
I have a Java client which connects to certain web services using https. One of the requirements of the client is that we should be able to select from the list of supported cipher suites and then force the client to use them.

From the following page

  • https.cipherSuites system property. This contains a comma-separated list of cipher suite names specifying which cipher suites to enable for use on this HttpsURLConnection. See the SSLSocket setEnabledCipherSuites(String[]) method.

But when I set this JVM attribute and list the default ciphers, I get the standard enabled cipher list, which is the same as when not using this property.

Code I am using to list the enabled ciphers:

import java.io.IOException;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class ListEnabledCiphers {
    public static void main(String[] args) throws IOException {
        SSLSocketFactory factory = HttpsURLConnection.getDefaultSSLSocketFactory();
        // An unconnected socket from the default factory; it reports the
        // provider's default enabled suites, not anything HttpsURLConnection applies.
        SSLSocket socket = (SSLSocket) factory.createSocket();
        String[] enabledCiphers = socket.getEnabledCipherSuites();
        for (String enabledCipher : enabledCiphers) {
            System.out.println("Enabled Ciphers: " + enabledCipher);
        }
    }
}

Setting the property using:

-Dhttps.cipherSuites=SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,SSL_DHE_DSS_WITH_DES_CBC_SHA

Any suggestions?

Salman A. Kagzi

1 Answer


This system property only affects the default https client code, not the overall list of ciphers; i.e. anything that uses an HttpsURLConnection would be controlled by the https.cipherSuites value.

It's not particularly well documented - it's in the source of sun.net.www.protocol.https, and it's explicitly called out in the JSSE reference guide:

https.cipherSuites system property. This contains a comma-separated list of cipher suite names specifying which cipher suites to enable for use on this HttpsURLConnection.

If you want to override the socket factory in its entirety, you could create a class to do the same - this answer makes a reasonable attempt.

Anya Shenanigans
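One way to do what the answer suggests, as an added example that is not code from the question or the answer: a delegating SSLSocketFactory that pins the enabled suites on every socket it creates, installed with HttpsURLConnection.setDefaultSSLSocketFactory so it applies regardless of the https.cipherSuites property. The class name and the two suite names in main are illustrative choices; the requested list is intersected with the provider's supported suites so an unknown name cannot make setEnabledCipherSuites throw.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Example (not from the original post): wraps a factory and restricts suites on each socket. */
public class RestrictedCipherSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;
    private final String[] enabled;

    public RestrictedCipherSocketFactory(SSLSocketFactory delegate, String... wanted) {
        this.delegate = delegate;
        // Keep only requested suites the provider supports, preserving the requested preference order.
        Set<String> supported = new HashSet<>(Arrays.asList(delegate.getSupportedCipherSuites()));
        this.enabled = Arrays.stream(wanted).filter(supported::contains).toArray(String[]::new);
        if (enabled.length == 0) {
            throw new IllegalArgumentException("none of the requested cipher suites is supported");
        }
    }

    // Applied to every socket the delegate hands back, so no caller can bypass the restriction.
    private Socket restrict(Socket s) {
        if (s instanceof SSLSocket) ((SSLSocket) s).setEnabledCipherSuites(enabled);
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return enabled.clone(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return restrict(delegate.createSocket()); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException { return restrict(delegate.createSocket(s, h, p, autoClose)); }
    @Override public Socket createSocket(String h, int p) throws IOException { return restrict(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return restrict(delegate.createSocket(h, p, lh, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return restrict(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return restrict(delegate.createSocket(h, p, lh, lp)); }

    public static void main(String[] args) throws IOException {
        // Two illustrative suite names; substitute the list your policy requires.
        SSLSocketFactory restricted = new RestrictedCipherSocketFactory(
                HttpsURLConnection.getDefaultSSLSocketFactory(),
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384");
        HttpsURLConnection.setDefaultSSLSocketFactory(restricted);
        // Unlike the default factory in the question, sockets from this one report the restricted list.
        for (String suite : ((SSLSocket) restricted.createSocket()).getEnabledCipherSuites()) {
            System.out.println("Enabled Ciphers: " + suite);
        }
    }
}
```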