Recommended cipher

Hi

I want to set the http and transport protocol to TLSv1.2. I want to know the recommended ciphers that I can use with TLSv1.2. for now I have enabled,

"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA256",
"TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_CBC_SHA"

Do I have to download (JCE) Unlimited Strength Jurisdiction Policy Files* for 256-bit AES encryption to use the above cipher?.

All I am trying to achieve here is to use TLSv1.2 and remove all week ciphers.

What Java version are you running on and what is your reasoning for changing the default enabled ciphers? Did you encounter an error or are you trying to be compliant with a security policy?

Thank you for your reply, I am using Java 11 and yes I want to change the cipher to comply with security policy. I am trying to enable only stronger cipher. It is bit confusing as on

" If TLSv1.3 is not available, the TLSv1.3 ciphers TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256 are not included in the default list. If 256-bit AES is unavailable, ciphers with AES_256 in their names are not included in the default list"

Is all the default cipher are recommended ???

The default ciphers for Elasticsearch have no connection to your (or your organization's) security policy .

Do I have to download (JCE) Unlimited Strength Jurisdiction Policy Files* for 256-bit AES encryption to use the above cipher?.

No, Java 11 doesn't require this.

What exactly is confusing you ? TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256 are only available in TLS1.3 so if you want to use TLS1.2, you can't use them.

Also

" If TLSv1.3 is not available, the TLSv1.3 ciphers TLS_AES_256_GCM_SHA384 and TLS_AES_128_GCM_SHA256 are not included in the default list. If 256-bit AES is unavailable, ciphers with AES_256 in their names are not included in the default list"

talks about default values and you are explicitly setting your ciphers so you shouldn't need to care about the default values.

https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#jsse-cipher-suite-names contains a list of all ciphers, which version of TLS they were introduced in and whether or not they are deprecated.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.