Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Restrict cipher suites on JRE level

Tags:

java

jce

Our Java application exposes a lot of different interfaces (SMTP, FTP, HTTP), secured by SSL/TLS. The goal now is to limit cipher suites allowed on these interfaces to include only "strong" ones. I already have a list and it's clear how to make it working for a particular socket

socket.setEnabledCipherSuites(ENABLED_SECURE_CIPHER_SUITES);

or for Tomcat connector

 <Connector port="443" ciphers="..."/>

The problem is that there are already 5 places in the application where I should apply this limitation manualy. Common SocketFactory does not seem to help, as it's not always feasible to supply custom SocketFactory to third-party API or framework. Is it possible to somehow introduce this limitation on JRE level, e.g. with JCE providers configuration or policy file?

JRE: Oracle JRE 1.7.0_17

like image 818
Jk1 Avatar asked Sep 03 '13 10:09

Jk1


People also ask

How do you restrict a cipher?

Disable RC4/DES/3DES cipher suites in Windows using registry, GPO, or local security settings. You can do this using GPO or Local security policy under Computer configuration -> Administrative Templates -> Network -> SSL Configuration Settings -> SSL Cipher Suite Order. Set this policy to enable.

Which cipher suites should be disabled?

Weak cipher suites should be disabled regardless of SSL/TLS version. Also, yes: disabling versions of SSL/TLS older than TLS 1.2 is highly recommended.


1 Answers

Well, I managed to get that working. Thanks to EJP for pointing in the right direction. Since Java 1.7 there are two additional properties in $JRE_HOME/lib/security/java.security:

jdk.certpath.disabledAlgorithms=MD2

Controls algorithms for certification path building and validation.

jdk.tls.disabledAlgorithms=MD5, SHA1, RC4, RSA keySize < 1024

JVM-wide algorithm restrictions for SSL/TLS processing, the one I was looking for. Notation is quite obvious here; it's possible to disallow certain algorithms or limit key sizes. Both properties are supported in Oracle JRE 7, Open JRE 7 and (surprisingly) IBM Java v7

like image 176
Jk1 Avatar answered Oct 04 '22 03:10

Jk1