AES_256_CBC_SHA256
        at java.base/sun.security.ssl.CipherSuite.validValuesOf(CipherSuite.java:916)
        at java.base/sun.security.ssl.SSLSocketImpl.setEnabledCipherSuites(SSLSocketImpl.java:302)
        at com.ibm.mq.jmqi.remote.impl.RemoteTCPConnection.makeSocketSecure(RemoteTCPConnection.java:2084)
```

I am not sharing any code because I don't think the problem is there. I need to fix this exception somehow.

Is it possible to configure JRE to support this particular CipherSuite?

ikos23

1 Answer

8

Generally it is TLS_RSA_..., not SSL_RSA_..., in recent Java versions, as SSLv3 is no longer secure.

The IBM JRE might support the SSL_RSA_WITH_AES_256_CBC_SHA256 cipher suite as per the Configuring your application to use IBM Java or Oracle Java CipherSuite mappings docs, but this is not a valid constant in OpenJDK.

The TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suite was introduced in Java 7 as per Java Cryptography Architecture Oracle Providers Documentation for JDK 8 docs. Use this constant in OpenJDK.

Karol Dowbecki
  • Thanks. This is useful. I did that but got another exception : com.ibm.mq.MQException: JMSCMQ0001: IBM MQ call failed with compcode '2' ('MQCC_FAILED') reason '2400' ('MQRC_UNSUPPORTED_CIPHER_SUITE') My app needs to connect to IBM MQ. – ikos23 Apr 11 '19 at 14:42
  • 2
    You should refer to MQ development guide. It should tell you if you can run a client with OpenJDK or do you need IBM JRE. – Karol Dowbecki Apr 11 '19 at 14:48
  • 3
    Just leaving it here: using this JVM option `-Dcom.ibm.mq.cfg.useIBMCipherMappings=false` helped me. So `TLS_RSA_WITH_AES_256_CBC_SHA256` + `-Dcom.ibm.mq.cfg.useIBMCipherMappings=false` works :) – ikos23 Apr 12 '19 at 08:41
  • After using this jvm.option (in my Liberty server root), I am now getting error *RC=2397;AMQ9204: Connection to host '10.60.28.75(1418)' rejected. [1=com.ibm.mq.jmqi.JmqiException[CC=2;RC=2397;AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target],3=10.60.28.75/10.60.28.75:1418* – pixel Jan 12 '22 at 18:29
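
A small diagnostic for the naming mismatch discussed in this thread, added here as an example and not code from the posters or from IBM MQ: it asks the running JRE which cipher suite names its default `SSLContext` reports as supported, and shows which spelling of a requested suite that runtime accepts. The class name `CipherSuiteCheck` and the `resolve` helper are hypothetical, and the `SSL_` to `TLS_` prefix swap is an assumption that matches the suite on this page; for other suites consult the IBM mapping documentation the answer refers to.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class CipherSuiteCheck {

    /** Returns the name this runtime accepts for the requested suite, or null if none. */
    static String resolve(String requested, Set<String> supported) {
        if (supported.contains(requested)) {
            return requested;
        }
        // Assumption: only the prefix differs, as for the suite in this thread.
        if (requested.startsWith("SSL_")) {
            String candidate = "TLS_" + requested.substring("SSL_".length());
            if (supported.contains(candidate)) {
                return candidate;
            }
        }
        return null;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        // Names the default context reports as supported / enabled by default.
        Set<String> supported = new LinkedHashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new LinkedHashSet<>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        // Default input: the two spellings that appear on this page.
        String[] names = args.length > 0 ? args : new String[] {
            "SSL_RSA_WITH_AES_256_CBC_SHA256",
            "TLS_RSA_WITH_AES_256_CBC_SHA256"
        };

        System.out.println("java.vendor=" + System.getProperty("java.vendor")
                + " java.version=" + System.getProperty("java.version"));
        for (String name : names) {
            String resolved = resolve(name, supported);
            if (resolved == null) {
                // A name in this state is one setEnabledCipherSuites would reject.
                System.out.printf("%-40s not supported by this runtime%n", name);
            } else {
                System.out.printf("%-40s -> %s (enabled by default: %b)%n",
                        name, resolved, enabled.contains(resolved));
            }
        }
    }
}
```

On Java 11 and later this runs as a single file with `java CipherSuiteCheck.java`, optionally followed by the suite names to check.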