The StreamBase platform does not implement SSL on its own but relies on the Java and underlying OS implementation.
To see more detail about the SSL handshake failure, add the following system property to the <java-vm> section of your sbd.sbconf configuration:
<java-vm>
<sysproperty name="javax.net.debug" value="all"/>
</java-vm>
This is described here:
Debugging SSL/TLS Connections
https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
This will show the certificate and cipher settings used during the handshake (with a lot of other detail). Output will be in the console log, so make sure you are capturing the console to a file for review. In the log, find the error "SSL handshake failed" and work backwards to see what part of the negotiation failed. Once this issue is resolved, turn off this debugging setting since it can reveal security information which should not be generally shared.
There are several configuration and capability items to check to make sure advanced ciphers are not blocked from use.
Configurations to check:
A. Confirm your OS supports the required cipher.
To support TLS, see references:
OpenSSL on RHEL6:
https://access.redhat.com/articles/1462223
OpenSSL on RHEL7:
https://access.redhat.com/articles/1462343
B. Check the java.security file for restrictions.
The target cipher may be restricted by settings in file:
jdk/jre/lib/security/java.security
If you find that ECDHE is present on the java.security "jdk.tls.disabledAlgorithms" line, then remove it from that line (and any other exclusions which match the desired cipher). In this file, hash-comments (#) only work if the hash is the first character on the line.
C. Add the Java Cryptography Extension to your Oracle Java install.
The Oracle Java JDK and JRE shipped with StreamBase do not have support for the Java Cryptography Extension (JCE). To use ciphers with AES256 and ECDHE, download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Installation instructions for the JCE are here:
https://docs.oracle.com/cd/E19944-01/819-4480/IM_installation_appendixF_JCE.html
Install the JCE into the Java install being used by StreamBase, as determined by the JAVA_HOME environment variable, which may override the embedded Java included in the StreamBase install.
D. Install an alternative cryptography provider.
This has been resolved in some cases on RHEL using the alternative cryptography provider, BouncyCastle, as described by Red Hat here:
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Web_Platform/5/html/Administration_And_Configuration_Guide/ch08s21s02s04.html
and compared here to other providers:
https://en.wikipedia.org/wiki/Comparison_of_cryptography_libraries
To install, download the JAR file from here:
http://www.bouncycastle.org/latest_releases.html
for the JDK 1.8 provider:
bcprov-jdk15on-159.jar
and place it in:
jdk/jre/lib/ext
Edit jdk/jre/lib/security/java.security to add the line:
security.provider.<n>=org.bouncycastle.jce.provider.BouncyCastleProvider
...replacing <n> with one additional numbered security provider. For example, if there are '10' this would be "security.provider.11=...".
Their install instructions are here:
http://www.bouncycastle.org/wiki/display/JA1/Provider+Installation
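The following diagnostic is an added example, not part of the original article or of StreamBase. It reports the JVM state behind checks B, C and D for one cipher suite. The class name TlsCipherCheck, the default suite name and the text-matching heuristic in mentions() are assumptions made for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Added example: reports the JVM state behind checks B, C and D for one cipher suite.
public class TlsCipherCheck {

    // Heuristic text match of one disabledAlgorithms entry against a suite name.
    static boolean mentions(String entry, String suite) {
        String name = entry.trim().split("\\s+")[0];   // drop constraints such as "keySize < 1024"
        return !name.isEmpty()
                && ("_" + suite + "_").toUpperCase().contains("_" + name.toUpperCase() + "_");
    }

    public static void main(String[] args) throws Exception {
        // Constructed default; pass the suite your peer requires as the first argument.
        String suite = args.length > 0 ? args[0] : "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384";
        System.out.println("java.home = " + System.getProperty("java.home"));

        // Check B: effective jdk.tls.disabledAlgorithms value as the JVM parsed it.
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = " + disabled);
        if (disabled != null) {
            for (String entry : disabled.split(",")) {
                if (mentions(entry, suite)) {
                    System.out.println("  REVIEW: entry '" + entry.trim() + "' matches " + suite);
                }
            }
        }

        // Check C: 128 means the limited policy is active; unlimited reports Integer.MAX_VALUE.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length = " + maxAes
                + (maxAes < 256 ? "  (AES256 ciphers unavailable)" : ""));

        // Check D: loaded providers in order; next index assumes every listed provider loaded.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("provider " + (i + 1) + " = " + providers[i].getName());
        }
        System.out.println("Next free index = " + (providers.length + 1)
                + ", BouncyCastle registered = " + (Security.getProvider("BC") != null));

        // Result: is the suite implemented, and is it offered by default in a handshake?
        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Supported: " + Arrays.asList(
                ctx.getSupportedSSLParameters().getCipherSuites()).contains(suite));
        System.out.println("Enabled by default: " + Arrays.asList(
                ctx.getDefaultSSLParameters().getCipherSuites()).contains(suite));
    }
}
```

Compile and run it with the javac and java binaries from the same JAVA_HOME that StreamBase uses, so the output reflects the java.security file and policy files that the server actually loads.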