Java - How can I disable a TLS cipher for only some protocols using JVM Config?

Question

I\'ve seen lots of examples of disabling TLS ciphers in java using jdk.tls.disabledAlgorithms, for example:

 jdk.tls.disabledAlgorithms=MD2, RSA keySize < 102         


        

Answer 1

Posting my comment as an answer because why not.

Other answers, and every doc I've found online, seems to agree that what you are asking for is not possible to do within Java, not yet at least. You can enable / disable protocols globally, and you can enable / disable cipher types globally, but you cannot do one based on the other.

However, since you are on the DevOps side, maybe a non-Java solution is possible. You could run separate instances of the app, each one having only TLSv1.1, only TLSv1.2 etc. enabled, and apply the desired cipher filter to each one; and then have nginx (or whatever you use) redirect traffic to the appropriate instance depending on the detected protocol.

So, one instance at NODE1 with:

jdk.tls.client.protocols=TLSv1.1
jdk.tls.disabledAlgorithms=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Another instance at NODE2 with:

jdk.tls.client.protocols=TLSv1.2
jdk.tls.disabledAlgorithms=...

And some nginx rules (use return or rewrite as you see fit):

server {
    [...]
    if ( $ssl_protocol = TLSv1.1 ) {
        return 302 $scheme://NODE1.yourhost.com$request_uri;
    }
    if ( $ssl_protocol = TLSv1.2 ) {
        rewrite ^ $scheme://NODE2.yourhost.com$request_uri;
    }

I'm just a Java dev, my experience with nginx is very limited so you might need to tweak the config a bit. Just trying to help.