So this is the code of my Java ssl Server. ctx
is an SSLContext
initialised with the server keystore.
public SSLEngine createSSLEngine() {
SSLEngine sslEngine = ctx.createSSLEngine();
String[] ciphersuites = new String[]{
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
};
sslEngine.setEnabledCipherSuites(ciphersuites);
sslEngine.setUseClientMode(false);
return sslEngine;
}
I tested it with cipherscan (https://github.com/jvehent/cipherscan), the ciphersuites look fine, but the server supports all possible elliptic curves (sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp160k1, secp160r1, secp160r2, secp192k1, prime192v1, secp224k1, secp224r1, secp256k1, prime256v1, secp384r1, secp521r1).
Is there a way to disable all curves, except the strong ones like secp384r1?
As of Java8 u121 it is possible to configure which elliptic curve are to be used.
Use a parameter at VM startup of your programm i.e.:
-Djdk.tls.namedGroups="secp521r1, secp256r1, secp256k1"
Or if you want a JDK/JRE wide policy alter the java.security file and add the property. i.e.:
jdk.tls.namedGroups=secp521r1, secp256r1, secp256k1
As reference see: http://www.oracle.com/technetwork/java/javase/8u121-relnotes-3315208.html paragraph "Improve the default strength of EC in JDK"
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With