A Java installation by default supports various TLS cipher suites for Java applications that use HTTPS / SSL. Some of these cipher suites are considered weak ("vulnerable") and should not be used in production environments. Examples are the TLS 1.0 and TLS 1.1 protocol versions and the cipher suites tied to them, which are no longer deemed secure and should not be used. Many organizations have already disabled them. However, in some Java installations they might still be enabled by default. This article shows you how to check which TLS cipher suites are currently enabled in your Java installation, and how to manually disable specific ones.
Note: the instructions below are based on a Windows Server with a local Java installation (.exe). They should also work in other environments, but you might need to change how you invoke the java executable.
1. Create a “Ciphers.java” file
Create a new text file called “Ciphers.java” with the following content:
import java.util.Map;
import java.util.TreeMap;
import javax.net.ssl.SSLServerSocketFactory;

public class Ciphers {
    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory ssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();

        // Suites enabled by default versus every suite the JSSE provider could negotiate.
        String[] defaultCiphers = ssf.getDefaultCipherSuites();
        String[] availableCiphers = ssf.getSupportedCipherSuites();

        // Sorted map: suite name -> true if enabled by default, false if merely supported.
        TreeMap<String, Boolean> ciphers = new TreeMap<>();
        for (String suite : availableCiphers) {
            ciphers.put(suite, Boolean.FALSE);
        }
        for (String suite : defaultCiphers) {
            ciphers.put(suite, Boolean.TRUE);
        }

        // Print one line per suite; '*' marks the suites that are enabled by default.
        System.out.println("Default\tCipher");
        for (Map.Entry<String, Boolean> cipher : ciphers.entrySet()) {
            System.out.print(Boolean.TRUE.equals(cipher.getValue()) ? '*' : ' ');
            System.out.print('\t');
            System.out.println(cipher.getKey());
        }
    }
}
2. Execute the “Ciphers.java” file via PowerShell
Then run the following command from the command line (e.g. in PowerShell on Windows). Java 11 and later can run a single source file directly; on older versions, compile it first with javac Ciphers.java and then run java Ciphers:
PS [install-dir-of-java]\bin> .\java.exe Ciphers.java
This will output a list of all cipher suites supported by this local Java installation. An asterisk in the first column marks the suites that are enabled by default; in the output below every supported suite is also enabled:
Default	Cipher
*	TLS_AES_128_GCM_SHA256
*	TLS_AES_256_GCM_SHA384
*	TLS_CHACHA20_POLY1305_SHA256
*	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
*	TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
*	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
*	TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
*	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
*	TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
*	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
*	TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
*	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
*	TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
*	TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
*	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
*	TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
*	TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
*	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
*	TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
*	TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
*	TLS_EMPTY_RENEGOTIATION_INFO_SCSV
*	TLS_RSA_WITH_AES_128_CBC_SHA
*	TLS_RSA_WITH_AES_128_CBC_SHA256
*	TLS_RSA_WITH_AES_128_GCM_SHA256
*	TLS_RSA_WITH_AES_256_CBC_SHA
*	TLS_RSA_WITH_AES_256_CBC_SHA256
*	TLS_RSA_WITH_AES_256_GCM_SHA384
3. (Optional) Disable certain SSL cipher suites in Java
If you wish to disable a certain cipher suite, edit the file conf\security\java.security under the Java installation directory and look for the jdk.tls.disabledAlgorithms line. Here you can add individual protocol versions and cipher suites to disable; the property is read once at JSSE initialization, so restart the JVM afterwards. The example below disables common weak protocols and cipher suites. Note that the JDK's protocol name for TLS 1.0 is TLSv1 (not TLSv1.0); an entry that does not match a JDK name is silently ignored.
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, \
    MD5withRSA, \
    DH keySize < 2048, \
    EC keySize < 224, \
    3DES_EDE_CBC, \
    anon, \
    NULL, \
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, \
    TLS_DHE_RSA_WITH_AES_256_CBC_SHA, \
    TLS_DHE_DSS_WITH_AES_256_CBC_SHA, \
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, \
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
    TLS_DHE_DSS_WITH_AES_128_CBC_SHA, \
    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, \
    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, \
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \
    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, \
    TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
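After editing java.security you will want to confirm that the change actually took effect in the running JVM, and the Ciphers program above only reports cipher suites, not protocol versions. The following program is an added example (not part of the original article) that prints the effective jdk.tls.disabledAlgorithms value, compares the default protocols and cipher suites against a policy, and exits non-zero on any violation so it can be used from a deployment script. The class name TlsPolicyCheck and the two policy sets are assumptions chosen for this example; the DHE suites listed are taken from the java.security example above.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class TlsPolicyCheck {

    // Protocol versions that must not be enabled by default (policy constructed for this example;
    // these are the JDK's own protocol names, so "TLSv1" is TLS 1.0).
    static final Set<String> LEGACY_PROTOCOLS =
        new HashSet<>(Arrays.asList("SSLv3", "TLSv1", "TLSv1.1"));

    // Cipher suites we expect to be gone after the java.security change (a subset of the DHE
    // suites from the example above; extend to match your own disabled list).
    static final Set<String> EXPECTED_DISABLED = new HashSet<>(Arrays.asList(
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256"));

    /** Returns every entry of 'enabled' that the policy says should not be enabled. */
    static List<String> findViolations(String[] enabled, Set<String> unwanted) {
        List<String> hits = new ArrayList<>();
        for (String name : enabled) {
            if (unwanted.contains(name)) {
                hits.add(name);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // The effective property value, i.e. what java.security (plus any overlay passed with
        // -Djava.security.properties=<file>) resolved to for this JVM.
        System.out.println("jdk.tls.disabledAlgorithms = "
            + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // Default parameters are what a plain HttpsURLConnection/SSLSocket would use;
        // supported parameters are everything the provider could negotiate if asked.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters defaults = ctx.getDefaultSSLParameters();

        System.out.println("Supported protocols: " + Arrays.toString(supported.getProtocols()));
        System.out.println("Default protocols:   " + Arrays.toString(defaults.getProtocols()));
        System.out.println("Default cipher suites: " + defaults.getCipherSuites().length
            + " of " + supported.getCipherSuites().length + " supported");

        List<String> badProtocols = findViolations(defaults.getProtocols(), LEGACY_PROTOCOLS);
        List<String> badSuites = findViolations(defaults.getCipherSuites(), EXPECTED_DISABLED);

        for (String p : badProtocols) {
            System.out.println("VIOLATION: legacy protocol still enabled by default: " + p);
        }
        for (String s : badSuites) {
            System.out.println("VIOLATION: cipher suite still enabled by default: " + s);
        }

        boolean ok = badProtocols.isEmpty() && badSuites.isEmpty();
        System.out.println(ok ? "TLS policy check passed" : "TLS policy check FAILED");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it the same way as Ciphers.java (.\java.exe TlsPolicyCheck.java from the JDK's bin directory). Because jdk.tls.disabledAlgorithms is read when the JSSE is initialized, run this in a fresh JVM after editing java.security; if you cannot edit the installation's file, the standard JDK option -Djava.security.properties=<file> lets you overlay the property from a separate file for a single JVM, and this program will show the merged result.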