Good list of weak cipher suites for Java

Question

I'm running a server that requires a blacklist of weak cipher suites.

So which of the following are weak? http://java.sun.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

Answer 1

Versions after 7.0.2 of Jetty now include a whitelist feature for cipher suites. Just add a section to your etc/jetty-ssl.xml like the following:

  <Call name="addConnector">
    <Arg>
      <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Arg><Ref id="sslContextFactory" /></Arg>
        <Set name="Port">8443</Set>
        <Set name="maxIdleTime">30000</Set>
        <Set name="Acceptors">2</Set>
        <Set name="AcceptQueueSize">100</Set>

        <!--you can enable cipher suites in the following section. -->
        <Set name="IncludeCipherSuites">
          <Array type="java.lang.String">
            <Item>TLS_DHE_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA</Item>
            <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
            <Item>SSL_RSA_WITH_3DES_EDE_CBC_SHA</Item>

            <Item>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</Item>
            <Item>SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</Item>
          </Array>
        </Set>
      </New>
    </Arg>
  </Call>

Doing so will automatically blacklist any cipher suites that aren't listed in this section.

Answer 2

Pretty sure Jetty is blacklist.

• http://docs.codehaus.org/display/JETTY/SSL+Cipher+Suites
• http://jira.codehaus.org/browse/JETTY-1164 <-- I'm using slightly older version lol

Anyways my issue is solved. Thanks

Answer 3

Why do you need to exclude the bad ones? Why not only include the good ones?

For starters, I'd follow the NSA Suite B guidelines, specifically RFC 5430