org.bouncycastle.tls.TlsFatalAlert: insufficient_security(71)
Hi Team,
We updated the Bouncy Castle jars to 1.7. After upgrading, a few API calls are failing in our Java application.
Internal Exception: org.bouncycastle.tls.TlsFatalAlert: insufficient_security(71)
at org.eclipse.persistence.exceptions.XMLMarshalException.marshalException(XMLMarshalException.java:104) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56]
at org.eclipse.persistence.oxm.record.OutputStreamRecord.flush(OutputStreamRecord.java:584) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56]
at org.eclipse.persistence.internal.oxm.XMLMarshaller.marshalStreamOrWriter(XMLMarshaller.java:1148) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56]
at org.eclipse.persistence.internal.oxm.XMLMarshaller.marshal(XMLMarshaller.java:934) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56]
at org.eclipse.persistence.internal.oxm.XMLMarshaller.marshal(XMLMarshaller.java:877) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56]
at org.eclipse.persistence.jaxb.JAXBMarshaller.marshal(JAXBMarshaller.java:496) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56]
at com.sun.jersey.core.provider.jaxb.AbstractRootElementProvider.writeTo(AbstractRootElementProvider.java:179) ~[com.sun.jersey.jersey-core.jar:1.19.4]
at com.sun.jersey.core.provider.jaxb.AbstractRootElementProvider.writeTo(AbstractRootElementProvider.java:157) ~[com.sun.jersey.jersey-core.jar:1.19.4]
at com.sun.jersey.api.client.RequestWriter.writeRequestEntity(RequestWriter.java:300) ~[com.sun.jersey.jersey-client.jar:1.19.4]
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:217) ~[com.sun.jersey.jersey-client.jar:1.19.4]
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:153) ~[com.sun.jersey.jersey-client.jar:1.19.4
Caused by: org.bouncycastle.tls.TlsFatalAlert: insufficient_security(71)
at org.bouncycastle.tls.TlsDHUtils.receiveDHConfig(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0]
at org.bouncycastle.tls.TlsDHEKeyExchange.processServerKeyExchange(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0]
at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0]
at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0]
at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0]
at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0]
at org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0]
at org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0]
at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0]
at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[?:1.8.0_112]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:1.8.0_112]
com.sun.jersey.api.client.CommittingOutputStream.commitStream(CommittingOutputStream.java:117) ~[com.sun.jersey.jersey-client.jar:1.19.4]
at com.sun.jersey.api.client.CommittingOutputStream.write(CommittingOutputStream.java:89) ~[com.sun.jersey.jersey-client.jar:1.19.4]
at org.eclipse.persistence.oxm.record.OutputStreamRecord.flush(OutputStreamRecord.java:580) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56]
at org.eclipse.persistence.internal.oxm.XMLMarshaller.marshalStreamOrWriter(XMLMarshaller.java:1148) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56]
at org.eclipse.persistence.internal.oxm.XMLMarshaller.marshal(XMLMarshaller.java:934) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56]
at org.eclipse.persistence.internal.oxm.XMLMarshaller.marshal(XMLMarshaller.java:877) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56]
at org.eclipse.persistence.jaxb.JAXBMarshaller.
com.sun.jersey.core.provider.jaxb.AbstractRootElementProvider.writeTo(AbstractRootElementProvider.java:179) ~[com.sun.jersey.jersey-core.jar:1.19.4]
at com.sun.jersey.core.provider.jaxb.AbstractRootElementProvider.writeTo(AbstractRootElementProvider.java:157) ~[com.sun.jersey.jersey-core.jar:1.19.4]
at com.sun.jersey.api.client.RequestWriter.writeRequestEntity(RequestWriter.java:300) ~[com.sun.jersey.jersey-client.jar:1.19.4]
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:217) ~[com.sun.jersey.jersey-client.jar:1.19.4]
at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:153) ~[com.sun.jersey.jersey-client.jar:1.19.4]
Recent versions of BCJSSE default to rejecting DH groups proposed by the server that are not in the list of standard groups. To confirm that this is the issue, you can try running with "-Dorg.bouncycastle.jsse.client.dh.unrestrictedGroups=true" (and possibly also "org.bouncycastle.jsse.client.dh.minimumPrimeBits=1024" to only require a 1024-bit group instead of the default minimum of 2048).
The following alternatives would be preferable though:
- Try running with "-Dorg.bouncycastle.jsse.client.dh.disableDefaultSuites=true". Should work if the server supports any cipher suites that aren't DH. Alternatively you could explicitly configure the cipher suites you want to enable using the system property "jdk.tls.client.cipherSuites" (and don't include any DH suites).
- If you have control over the server, either configure it to not offer DH cipher suites, or else update the DH group that it is using to be a standard one (RFC 7919 best, RFC 3526 supported).
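
The explicit cipher-suite alternative above, applied to a single socket instead of through system properties, as an added example that is not code from this thread or from the Bouncy Castle project. The class name `NoDheClient` is hypothetical, the host and port come from the command line, and it assumes the bcprov and bctls jars are on the classpath.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

// Hypothetical diagnostic class, not part of Bouncy Castle.
public class NoDheClient {
    // Matches finite-field DH suites (TLS_DHE_*, TLS_DH_*). ECDHE suite names
    // contain "_ECDHE_", which neither pattern matches, so they are kept.
    static boolean isFiniteFieldDh(String suite) {
        return suite.contains("_DHE_") || suite.contains("_DH_");
    }

    static String[] withoutDh(String[] suites) {
        return Arrays.stream(suites).filter(s -> !isFiniteFieldDh(s)).toArray(String[]::new);
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        Security.addProvider(new BouncyCastleProvider());
        Security.addProvider(new BouncyCastleJsseProvider());
        SSLContext ctx = SSLContext.getInstance("TLS", "BCJSSE");
        ctx.init(null, null, null); // default key and trust managers

        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setCipherSuites(withoutDh(params.getCipherSuites()));
            params.setEndpointIdentificationAlgorithm("HTTPS"); // verify the hostname
            socket.setSSLParameters(params);

            // Throws an SSLException if the server has no suite in common
            // once the DH suites are removed.
            socket.startHandshake();
            SSLSession session = socket.getSession();
            System.out.println(session.getProtocol() + " " + session.getCipherSuite());
        }
    }
}
```

A successful handshake here means the server supports at least one non-DH suite, so the failing client can drop DH suites rather than relax the group checks.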
@srk12318 @peterdettman can this issue be closed?