How To Add Additional Cipher Suites to A Java Application Server?
(1) That webpage is dated 2014; unlimited policy is no longer used at all for Oracle Java versions after 2017, and before that (which e.g. 7u80 was) it only mattered for symmetric encryption over 128 bits which here would affect only the AES256 suites not the AES128 ones. (It was never applicable to OpenJDK, although OpenJDK below 8 was/is mostly available only on major Linux distros like RedHat and Debian that could allocate staff for building and packaging; you don't say which you are using.)
(2) Java (1.)7 does support the CBC ciphersuites you show (not the GCM ones, and for Oracle versions below 7u171 the AES256 ones do require unlimited policy) but ONLY when TLS1.2 is used (these ciphersuites did not exist in lower version protocols) and by default j7 disables TLS1.2 (and 1.1) clientside.
If you are explicitly doing the connection to this API with HttpsURLConnection (e.g. new URL("https://something").openConnection()) you can tweak the socketfactory to use SSLContext.getInstance("TLSv1.2") and/or explicitly setEnabledProtocols on the socket. If you are using other middleware e.g. Apache HttpComponents there are usually similar methods but they vary in detail; you would need to show us the code, and that would probably belong on StackOverflow not here. If you are calling a library that does the connection internally, it may have options, or not.
For all or many calling methods, you can alter defaults like SSLContext.setDefault() or HttpsURLConnection.setDefaultSSLSocketFactory() if these defaults are not overridden in the relevant code and making a global change like that doesn't cause trouble for anything else running in your same JVM.
Alternatively (and more on topic!) if you have a sufficiently recent j7 update, I'm pretty sure they backported the system property jdk.tls.client.protocols, which you could set to e.g. TLSv1,TLSv1.1,TLSv1.2 to change the default with no code change (but again only if not overridden and not harming anything else). I don't recall exactly when this was but definitely after 7u80, so you would have it only with paid Oracle support or OpenJDK supported by somebody else with or without pay. That's easy to try and may work.