Disabling TLSv1.0 in java8

I'm trying to disable TLSv1.0 in Java 8

I have included TLSv1.0 in the following line as follow in the JRE/lib/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH, TLSv1.0

still, I'm getting the ciphers from the TLSv1.0 when I tested, but when I configured other versions like TLSv1.1, I was able to successfully remove the respective ciphers

What might be the issue for this ?

Is there is any way to remove a specific ciphers in JRE level?

4

Best Answer

You can disable TLSv1 and whatever ciphers you want using command line args, like so:

java -Djava.security.properties=disabled_tlsv1.properties

The file disabled_tlsv1.properties has a list of ciphers to disable, and supports protocols as well, e.g. TLSv1. The rest of the ciphers I list below are deemed insecure for TLSv1.1.

This still leaves TLSv1.1 workable though, as some ciphers for it are still enabled. Note that you can also do this in the JRE itself, to affect the entire server if you prefer, as detailed in the question itself.

disabled_tlsv1.properties

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768,TLSv1,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA

A git repo showing this, and how to verify that TLSv1 is disabled can be found here

Replace TLSv1.0 with TLSv1:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH, TLSv1

How to test?

openssl s_client -connect ip:port -tls1

for the first part question I was able to disable TLSv1.0 by modifying the line as below(used TLSv1 instead of TLSv1.0)

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH, TLSv1

but I still want to get to know, is there are any possibilities that I can disable an entire cipher suite in JRE level, for example, removing below 3 ciphers

> RSA_WITH_3DES_EDE_CBC_SHA> RSA_WITH_AES_128_CBC_SHA> RSA_WITH_AES_256_CBC_SHA

You could force the client to use a specific protocol by setting the java option 

-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2

Or if are looking for disabling a specific cipher you could try setting

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

in java.security file

Random Posts

How to trigger XL Release task from Jenkins ? Is it possible?What’s the best way to reload / refresh an iframe?How to use Standalone Components, Pipes, or Directives in feature modulesCSS flexbox spacing issues with gap propertyCan AWS Eventbridge be used to pass SQS message to other AWS services?How can I get a "clean" list all currently banned IPs on fail2ban? One line per IPMake python code function as microphone using pyttsx3? [closed]python [:] notation and rangeRebuild IntelliJ project indexesAttributeError: 'str' object has no attributeWhat is the function of a Spring server in RoR?side-by-side subfigure in SharelatexError in sample.split in R, 'SplitRatio' parameter has to be i [0, 1]Java Heap Dump : How to find the objects/class that is taking memory by 1. io.netty.buffer.ByteBufUtil 2. byte[] arrayCannot find /lib/libc.so.6Clear an input field with Reactjs?Fiddler not capturing traffic from browsersMerge stashed change with current changesHow to encode a JWT in pythonCannot determine module path for source directory