(Note that this has nothing whatsoever to do with Apache Tomcat. These
connections are between services running on Tomcat and others, but
Tomcat's TLS code or configuration is in no way involved.)
I recently upgraded my OpenJDK Java 8 installations on a few servers and
started getting this error when connecting between two services
involving a specific server:
javax.net.ssl.SSLException: No preferred signature algorithm for
I believe I have tracked this back to the fact that this server's client
key/cert was using the secp256k1 curve instead of the more
widely-supported secp256r1 curve (this is the "NIST P-256" curve). I
think Java dropped support for the non-NIST curves at some point yet the
documentation says that they are supported for compatibility.
I found a bug in the JDK listed here which may or may not be related.
There is a workaround mentioned in the bug report:
Configure server so that supported_signature_algorithms prefers
signature algorithms supported by the SunPKCS11 provider
(RSA_PKCS1_SHA256, RSA_PKCS1_SHA384, RSA_PKCS1_SHA_512, RSA_SHA224,
I don't think this will apply to me, since this is all about RSA
signatures, but I suppose it could be adapted to the EC signature
algorithms (e.g. EC_PKCS1_SHA256 or whatever).
Does anyone know how to "configure [...]
supported_signature_algorithms"? I've never heard of that setting before
and some web searching isn't coming up with much for me.
Back to the deprecated curves. I can't find any reference to them being
disabled by default, and the java.security file contains a disabled
algorithms setting that doesn't mention EC crypto at all:
On 10/26/20 13:02, Steve Sanders wrote:
> We ran into similar issues when upgrading to latest JDK 8 (and 11). We
> found that the fix was to add the sun.security.ec.SunEC as a security
> provider in java.security like so:
I'll have to try that. I can easily use my SSLTest tool to test
> After adding this we were able to continue using our current certificates
> and communicate with services using the updated ciphers. Depending on the
> version / flavor of JDK you're using you may also need to apply the
> unlimited strength JCE policy patch found here:
If you still need this, then you really need to upgrade your Java. Java
8 no longer requires application of a separate, "unlimited" policy file
since u162, released January 2018.
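The diagnosis above hinges on which named curve a certificate's key actually uses, so a quick way to check that offline is useful. The following is an added example written for this thread; it is not code from the thread, from Tomcat or from OpenJDK. It uses only the Python standard library: a minimal DER walker that locates the SubjectPublicKeyInfo inside a certificate, reads the curve OID from the EC AlgorithmIdentifier, and flags secp256k1 as a curve TLS peers are unlikely to accept. The curve OID table, the "widely supported" set and the constructed sample certificate (placeholder issuer, subject, key and signature) are assumptions made here, not values from the thread.

```python
"""Report which named curve an EC certificate key uses (stdlib only).

Added example; not code from the thread, Tomcat or OpenJDK. The OID table and
the WIDELY_SUPPORTED set are assumptions chosen for this demonstration.
"""
import base64
from typing import Dict, Optional, Tuple

ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
CURVE_NAMES: Dict[str, str] = {
    "1.2.840.10045.3.1.7": "secp256r1 (NIST P-256)",
    "1.3.132.0.34": "secp384r1 (NIST P-384)",
    "1.3.132.0.35": "secp521r1 (NIST P-521)",
    "1.3.132.0.10": "secp256k1 (non-NIST)",
}
# Curves a TLS peer can be expected to accept; secp256k1 is deliberately absent.
WIDELY_SUPPORTED = {"1.2.840.10045.3.1.7", "1.3.132.0.34", "1.3.132.0.35"}


# --- minimal DER encoder, used only to build the constructed sample input ----
def der(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))


# --- minimal DER decoder ------------------------------------------------------
def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this TLV); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def children(seq_value: bytes):
    pos = 0
    while pos < len(seq_value):
        tag, val, pos = read_tlv(seq_value, pos)
        yield tag, val


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Walk Certificate -> TBSCertificate and return the SubjectPublicKeyInfo TLV."""
    _, cert_body, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert_body, 0)
    fields = list(children(tbs))
    if fields[0][0] == 0xA0:          # optional explicit [0] version
        fields = fields[1:]
    # then: serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    tag, spki_body = fields[5]
    return der(tag, spki_body)


def curve_oid_of_spki(spki: bytes) -> Optional[str]:
    """Dotted OID of the named curve in an EC SubjectPublicKeyInfo; None if not EC/named."""
    _, body, _ = read_tlv(spki, 0)
    _, alg, _ = read_tlv(body, 0)     # AlgorithmIdentifier
    parts = list(children(alg))
    if len(parts) != 2 or decode_oid(parts[0][1]) != ID_EC_PUBLIC_KEY:
        return None
    param_tag, param_val = parts[1]
    return decode_oid(param_val) if param_tag == 0x06 else None


def assess_certificate(cert_der: bytes) -> str:
    curve = curve_oid_of_spki(spki_from_certificate(cert_der))
    if curve is None:
        return "not an EC key with a named curve"
    name = CURVE_NAMES.get(curve, "unknown curve " + curve)
    verdict = "widely supported" if curve in WIDELY_SUPPORTED else "likely rejected by TLS peers"
    return f"{name}: {verdict}"


def pem_to_der(pem: str) -> bytes:
    return base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))


def sample_certificate(curve: str) -> bytes:
    """Constructed certificate skeleton: placeholder fields, zeroed key and signature."""
    ecdsa_sha256 = oid("1.2.840.10045.4.3.2")
    point = b"\x04" + bytes(64)                       # uncompressed point, placeholder
    spki = der(0x30, der(0x30, oid(ID_EC_PUBLIC_KEY) + oid(curve)) + der(0x03, b"\x00" + point))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, ecdsa_sha256)
              + der(0x30, b"") + der(0x30, b"") + der(0x30, b"") + spki)  # empty issuer/validity/subject
    return der(0x30, tbs + der(0x30, ecdsa_sha256) + der(0x03, b"\x00" + bytes(8)))


if __name__ == "__main__":
    for c in ("1.3.132.0.10", "1.2.840.10045.3.1.7"):
        print(assess_certificate(sample_certificate(c)))
```

To run this against a real key, export the certificate from the Java keystore with `keytool -exportcert` (DER by default, PEM with `-rfc`), feed the bytes to `assess_certificate` (via `pem_to_der` for PEM), and compare the reported curve with what your peers and your JDK's TLS configuration accept.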