
How can I disable insecure 112 bit cipher suite in a java application server, specifically these ones:

TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

I have edited the java.security file and added jdk.tls.disabledAlgorithms=SSLv3, MD5withRSA, DH keySize < 2048, but still these algorithms are listed.

I also want to prevent downgrade attacks by disabling TLS_FALLBACK_SCSV.

How can I do this?

  • @Jean-FrançoisSavard It's a Java server that I programmed. – jgm Apr 13 '16 at 17:46
  • You'll need to explain what the SSL server is that you're using; for example, the settings you modified in the java.security just prevent the normal Java connections from using them. However, if you're using another SSL library (like bouncy castle) then there will be a different way of specifying the valid suites. – AlBlue Apr 14 '16 at 22:14

1 Answer


This did the work. Edited the java.security file and added jdk.tls.disabledAlgorithms=SSLv3, DESede, DES, DH keySize < 2048

These names are defined in the cryptographic providers documentation, in case you need to disable any others.

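An added example, not code from the question or the answer above, showing the same hardening applied from inside a Java server and a check that the 3DES suites are really gone. It sets jdk.tls.disabledAlgorithms programmatically with the value the answer uses (this only works if it runs before the JVM initialises its first SSLContext, because JSSE reads the property once at class-initialisation time; editing java.security avoids that ordering problem), lists the JSSE default cipher suites afterwards, and fails loudly if any 3DES or single-DES suite survives. The restrictServerSocket helper is a second, independent control that filters a server socket's enabled suites directly, so a stale or overridden java.security cannot silently re-enable them; the protocol list it sets and the absence of a server key store in the demo context are assumptions of this example. Note that TLS_FALLBACK_SCSV is not a cipher suite to disable: it is the signalling value from RFC 7507 that protects against protocol downgrade, and a server should keep honouring it.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

public class CipherSuiteHardening {

    // Same value the answer puts in java.security. Setting it here only takes
    // effect if this runs before any SSLContext is created in this JVM.
    static final String DISABLED = "SSLv3, DESede, DES, DH keySize < 2048";

    /** Returns the suites from the given list that use 3DES (112-bit) or single DES. */
    static List<String> weakDesSuites(String[] suites) {
        return Arrays.stream(suites)
                .filter(s -> s.contains("3DES") || s.contains("_DES_"))
                .collect(Collectors.toList());
    }

    /** Applies DISABLED and returns the JSSE default enabled cipher suites. */
    static String[] enabledAfterHardening() throws Exception {
        Security.setProperty("jdk.tls.disabledAlgorithms", DISABLED);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Assumption: demo only, so default key and trust managers; a real
        // server would pass its own KeyManager[] here.
        ctx.init(null, null, null);
        return ctx.getDefaultSSLParameters().getCipherSuites();
    }

    /**
     * Defense in depth: restrict a server socket explicitly, independent of
     * java.security. Drops 3DES, DES, RC4 and NULL suites and, as an
     * assumption of this example, allows only TLS 1.2.
     */
    static void restrictServerSocket(SSLServerSocket server) {
        String[] allowed = Arrays.stream(server.getEnabledCipherSuites())
                .filter(s -> !s.contains("3DES") && !s.contains("_DES_")
                          && !s.contains("_RC4_") && !s.contains("_NULL_"))
                .toArray(String[]::new);
        server.setEnabledCipherSuites(allowed);
        server.setEnabledProtocols(new String[] {"TLSv1.2"});
    }

    public static void main(String[] args) throws Exception {
        String[] suites = enabledAfterHardening();
        List<String> weak = weakDesSuites(suites);
        System.out.println("Enabled suites: " + suites.length);
        System.out.println("3DES/DES suites still enabled: " + weak);
        if (!weak.isEmpty()) {
            throw new IllegalStateException(
                "DESede/DES still enabled; is jdk.tls.disabledAlgorithms overridden?");
        }
    }
}
```

To confirm the change from the outside once the server is running, connect with OpenSSL and ask for only a 3DES suite, for example `openssl s_client -connect host:port -cipher DES-CBC3-SHA` (the OpenSSL name for TLS_RSA_WITH_3DES_EDE_CBC_SHA) or `-cipher ECDHE-RSA-DES-CBC3-SHA`; a hardened server answers with a handshake failure instead of completing the connection.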