Java - How can I disable a TLS cipher for only some protocols using JVM Config?

眼角桃花 2021-02-07 03:16

I've seen lots of examples of disabling TLS ciphers in Java using jdk.tls.disabledAlgorithms, for example:

 jdk.tls.disabledAlgorithms=MD2, RSA keySize < 102         


        
3 answers
  •  旧时难觅i
    2021-02-07 04:02

    Edit lib/security/java.security (it could be in a different location depending on your JDK) and add the algorithm to jdk.tls.disabledAlgorithms.

    In addition to that, keySize could be used to restrict weaker algorithms: jdk.tls.disabledAlgorithms=MD2, MD4, MD5, EC keySize < 160, RSA keySize < 2048, DSA keySize < 2048

    I suppose you already know all this and are really looking to have these per version (ideally something like jdk.tls11.disabledAlgorithms); however, I am not aware of any such fine-grained property.

    However, the protocol version could be restricted like this: jdk.tls.client.protocols=TLSv1.1

    If you want to support TLSv1.1 and TLSv1.2, a good strategy would be to support only those algorithms (or adjust the keySize of algorithms) so that they will be strong in both versions of TLS.

    For reference: https://www.java.com/en/configure_crypto.html
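
A way to check what the two properties from the answer above actually leave enabled, as an added example that is not part of the original post. The class name `TlsPolicyCheck` is hypothetical; the algorithm list and protocol names are the ones quoted in the answer, and the code appends to the existing `jdk.tls.disabledAlgorithms` value on the assumption that the JDK's shipped list should stay in force.

```java
import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical class name; added example, not code from the original post.
public class TlsPolicyCheck {
    // Restrictions quoted in the answer above.
    static final String EXTRA =
        "MD2, MD4, MD5, EC keySize < 160, RSA keySize < 2048, DSA keySize < 2048";

    // Append to the current value instead of replacing it: overwriting the
    // property drops every entry the shipped java.security file already has
    // (on current JDKs that list includes legacy protocols and ciphers).
    static String merge(String current, String extra) {
        if (current == null || current.trim().isEmpty()) {
            return extra;
        }
        return current + ", " + extra;
    }

    public static void main(String[] args) throws Exception {
        // Both properties are read when JSSE initialises, so they must be
        // set before the first SSLContext is created.
        String merged = merge(Security.getProperty("jdk.tls.disabledAlgorithms"), EXTRA);
        Security.setProperty("jdk.tls.disabledAlgorithms", merged);
        System.setProperty("jdk.tls.client.protocols", "TLSv1.1,TLSv1.2");

        // Client-side defaults after both filters have been applied.
        SSLParameters params = SSLContext.getDefault().getDefaultSSLParameters();

        System.out.println("Effective jdk.tls.disabledAlgorithms: " + merged);
        System.out.println("Enabled client protocols:");
        for (String protocol : params.getProtocols()) {
            System.out.println("  " + protocol);
        }
        // The suite list is global: a suite removed here is removed for every
        // protocol version. The keySize entries do not change this list; they
        // are enforced on keys and certificates during the handshake.
        System.out.println("Enabled client cipher suites:");
        for (String suite : params.getCipherSuites()) {
            System.out.println("  " + suite);
        }
    }
}
```

A protocol named in jdk.tls.client.protocols that is also listed in jdk.tls.disabledAlgorithms does not appear in the output, because the disabled list takes precedence.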
