Java SSL Server disable weak elliptic curves

Question

So this is the code of my Java ssl Server. ctx is an SSLContext initialised with the server keystore.

public SSLEngine createSSLEngine() {

        SSLEngine sslEngine = ctx.createSSLEngine();

        String[] ciphersuites = new String[]{
                "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
        };

        sslEngine.setEnabledCipherSuites(ciphersuites);

        sslEngine.setUseClientMode(false);

        return sslEngine;
    }

I tested it with cipherscan (https://github.com/jvehent/cipherscan), the ciphersuites look fine, but the server supports all possible elliptic curves (sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, secp192k1, prime192v1, secp224k1, secp224r1, secp256k1, prime256v1, secp384r1, secp521r1).

Is there a way to disable all curves, except the strong ones like secp384r1?

Answer 1

As of Java8 u121 it is possible to configure which elliptic curve are to be used.

Use a parameter at VM startup of your programm i.e.:

-Djdk.tls.namedGroups="secp521r1, secp256r1, secp256k1"

Or if you want a JDK/JRE wide policy alter the java.security file and add the property. i.e.:

jdk.tls.namedGroups=secp521r1, secp256r1, secp256k1

As reference see: http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html paragraph "Improve the default strength of EC in JDK"