How To Add Additional Cipher Suites to A Java Application Server?

java linux ssl cipher

(1) That webpage is dated 2014; unlimited policy is no longer used at all for Oracle Java versions after 2017, and before that (which e.g. 7u80 was) it only mattered for symmetric encryption over 128 bits which here would affect only the AES256 suites not the AES128 ones. (It was never applicable to OpenJDK, although OpenJDK below 8 was/is mostly available only on major Linux distros like RedHat and Debian that could allocate staff for building and packaging; you don't say which you are using.)

(2) Java (1.)7 does support the CBC ciphersuites you show (not the GCM ones, and for Oracle versions below 7u171 the AES256 ones do require unlimited policy) but ONLY when TLS1.2 is used (these ciphersuites did not exist in lower version protocols) and by default j7 disables TLS1.2 (and 1.1) clientside.

If you are explicitly doing the connection to this API with HttpsURLConnection (e.g. new URL("https://something").openConnection()) you can tweak the socketfactory to use SSLContext.getInstance("TLSv1.2") and/or explicitly setEnabledProtocols on the socket. If you are using other middleware e.g. Apache HttpComponents there are usually similar methods but they vary in detail; you would need to show us the code, and that would probably belong on StackOverflow not here. If you are calling a library that does the connection internally, it may have options, or not. For all or many calling methods, you can alter defaults like SSLContext.setDefault() or HttpsURLConnection.setDefaultSSLSocketFacfory() if these defaults are not overridden in the relevant code and making a global change like that doesn't cause trouble for anything else running in your same JVM.

Alternatively (and more on topic!) if you have a sufficiently recent j7 update, I'm pretty sure they backported the system property jdk.tls.client.protocols which you could set to e.g. TLSv1,TLSv1.1,TLSv1.2 to change the default with no code change (but again only if not overridden and not harming anything else). I don't recall exactly when this was but definitely after 7u80, so you would have it only with paid Oracle support or OpenJDK supported by somebody else with or without pay. That's easy to try and may work.

Related

How can I release a locked Hyper-V VHD that is used by another process?
Convert saved evtx files to text
Why is the clock out of sync on this VMWare Linux guest?
When do changes to the group policy take affect for remote desktop idle times?
iptables: How to block UDP between devices on LAN-side of gateway (using dd-wrt firmware)
losing line endings using Linux mail sending email to Windows Outlook
How does "DROP all anywhere" in the FORWARD table not render my router useless?
Wireshark find DNS response "Refused"
What does sfdisk do, and how does it compare to fdisk or parted?
How to copy only new files AND only those that are modified after a certain date?
Can I pair multiple hosts to a single Bluetooth headphones device?
No supported authentication methods available in FileZilla