search

bcgit / bc-java

Bouncy Castle Java Distribution (Mirror)
https://www.bouncycastle.org/java.html
MIT License
2.3k stars 1.14k forks source link

org.bouncycastle.tls.TlsFatalAlert: insufficient_security(71) #1401

Open srk12318 opened 1 year ago

srk12318 commented 1 year ago

Hi Team,

We updated bouncy castle jars to 1.7 after upgrading , few of API calls are failing in our java application.

Internal Exception: org.bouncycastle.tls.TlsFatalAlert: insufficient_security(71) at org.eclipse.persistence.exceptions.XMLMarshalException.marshalException(XMLMarshalException.java:104) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56] at org.eclipse.persistence.oxm.record.OutputStreamRecord.flush(OutputStreamRecord.java:584) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56] at org.eclipse.persistence.internal.oxm.XMLMarshaller.marshalStreamOrWriter(XMLMarshaller.java:1148) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56] at org.eclipse.persistence.internal.oxm.XMLMarshaller.marshal(XMLMarshaller.java:934) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56] at org.eclipse.persistence.internal.oxm.XMLMarshaller.marshal(XMLMarshaller.java:877) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56] at org.eclipse.persistence.jaxb.JAXBMarshaller.marshal(JAXBMarshaller.java:496) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56] at com.sun.jersey.core.provider.jaxb.AbstractRootElementProvider.writeTo(AbstractRootElementProvider.java:179) ~[com.sun.jersey.jersey-core.jar:1.19.4]

    at com.sun.jersey.core.provider.jaxb.AbstractRootElementProvider.writeTo(AbstractRootElementProvider.java:157) ~[com.sun.jersey.jersey-core.jar:1.19.4]
    at

com.sun.jersey.api.client.RequestWriter.writeRequestEntity(RequestWriter.java:300) ~[com.sun.jersey.jersey-client.jar:1.19.4] at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:217) ~[com.sun.jersey.jersey-client.jar:1.19.4] at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:153) ~[com.sun.jersey.jersey-client.jar:1.19.4 Caused by: org.bouncycastle.tls.TlsFatalAlert: insufficient_security(71) at org.bouncycastle.tls.TlsDHUtils.receiveDHConfig(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0] at org.bouncycastle.tls.TlsDHEKeyExchange.processServerKeyExchange(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0] at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0] at org.bouncycastle.tls.TlsProtocol.processRecord(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0] at org.bouncycastle.tls.RecordStream.readRecord(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0] at org.bouncycastle.tls.TlsProtocol.safeReadRecord(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0] at org.bouncycastle.tls.TlsProtocol.blockForHandshake(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0] at

org.bouncycastle.tls.TlsClientProtocol.connect(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0] at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0] at org.bouncycastle.jsse.provider.ProvSSLSocketDirect.startHandshake(Unknown Source) ~[bctls-jdk15on-1.70.jar:1.70.00.0] at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[?:1.8.0_112] at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:1 .8.0_112] com.sun.jersey.api.client.CommittingOutputStream.commitStream(CommittingOutputStream.java:117) ~[com.sun.jersey.jersey-client.jar:1.19.4] at com.sun.jersey.api.client.CommittingOutputStream.write(CommittingOutputStream.java:89) ~[com.sun.jersey.jersey-client.jar:1.19.4] at org.eclipse.persistence.oxm.record.OutputStreamRecord.flush(OutputStreamRecord.java:580) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56] at org.eclipse.persistence.internal.oxm.XMLMarshaller.marshalStreamOrWriter(XMLMarshaller.java:1148) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56] at org.eclipse.persistence.internal.oxm.XMLMarshaller.marshal(XMLMarshaller.java:934) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56] at org.eclipse.persistence.internal.oxm.XMLMarshaller.marshal(XMLMarshaller.java:877) ~[eclipselink.jar:2.6.7.v20190604-418f1a1c56] at org.eclipse.persistence.jaxb.JAXBMarshaller. com.sun.jersey.core.provider.jaxb.AbstractRootElementProvider.writeTo(AbstractRootElementProvider.java:179) ~[com.sun.jersey.jersey-core.jar:1.19.4] at com.sun.jersey.core.provider.jaxb.AbstractRootElementProvider.writeTo(AbstractRootElementProvider.java:157) ~[com.sun.jersey.jersey-core.jar:1.19.4] at com.sun.jersey.api.client.RequestWriter.writeRequestEntity(RequestWriter.java:300) ~[com.sun.jersey.jersey-client.jar:1.19.4] at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:217) ~[com.sun.jersey.jersey-client.jar:1.19.4] at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:153) ~[com.sun.jersey.jersey-client.jar:1.19.4]

peterdettman commented 1 year ago

Recent versions of BCJSSE default to rejecting DH groups proposed by the server that are not in the list of standard groups. To confirm that this is the issue, you can try running with "-Dorg.bouncycastle.jsse.client.dh.unrestrictedGroups=true" (and possibly also "org.bouncycastle.jsse.client.dh.minimumPrimeBits=1024" to only require 1024 bit group instead of default minimum 2048).

The following alternatives would be preferable though: