Specifying default enabled cipher suites
You can specify the default enabled cipher suites in your application or with the system properties jdk.tls.client.cipherSuites and jdk.tls.server.cipherSuites.
The set of cipher suites that are enabled by default is determined in one of the following ways, in this order of preference:
- Explicitly set by application
- Specified by system property
- Specified by JSSE provider defaults
For example, explicitly setting the default enabled cipher suites in your application overrides settings specified in jdk.tls.client.cipherSuites or jdk.tls.server.cipherSuites as well as JSSE provider defaults.
Explicitly Set by Application
- SSLSocket.setEnabledCipherSuites(String[])
- SSLEngine.setEnabledCipherSuites(String[])
- SSLServerSocket.setEnabledCipherSuites(String[])
- SSLParameters(String[] cipherSuites)
- SSLParameters(String[] cipherSuites, String[] protocols)
- SSLParameters.setCipherSuites(String[])
- https.cipherSuites system property for HttpsURLConnection
Specified by System Property
The system property jdk.tls.client.cipherSuites specifies the default enabled cipher suites on the client side; jdk.tls.server.cipherSuites specifies those on the server side.
The syntax of the value of these two system properties is a comma-separated list of supported cipher suite names. Unrecognized or unsupported cipher suite names that are specified in these properties are ignored. See Java Cryptography Extension API Specification and Reference Appendix A: Standard Names for standard JSSE cipher suite names.
Specified by JSSE Provider Defaults
Each JSSE provider has its own default enabled cipher suites. See Cipher suites for the cipher suite names that are supported by the IBMJSSE2 provider and which ones are enabled by default.
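
The order of preference described above, as an added example that is not part of the original documentation. It assumes the JSSE provider in use supports the two TLS_ECDHE_RSA suite names shown; NOT_A_REAL_SUITE is a constructed name included to show that unrecognized entries are ignored.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class CipherSuitePrecedence {
    public static void main(String[] args) throws Exception {
        // Set before any JSSE class is initialized; same effect as passing
        // -Djdk.tls.client.cipherSuites=... on the command line.
        // Assumption: the provider supports the two ECDHE suites below.
        // NOT_A_REAL_SUITE is a constructed name that should be ignored.
        System.setProperty("jdk.tls.client.cipherSuites",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,"
                + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
                + "NOT_A_REAL_SUITE");

        SSLContext ctx = SSLContext.getDefault();

        // Preference 2: nothing is set explicitly, so the client-side
        // system property decides what is enabled.
        SSLEngine byProperty = ctx.createSSLEngine();
        byProperty.setUseClientMode(true);
        List<String> fromProperty =
                Arrays.asList(byProperty.getEnabledCipherSuites());
        System.out.println("From system property: " + fromProperty);

        // Pick a supported GCM suite that the property did NOT list, so the
        // override is visible and setCipherSuites cannot reject the name.
        String other = Arrays
                .stream(ctx.getSupportedSSLParameters().getCipherSuites())
                .filter(s -> s.contains("_GCM_") && !fromProperty.contains(s))
                .findFirst()
                .orElseThrow(() -> new IllegalStateException(
                        "no other supported GCM suite found"));

        // Preference 1: an explicit application setting replaces the
        // property-derived list for this engine.
        SSLEngine explicit = ctx.createSSLEngine();
        explicit.setUseClientMode(true);
        SSLParameters params = explicit.getSSLParameters();
        params.setCipherSuites(new String[] { other });
        explicit.setSSLParameters(params);
        System.out.println("Explicitly set:       "
                + Arrays.toString(explicit.getEnabledCipherSuites()));
    }
}
```

Printing the effective list this way is also a quick check that a deployed property value was actually picked up, since a misspelled suite name is dropped without an error.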