How to disable weak cipher suites in Java

If you want to set up used cipher suites in your Java application, you can do it by property jdk.tls.disabledAlgorithms for TLS ciphers and jdk.certpath.disabledAlgorithms for SSL certificates, in security policy file This file is located in {APP_HOME}/jre/lib/security folder.

If you want to set which TLS will be used, you can do it in the same file via property jdk.tls.client.protocols.

Let’s say, we want to use only TLSv1.2 and only A (strong) grade cipher suites.

jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, DESede, DES, RSA keySize < 2048

Note to disabled algorithms: DESede and DES are disabled to disable 3DES. RSA keySize < 2048, this will disable all RSA with 2048 and less bits.

Keep on mind that there are cipher suites, which are disabled by default, for more information, see this article.

Leave a Reply

Your email address will not be published. Required fields are marked *