How to disable weak cipher suits in java application server for ssl

Question

I have a custom Java application server running. I am seeing that there are some weak cipher suits supported by the server for example some 112 bit ciphers. I want to disable those. Where can I don that. Also I want to enable TLSv1.2. The following is the code to initialize the socket.

        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream(sslstore), sslstorepass.toCharArray());
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, sslcertpass.toCharArray());

        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(kmf.getKeyManagers(), null, new SecureRandom());
        SSLServerSocketFactory ssf = sc.getServerSocketFactory();
        serverSocket = ssf.createServerSocket(port);

        System.out.println("Socket initialized");

Answer 1

JAVA allows cipher suites to be removed/excluded from use in the security policy file called java.security that’s located in your JRE: $PATH/[JRE]/lib/security The jdk.tls.disabledAlgorithms property in the policy file controls TLS cipher selection. The jdk.certpath.disabledAlgorithms controls the algorithms you will come across in SSL certificates. Oracle has more information about this here

In the security policy file, if you entered the following: jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 4096 It would make it, so that MD5, SHA1, DSA are never allowed, and RSA is allowed only if the key is at least 4096 bits.

To solve the tls version issue. Just have to put SSLContext sc = SSLContext.getInstance("TLSv1.2"); It will support all the versions.