Disabling TLSv1.0 in java8

Asked 16/12, 2016 at 9:59 Answered 7/1, 2019 at 6:3

I'm trying to disable TLSv1.0 in Java 8

I have included TLSv1.0 in the following line as follow in the JRE/lib/security/java.security

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH, TLSv1.0

still, I'm getting the ciphers from the TLSv1.0 when I tested, but when I configured other versions like TLSv1.1, I was able to successfully remove the respective ciphers

What might be the issue for this ?

Is there is any way to remove a specific ciphers in JRE level?

Tiffie answered 16/12, 2016 at 9:59 Comment(0)

You can disable TLSv1 and whatever ciphers you want using command line args, like so:

java -Djava.security.properties=disabled_tlsv1.properties

The file disabled_tlsv1.properties has a list of ciphers to disable, and supports protocols as well, e.g. TLSv1. The rest of the ciphers I list below are deemed insecure for TLSv1.1.

This still leaves TLSv1.1 workable though, as some ciphers for it are still enabled. Note that you can also do this in the JRE itself, to affect the entire server if you prefer, as detailed in the question itself.

disabled_tlsv1.properties

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768,TLSv1,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA

A git repo showing this, and how to verify that TLSv1 is disabled can be found here

Privet answered 22/6, 2018 at 18:34 Comment(0)

Replace TLSv1.0 with TLSv1:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH, TLSv1

How to test?

openssl s_client -connect ip:port -tls1

Myrmidon answered 7/1, 2019 at 6:3 Comment(1)

try to highlight the keywords and be clear with the format it will help to reach out your answer for others – Calcic 7/1, 2019 at 6:22

for the first part question I was able to disable TLSv1.0 by modifying the line as below(used TLSv1 instead of TLSv1.0)

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH, TLSv1

but I still want to get to know, is there are any possibilities that I can disable an entire cipher suite in JRE level, for example, removing below 3 ciphers

>    RSA_WITH_3DES_EDE_CBC_SHA
>      RSA_WITH_AES_128_CBC_SHA
>      RSA_WITH_AES_256_CBC_SHA

Tiffie answered 16/12, 2016 at 15:20 Comment(0)

You could force the client to use a specific protocol by setting the java option

-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2

Or if are looking for disabling a specific cipher you could try setting

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

in java.security file

Epistemology answered 16/12, 2016 at 13:13 Comment(3)

Let's say I want to disable a cipher suite like below, is there is any way to do that ? RSA_WITH_3DES_EDE_CBC_SHA – Tiffie 16/12, 2016 at 15:14

The prefix jdk.certpath indicates that this is used for validating certificate chains, not for TLS as asked – Vigesimal 25/8, 2020 at 20:12

Using -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 doesn't seem to change anything on openjdk 11. – Straphanger 27/4, 2021 at 10:54

disabled_tlsv1.properties

Recommended topics

Hot tags