Comparative study of TLS Cipher Suite supported by Java 8

Regarding the TLS cipher suites supported by Java 8, I investigated whether there is any difference between OracleJDK, AdoptOpenJDK, and the OpenJDK packages provided by Linux distributions.

Get a list of supported TLS Cipher Suite

I created the following command line tool and got the list.

About OpenJDK8 to be compared

I got the list for each of the following OpenJDK 8 builds with the above tool.

The details of the version are as follows.

OracleJDK8 for Win64:

> java -version
java version "1.8.0_192"
Java(TM) SE Runtime Environment (build 1.8.0_192-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.192-b12, mixed mode)

AdoptOpenJDK8 for Win64:

> java -version
openjdk version "1.8.0_192"
OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_192-b12)
OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.192-b12, mixed mode)

CentOS7(64bit):

$ sudo yum install java-1.8.0-openjdk.x86_64
-> java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64 has been installed.

$ java -version
openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)

Amazon Linux 2(64bit):

$ sudo yum install java-1.8.0-openjdk.x86_64
-> java-1.8.0-openjdk-1.8.0.191.b12-0.amzn2.x86_64 has been installed.

$ java -version
openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)

Ubuntu 18.04 Bionic(64bit):

$ sudo apt update
$ sudo apt-get install openjdk-8-jdk
-> openjdk-8-jdk, 8u191-b12-0ubuntu0.18.04.1 has been installed.

$ java -version
openjdk version "1.8.0_191"
OpenJDK Runtime Environment (build 1.8.0_191-8u191-b12-0ubuntu0.18.04.1-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)

Survey results

The following command results were redirected to a text file and saved in each environment.

java -jar java-jsse-cipher-suites-dump-demo-v201901.1.jar
java -Djava.security.properties=java.security.crypto.policy-limited -jar java-jsse-cipher-suites-dump-demo-v201901.1.jar
java -Djava.security.properties=java.security.crypto.policy-unlimited -jar java-jsse-cipher-suites-dump-demo-v201901.1.jar

https://github.com/msakamoto-sf/java-jsse-cipher-suites-dump-demo/tree/v201901.1/2019-01-14_result
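The kind of dump compared above can be produced from the default SSLContext. The following is an added example, not the author's tool from the linked repository; the class name CipherSuiteDump and the output format are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.Arrays;
import java.util.Set;
import java.util.TreeSet;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name), written to compile on Java 8.
public class CipherSuiteDump {

    // Sort the suite names so dumps taken on different JDKs diff line by line.
    static Set<String> sorted(String[] suites) {
        return new TreeSet<>(Arrays.asList(suites));
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Record which build and which policy produced this dump.
        System.out.println("java.version=" + System.getProperty("java.version"));
        System.out.println("java.vendor=" + System.getProperty("java.vendor"));
        // Prints null when the property is not set in any java.security file.
        System.out.println("crypto.policy=" + Security.getProperty("crypto.policy"));
        // 128 under the limited policy, Integer.MAX_VALUE under unlimited.
        System.out.println("maxAesKeyBits=" + Cipher.getMaxAllowedKeyLength("AES"));

        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        System.out.println("protocols.supported=" + Arrays.toString(supported.getProtocols()));
        System.out.println("protocols.default=" + Arrays.toString(defaults.getProtocols()));

        Set<String> enabled = sorted(defaults.getCipherSuites());
        for (String suite : sorted(supported.getCipherSuites())) {
            // "+" = enabled by default, "-" = supported but must be enabled explicitly.
            System.out.println((enabled.contains(suite) ? "+ " : "- ") + suite);
        }
    }
}
```

Redirect the output to one file per environment and policy, then diff the files. The maxAesKeyBits line shows which policy was actually in effect for that run, which guards against comparing two dumps taken under the same policy by mistake.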

Looking at the diffs for each, I got the following results:

  1. The result of unlimited is the same as the default state without customization of crypto.policy.
  2. Furthermore, the above results were the same in all the environments surveyed.
  3. The result of limited was also the same in all the environments surveyed.

Therefore, it seems that the following can be confirmed.

  1. In the latest JDK8, the default is crypto.policy = unlimited and it is in a secure state.
  2. The same Cipher Suite can be used for all JDKs built by Oracle / Adopt OpenJDK / Linux distributors based on OpenJDK.

Naturally, it goes without saying that JSSE was originally implemented in 100% Pure Java, and the source is managed by OpenJDK. Therefore, the same Cipher Suite can be used with any build binary as long as it is built from OpenJDK without modifying the source.

A "Cipher Suite that can be used only with Oracle JDK" could exist, but in these days when interoperability and security are important, it seems doubtful that such a thing would be accepted in the Java ecosystem. (It may be a special extension that can only be used by paid users of the Oracle JDK, but that is out of scope if the OpenJDK ecosystem is assumed.)

I had been wondering about that for a while ("Really? Is it true ...?"), so I tried it briefly this time and could confirm that there was no difference. For more rigorous verification, it would be necessary to actually prepare a server socket for each combination of protocol version x single cipher suite and check whether the connection actually succeeds, but I did not go that far this time. So, I decided to verify the difference within the range that can be seen from the SSLContext.

For the time being, with regard to SSL / TLS Cipher Suite, I was relieved because I was able to confirm that "Cipher Suite that can be used with binaries from any vendor is the same for OpenJDK-based builds".
