Is it possible to configure the BouncyCastleJsseProvider to use a specific elliptic curve without modifying the system property jdk.tls.namedGroups in Java 17?
I need an SSLContext supporting only a specific curve. Ideally this should be achievable without tinkering with the system property to not interfere with other TLS connections.
Java 20 adds support for this configuration via the SSLParameters but updating to Java 20 is not a real option for now.
BCJSSE has not yet added the new SSLParameters methods; I will look at adding them now. I would expect similar methods to then also be backwardly available (i.e. in all supported JDK versions) via our extension API.
Also, just to clarify, BCJSSE supports the jdk.tls.namedGroups property always (no JDK or BCJSSE version dependency).
In the meantime it should be possible to subclass JcaTlsCrypto and override hasNamedGroup(). To enable this in your provider instance, subclass also JcaTlsCryptoProvider and override create(SecureRandom, SecureRandom) to create an instance of your JcaTlsCrypto subclass.
Finally, either pass your JcaTlsCryptoProvider to BouncyCastleJsseProvider(boolean, JcaTlsCryptoProvider) constructor or if you are using java.security configuration use the config string to name your JcaTlsCryptoProvider subclass.
UPDATE:
We just released 1.74 which contains support for the new SSLParameters properties. In earlier Java versions you would need to access the functionality through our extension API. e.g. cast SSLSocket to org.bouncycastle.jsse.BCSSLSocket and call BCSSLSocket#setParameters(BCSSLParameters) after using BCSSLParameters#setNamedGroups.
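
The extension-API route from the update, written out as an added example (not part of the original answer and not Bouncy Castle's own code). It wraps an SSLSocketFactory so every socket it hands out has its named groups restricted, and fails closed if a socket is not a BCJSSE one. It assumes BC 1.74 or later, a delegate factory obtained from an SSLContext created with BCJSSE, and group names in the same form as jdk.tls.namedGroups; the class name PinnedGroupSocketFactory is hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.SSLSocketFactory;
import org.bouncycastle.jsse.BCSSLParameters;
import org.bouncycastle.jsse.BCSSLSocket;

// Hypothetical helper (not a BC class): restricts named groups per socket,
// leaving jdk.tls.namedGroups and every other TLS connection in the JVM untouched.
public final class PinnedGroupSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate; // assumed to come from a BCJSSE SSLContext
    private final String[] groups;           // e.g. "secp384r1" (constructed sample value)

    public PinnedGroupSocketFactory(SSLSocketFactory delegate, String... groups) {
        this.delegate = delegate;
        this.groups = groups.clone();
    }

    // Applies the restriction before any handshake has started.
    private Socket pin(Socket s) throws IOException {
        if (!(s instanceof BCSSLSocket)) {
            // Fail closed: a non-BCJSSE socket would negotiate with the JVM-wide defaults.
            s.close();
            throw new IOException("Not a BCJSSE socket; named groups cannot be restricted");
        }
        BCSSLSocket bc = (BCSSLSocket) s;
        BCSSLParameters params = bc.getParameters();
        params.setNamedGroups(groups.clone());
        bc.setParameters(params);
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return pin(delegate.createSocket()); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose)
            throws IOException { return pin(delegate.createSocket(s, host, port, autoClose)); }
    @Override public Socket createSocket(String host, int port)
            throws IOException { return pin(delegate.createSocket(host, port)); }
    @Override public Socket createSocket(String host, int port, InetAddress local, int localPort)
            throws IOException { return pin(delegate.createSocket(host, port, local, localPort)); }
    @Override public Socket createSocket(InetAddress addr, int port)
            throws IOException { return pin(delegate.createSocket(addr, port)); }
    @Override public Socket createSocket(InetAddress addr, int port, InetAddress local, int localPort)
            throws IOException { return pin(delegate.createSocket(addr, port, local, localPort)); }
}
```

Pass the wrapper wherever the plain factory would go, for example new PinnedGroupSocketFactory(sslContext.getSocketFactory(), "secp384r1"); a server that supports none of the listed groups should then fail the handshake rather than fall back to another curve.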