{"id":1763,"date":"2021-10-28T09:02:31","date_gmt":"2021-10-28T07:02:31","guid":{"rendered":"https:\/\/www.netexpertise.eu\/en\/?p=1763"},"modified":"2021-10-30T18:16:02","modified_gmt":"2021-10-30T16:16:02","slug":"ssl-versions-supported-on-my-jvm","status":"publish","type":"post","link":"http:\/\/www.netexpertise.eu\/en\/code\/java\/ssl-versions-supported-on-my-jvm.html","title":{"rendered":"SSL Versions Supported on my JVM"},"content":{"rendered":"\n<p>The SSL and TLS versions supported on a JVM depend on several factors. Here are those factors, and how to display which SSL versions are available and enabled on your JVM.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><br>Factors Affecting SSL Support<\/h2>\n\n\n\n<p><a href=\"\/en\/tag\/ssl\">SSL<\/a> support depends first on your JDK version. TLS 1.0 and 1.1 are disabled by default on more and more JDK distributions, while TLS 1.2 is pretty standard. TLS 1.3 is supported on JDK 11 and later and JDK 8 builds newer than 8u261.<br><br>You can also override the default settings and disable a TLS version in the Java security properties file, simply called java.security. SSL \/ TLS versions can be disabled with the <em>jdk.tls.disabledAlgorithms<\/em> setting.<br>There&#8217;s actually no way to explicitly enable a TLS version in Java: it has to be supported by the JDK distribution and must not be in the disabled algorithms list.<br><br>You can always force the use of a TLS version, and cipher, in the java command parameters. See the last section.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><br>Check SSL \/ TLS Versions Programmatically<\/h2>\n\n\n\n<p>Supported and enabled TLS versions can be displayed with a very simple piece of Java code. 
The getProtocols() method, called on the default SSL parameters of an SSLContext, displays the SSL versions enabled by default on your JVM.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"java\" class=\"language-java\">import java.util.*;\nimport javax.net.ssl.SSLContext;\n\npublic class tls\n{\n\n  public static void main (String[] args) throws Exception\n  {\n    \/\/ Default TLS context: default key managers, trust managers and random source\n    SSLContext context = SSLContext.getInstance(\"TLS\");\n    context.init(null, null, null);\n    \/\/ Protocols enabled by default on this JVM\n    String[] supportedProtocols = context.getDefaultSSLParameters().getProtocols();\n    System.out.println(Arrays.toString(supportedProtocols));\n  }\n\n}<\/code><\/pre>\n\n\n\n<p><br>Execute the following commands to show the JVM version along with the enabled and supported SSL protocol versions:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">java -version\necho \"Supported TLS:\"\njavac tls.java\njava tls<\/code><\/pre>\n\n\n\n<p><br>Some TLS versions on some servers of mine:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">Default OpenJDK\nopenjdk version \"1.8.0_302\"\nOpenJDK Runtime Environment (build 1.8.0_302-b08)\nOpenJDK 64-Bit Server VM (build 25.302-b08, mixed mode)\nSupported TLS:\n[TLSv1.2]\n\nIBM OpenJ9\nopenjdk version \"1.8.0_242\"\nOpenJDK Runtime Environment (build 1.8.0_242-b08)\nEclipse OpenJ9 VM (build openj9-0.18.1, JRE 1.8.0 Linux amd64-64-Bit\nCompressed References 20200122_511 (JIT enabled, AOT enabled)\nOpenJ9   - 51a5857d2\nOMR      - 7a1b0239a\nJCL      - 8cf8a30581 based on jdk8u242-b08)\nSupported TLS:\n[TLSv1, TLSv1.1, TLSv1.2]<\/code><\/pre>\n\n\n\n<p><br>And TLS versions on a Mac:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/images\/JVM_TLS_supported_versions.png\" alt=\"JVM TLS supported versions\"\/><\/figure>\n\n\n\n<p>You now have a list of TLS versions enabled on your JVM that you can fully trust.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><br>Check SSL Versions and Ciphers with the Debug 
Mode<\/h2>\n\n\n\n<p>If you want to go further and see what is actually going on, use the Java debug feature. You will get details on disabled SSL protocols, available ciphers, the SSL handshake and so on. It is very verbose, you have been warned! But so useful.<br>Simply launch your Java code with <em>java -Djavax.net.debug=all<\/em>. A simple program that connects to a MariaDB database with JDBC and SSL enabled would be launched with something like:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">java -Djavax.net.debug=all \\\n     -Djavax.net.ssl.trustStore=keystore.jks \\\n     -Djavax.net.ssl.trustStorePassword=changeit \\\n     -cp \"mariadb-java-client-2.7.3.jar:.\" myProgram<\/code><\/pre>\n\n\n\n<p><br>This shows a lot of information about the SSL protocol and ciphers. Some of the lines are shown below:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">System property jdk.tls.server.cipherSuites is set to 'null'\nIgnoring disabled cipher suite: TLS_DH_anon_WITH_AES_256_CBC_SHA\n[...]\nupdate handshake state: client_hello[1]\nupcoming handshake states: server_hello[2]\n*** ClientHello, TLSv1.2\nCipher Suites: [TLS_DHE_RSA_WITH_AES_128_GCM_SHA256]\n[...]\n%% Initialized:  [Session-1, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256]\n[...]\n0000: 01 00 00 01 0A 49 00 00   02 03 64 65 66 12 69 6E  .....I....def.in\n0010: 66 6F 72 6D 61 74 69 6F   6E 5F 73 63 68 65 6D 61  formation_schema\n0020: 06 54 41 42 4C 45 53 06   54 41 42 4C 45 53 09 54  .TABLES.TABLES.T\n0030: 41 42 4C 45 5F 43 41 54   0C 54 41 42 4C 45 5F 53  ABLE_CAT.TABLE_S\n0040: 43 48 45 4D 41 0C 2D 00   00 01 00 00 FD 01 00 00  CHEMA.-.........\n0050: 00 00 21 00 00 03 03 64   65 66 00 00 00 0B 54 41  ..!....def....TA\n0060: 42 4C 45 5F 53 43 48 45   4D 00 0C 3F 00 00 00 00  BLE_SCHEM..?....\n[...]<\/code><\/pre>\n\n\n\n<p><em>jdk.tls.server.cipherSuites<\/em> is set to &#8216;null&#8217; because it was not overridden.<br>There&#8217;s usually a long list 
of disabled ciphers, since most of them are linked to disabled TLS protocols.<br>Then you see the client hello that shows the TLS version used for the handshake.<br>Cipher Suites normally displays a long list of available ciphers on the JVM. There&#8217;s just one here because I forced it.<br>Going further down, we can even see SQL queries sent to the MariaDB server during the connection initialisation.<br>Oracle provides good documentation on how to <a href=\"https:\/\/docs.oracle.com\/javase\/8\/docs\/technotes\/guides\/security\/jsse\/ReadDebug.html\" target=\"_blank\" rel=\"noreferrer noopener\">debug SSL\/TLS<\/a> that goes through these messages.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><br>Forcing TLS Versions and Ciphers<\/h2>\n\n\n\n<p>It is possible to force the JVM to use specific TLS versions and ciphers on the command line. That&#8217;s very handy if you don&#8217;t have access to the JVM configuration, or if you&#8217;d like special settings for a particular Java program.<br>This can be done with the <em>jdk.tls.client.protocols<\/em> and <em>jdk.tls.client.cipherSuites<\/em> settings.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"bash\" class=\"language-bash\">java -Djavax.net.debug=all \\\n     -Djavax.net.ssl.trustStore=keystore.jks \\\n     -Djavax.net.ssl.trustStorePassword=changeit \\\n     -Djdk.tls.client.protocols=TLSv1.2 \\\n     -Djdk.tls.client.cipherSuites=\"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\" \\\n     -cp \"mariadb-java-client-2.7.3.jar:.\" myProgram<\/code><\/pre>\n\n\n\n<p><br>TLS protocols and ciphers can also be specified on the JDBC connection string if you use encryption for the database connection.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"java\" class=\"language-java\">String url = \"jdbc:mariadb:\/\/my_database_server:3306\/my_database?\"+\n             \"useSSL=true\"+\n             \"&amp;serverTimezone=UTC\"+\n             \"&amp;enabledSslProtocolSuites=TLSv1.2\"+\n             
\"&amp;enabledSSLCipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA\";<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>SSL or TLS supported on a JVM can change depending on many things. Here are the many factors it depends on, and how to display which SSL versions are available and enabled on your JVM. Factors Affecting SSL Support SSL support depends first on your JDK version. TLS 1.0 and 1.1 are disabled on more [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[450],"tags":[29,31],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.8.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Netexpertise - SSL Versions Supported on my JVM<\/title>\n<meta name=\"description\" content=\"Check and display SSL versions supported on your JVM. Enable or disable TLS protocols and ciphers. Debug SSL handshakes on your Java code\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.netexpertise.eu\/en\/code\/java\/ssl-versions-supported-on-my-jvm.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Netexpertise - SSL Versions Supported on my JVM\" \/>\n<meta property=\"og:description\" content=\"Check and display SSL versions supported on your JVM. Enable or disable TLS protocols and ciphers. 
Debug SSL handshakes on your Java code\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.netexpertise.eu\/en\/code\/java\/ssl-versions-supported-on-my-jvm.html\" \/>\n<meta property=\"og:site_name\" content=\"Netexpertise\" \/>\n<meta property=\"article:published_time\" content=\"2021-10-28T07:02:31+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-10-30T16:16:02+00:00\" \/>\n<meta name=\"author\" content=\"dave\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@netexpertise\" \/>\n<meta name=\"twitter:site\" content=\"@netexpertise\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.netexpertise.eu\/en\/code\/java\/ssl-versions-supported-on-my-jvm.html\",\"url\":\"https:\/\/www.netexpertise.eu\/en\/code\/java\/ssl-versions-supported-on-my-jvm.html\",\"name\":\"Netexpertise - SSL Versions Supported on my JVM\",\"isPartOf\":{\"@id\":\"http:\/\/www.netexpertise.eu\/en\/#website\"},\"datePublished\":\"2021-10-28T07:02:31+00:00\",\"dateModified\":\"2021-10-30T16:16:02+00:00\",\"author\":{\"@id\":\"http:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa\"},\"description\":\"Check and display SSL versions supported on your JVM. Enable or disable TLS protocols and ciphers. 
Debug SSL handshakes on your Java code\",\"breadcrumb\":{\"@id\":\"https:\/\/www.netexpertise.eu\/en\/code\/java\/ssl-versions-supported-on-my-jvm.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.netexpertise.eu\/en\/code\/java\/ssl-versions-supported-on-my-jvm.html\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.netexpertise.eu\/en\/code\/java\/ssl-versions-supported-on-my-jvm.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"http:\/\/www.netexpertise.eu\/en\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SSL Versions Supported on my JVM\"}]},{\"@type\":\"WebSite\",\"@id\":\"http:\/\/www.netexpertise.eu\/en\/#website\",\"url\":\"http:\/\/www.netexpertise.eu\/en\/\",\"name\":\"Netexpertise\",\"description\":\"Systems \/ Networks \/ DevOps\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/www.netexpertise.eu\/en\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"http:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa\",\"name\":\"dave\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"http:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/image\/\",\"url\":\"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g\",\"contentUrl\":\"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g\",\"caption\":\"dave\"},\"sameAs\":[\"http:\/\/www.netexpertise.eu\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}