BC cipher suite list

[tonyjeftimov]

Hi All,
We have an integration project with a third party that use to work. They have now restarted testing (after several months) and now it doesn't work.
From what I can piece together with the limited support that they can give, is that during those inactive months they implemented TLSv1.3. From what I can gather from BC is that TLSv1.3 is supported.

From the logs at my end, this is the reported error:
14-Oct-2025 15:44:32 org.bouncycastle.jsse.provider.ProvTlsClient notifyAlertReceived
INFO: Client received fatal(2) handshake_failure(40) alert

They (and I via Postman) have been able to confirm that TLSv1.2 is still allowed.

They have also supplied the below list of allowed ciphers, none of which I have been able to find in my logs.
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

These are the jar's I have included.
bcpkix-jdk15to18-1.82.jar
bcprov-jdk15to18-1.82.jar
bctls-jdk15to18-1.82.jar
bcutil-jdk15to18-1.82.jar

I have limited knowledge of BC, but I'm sure I'm missing something.
I guess I just want to confirm for starters that the ciphers handled by BC. Secondly, can I get the logs to show anything more that might point to the issue.

Thanks, Tony.

[tonyjeftimov]

Sorry, I left out some important info:

Java(TM) SE Runtime Environment (build 1.6.0_11-b03)
Sun Microsystems Inc. (home C:\Sonic\Test\MQ8.0\jre, version 1.6.0_11)
Java HotSpot(TM) Client VM (build 11.0-b16, mixed mode)

[peterdettman]

The above contains several factual errors and irrelevant advice (and smells of AI); please ignore.

Edit: the offending comment has since been removed.

[peterdettman]

BCJSSE indeed supports TLS 1.3 and should do so fine in Java 6, although you may need to use BC extensions if you want similar features (like SSLParameters options) to more recent Java versions. All the listed cipher suites are supported, and enabled by default. The list of jars seems fine.

Since the fatal alert is being raised by the server (and the TLS protocol does not include error details), the answer to why the handshake failed actually lies with the server's logs. It may yet be useful to see more detailed client logs; BCJSSE uses the Java Logging API, so you could configure logging to FINEST for org.bouncycastle.jsse.**.

[tonyjeftimov]

Thank you Peter for you response and sorry for my late reply.
I did enable more detailed logging as you suggested, but it didn't offer any more insight to the issue.
Finally arranged a catch-up with the third last Friday just passed. Unfortunately they weren't able to to view the server logs and provide any more info than what I already have. All they can say at the moment while they try(?) to access the server logs, is to confirm that we have those ciphers installed.
I'm feeling like Alice going down the rabbit hole.
How can I verify whether those ciphers are installed?

Regards and grateful for your help,
Tony.

[tonyjeftimov]

Hi Peter, found the issue. It was as thought, cipher negotiation.
I had misunderstood where/how to set the cipher suites to use. All seems happy on that front. The next issue I have found is the TLS/1.3 -half duplex close policy.
Tried setting this on startup, -Djdk.tls.acknowledgeCloseNotify=true, but doesn't seen to be helping.
Is there an additional JAR I need from BC?

Regards,
Tony.

[peterdettman]

BCJSSE does not reference the jdk.tls.acknowledgeCloseNotify property. However we also currently don't support the TLS 1.3 half-close feature, so any close is bidirectional and should send close_notify by default prior to closing.

[tonyjeftimov]

Thank you Peter for your help. All appears to be working as expected now.