Monday, July 25, 2016

Which cipher suites your JVM supports

"SunJSSE supports a large number of ciphersuites" http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
1) WLS 11g (WLS 10.3.6) uses JSSE and runs on Java SE 6
2) JSSE in Java 6: http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
3) WLS 10.3.6 ciphers: http://docs.oracle.com/cd/E28280_01/web.1111/e13707/ssl.htm#BABBDACC

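The parts of a cipher suite name (for example TLS_DHE_RSA_WITH_AES_128_CBC_SHA) are classified as follows:
Protocol: TLS vs SSL
Key exchange: RSA vs ECDH vs ECDHE vs DHE vs KRB5
Authentication: ECDSA vs RSA
Bulk cipher: RC4 vs 3DES vs DES vs AES
Cipher construction/mode: EDE vs CBC
MAC hash: SHA vs MD5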

Set "-Dssl.debug=true -Djavax.net.debug=ssl -Dweblogic.log.StdoutSeverity=Debug", then search the output for the statement
SSLEngine.setEnabledCipherSuites
to see which ciphers are actually ENABLED (not only supported).
See also http://stackoverflow.com/questions/10487962/java-cipher-suites
There is a property https.cipherSuites, and an SSLSocket.setEnabledCipherSuites()/SSLEngine.setEnabledCipherSuites() method.
See also the MOS document "How to Verify the Sun JSSE Cipher Suites Available to WebLogic Server (11g/12c) (Doc ID 2052237.1)",
which suggests enabling these flags:
 -Dweblogic.debug.DebugSecuritySSL=true
 -Djavax.net.SSL=true
 -Djava.debug=SSL
 -Djavax.net.debug=all
 -Dssl.debug=true
 -Dweblogic.StdoutDebugEnabled=true
 -Dweblogic.log.LogSeverity=Debug
 -Dweblogic.log.LoggerSeverity=Debug
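
To compare supported and enabled suites without reading debug logs, the small program below (an added example, not taken from the Oracle documents above; the class name ListCipherSuites is an assumption) asks the JVM's default SSLContext directly and splits each name at _WITH_ into the parts classified earlier. It reports the JVM defaults only; what WebLogic actually enables still has to be read from the SSLEngine.setEnabledCipherSuites log line.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class ListCipherSuites {
    public static void main(String[] args) throws Exception {
        // Default context = the JSSE provider configured for this JVM.
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine engine = ctx.createSSLEngine();

        // Supported = everything the provider implements;
        // enabled = the subset a new engine would actually offer.
        Set<String> supported =
            new TreeSet<String>(Arrays.asList(engine.getSupportedCipherSuites()));
        Set<String> enabled =
            new HashSet<String>(Arrays.asList(engine.getEnabledCipherSuites()));

        // Only HttpsURLConnection honours this property; null means "not set".
        System.out.println("https.cipherSuites = "
            + System.getProperty("https.cipherSuites"));

        System.out.printf("%-8s %-14s %-24s %s%n",
            "STATE", "KEYEX/AUTH", "CIPHER/MAC", "SUITE");
        for (String suite : supported) {
            String state = enabled.contains(suite) ? "ENABLED" : "off";
            // Classic names: <PROTO>_<KEYEX>[_<AUTH>]_WITH_<CIPHER>_<MAC>.
            // Names without _WITH_ (for example the renegotiation SCSV
            // marker) are printed unsplit.
            String left = "-";
            String right = "-";
            int with = suite.indexOf("_WITH_");
            int first = suite.indexOf('_');
            if (with > 0 && first < with) {
                left = suite.substring(first + 1, with);
                right = suite.substring(with + "_WITH_".length());
            }
            System.out.printf("%-8s %-14s %-24s %s%n", state, left, right, suite);
        }
        System.out.println(enabled.size() + " enabled of "
            + supported.size() + " supported");
    }
}
```

Run it with the same JVM (and the same java.security configuration) that starts the server, otherwise the list describes a different provider setup.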
