Does the JDK/JRE version alone determine the result of SSLSocket.getSupportedProtocols()? Or are there other configuration/startup parameters that can impact the result?
For example, if an application is running on JDK 1.7 update 21, the method will return [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]. If the app is run on JDK 1.8, which does not support SSLv3, will the method return [TLSv1, TLSv1.1, TLSv1.2]?
And I assume the answer to this question applies to the default enabled list as well. For example, in JDK 1.7 update 21, SSLSocket.getEnabledProtocols() by default returns [SSLv3, TLSv1]. In JDK 1.8, is the default enabled list [TLSv1.1, TLSv1.2]?
No.
Prior to Java 7, you had jdk.certpath.disabledAlgorithms to disable algorithms.
Starting in later versions of Java 7, you have jdk.tls.disabledAlgorithms. The difference between the 2 seems to be that jdk.tls.disabledAlgorithms can restrict TLS/SSL versions.
jdk.tls.legacyAlgorithms also exists. Protocols on this list are used after other allowed protocols have been rejected.
In Java 8u51, the defaults for these (found in Java's lib/security/java.security file) are:
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
jdk.tls.legacyAlgorithms= \
        K_NULL, C_NULL, M_NULL, \
        DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
        DH_RSA_EXPORT, RSA_EXPORT, \
        DH_anon, ECDH_anon, \
        RC4_128, RC4_40, DES_CBC, DES40_CBC
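To see what a given runtime actually reports, the following added example (not part of the original question or answer) prints the three security properties named above next to the supported and default-enabled protocol lists of an unconnected SSLSocket. The class name ProtocolReport and the optional command-line override of jdk.tls.disabledAlgorithms are assumptions of this example.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Hypothetical class name; added example, not from the original post.
public class ProtocolReport {
    // The three java.security properties named in the answer.
    static final String[] PROPS = {
        "jdk.certpath.disabledAlgorithms",
        "jdk.tls.disabledAlgorithms",
        "jdk.tls.legacyAlgorithms"
    };

    public static void main(String[] args) throws Exception {
        // Optional override (assumption of this example): pass a replacement value
        // for jdk.tls.disabledAlgorithms as the first argument. It must be set
        // before JSSE is first used, because the provider reads it at initialization.
        if (args.length > 0) {
            Security.setProperty("jdk.tls.disabledAlgorithms", args[0]);
        }

        System.out.println("java.version = " + System.getProperty("java.version"));
        for (String p : PROPS) {
            // null means the property is not defined in this runtime's java.security
            System.out.println(p + " = " + Security.getProperty(p));
        }

        // An unconnected socket is enough to read the protocol lists; no network I/O.
        SSLContext ctx = SSLContext.getDefault();
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            List<String> supported = Arrays.asList(socket.getSupportedProtocols());
            List<String> enabled = Arrays.asList(socket.getEnabledProtocols());

            // Protocols the provider implements but will not negotiate by default.
            List<String> notEnabled = new ArrayList<>(supported);
            notEnabled.removeAll(enabled);

            System.out.println("supported = " + supported);
            System.out.println("enabled = " + enabled);
            System.out.println("supported but not enabled = " + notEnabled);
        }
    }
}
```

Running it on the same JDK once with no argument and once with a different jdk.tls.disabledAlgorithms value shows whether the enabled list follows the property rather than the version alone.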