When connecting to a server with JavaMail, what is the supported version of SSL?

Question

I have an application that uses JavaMail to connect to a POP3 server via SSL and I'm getting questions from our security auditor about what level of SSL it supports (version, ciphers, etc). Does anyone know? Is there a way to exclude certain versions or ciphers?

Answer 1

After reading EJP's answer and searching for the JSSE Reference Guide I found this. http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html

Which led me to the answer that it is SSL 3.0.

Then I found that you can do this to get the default cipher suite:

((SSLSocketFactory) SSLSocketFactory.getDefault()).getDefaultCipherSuites()

Which on my machine gives the following output:

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_SHA
TLS_ECDH_ECDSA_WITH_RC4_128_SHA
TLS_ECDH_RSA_WITH_RC4_128_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_MD5
TLS_EMPTY_RENEGOTIATION_INFO_SCSV

Answer 2

It's the same as what Java supports. See the JSSE Reference Guide for all those details.