Fix Version/s: 13
Compatibility Risk Description: No compatibility risk. New command.
Interface Kind: add/remove/modify command line option
Add a new keytool -showinfo -tls command to display TLS configuration information.
TLS configuration information (such as the enabled cipher suites, their preference order, and the enabled protocols) is very useful to both users and administrators. It varies with the JDK release or update installed on the system and with any changes made to the java.security file to restrict cipher suites or protocols. Previously we documented the enabled suites and protocols in the JSSE security guide, but that has proven to be a moving target that is difficult to keep up to date as additional weak cipher suites are restricted, often in update releases. Showing the information in keytool therefore seems to be the best solution.
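As an added illustration (not part of this CSR or of the JDK's keytool source), the following Java program queries the same information through the public JSSE API: the protocols and cipher suites enabled in the default SSLContext, the supported suites and protocols that are currently switched off, and the jdk.tls.disabledAlgorithms security property that drives most of those restrictions. Running it under different JDK updates, or with a java.security fragment supplied through -Djava.security.properties, shows the variation described above.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Prints the effective TLS configuration of the running JDK (added example). */
public class TlsConfigReport {

    /** Entries of {@code all} that are not present in {@code subset}, preserving order. */
    static Set<String> difference(String[] all, String[] subset) {
        Set<String> result = new LinkedHashSet<>(Arrays.asList(all));
        result.removeAll(Arrays.asList(subset));
        return result;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // The default context is built by the installed JSSE provider and already
        // honours java.security restrictions such as jdk.tls.disabledAlgorithms.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        System.out.println("Java runtime: " + System.getProperty("java.runtime.version"));

        // Protocols enabled by default, in the order the provider reports them.
        System.out.println("\nEnabled protocols:");
        for (String p : enabled.getProtocols()) {
            System.out.println("  " + p);
        }

        // Cipher suites enabled by default. The array order is the preference order
        // used when the application does not override the suite list itself.
        System.out.println("\nEnabled cipher suites (preference order):");
        for (String cs : enabled.getCipherSuites()) {
            System.out.println("  " + cs);
        }

        // Suites and protocols the provider implements but has switched off: the gap
        // between "supported" and "enabled" is exactly what a restrictive java.security
        // file, or a newer update release, takes away.
        System.out.println("\nSupported but disabled protocols:");
        for (String p : difference(supported.getProtocols(), enabled.getProtocols())) {
            System.out.println("  " + p);
        }
        System.out.println("\nSupported but disabled cipher suites:");
        for (String cs : difference(supported.getCipherSuites(), enabled.getCipherSuites())) {
            System.out.println("  " + cs);
        }

        // The security property behind most of these restrictions, as the runtime sees it.
        System.out.println("\njdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
    }
}
```

Compile and run with javac TlsConfigReport.java followed by java TlsConfigReport. To observe a restriction taking effect, run it again with -Djava.security.properties=extra.security, where extra.security (a placeholder file name) sets jdk.tls.disabledAlgorithms; the suites and protocols that move from the enabled list to the disabled list are the ones the override removed.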
While keytool has historically been a tool for managing keys and certificates, we think it can also be a home for this new function because (1) TLS is closely related to keys and certificates, and the users of TLS and of keytool are largely the same people, and (2) keytool is the only security-related tool in java.base, and we do not think it is worth creating a separate tool for the new function.
Add a new keytool command -showinfo to display security-related information about the current JDK. An option selects what kind of information to print. The first such option is -tls, which displays the TLS configuration.
keytool -help will show a new command:
 -showinfo           Displays security-related information
keytool -help -showinfo will show its available options:
keytool -showinfo [OPTION]...

Displays security-related information

Options:

 -tls                Displays TLS configuration information
 -v                  verbose output
The exact output format of keytool -showinfo -tls is not specified here and could evolve in future releases.