JDK-8162787 (sub-task of JDK-8162362: Introduce system property to control enabled ciphersuites)

Document the customization of the default enabled cipher suites via system properties


    Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 10
    • Component/s: docs

      Description

      jdk.tls.client.cipherSuites:
      ----------------------------
      This system property contains a comma-separated list of supported cipher suite names specifying the client side default enabled cipher suites. All other supported cipher suites are disabled for this default setting. Unrecognized or unsupported cipher suite names specified in the property are ignored. Explicit setting of enabled cipher suites will override this system property.
       
       
      jdk.tls.server.cipherSuites:
      ----------------------------
      This system property contains a comma-separated list of supported cipher suite names specifying the server side default enabled cipher suites. This has the same syntax and behavior as the jdk.tls.client.cipherSuites system property.
       
      Please refer to "Java Cryptography Architecture Standard Algorithm Name Documentation" for the standard JSSE cipher suite names, and "Java Cryptography Architecture Oracle Providers Documentation" for the cipher suite names supported by the SunJSSE provider.
       
       
      Applications can explicitly set the enabled cipher suites with:
      1. SSLSocket.setEnabledCipherSuites(String[])
      2. SSLEngine.setEnabledCipherSuites(String[])
      3. SSLServerSocket.setEnabledCipherSuites(String[])
      4. SSLParameters(String[] cipherSuites)
      5. SSLParameters(String[] cipherSuites, String[] protocols)
      6. SSLParameters.setCipherSuites(String[])
      7. "https.cipherSuites" system property for HttpsURLConnection
       
       
      The system properties "jdk.tls.client.cipherSuites" and "jdk.tls.server.cipherSuites" define the customized default enabled cipher suites for the client side and the server side, respectively.
       
      Each JSSE provider has its own provider default enabled cipher suites too.
       
      There are three mechanisms in total for determining the enabled cipher suites. The order of preference is (most preferred first):
      1. explicit setting
      2. customized default
      3. provider default
       
      Explicit setting overrides the customized default and the provider default enabled cipher suites. The customized default overrides the provider default enabled cipher suites.
       
      Note that the actual use of enabled cipher suites is restricted by algorithm constraints.
       
      Note that this system property is currently supported by the JDK Reference implementation. It is not guaranteed to be supported by other implementations.

      Warning: the system property can be used to configure weak cipher suites, or the configured cipher suites may become weak in the future. We do not recommend using the system property unless you know what you're doing. Use it at your own risk.
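
The following added example (not part of the original issue or the JDK documentation) audits the precedence described above: it prints the customized default produced by jdk.tls.client.cipherSuites, lists configured names that were ignored, and shows an explicit setting overriding the default. The class name, the helper `dropped`, and the sample suite list (including the bogus name) are constructed for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class CipherSuiteDefaults {
    // Hypothetical helper: names listed in the property that are absent from the effective list.
    static List<String> dropped(String property, String[] effective) {
        List<String> enabled = Arrays.asList(effective);
        List<String> missing = new ArrayList<>();
        for (String name : property.split(",")) {
            String n = name.trim();
            if (!n.isEmpty() && !enabled.contains(n)) missing.add(n);
        }
        return missing;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample value; NOT_A_REAL_SUITE is a deliberately unrecognized name.
        String configured = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,NOT_A_REAL_SUITE";
        // Assumption: the provider reads the property once when JSSE initializes, so it is
        // set before any JSSE class is touched. In deployment this is normally a -D option.
        System.setProperty("jdk.tls.client.cipherSuites", configured);

        SSLContext ctx = SSLContext.getDefault();

        // Mechanism 2, customized default: no explicit setting has been made yet.
        String[] defaults = ctx.getDefaultSSLParameters().getCipherSuites();
        System.out.println("customized default: " + Arrays.toString(defaults));
        System.out.println("ignored names:      " + dropped(configured, defaults));

        // Mechanism 1, explicit setting: overrides the customized default for this engine only.
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        System.out.println("engine default:     " + Arrays.toString(engine.getEnabledCipherSuites()));
        SSLParameters params = engine.getSSLParameters();
        params.setCipherSuites(new String[] {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"});
        engine.setSSLParameters(params);
        System.out.println("engine explicit:    " + Arrays.toString(engine.getEnabledCipherSuites()));
    }
}
```

Running the same class without the property set shows the provider default (mechanism 3) in the first line of output, which makes the difference between the three lists easy to compare during a configuration review.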

            People

            Assignee:
            rgallard Raymond Gallardo
            Reporter:
            xuelei Xue-Lei Fan