When configuring BCJSSE with the default configuration on Java 25, ML-KEM named groups are logged as disabled and are not available.
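
    @Test
    void pqcNamedGroups() throws NoSuchAlgorithmException, IOException {
        System.setProperty("jdk.tls.namedGroups", "X25519MLKEM768");
        // BCJSSE is created with the "default" configuration string; BC is registered separately, after it.
        Security.insertProviderAt(new BouncyCastleJsseProvider("default"), 1);
        Security.addProvider(new BouncyCastleProvider());
        // Creating a socket from the default SSLContext is enough to produce the log output.
        try (final Socket socket = SSLContext.getDefault().getSocketFactory().createSocket()) {
        }
    }
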
When running this with Java 25, the following is logged:

    INFO: Found string system property [jdk.tls.namedGroups]: X25519MLKEM768
    Feb 06, 2026 8:28:23 AM org.bouncycastle.jsse.provider.NamedGroupInfo createCandidates
    WARNING: 'jdk.tls.namedGroups' contains disabled NamedGroup: X25519MLKEM768
    Feb 06, 2026 8:28:23 AM org.bouncycastle.jsse.provider.NamedGroupInfo createCandidates
    SEVERE: 'jdk.tls.namedGroups' contained no usable NamedGroup values

If I pass in BouncyCastleProvider as the Provider for BCJSSE, it works as expected.

    @Test
    void pqcNamedGroups() throws NoSuchAlgorithmException, IOException {
        System.setProperty("jdk.tls.namedGroups", "X25519MLKEM768");
        // BCJSSE is handed a BouncyCastleProvider instance directly instead of the "default" string.
        Security.insertProviderAt(new BouncyCastleJsseProvider(new BouncyCastleProvider()), 1);
        try (final Socket socket = SSLContext.getDefault().getSocketFactory().createSocket()) {
        }
    }

I suspect this is due to the ML-KEM support that was added in Java 24, and that the implementation coming from SunJCE is not compatible with BCJSSE.
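
One way to check the suspicion above, as an added example (not code from the report or from Bouncy Castle): list every registered JCA provider that offers an ML-KEM service, in priority order, and show which provider a plain `getInstance("ML-KEM")` lookup resolves to. It assumes the `"default"` configuration makes BCJSSE resolve algorithms through that provider order; the class and method names are hypothetical.

```java
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class MlKemProviderOrder {

    /** Rows of "priority, provider, service type, algorithm, class" for every ML-KEM service. */
    static List<String> mlKemServices() {
        List<String> rows = new ArrayList<>();
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            for (Provider.Service s : providers[i].getServices()) {
                String alg = s.getAlgorithm().toUpperCase(Locale.ROOT);
                if (alg.contains("ML-KEM") || alg.contains("MLKEM")) {
                    rows.add(String.format("%2d  %-8s %-18s %-12s %s", i + 1,
                            providers[i].getName(), s.getType(), s.getAlgorithm(), s.getClassName()));
                }
            }
        }
        return rows;
    }

    /** Name of the provider that wins an unqualified lookup, or "none" if nothing is registered. */
    static String winner(String type) {
        try {
            return switch (type) {
                case "KeyPairGenerator" -> KeyPairGenerator.getInstance("ML-KEM").getProvider().getName();
                case "KeyFactory" -> KeyFactory.getInstance("ML-KEM").getProvider().getName();
                default -> throw new IllegalArgumentException(type);
            };
        } catch (NoSuchAlgorithmException e) {
            return "none";
        }
    }

    public static void main(String[] args) {
        // Assumption: register the providers exactly as in the failing test before this
        // point (needs the BC jars on the classpath) to inspect that configuration.
        mlKemServices().forEach(System.out::println);
        System.out.println("KeyPairGenerator ML-KEM -> " + winner("KeyPairGenerator"));
        System.out.println("KeyFactory ML-KEM       -> " + winner("KeyFactory"));
    }
}
```

If the unqualified lookups resolve to SunJCE while the BC entries sit lower in the list, that matches the ordering in the first snippet, where `BouncyCastleProvider` is appended after the JDK providers.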