Java: get all enabled TLS cipher suites on Windows via PowerShell

A Java installation supports a number of TLS cipher suites by default, and Java applications that use HTTPS / SSL negotiate from that set. Some of these cipher suites, and some protocol versions, are considered weak and should not be used in production environments. The TLS 1.0 and TLS 1.1 protocol versions are the best-known examples: they are deemed no longer secure and should not be used. Many organizations have already disabled them, but in some Java installations they may still be enabled by default. This article shows you how to check which TLS cipher suites are currently enabled in your Java installation, and how to manually disable specific cipher suites or protocol versions.

Note: the instructions below are based on a Windows Server with a local Java installation (.exe). They should also work in other environments, but you may need to change how you invoke the java executable.

1. Create a “Ciphers.java” file

Create a new text file called “Ciphers.java” with the following content:

import java.util.Map;
import java.util.TreeMap;
import javax.net.ssl.SSLServerSocketFactory;

public class Ciphers
{
    public static void main(String[] args)
        throws Exception
    {
        // The default factory reflects the JVM-wide JSSE configuration,
        // including jdk.tls.disabledAlgorithms from java.security.
        SSLServerSocketFactory ssf = (SSLServerSocketFactory)SSLServerSocketFactory.getDefault();

        // Suites enabled by default versus every suite the provider can offer.
        String[] defaultCiphers = ssf.getDefaultCipherSuites();
        String[] availableCiphers = ssf.getSupportedCipherSuites();

        // Sorted map: suite name -> true when the suite is enabled by default.
        TreeMap<String, Boolean> ciphers = new TreeMap<>();

        for (String cipher : availableCiphers)
            ciphers.put(cipher, Boolean.FALSE);

        for (String cipher : defaultCiphers)
            ciphers.put(cipher, Boolean.TRUE);

        // A leading '*' marks the suites that are enabled by default.
        System.out.println("Default\tCipher");
        for (Map.Entry<String, Boolean> cipher : ciphers.entrySet()) {
            if (Boolean.TRUE.equals(cipher.getValue()))
                System.out.print('*');
            else
                System.out.print(' ');

            System.out.print('\t');
            System.out.println(cipher.getKey());
        }
    }
}

2. Execute the “Ciphers.java” file via PowerShell

Then run the following command from the command line (e.g. in PowerShell on Windows). Running a .java file directly like this uses the JDK's source-file mode, which requires JDK 11 or newer; on older JDKs, compile it first with javac Ciphers.java and then run java Ciphers:

PS [install-dir-of-java]\bin> .\java.exe Ciphers.java

This prints every cipher suite the local Java installation supports; a leading * marks the suites that are enabled by default:

Default Cipher
*       TLS_AES_128_GCM_SHA256
*       TLS_AES_256_GCM_SHA384
*       TLS_CHACHA20_POLY1305_SHA256
*       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
*       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
*       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
*       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
*       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
*       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
*       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
*       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
*       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
*       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
*       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
*       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
*       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
*       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
*       TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
*       TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
*       TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
*       TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
*       TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
*       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
*       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
*       TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
*       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
*       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
*       TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
*       TLS_EMPTY_RENEGOTIATION_INFO_SCSV
*       TLS_RSA_WITH_AES_128_CBC_SHA
*       TLS_RSA_WITH_AES_128_CBC_SHA256
*       TLS_RSA_WITH_AES_128_GCM_SHA256
*       TLS_RSA_WITH_AES_256_CBC_SHA
*       TLS_RSA_WITH_AES_256_CBC_SHA256
*       TLS_RSA_WITH_AES_256_GCM_SHA384
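
The listing above shows suite names only, and the article's motivation (TLS 1.0 / TLS 1.1) is a matter of protocol versions, which the Ciphers program does not print. The following program is an added example, not code from the article or from the JDK: it reads the same JVM-wide defaults through SSLContext, prints the enabled protocol versions, and attaches to each enabled suite the findings a reviewer would raise (no forward secrecy, CBC mode, SHA-1 MAC, legacy ciphers). The classification rules in findings() are this example's own heuristics derived from the suite name, not a JSSE API.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (not part of the original article): audits the JVM-wide JSSE
// defaults, i.e. the enabled protocol versions and the enabled cipher suites,
// and flags suites with known weaknesses. The rules below are heuristics on
// the suite name, written for this example; they are not a JSSE API.
public class TlsAudit {

    // Returns the findings for one suite name; an empty list means no finding.
    static List<String> findings(String suite) {
        List<String> out = new ArrayList<>();
        // TLS 1.3 suites carry no key-exchange part and are all AEAD.
        if (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_")) {
            return out;
        }
        int with = suite.indexOf("_WITH_");
        if (with < 0) {
            return out;                        // e.g. TLS_EMPTY_RENEGOTIATION_INFO_SCSV
        }
        // Strip the 4-character TLS_ / SSL_ prefix to get the key-exchange part.
        String keyExchange = suite.substring(4, with);
        if (keyExchange.contains("anon")) {
            out.add("anonymous key exchange");
        } else if (keyExchange.equals("RSA")
                || keyExchange.startsWith("ECDH_")
                || keyExchange.startsWith("DH_")) {
            out.add("no forward secrecy");     // static RSA or static (EC)DH
        }
        if (suite.contains("_NULL_")) {
            out.add("no encryption");
        }
        if (suite.contains("_CBC_")) {
            out.add("CBC mode, not AEAD");
        }
        if (suite.contains("_RC4_") || suite.contains("_DES_") || suite.contains("_3DES_")) {
            out.add("legacy cipher");
        }
        if (suite.endsWith("_SHA") || suite.endsWith("_MD5")) {
            out.add("SHA-1/MD5 MAC");
        }
        return out;
    }

    // True when the enabled protocol list still contains a version that the
    // article recommends disabling.
    static boolean allowsLegacyProtocols(String[] protocols) {
        for (String p : protocols) {
            if (p.equals("SSLv3") || p.equals("TLSv1") || p.equals("TLSv1.1")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // getDefault() reflects java.security, including jdk.tls.disabledAlgorithms.
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();

        String[] protocols = params.getProtocols();
        System.out.println("Enabled protocols: " + Arrays.toString(protocols));
        System.out.println(allowsLegacyProtocols(protocols)
                ? "WARNING: SSLv3/TLSv1/TLSv1.1 still enabled"
                : "OK: only TLS 1.2 and newer enabled");

        System.out.println();
        System.out.println("Cipher suite\tFindings");
        for (String suite : params.getCipherSuites()) {
            List<String> f = findings(suite);
            System.out.println(suite + "\t" + (f.isEmpty() ? "-" : String.join(", ", f)));
        }
    }
}
```

Run it the same way as Ciphers.java (.\java.exe TlsAudit.java). Against the listing above it flags the TLS_RSA_* and TLS_ECDH_* suites for lacking forward secrecy and every *_CBC_* suite for not being AEAD, which is the usual basis for deciding what to put into jdk.tls.disabledAlgorithms.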

3. (Optionally) Disable certain SSL ciphers or protocol versions in Java

If you wish to disable a certain cipher suite or protocol version, edit the java.security file in the conf\security directory of the Java installation (on Java 8 the file is jre\lib\security\java.security) and look for the line starting with jdk.tls.disabledAlgorithms. The value is a comma-separated list of entries to disable; a trailing backslash continues the value on the next line. The value you set replaces the JDK's default list entirely, so keep the default entries when adding your own. Protocol versions must be written with their JSSE names (SSLv3, TLSv1, TLSv1.1): a token such as TLSv1.0 matches nothing and leaves TLS 1.0 enabled. The example below disables common weak TLS protocol versions and cipher suites.

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, \
            MD5withRSA,                          \
            DH keySize < 2048,                   \
            EC keySize < 224,                    \
            3DES_EDE_CBC,                        \
            anon,                                \
            NULL,                                \
            TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, \
            TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, \
            TLS_DHE_RSA_WITH_AES_256_CBC_SHA,    \
            TLS_DHE_DSS_WITH_AES_256_CBC_SHA,    \
            TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, \
            TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, \
            TLS_DHE_RSA_WITH_AES_128_CBC_SHA,    \
            TLS_DHE_DSS_WITH_AES_128_CBC_SHA,    \
            TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, \
            TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, \
            TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, \
            TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, \
            TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
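
After editing java.security, it is worth verifying that the entries actually took effect rather than trusting the edit. The following program is an added example, not code from the article or from the JDK. It applies a set of extra jdk.tls.disabledAlgorithms entries programmatically with Security.setProperty, which has the same effect as the file edit for that one process, and then checks that none of the disabled protocol versions or suites survive in the JVM's TLS defaults. The suite names in EXTRA_DISABLED are chosen for this example from the listing in step 2; JSSE reads the property once, when it builds its algorithm constraints, so the property must be set before any SSLContext, SSLSocket or HttpsURLConnection is created in the process.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (not part of the original article): applies extra
// jdk.tls.disabledAlgorithms entries at startup and verifies that the JVM's
// TLS defaults no longer contain them. Set the property before any TLS
// object is created; JSSE reads it once and does not re-read it later.
public class DisabledAlgorithmsCheck {

    // Entries to add for this check (example values, chosen from the step 2
    // listing). The JDK's current list is kept so that nothing already
    // disabled becomes enabled again.
    static final List<String> EXTRA_DISABLED = Arrays.asList(
            "TLSv1", "TLSv1.1",
            "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA");

    // Merges the current property value with the extra entries, skipping
    // entries that are already present.
    static String mergedDisabledAlgorithms(String current, List<String> extra) {
        Set<String> present = new HashSet<>();
        List<String> entries = new ArrayList<>();
        if (current != null && !current.trim().isEmpty()) {
            entries.add(current.trim());
            present.addAll(Arrays.asList(current.trim().split("\\s*,\\s*")));
        }
        for (String e : extra) {
            if (present.add(e)) {
                entries.add(e);
            }
        }
        return String.join(", ", entries);
    }

    // Returns every name from 'disabled' that still appears in 'enabled'.
    static List<String> stillEnabled(List<String> disabled, String[] enabled) {
        Set<String> enabledSet = new HashSet<>(Arrays.asList(enabled));
        List<String> out = new ArrayList<>();
        for (String d : disabled) {
            if (enabledSet.contains(d)) {
                out.add(d);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        String merged = mergedDisabledAlgorithms(current, EXTRA_DISABLED);
        Security.setProperty("jdk.tls.disabledAlgorithms", merged);
        System.out.println("jdk.tls.disabledAlgorithms = " + merged);

        // First TLS object in this process: JSSE now reads the property.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);           // default key and trust managers
        SSLParameters params = ctx.getDefaultSSLParameters();

        List<String> leaked = new ArrayList<>();
        leaked.addAll(stillEnabled(EXTRA_DISABLED, params.getProtocols()));
        leaked.addAll(stillEnabled(EXTRA_DISABLED, params.getCipherSuites()));

        System.out.println("Enabled protocols: " + Arrays.toString(params.getProtocols()));
        System.out.println("Enabled suites:    " + params.getCipherSuites().length);
        if (leaked.isEmpty()) {
            System.out.println("OK: every listed entry is disabled");
        } else {
            System.out.println("FAIL: still enabled: " + leaked);
            System.exit(1);
        }
    }
}
```

To test a candidate java.security change without touching the JDK's own file, put only the jdk.tls.disabledAlgorithms line into a separate properties file and start the JVM with -Djava.security.properties=<path-to-that-file>; the entries from that file override the installed java.security, and running Ciphers.java or the check above under the same option shows the resulting suite list.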

By Leendert de Borst

Freelance software architect with 10+ years of experience. Expert in translating complex technical problems into creative & simple solutions.
