FYI: ssl ciphers (howsmyssl.com)

Bernd Eckenfels bernd-2014 at eckenfels.net
Sat Feb 15 14:31:37 PST 2014


Hello,

I run Oracle 1.8.0 b129 with default SSL Socket Factory (win7 x64)
against howsmyssl.com and here is the API response:

Howsmyssl Test: 1.8.0-b129/25.0-b69 Java HotSpot(TM) 64-Bit Server VM
HTTP/1.1 200 OK
Content-Length: 1578
Connection: close
Content-Type: application/json
Date: Sat, 15 Feb 2014 22:08:07 GMT
Strict-Transport-Security: max-age=631138519; includeSubdomains

{"given_cipher_suites":[
  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
  "TLS_RSA_WITH_AES_128_CBC_SHA256",
  "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
  "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
  "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
  "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
  "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
  "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
  "TLS_RSA_WITH_AES_128_CBC_SHA",
  "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
  "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
  "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
  "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
  "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
  "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
  "TLS_RSA_WITH_RC4_128_SHA",
  "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
  "TLS_ECDH_RSA_WITH_RC4_128_SHA",
  "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
  "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
  "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", 
  "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
  "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
  "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
  "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
  "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
  "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
  "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
  "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
  "TLS_RSA_WITH_RC4_128_MD5",
  "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"],
"ephemeral_keys_supported":true,
"session_ticket_supported":false,
"tls_compression_supported":false,
"unknown_cipher_suite_supported":false,
"beast_vuln":false,
"able_to_detect_n_minus_one_splitting":false,
"insecure_cipher_suites":{},
"tls_version":"TLS 1.2",

"rating":"Improvable"}

Not sure what contributes to improvable, I guess the absence of session
ticket support is the major point here.

We talked about the sequence of ciphers before. Anyway, as I
read here:
https://blogs.oracle.com/java-platform-group/entry/java_8_will_use_tls
"PFS is not enabled by default", but the cipher list looks otherwise?
(which I think is good), 

But, I am not sure why TLS_RSA_WITH_AES_128_CBC_SHA256 is higher
prioritized than TLS_DHE_RSA_WITH_AES_128_CBC_SHA256?

Greetings
Bernd

PS:
https://github.com/ecki/JavaCryptoTest/blob/master/src/main/java/net/eckenfels/test/howsmyssl/Client.java


More information about the security-dev mailing list