Good ciphers in OpenJDK

Posted on December 11, 2018 in Java • 1 min read

Until recently, I didn't know the list of supported cipher suites in OpenJDK is widely different between JDK versions. I used getSupportedCipherSuites() on OpenJDK 10 to get the following list, and checked the strength of encryption.

My criteria are:

  1. At least 128-bit.
  2. No NULL ciphers.
  3. No anonymous auth ciphers.

Then I got the following. Red ones are supposed to be weak.

| Name | Encryption | Mode |
|---|---|---|
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 256bit | |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 128bit | |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 256bit | |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | 256bit | |
| TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | 256bit | |
| TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | 256bit | |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 256bit | |
| TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | 256bit | |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 128bit | |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | 128bit | |
| TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | 128bit | |
| TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | 128bit | |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 128bit | |
| TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | 128bit | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 256bit | |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 256bit | |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | 256bit | |
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | 256bit | |
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | 256bit | |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 256bit | |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | 256bit | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 256bit | |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 256bit | |
| TLS_RSA_WITH_AES_256_CBC_SHA | 256bit | |
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | 256bit | |
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | 256bit | |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 256bit | |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | 256bit | |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 128bit | |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 128bit | |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | 128bit | |
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | 128bit | |
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | 128bit | |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 128bit | |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | 128bit | |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 128bit | |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 128bit | |
| TLS_RSA_WITH_AES_128_CBC_SHA | 128bit | |
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | 128bit | |
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | 128bit | |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 128bit | |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | 128bit | |
| TLS_EMPTY_RENEGOTIATION_INFO_SCSV | 0bit | |
| TLS_DH_anon_WITH_AES_256_GCM_SHA384 | 256bit | anon |
| TLS_DH_anon_WITH_AES_128_GCM_SHA256 | 128bit | anon |
| TLS_DH_anon_WITH_AES_256_CBC_SHA256 | 256bit | anon |
| TLS_ECDH_anon_WITH_AES_256_CBC_SHA | 256bit | anon |
| TLS_DH_anon_WITH_AES_256_CBC_SHA | 256bit | anon |
| TLS_DH_anon_WITH_AES_128_CBC_SHA256 | 128bit | anon |
| TLS_ECDH_anon_WITH_AES_128_CBC_SHA | 128bit | anon |
| TLS_DH_anon_WITH_AES_128_CBC_SHA | 128bit | anon |
| SSL_RSA_WITH_DES_CBC_SHA | 56bit | |
| SSL_DHE_RSA_WITH_DES_CBC_SHA | 56bit | |
| SSL_DHE_DSS_WITH_DES_CBC_SHA | 56bit | |
| SSL_DH_anon_WITH_DES_CBC_SHA | 56bit | anon |
| TLS_RSA_WITH_NULL_SHA256 | 0bit | null |
| TLS_ECDHE_ECDSA_WITH_NULL_SHA | 0bit | null |
| TLS_ECDHE_RSA_WITH_NULL_SHA | 0bit | null |
| SSL_RSA_WITH_NULL_SHA | 0bit | null |
| TLS_ECDH_ECDSA_WITH_NULL_SHA | 0bit | null |
| TLS_ECDH_RSA_WITH_NULL_SHA | 0bit | null |
| TLS_ECDH_anon_WITH_NULL_SHA | 0bit | null |
| SSL_RSA_WITH_NULL_MD5 | 0bit | null |
| TLS_KRB5_WITH_DES_CBC_SHA | 56bit | |
| TLS_KRB5_WITH_DES_CBC_MD5 | 56bit | |
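
The three criteria above, applied to whatever `getSupportedCipherSuites()` returns on the running JDK, as an added example that is not code from the original post. The class name `GoodCiphers` and the name-based key-size mapping in `keyBits` are assumptions of this example; names it does not recognise are rejected rather than guessed.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

public class GoodCiphers {
    // Key size inferred from the suite name; this name-based mapping is an
    // assumption of the example, not something the JSSE API reports.
    static int keyBits(String suite) {
        if (suite.contains("_NULL_")) return 0;
        if (suite.contains("AES_256") || suite.contains("CHACHA20")) return 256;
        if (suite.contains("AES_128")) return 128;
        if (suite.contains("3DES_EDE")) return 112;  // effective strength
        if (suite.contains("DES40") || suite.contains("_40_")) return 40;
        if (suite.contains("_DES_")) return 56;
        return -1;  // unrecognised (e.g. the SCSV signalling value): fail closed
    }

    // Returns null when the suite meets all three criteria, else the reason.
    static String rejectReason(String suite) {
        if (suite.contains("_NULL_")) return "NULL cipher";
        if (suite.contains("_anon_")) return "anonymous auth";
        int bits = keyBits(suite);
        if (bits < 0) return "unrecognised";
        if (bits < 128) return bits + "bit";
        return null;
    }

    static List<String> filter(String[] suites) {
        List<String> good = new ArrayList<>();
        for (String s : suites) {
            if (rejectReason(s) == null) good.add(s);
        }
        return good;
    }

    public static void main(String[] args) throws Exception {
        String[] supported =
            SSLContext.getDefault().getSocketFactory().getSupportedCipherSuites();
        for (String s : supported) {
            String why = rejectReason(s);
            System.out.println((why == null ? "OK    " : "WEAK  ") + s
                + (why == null ? "" : "  (" + why + ")"));
        }
        System.out.println(filter(supported).size() + " of " + supported.length
            + " supported suites meet the criteria on Java "
            + System.getProperty("java.version"));
    }
}
```

Running the same class under different JDK versions shows how the supported list differs between them.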