java ssl - ghdrako/doc_snipets GitHub Wiki

Trace only the handshake (the property name is javax.net.debug; a -Djava.net.debug setting is not a JSSE property and is silently ignored):

-Djavax.net.debug=ssl,handshake

Trace everything JSSE does:

-Djavax.net.debug=all

Java 8, 9 and 10 did not implement TLS 1.3 at all.

Java 11, 12

  • keytool generates DSA keys by default (kept for backwards compatibility) unless -keyalg is given
  • Since Java 11, TLS 1.3 is the default protocol for SSL sockets in JSSE whenever the peer can negotiate it.
  • DSA is no longer supported in TLS 1.3

It is therefore recommended to always generate certificates with an explicit -keyalg RSA (or any other algorithm TLS 1.3 supports) to avoid surprises.

RSA is the keytool's new default algorithm in OpenJDK 14

Force the client to use TLS 1.3 only:

-Djdk.tls.client.protocols="TLSv1.3"

Disable TLS 1.3 using the following JVM property:

-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"

Force an RSA cipher suite only (TLS 1.3 has to be disabled as well, because TLS_RSA_* suites exist only up to TLS 1.2):

-Djdk.tls.client.cipherSuites="TLS_RSA_WITH_AES_128_GCM_SHA256" -Djdk.tls.disabledAlgorithms=TLSv1.3
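The two pitfalls above (a DSA key from keytool's old default meeting TLS 1.3, and a cipher-suite list restricted to TLS_RSA_*) can be caught before deployment by checking a keystore against what JSSE actually enables. The following program is an added example written for this page, not code from the wiki or from OpenJDK; it takes a hypothetical keystore path and password as arguments and looks at the server-side view, the side that presents the certificate.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added diagnostic, not from the wiki: lists the algorithm of every private key in a keystore
// next to what JSSE enables, flagging DSA keys the enabled protocols/suites cannot use.
public class KeyAlgCheck {
    // Reasons a key of this algorithm cannot be used with the given enabled
    // protocols and cipher suites; an empty list means it is usable.
    static List<String> problemsFor(String keyAlg, String[] protocols, String[] suites) {
        List<String> problems = new ArrayList<>();
        if (!"DSA".equalsIgnoreCase(keyAlg)) {
            return problems; // RSA and EC keys are fine for every protocol listed on this page
        }
        if (Arrays.asList(protocols).contains("TLSv1.3")) {
            problems.add("TLSv1.3 is enabled, but TLS 1.3 cannot authenticate with a DSA key");
        }
        // Below TLS 1.3 a DSA certificate needs a *_DSS_* suite (e.g. TLS_DHE_DSS_...);
        // a jdk.tls.*.cipherSuites list restricted to TLS_RSA_* removes them all.
        if (Arrays.stream(suites).noneMatch(s -> s.contains("_DSS_"))) {
            problems.add("no enabled cipher suite can authenticate with a DSA key");
        }
        return problems;
    }
    public static void main(String[] args) throws Exception {
        char[] password = args[1].toCharArray();           // hypothetical: args[0]=keystore, args[1]=password
        KeyStore ks = KeyStore.getInstance("PKCS12");      // keytool's default store type since Java 9
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);                    // server view: the side presenting the certificate
        String[] protocols = engine.getEnabledProtocols();
        String[] suites = engine.getEnabledCipherSuites();
        System.out.println("Enabled protocols: " + Arrays.toString(protocols));
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Key key = ks.getKey(alias, password);
            List<String> problems = problemsFor(key.getAlgorithm(), protocols, suites);
            System.out.println(alias + ": " + key.getAlgorithm()
                + (problems.isEmpty() ? " OK" : " PROBLEM " + problems));
        }
    }
}
```

Because the engine is created in server mode, the server-side counterparts of the properties above (jdk.tls.server.protocols, jdk.tls.server.cipherSuites) and jdk.tls.disabledAlgorithms are what change its output.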

Conscrypt