how to add unsupported cipher suites(not included in the default cipher suites) to client hello message

Question

the requirement is client shall support following cipher suites for TLS encryption?

  private String[] cipherSuites = new String[] {
          "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
          "TLS_DHE_RSA_WITH_AES_256_CBC_SHA ",
          "TLS_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_RSA_WITH_AES_256_CBC_SHA256",
          "TLS_RSA_WITH_AES_256_CBC_SHA",
          "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
          "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
          "TLS_RSA_WITH_AES_128_GCM_SHA256",
          "TLS_RSA_WITH_AES_128_CBC_SHA256",
      };

this is the main code:

public static void main(String []args) throws IOException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://10.159.218.169:636/ou=LDAPConfData,ou=Nokia,dc=solution,dc=com");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "uid=username,ou=People,dc=solution,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, "123456");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", CustomSocketFactory.class.getName());

        try {
            InitialDirContext context = new InitialDirContext(env);
        } catch (NamingException e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }

override socket factory:

  @Override
  public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
    SSLSocketFactory sslFact = (SSLSocketFactory)SSLSocketFactory.getDefault();
    SSLSocket sslSocket = (SSLSocket) sslFact.createSocket(host, port);
    sslSocket.setEnabledCipherSuites(cipherSuites);
    return sslSocket;
  }

运行主代码时，会出现异常：Root exception is java.lang.IllegalArgumentException: Cannot support TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 with current installed providers

支持的密码套件大小为 56，但其中只有四个需要密码。是否有任何解决方案来解决这个问题？多谢。

Answer 1

该问题是由美国密码学出口限制引起的。默认情况下，您不能使用密钥大小为 256 位的密码。

由于少数国家政府的进口管制限制，随附的管辖政策文件指定可以使用“强”但有限的密码学。这些文件的“无限强度”版本表明对居住在符合条件的国家/地区（大多数国家/地区）的人没有加密强度限制。但只有“强”版本才能进口到政府强制实施限制的国家。JCE 框架将强制执行已安装的权限策略文件中指定的限制。

要禁用这些限制，您需要

• 下载JCE无限实力管辖

• 找到并切换到 jre/lib/security 目录

• 删除 local_policy.jar 和 US_export_policy.jar

• 把JCE无限强度的jar文件