Java Cryptography Extension (JCE) unlimited strength policy files

This is not necessary for newer JDK versions. If you see limited and unlimited folders under jre/lib/security/policy, then your JDK is generally set up for it.

Problem

java.security.InvalidKeyException: Illegal key size or default parameters  OR

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure OR

Unable to reach a settlement: [aes128-cbc, aes128-ctr, blowfish-cbc, cast128-cbc, cast128-ctr, idea-cbc, idea-ctr, serpent128-cbc, serpent128-ctr, 3des-cbc, 3des-ctr, twofish128-cbc, twofish128-ctr, arcfour, arcfour128] and [aes256-ctr]].

Solution

Due to import control restrictions by the governments of a few countries, the jurisdiction policy files shipped with the JDK from Sun Microsystems specify that "strong" but limited cryptography may be used. That means the JDK has a deliberate key size restriction by default, so you cannot encrypt with a key longer than 128 bits.

An "unlimited strength" version of these files indicating no restrictions on cryptographic strengths is available for those living in eligible countries (which is most countries). But only the "strong" version can be imported into those countries whose governments mandate restrictions. The JCE framework will enforce the restrictions specified in the installed jurisdiction policy files.

You may also encounter this issue when accessing SSL resources (e.g. RiouxSVN) which use encryption keys with a size greater than the default limit. 

To overcome this restriction you need to download and install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files into the JRE.
  1. Download according to your JRE version:
    1. Java 6 Policy Files
    2. Java 7 Policy Files
    3. Java 8 Policy Files
  2. Unzip into <JRE_HOME>/lib/security (overwrite existing files)
  3. Restart your JVM
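
To confirm which policy the restarted JVM actually enforces, the following diagnostic can be run with the same JRE as the affected application. It is an added example, not part of the original page; the class name JcePolicyCheck is hypothetical, and the assumption that the default JSSE provider omits AES_256 suites under the limited policy is noted in the code.

```java
import java.security.InvalidKeyException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.net.ssl.SSLContext;

/** Added diagnostic (hypothetical class name): reports the JCE policy the running JVM enforces. */
public class JcePolicyCheck {

    /** True when the installed jurisdiction policy permits AES keys of 256 bits or more. */
    static boolean isUnlimited() throws Exception {
        // Integer.MAX_VALUE under the unlimited policy, 128 under the limited one.
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** Tries a real AES-256 init; the limited policy rejects it with InvalidKeyException. */
    static boolean canInitAes256() throws Exception {
        byte[] key = new byte[32]; // constructed all-zero test key, never use for real data
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
            return true;
        } catch (InvalidKeyException e) {
            System.out.println("AES-256 init rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // java.home shows which JRE is in use, i.e. where the policy files must be installed.
        System.out.println("java.version   = " + System.getProperty("java.version"));
        System.out.println("java.home      = " + System.getProperty("java.home"));
        // May be null when the property is not set in the java.security file.
        System.out.println("crypto.policy  = " + Security.getProperty("crypto.policy"));
        System.out.println("max AES bits   = " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("unlimited      = " + isUnlimited());
        System.out.println("AES-256 usable = " + canInitAes256());

        // Assumption: the default JSSE provider omits AES_256 suites when the policy forbids
        // 256-bit keys, so a count of 0 is consistent with the handshake_failure above.
        int aes256 = 0;
        for (String s : SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites()) {
            if (s.contains("AES_256")) aes256++;
        }
        System.out.println("TLS AES_256 suites supported = " + aes256);
    }
}
```

If java.home does not point at the JRE where the files were unzipped, the application is running on a different installation and the policy files need to go there instead.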