Disabling TLSv1.0 in java8

I'm trying to disable TLSv1.0 in Java 8

I have included TLSv1.0 in the following line, as follows, in JRE/lib/security/java.security:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH, TLSv1.0

Still, I'm getting the ciphers from TLSv1.0 when I tested, but when I configured other versions like TLSv1.1, I was able to successfully remove the respective ciphers.

What might be the issue for this?

Is there any way to remove specific ciphers at the JRE level?

Prakhash asked Dec 16 '16 09:12
2 Answers

You can disable TLSv1 and whatever ciphers you want using command line args, like so:

java -Djava.security.properties=disabled_tlsv1.properties

The file disabled_tlsv1.properties has a list of ciphers to disable, and supports protocols as well, e.g. TLSv1. The rest of the ciphers I list below are deemed insecure for TLSv1.1.

This still leaves TLSv1.1 workable though, as some ciphers for it are still enabled. Note that you can also do this in the JRE itself, to affect the entire server if you prefer, as detailed in the question itself.

disabled_tlsv1.properties

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768,TLSv1,TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA

A git repo showing this, and how to verify that TLSv1 is disabled, can be found here.

Brad Parks answered Sep 28 '22 18:09

Replace TLSv1.0 with TLSv1:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH, TLSv1

How to test?

openssl s_client -connect ip:port -tls1

wofei answered Sep 28 '22 18:09
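Both answers turn on the same point: SunJSSE spells the protocol "TLSv1", and an unrecognised token such as "TLSv1.0" silently disables nothing. The following check is an added example, not code from the question or either answer: it reads jdk.tls.disabledAlgorithms as the running JRE sees it (from java.security or a -Djava.security.properties override) and flags any protocol token that is either not a name the provider knows or is still in the default enabled list. The class name CheckDisabledProtocols and the hard-coded name list are my own assumptions (Java 8 SunJSSE spelling; TLSv1.3 only exists in later 8u releases).

```java
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Hypothetical helper (not from the page): validates protocol tokens in jdk.tls.disabledAlgorithms.
public class CheckDisabledProtocols {
    // Protocol names as SunJSSE spells them in Java 8 (assumption; TLSv1.3 is 8u261+ only).
    // "TLSv1.0" is deliberately absent: the provider does not know it, which is the question's bug.
    private static final Set<String> KNOWN = new HashSet<>(Arrays.asList(
            "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"));

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        // Names the provider itself reports, merged with the hard-coded list above.
        Set<String> known = new HashSet<>(KNOWN);
        known.addAll(Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        // Protocols a client built from this context would still offer by default.
        Set<String> enabled = new HashSet<>(Arrays.asList(
                ctx.getDefaultSSLParameters().getProtocols()));
        // Value as loaded from java.security or a -Djava.security.properties override.
        String value = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms=" + value);
        if (value == null) {
            System.out.println("property not set: nothing is disabled");
            return;
        }
        int problems = 0;
        for (String raw : value.split(",")) {
            String token = raw.trim();
            // Only protocol tokens are checked; cipher names and constraints
            // such as "DH keySize < 768" are passed over.
            if (!(token.startsWith("TLSv") || token.startsWith("SSLv"))) continue;
            if (!known.contains(token)) {
                System.out.println("BAD  " + token + ": unknown protocol name, disables nothing");
                problems++;
            } else if (enabled.contains(token)) {
                System.out.println("BAD  " + token + ": listed but still enabled by default");
                problems++;
            } else {
                System.out.println("OK   " + token + ": disabled");
            }
        }
        System.exit(problems == 0 ? 0 : 1);
    }
}
```

Run it with the same -Djava.security.properties=disabled_tlsv1.properties flag the first answer uses; a non-zero exit means at least one listed protocol is misspelled or still enabled, and the question's "TLSv1.0" entry is reported as an unknown name.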