The following code lists the supported cipher suites by Java SE 8:

    import java.io.IOException;
    import java.net.UnknownHostException;
    import java.util.Arrays;

TLS_ECDHE_ECDSA_WITH_AES_256_SHA is supported by Java 8 (and 7) without adding BouncyCastle, and it is enabled in JSSE by default so you don't need to "edit" anything. But all JREs disallow all 256-bit symmetric crypto (including 256-bit SSL/TLS ciphersuites) unless you install the "JCE Unlimited Strength Jurisdiction Policy Files"; see http://www.oracle.com/technetwork/java/javase/downloads/index.html under "Additional Resources" near the bottom.
You can't edit the cipher suites directly on the factory.
However, you can choose what exact ciphers to support (from the available) on the SSLSocket:

    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;

    SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
    String[] cipherSuites = factory.getSupportedCipherSuites();
    SSLSocket sslSocket = (SSLSocket) factory.createSocket();
    // Choose the exact ciphers you need from the available
    // (placeholder: as written, this enables every supported suite)
    String[] filteredCipherSuites = cipherSuites;
    sslSocket.setEnabledCipherSuites(filteredCipherSuites);

How can I edit the list of cipher suites in Java using Bouncy Castle?
See Which Cipher Suites to enable for SSL Socket? and use SSLSocketFactoryEx. It's a drop-in replacement for Java's SSLSocketFactory.
If you don't want to use SSLSocketFactoryEx, then rip the code to find the intersection of cipher suites.
It controls both protocols and cipher suites. There are no unexpected surprises, like getting an SSLv3 socket back from SSLSocketFactory.getInstance("TLS").
Nothing is configurable, so the user cannot shoot themselves in the foot. It's also ready for TLS 1.3.
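
The intersection approach mentioned above, as an added example that is not part of the original answers and is not the SSLSocketFactoryEx code: it keeps only the allow-listed protocols and cipher suites that the running JRE supports, in preference order, and fails closed when nothing matches. The class name and both allow-lists are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class CipherSuiteIntersection {
    // Assumed allow-lists in preference order (constructed for this example).
    static final List<String> PREFERRED_PROTOCOLS = Arrays.asList("TLSv1.3", "TLSv1.2");
    static final List<String> PREFERRED_SUITES = Arrays.asList(
            "TLS_AES_256_GCM_SHA384",
            "TLS_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");

    // Keep the entries of 'preferred' that the runtime supports, in preference order.
    static String[] intersect(List<String> preferred, String[] supported) {
        Set<String> available = new HashSet<>(Arrays.asList(supported));
        List<String> result = new ArrayList<>();
        for (String name : preferred) {
            if (available.contains(name)) {
                result.add(name);
            }
        }
        if (result.isEmpty()) {
            // Fail closed instead of falling back to the JRE defaults.
            throw new IllegalStateException("None of " + preferred + " is supported by this JRE");
        }
        return result.toArray(new String[0]);
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, null, null); // default key managers, trust managers and RNG
        SSLSocketFactory factory = context.getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            socket.setEnabledProtocols(intersect(PREFERRED_PROTOCOLS, socket.getSupportedProtocols()));
            socket.setEnabledCipherSuites(intersect(PREFERRED_SUITES, socket.getSupportedCipherSuites()));
            System.out.println(Arrays.toString(socket.getEnabledProtocols()));
            System.out.println(Arrays.toString(socket.getEnabledCipherSuites()));
        }
    }
}
```

The socket is created unconnected, so the program only prints what would be offered in a handshake; entries the JRE does not know (for example the TLS 1.3 suites on an older Java 8 build) are dropped from the result.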