Problems connecting via HTTPS/SSL through own Java client

Thanks to Steffen Ullrich's tip, I checked the ciphers Java had available. Apparently, in Java 8 you don't have unlimited strength for your ciphers. For example, in my case my program couldn't use an AES 256-bit cipher, which the server required.

To solve this, Oracle provides a bundle of policy files that allow for unlimited strength encryption. You can find it here.

The README states:

Due to import control restrictions of some countries, the version of the JCE policy files that are bundled in the Java Runtime Environment, or JRE(TM), 8 environment allow "strong" but limited cryptography to be used.

Just download the bundle and replace the appropriate files as stated in the install instructions. After I did that, the handshake worked like a charm.


Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, ...

There are no AES256 cipher suites offered by your Java client.

Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

Because they are not available in your application. I'm not a Java expert, but either these are not available in your Java or they need to be explicitly enabled. They are needed because the server only supports AES256 ciphers:

 $ perl analyze-ssl.pl -v3 --all-ciphers trackobot.com
 ...
* supported ciphers with SSLv23 handshake
 * TLSv1_2 ECDHE-RSA-AES256-GCM-SHA384
 * TLSv1_2 ECDHE-RSA-AES256-SHA384
 * TLSv1_2 ECDHE-RSA-AES256-SHA
 * TLSv1_2 DHE-RSA-AES256-GCM-SHA384
 * TLSv1_2 DHE-RSA-AES256-SHA256
 * TLSv1_2 DHE-RSA-AES256-SHA

It might be that the version of Java you use has no support for AES256 because of export regulations, see https://knowledge.safe.com/articles/Error_Unexpected_Behavior/Enabling-AES256-in-the-Java-Runtime-Environment-for-Single-Sign-On


According to https://www.ssllabs.com, the server supports cipher suites

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA 

They are listed as "unavailable cipher suite" as you can see in the debug messages.

In the JRE/lib/security/local_policy.jar, we see

// Some countries have import limits on crypto strength. This policy file
// is worldwide importable.

grant {
    permission javax.crypto.CryptoPermission "DES", 64;
    permission javax.crypto.CryptoPermission "DESede", *;
    permission javax.crypto.CryptoPermission "RC2", 128, 
                                     "javax.crypto.spec.RC2ParameterSpec", 128;
    permission javax.crypto.CryptoPermission "RC4", 128;
    permission javax.crypto.CryptoPermission "RC5", 128, 
          "javax.crypto.spec.RC5ParameterSpec", *, 12, *;
    permission javax.crypto.CryptoPermission "RSA", *;
    permission javax.crypto.CryptoPermission *, 128;
};

Download and install "(JCE) Unlimited Strength Jurisdiction Policy Files" - http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html - and I can confirm that the problem is solved. The README file says:

Due to import control restrictions of some countries, the version of the JCE policy files that are bundled in the Java Runtime Environment, or JRE(TM), 8 environment allow "strong" but limited cryptography to be used. This download bundle (the one including this README file) provides "unlimited strength" policy files which contain no restrictions on cryptographic strengths.
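
A diagnostic for the condition the answers above describe, added here as an example and not taken from any of the posts: it reports the AES key-length limit imposed by the installed policy files and checks which of the server's AES256 suites (the list quoted above) the JVM supports and enables. The class name `Aes256SuiteCheck` is an assumption made for this example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;

// Added example: class name and output layout are assumptions, not from the page.
public class Aes256SuiteCheck {

    // Suites the server accepts, copied from the list quoted in the answer above.
    static final String[] SERVER_SUITES = {
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    };

    public static void main(String[] args) throws Exception {
        // The jurisdiction policy caps key sizes: 128 here means the limited
        // policy is active; Integer.MAX_VALUE means the unlimited one is.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max allowed AES key length: " + maxAes);

        // "Supported" is what the JSSE provider can do in this JVM;
        // "enabled" is what a default client socket will actually offer.
        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        int usable = 0;
        for (String suite : SERVER_SUITES) {
            boolean isSupported = supported.contains(suite);
            boolean isEnabled = enabled.contains(suite);
            if (isEnabled) {
                usable++;
            }
            System.out.printf("%-42s supported=%-5b enabled=%b%n",
                              suite, isSupported, isEnabled);
        }

        if (usable == 0) {
            // No common suite: the handshake with this server cannot succeed.
            System.out.println("No overlap with the server's AES256-only suite list.");
            System.exit(1);
        }
        System.out.println(usable + " of the server's suites are enabled in this JVM.");
    }
}
```

Run it with the same JRE the client uses, before and after replacing the policy files, to confirm that the change took effect in that installation.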