Configuring embedded Tomcat to serve FIPS-compliant HTTP2 with BouncyCastle

I'm trying to configure an embedded Tomcat server so that it can serve HTTP2 in FIPs mode, using BouncyCastle's FIPs libraries. I've set the accepted protocols to TLSv1.2+TLSv1.3. I've tried various suggested cipher suites, but it seems no matter what I set as the cipher suite, Chrome/FF rejects connections on the grounds of "Inadequate Security". If I disable HTTP2, it does not matter what I set as the cipher suite - it just works.

I'm a bit confused.

Solution

When BC is in FIPS mode, it requires PKIX as algorithm for the KeyManagerFactory and TrustManagerFactory:

Security.setProperty("ssl.KeyManagerFactory.algorithm", "PKIX");
Security.setProperty("ssl.TrustManagerFactory.algorithm", "PKIX");

Without these two lines the server will be unable to retrieve the keys required by the cipher suite.

SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
Can't send client certificate via SslStream
How to secure multiple wildcard domain names in single SSL certificate?
cURL error 60: SSL certificate problem: certificate has expired
Importing SSL Certificate into Eclipse
WARN: Establishing SSL connection without server's identity verification is not recommended
How to connect an ESP32 to MQTT server with public IP and SSL?
SSL Localhost Privacy error
Load CA root certificate at runtime in Java
CertPathValidatorException : Trust anchor for certificate path not found - Retrofit Android
CURL showing "No required SSL certificate was sent" eve
How to know which TLS version is being used by gRPC?
Securing grafana ingress with tls in kube-prometheus-stack values.yaml and make grafana available via https
MariaDB update causes client connection problem : mariadb.OperationalError: TLS/SSL error: SSL is required, but the server does not support it
HTTPS connections to cloudfront / S3 using godaddy domain
SSL Self-Signed Certificates Issue in Gitlab
Composer Curl error 60: SSL certificate problem: unable to get local issuer certificate
Nginx keeps showing "welcome to nginx" for https but it's working fine with http
PostgreSQL `aws_s3` Extension: SSL Certificate Verification Failed with Self-Signed Certificate
SSLmode in FireDac for connection to Postgres
SSL/TLS error on exposing Fuction App in API Management
Mutual TLS connection from OpenLiberty with custom keystore
How to solve SSL certificate: self signed certificate when cloning repo from github?
How to disable HTTPS or change to HTTP in dev and prod version on symfony?
TCP proxy with reading payload
Unable to establish SSL connection, how do I fix my SSL cert?
How to make Sinatra work over HTTPS/SSL?
How to disable SSL verification in alpine's apk?
Add Self Signed Certificate without prompting Yes/No from User
.NET 8 api with Caddy reverse proxy not working for SSL