Good ciphers in OpenJDK 10
Posted on December 11, 2018 in Java • 1 min read
Until recently, I didn’t know the list of supported Cipher Suites in OpenJDK is widely different between JDK versions. I used getSupportedCipherSuites() on OpenJDK 10 to get the following list, and check the strength of encryption.
My criteria is:
- At least 128bit.
- No NULL ciphers.
- No anonymous auth ciphers.
Then I got the following. The red ones are supposed to be weak.
| Name | Encryption | Mode |
|---|---|---|
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 256bit | |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 128bit | |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 256bit | |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | 256bit | |
| TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | 256bit | |
| TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | 256bit | |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 256bit | |
| TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 | 256bit | |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 128bit | |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | 128bit | |
| TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | 128bit | |
| TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | 128bit | |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 128bit | |
| TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 | 128bit | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 256bit | |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 256bit | |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | 256bit | |
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | 256bit | |
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | 256bit | |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 256bit | |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 | 256bit | |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 256bit | |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 256bit | |
| TLS_RSA_WITH_AES_256_CBC_SHA | 256bit | |
| TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | 256bit | |
| TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | 256bit | |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 256bit | |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | 256bit | |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 128bit | |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 128bit | |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | 128bit | |
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | 128bit | |
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | 128bit | |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 128bit | |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 | 128bit | |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 128bit | |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 128bit | |
| TLS_RSA_WITH_AES_128_CBC_SHA | 128bit | |
| TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | 128bit | |
| TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | 128bit | |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 128bit | |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | 128bit | |
| TLS_EMPTY_RENEGOTIATION_INFO_SCSV | 0bit | |
| TLS_DH_anon_WITH_AES_256_GCM_SHA384 | 256bit | anon |
| TLS_DH_anon_WITH_AES_128_GCM_SHA256 | 128bit | anon |
| TLS_DH_anon_WITH_AES_256_CBC_SHA256 | 256bit | anon |
| TLS_ECDH_anon_WITH_AES_256_CBC_SHA | 256bit | anon |
| TLS_DH_anon_WITH_AES_256_CBC_SHA | 256bit | anon |
| TLS_DH_anon_WITH_AES_128_CBC_SHA256 | 128bit | anon |
| TLS_ECDH_anon_WITH_AES_128_CBC_SHA | 128bit | anon |
| TLS_DH_anon_WITH_AES_128_CBC_SHA | 128bit | anon |
| SSL_RSA_WITH_DES_CBC_SHA | 56bit | |
| SSL_DHE_RSA_WITH_DES_CBC_SHA | 56bit | |
| SSL_DHE_DSS_WITH_DES_CBC_SHA | 56bit | |
| SSL_DH_anon_WITH_DES_CBC_SHA | 56bit | anon |
| TLS_RSA_WITH_NULL_SHA256 | 0bit | null |
| TLS_ECDHE_ECDSA_WITH_NULL_SHA | 0bit | null |
| TLS_ECDHE_RSA_WITH_NULL_SHA | 0bit | null |
| SSL_RSA_WITH_NULL_SHA | 0bit | null |
| TLS_ECDH_ECDSA_WITH_NULL_SHA | 0bit | null |
| TLS_ECDH_RSA_WITH_NULL_SHA | 0bit | null |
| TLS_ECDH_anon_WITH_NULL_SHA | 0bit | null |
| SSL_RSA_WITH_NULL_MD5 | 0bit | null |
| TLS_KRB5_WITH_DES_CBC_SHA | 56bit | |
| TLS_KRB5_WITH_DES_CBC_MD5 | 56bit |