Does the JDK/JRE version alone determine the result of SSLSocket.getSupportedProtocols()?

0
votes

Does the JDK/JRE version alone determine the result of SSLSocket.getSupportedProtocols()? Or are there any other configuration/startup parameters that can impact this result?

For example, if an application is running on JDK 1.7 update 21, this method will return [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]. But if the app ran on JDK 1.8, which does not support SSLv3, would this method return only [TLSv1, TLSv1.1, TLSv1.2]?

And I assume the answer to this question applies to the default enabled list as well. For example, in JDK 1.7 update 21, SSLSocket.getEnabledProtocols() by default returns [SSLv3, TLSv1]. So with JDK 1.8, would the default enabled list be [TLSv1.1, TLSv1.2]?

1
javassljsse

1 Answers

2
votes

No.

Prior to Java 7, you just had jdk.certpath.disabledAlgorithms to disable algorithms.

Starting in later versions of Java 7, you also have jdk.tls.disabledAlgorithms. The difference between the two seems to be that jdk.tls.disabledAlgorithms can also restrict TLS/SSL versions.

jdk.tls.legacyAlgorithms also exists. Protocols on this list will only be used after all other allowed protocols have been rejected.

In Java 8u51, the defaults for these (found in Java's lib/security/java.security file) are:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768

jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \
        DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
        DH_RSA_EXPORT, RSA_EXPORT, \
        DH_anon, ECDH_anon, \
        RC4_128, RC4_40, DES_CBC, DES40_CBC