Good ciphers in OpenJDK
Posted on December 11, 2018 in Java • 1 min read
Until recently, I didn't know the list of supported Cipher Suites in OpenJDK is widely different between JDK versions. I used getSupportedCipherSuites() on OpenJDK 10 to get the following list, and checked the strength of encryption.
My criteria are:
- At least 128 bits.
- No NULL ciphers.
- No anonymous auth ciphers.
Then I got the following. Red ones are supposed to be weak.
Name | Encryption | Mode |
---|---|---|
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 256bit | |
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 128bit | |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 256bit | |
TLS_RSA_WITH_AES_256_GCM_SHA384 | 256bit | |
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | 256bit | |
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | 256bit | |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 256bit | |
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | 256bit | |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 128bit | |
TLS_RSA_WITH_AES_128_GCM_SHA256 | 128bit | |
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | 128bit | |
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | 128bit | |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 128bit | |
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | 128bit | |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 256bit | |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 256bit | |
TLS_RSA_WITH_AES_256_CBC_SHA256 | 256bit | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | 256bit | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | 256bit | |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 256bit | |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | 256bit | |
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 256bit | |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 256bit | |
TLS_RSA_WITH_AES_256_CBC_SHA | 256bit | |
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | 256bit | |
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | 256bit | |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 256bit | |
TLS_DHE_DSS_WITH_AES_256_CBC_SHA | 256bit | |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 128bit | |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 128bit | |
TLS_RSA_WITH_AES_128_CBC_SHA256 | 128bit | |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | 128bit | |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | 128bit | |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 128bit | |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | 128bit | |
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 128bit | |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 128bit | |
TLS_RSA_WITH_AES_128_CBC_SHA | 128bit | |
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | 128bit | |
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | 128bit | |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 128bit | |
TLS_DHE_DSS_WITH_AES_128_CBC_SHA | 128bit | |
TLS_EMPTY_RENEGOTIATION_INFO_SCSV | 0bit | |
TLS_DH_anon_WITH_AES_256_GCM_SHA384 | 256bit | anon |
TLS_DH_anon_WITH_AES_128_GCM_SHA256 | 128bit | anon |
TLS_DH_anon_WITH_AES_256_CBC_SHA256 | 256bit | anon |
TLS_ECDH_anon_WITH_AES_256_CBC_SHA | 256bit | anon |
TLS_DH_anon_WITH_AES_256_CBC_SHA | 256bit | anon |
TLS_DH_anon_WITH_AES_128_CBC_SHA256 | 128bit | anon |
TLS_ECDH_anon_WITH_AES_128_CBC_SHA | 128bit | anon |
TLS_DH_anon_WITH_AES_128_CBC_SHA | 128bit | anon |
SSL_RSA_WITH_DES_CBC_SHA | 56bit | |
SSL_DHE_RSA_WITH_DES_CBC_SHA | 56bit | |
SSL_DHE_DSS_WITH_DES_CBC_SHA | 56bit | |
SSL_DH_anon_WITH_DES_CBC_SHA | 56bit | anon |
TLS_RSA_WITH_NULL_SHA256 | 0bit | null |
TLS_ECDHE_ECDSA_WITH_NULL_SHA | 0bit | null |
TLS_ECDHE_RSA_WITH_NULL_SHA | 0bit | null |
SSL_RSA_WITH_NULL_SHA | 0bit | null |
TLS_ECDH_ECDSA_WITH_NULL_SHA | 0bit | null |
TLS_ECDH_RSA_WITH_NULL_SHA | 0bit | null |
TLS_ECDH_anon_WITH_NULL_SHA | 0bit | null |
SSL_RSA_WITH_NULL_MD5 | 0bit | null |
TLS_KRB5_WITH_DES_CBC_SHA | 56bit | |
TLS_KRB5_WITH_DES_CBC_MD5 | 56bit | |
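
The three criteria above can be applied to whatever JDK is running, which makes the difference between versions easy to see. This is an added example, not code from the original post: the class and method names are hypothetical, calling getSupportedCipherSuites() on the default SSLSocketFactory is an assumption (the post does not say which class was used), and key sizes are read from the suite names, with unrecognised names rejected.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLSocketFactory;

public class GoodCiphers {

    // Key length in bits, read from the suite name. Only the ciphers that
    // appear in the table above are recognised; anything else returns -1
    // and is rejected rather than guessed at.
    static int keyBits(String suite) {
        // NULL suites and the renegotiation signalling value carry no cipher.
        if (suite.contains("_NULL_") || suite.endsWith("_SCSV")) return 0;
        if (suite.contains("_AES_256_")) return 256;
        if (suite.contains("_AES_128_")) return 128;
        if (suite.contains("_DES_CBC_")) return 56;
        return -1;
    }

    // Third column of the table: "null" wins over "anon", as in the post.
    static String flag(String suite) {
        if (suite.contains("_NULL_")) return "null";
        if (suite.contains("_anon_")) return "anon";
        return "";
    }

    // The post's criteria: at least 128 bits, not NULL, not anonymous.
    static boolean isGood(String suite) {
        return keyBits(suite) >= 128 && flag(suite).isEmpty();
    }

    static List<String> goodSuites(String[] supported) {
        List<String> good = new ArrayList<>();
        for (String s : supported) if (isGood(s)) good.add(s);
        return good;
    }

    public static void main(String[] args) {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        String[] supported = f.getSupportedCipherSuites();
        System.out.println("Name | Encryption | Mode | Verdict |");
        for (String s : supported) {
            int bits = keyBits(s);
            System.out.printf("%s | %s | %s | %s |%n", s,
                    bits < 0 ? "?" : bits + "bit", flag(s),
                    isGood(s) ? "ok" : "weak");
        }
        System.out.println(goodSuites(supported).size() + " of "
                + supported.length + " suites pass on Java "
                + System.getProperty("java.version"));
    }
}
```

The list returned by goodSuites() can be passed to SSLParameters.setCipherSuites() so that only suites meeting the criteria are enabled.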