Question: What security protocols and cipher suites are available or enabled by default in a specific Java Release? For example:
zulu8.50.0.51 build jdk1.8.0_275-b01
Answer:
Zulu 8.50.0.51 is an OpenJDK 8 release of 1.8.0_275, sometimes also written as 8u275.
Officially OpenJDK 1.8.0_275 implements the following protocols (see output below for cipher suites):
- SSLv2Hello
- SSLv3
- TLSv1
- TLSv1.1
- TLSv1.2
To check the security protocols available and those enabled by default in any Java release, you can use the following "ProtocolTest.java" code (also attached).
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLSocketFactory;
import java.security.NoSuchAlgorithmException;
public class ProtocolTest {
public static void main(String[] args) throws Exception {
SSLContext context = SSLContext.getInstance("TLS");
context.init(null,null,null);
SSLSocketFactory factory = (SSLSocketFactory)context.getSocketFactory();
SSLSocket socket = (SSLSocket)factory.createSocket();
String[] protocols = socket.getSupportedProtocols();
System.out.println("Supported Protocols: " + protocols.length);
for(int i = 0; i < protocols.length; i++) {
System.out.println(" " + protocols[i]);
}
protocols = socket.getEnabledProtocols();
System.out.println("\nEnabled Protocols: " + protocols.length);
for(int i = 0; i < protocols.length; i++) {
System.out.println(" " + protocols[i]);
}
System.out.println("\nSupported Cipher Suites: ");
try {
String[] ciphers = SSLContext.getDefault().getSocketFactory().getSupportedCipherSuites();
for (int i = 1; i < ciphers.length; i++) {
System.out.println(" " + i + ". " + ciphers[i]);
}
} catch (NoSuchAlgorithmException e) {
System.out.println("Failed to get default TLS context.");
}
}
}
Notice the difference between available protocols (supported protocols) and actually enabled by default protocols. For example:
$ javac ProtocolTest.java
$ java ProtocolTest
Supported Protocols: 6
TLSv1.3
TLSv1.2
TLSv1.1
TLSv1
SSLv3
SSLv2Hello
Enabled Protocols: 1
TLSv1.2
Supported Cipher Suites:
1. TLS_AES_256_GCM_SHA384
2. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
3. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
4. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
5. TLS_RSA_WITH_AES_256_GCM_SHA384
6. TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
7. TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
8. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
9. TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
10. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
11. TLS_RSA_WITH_AES_128_GCM_SHA256
12. TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
13. TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
14. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
15. TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
16. TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
17. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
18. TLS_RSA_WITH_AES_256_CBC_SHA256
19. TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
20. TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
21. TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
22. TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
23. TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
24. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
25. TLS_RSA_WITH_AES_256_CBC_SHA
26. TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
27. TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
28. TLS_DHE_RSA_WITH_AES_256_CBC_SHA
29. TLS_DHE_DSS_WITH_AES_256_CBC_SHA
30. TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
31. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
32. TLS_RSA_WITH_AES_128_CBC_SHA256
33. TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
34. TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
35. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
36. TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
37. TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
38. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
39. TLS_RSA_WITH_AES_128_CBC_SHA
40. TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
41. TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
42. TLS_DHE_RSA_WITH_AES_128_CBC_SHA
43. TLS_DHE_DSS_WITH_AES_128_CBC_SHA
44. TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Please also note the differences between server-side TLS 1.3 and client-side TLS 1.3 on Java 8. See https://bugs.openjdk.org/browse/JDK-8248721 for details.
Add Comment
Comments
Article is closed for comments.