Hi Ashkay, Stian and Marko,
This question helps me with something similar I asked yesterday. I enabled strong ciphers in the JVM (JCE installed). However, when I switch SSL logging on using "-Djavax.net.debug=ssl:handshake" I see that strong ciphers on the ssl proxy (ECDHE) are not supported (therefore the message Ignoring unsupported cipher suites).
2016-04-13 22:05:43,040 INFO [stdout] (default task-15) Allow unsafe renegotiation: false
2016-04-13 22:05:43,042 INFO [stdout] (default task-15) Allow legacy hello messages: true
2016-04-13 22:05:43,043 INFO [stdout] (default task-15) Is initial handshake: true
2016-04-13 22:05:43,044 INFO [stdout] (default task-15) Is secure renegotiation: false
2016-04-13 22:05:43,048 INFO [stdout] (default task-15) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 22:05:43,049 INFO [stdout] (default task-15) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 22:05:43,050 INFO [stdout] (default task-15) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
2016-04-13 22:05:43,050 INFO [stdout] (default task-15) Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 22:05:43,051 INFO [stdout] (default task-15) Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 22:05:43,052 INFO [stdout] (default task-15) Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
2016-04-13 22:05:43,055 INFO [stdout] (default task-15) %% No cached client session
2016-04-13 22:05:43,056 INFO [stdout] (default task-15) *** ClientHello, TLSv1.2
2016-04-13 22:05:43,058 INFO [stdout] (default task-15) RandomCookie: GMT: 1460512151 bytes = { 14, 53, 153, 224, 92, 2, 43, 139, 161, 201, 181, 69, 65, 9, 110, 156, 40, 223, 11, 184, 237, 137, 9, 239, 221, 180, 164, 163}
2016-04-13 22:05:43,059 INFO [stdout] (default task-15) Session ID: {}
2016-04-13 22:05:43,060 INFO [stdout] (default task-15) Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Which ciphers are used by the Bouncycastle provider? Can I enable the use of ECDHE ciphers? These ciphers are enabled in the ssl proxy:
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
Best regards, Bart