Customization
JSSE includes a standard implementation that can be customized by plugging in different implementations or specifying the default keystore, and so on. The following tables summarize which aspects can be customized, what the defaults are, and which mechanisms are used to provide customization.
Some of the customizations are done by setting system property or security property values. Sections following the table explain how to set such property values.
The following table shows items that are customized by setting a java.security.Security property:
Security Property | Customized Item | Default Value | Notes |
---|---|---|---|
JCE encryption algorithms used by the IBMJSSE2 provider | Give alternative JCE algorithm providers a higher preference order than the IBMJCE provider; see Customizing the Encryption Algorithm Providers. | IBMJCE implementations | None |
jdk.certpath.disabledAlgorithms 1 | Disabled certificate verification cryptographic algorithm (see Disabled and restricted cryptographic algorithms) | MD2, RSA keySize < 1024, 2 | None |
jdk.tls.disabledAlgorithms 1 | Disabled and restricted cryptographic algorithms | SSLv3, 2 | Disables specific algorithms (protocol versions, cipher suites, key exchange mechanisms, etc.) that will not be negotiated for Transport Layer Security (TLS) connections, even if they are enabled explicitly in an application. Note: If you are using the IBMJCEFIPS provider for TLS, add RSASSA-PSS, RSAPSS to this system property in the java.security file. |
jdk.tls.keyLimits 1 | | | |
jdk.tls.legacyAlgorithms 1 | | K_NULL, C_NULL, M_NULL, DH_anon, ECDH_anon, RC4_128, RC4_40, DES_CBC, DES40_CBC, 3DES_EDE_CBC 2 | |
jdk.tls.maxCertificateChainLength 1 | | | |
jdk.tls.maxHandshakeMessageSize 1 | | | |
jdk.tls.rejectClientInitiatedRenegotiation 1 | Rejects client-initiated renegotiation on the server side. If this system property is true, then the server will not accept client initiated renegotiation and will fail with a fatal handshake_failure alert. | false | None |
jdk.tls.server.defaultDHEParameters 1 | | | |
ocsp.enable 1 | Determine X.509 certificate revocation status with OCSP | false | Enables client-driven Online Certificate Status Protocol (OCSP). You must also enable revocation checking; see Setting up a Java Client to use Client-Driven OCSP. |
security.provider.n | Cryptographic service provider; see Customizing the Provider Implementation and Customizing the Encryption Algorithm Providers | Differs per platform; check the java.security security properties file. | Specify the provider in the security.provider.n= line in the security properties file, where n is an integer whose value is equal to or greater than 1. |
ssl.KeyManagerFactory.algorithm | Default key manager factory algorithm name (see Customizing the Default Key and Trust Managers) | IbmX509 | None |
ssl.ServerSocketFactory.provider 1 | Default SSLServerSocketFactory implementation | SSLServerSocketFactory implementation from IBM: com.ibm.jsse2.SSLServerSocketFactoryImpl | None |
ssl.SocketFactory.provider 1 | Default SSLSocketFactory implementation | SSLSocketFactory implementation from IBM: com.ibm.jsse2.SSLSocketFactoryImpl | None |
ssl.TrustManagerFactory.algorithm | Default trust manager factory algorithm name (see Customizing the Default Key and Trust Managers) | PKIX | None |
1 There is no guarantee the property will continue to exist or be of the same type (system or security) in future releases.
2 The list of restricted, disabled, and legacy algorithms specified in these security properties might change; see the java.security file in your SDK installation for the latest values.
The following table shows items that are customized by setting a java.lang.System property:
System Property | Customized Item | Default | Notes |
---|---|---|---|
com.ibm.jsse2.allowLegacyHelloMessages | | true | true, then allow the peer to handshake without requiring the proper RFC 5746 messages. |
com.ibm.jsse2.allowUnsafeRenegotiation | | false | true, then permit full (unsafe) legacy negotiation. |
com.ibm.jsse2.checkRevocation 1 | Revocation checking | false | You must enable revocation checking to enable client-driven OCSP; see Determine X.509 certificate revocation status with OCSP. |
com.ibm.jsse2.disableSSLv3 1 | Padding Oracle On Downgraded Legacy Encryption (POODLE) security vulnerability | true | Disables use of the SSL V3.0 protocol, which is the default. Setting this value to false enables SSL V3.0 and exposes an application to this vulnerability. |
com.ibm.jsse2.sslEngineCloseNotifyReceive | | true | When the value of the property is Set this property to |
com.ibm.jsse2.overrideDefaultCSName | | false | Set this property to Set this property to |
com.ibm.jsse2.sp800-131 1 | SP800-131A Compliance | off | Set this property to transition to specify that SP800-131a transition compliance is requested. Set the property to strict to allow only strict adherence to the SP800-131a recommendation. The default value specifies that SP800-131a compliance is not requested. |
com.ibm.jsse2.strictServerSigCheck 1 | | false | Set this property to Set this property to |
com.ibm.jsse2.suiteB 1 | Suite B compliance, see Suite B Profile for Transport Layer Security (TLS) | false | Set this property to 128 to specify the 128-bit minimum level of security, or 192 to specify the 192-bit minimum level of security. The default value specifies that Suite B compliance is not requested. |
com.ibm.jsse2.usefipsprovider 1 | Run IBMJSSE2 in FIPS mode | false | Set this property to true to run IBMJSSE2 in FIPS mode. |
Customize via port field in the HTTPS URL 1 | Default HTTPS port | 443 | None |
https.cipherSuites 1 | Default cipher suites for HTTPS connections | Determined by the socket factory. | This contains a comma-separated list of cipher suite names specifying which cipher suites to enable for use on this HttpsURLConnection. See the SSLSocket setEnabledCipherSuites(String[]) method. Note that this method sets the preference order of the ClientHello cipher suites directly from the String array passed to it. |
https.protocols 1 | Default handshaking protocols for HTTPS connections. | Determined by the socket factory. | This contains a comma-separated list of protocol suite names specifying which protocol suites to enable on this HttpsURLConnection. See the SSLSocket setEnabledProtocols(String[]) method. |
https.proxyHost 1 | Default proxy host | None | None |
https.proxyPort 1 | Default proxy port | 80 | None |
java.protocol.handler.pkgs | Specifying an Alternative HTTPS Protocol Implementation | Implementation from IBM com.ibm.net.ssl.www2.protocol | None |
javax.net.ssl.keyStore 1 | Default keystore; see Customizing the Default Key and Trust Stores, Store Types, and Store Passwords | If no system property, then jssecacerts is the default. Otherwise, cacerts is the default. | The value NONE may be specified. This setting is appropriate if the keystore is not file-based (for example, it resides in a hardware token). |
javax.net.ssl.keyStorePassword 1 | Default keystore password; see Customizing the Default Key and Trust Stores, Store Types, and Store Passwords | changeit | It is inadvisable to specify the password in a way that exposes it to discovery by other users, for example, by specifying the password on the command line. To keep the password secure, have the application prompt for the password, or specify the password in a properly protected option file. |
javax.net.ssl.keyStoreProvider 1 | Default keystore provider; see Customizing the Default Key and Trust Stores, Store Types, and Store Passwords | None | None |
javax.net.ssl.keyStoreType 1 | Default keystore type; see Customizing the Default Key and Trust Stores, Store Types, and Store Passwords | KeyStore.getDefaultType() | None |
javax.net.ssl.sessionCacheSize | Default value for the maximum number of entries in the SSL session cache | 100 | The session cache size can be set by calling the SSLSessionContext.setSessionCacheSize method or by setting the javax.net.ssl.sessionCacheSize system property. If the cache size is not set, the default value is used. |
javax.net.ssl.trustStore 1 | Default truststore; see Customizing the Default Key and Trust Stores, Store Types, and Store Passwords | jssecacerts, if it exists; otherwise, cacerts | None |
javax.net.ssl.trustStorePassword 1 | Default truststore password; see Customizing the Default Key and Trust Stores, Store Types, and Store Passwords | None | It is inadvisable to specify the password in a way that exposes it to discovery by other users, for example, by specifying the password on the command line. To keep the password secure, have the application prompt for the password, or specify the password in a properly protected option file. |
javax.net.ssl.trustStoreProvider 1 | Default truststore provider; see Customizing the Default Key and Trust Stores, Store Types, and Store Passwords | None | None |
javax.net.ssl.trustStoreType 1 | Default truststore type; see Customizing the Default Key and Trust Stores, Store Types, and Store Passwords | KeyStore.getDefaultType() | The value NONE may be specified. This setting is appropriate if the truststore is not file-based (for example, it resides in a hardware token). |
jdk.tls.acknowledgeCloseNotify 1 | | false | true, then when the client or server receives a close_notify alert, it sends a corresponding close_notify alert and the connection is duplex-closed. |
jdk.tls.client.cipherSuites 1 | | | Attention: These system properties can be used to configure weak cipher suites, or the configured cipher suites might be weak in the future. It is not recommended that you use these system properties without understanding the risks. |
jdk.tls.client.enableCAExtension | | false | true. Notes: |
jdk.tls.client.enableStatusRequestExtension 1 | | false | true, then the status_request and status_request_v2 extensions are enabled, and processing for CertificateStatus messages sent by the server is enabled. |
jdk.tls.client.disableExtensions 1 | | None | |
jdk.tls.client.protocols 1 | Default handshaking protocols for TLS clients. See Protocols | none | To enable specific IBMJSSE2 protocols on the client, specify them in a comma-separated list within quotation marks; all other supported protocols are not enabled on the client. For example, if jdk.tls.client.protocols="TLSv1,TLSv1.1", the default protocol settings on the client for TLSv1 and TLSv1.1 are enabled, while SSLv3, TLSv1.2, and TLSv1.3 are not enabled. |
jdk.tls.client.SignatureSchemes 1 | | | |
jdk.tls.ephemeralDHKeySize 1 | Customizing the size of Ephemeral Diffie-Hellman Keys | bits | None |
jdk.tls.namedGroups 1 | | | jdk.tls.namedGroups="secp521r1,secp256r1 |
jdk.tls.server.cipherSuites 1 | | | Attention: These system properties can be used to configure weak cipher suites, or the configured cipher suites may be weak in the future. It is not recommended that you use these system properties without understanding the risks. |
jdk.tls.server.enableStatusRequestExtension 1 | | false | true, then server-side support for OCSP stapling is enabled |
jdk.tls.server.disableExtensions 1 | | | |
jdk.tls.server.protocols 1 | | none | IBMJSSE2 provider, specify the protocols in a comma-separated list within quotation marks. The protocols in this list are standard SSL protocol names as described in Appendix A: Standard Names. Note that this system property impacts only the default protocol suite (SSLContext of the algorithms SSL and TLS). If an application uses a version-specific SSLContext (SSLv3, TLSv1, TLSv1.1, TLSv1.2, or TLSv1.3), or sets the enabled protocol version explicitly, this system property has no impact. |
jdk.tls.server.SignatureSchemes 1 | | | |
jsse.enableCBCProtection 1 | Adds randomness to prevent CBC attacks. For more information, see Browser Exploit Against SSL/TLS (BEAST) security vulnerability. | | Set this property to true to specify that CBC protection is enabled. |
jsse.enableFFDHE | | true | false to disable the FFDHE extension. |
jsse.enableMFLNExtension 1 | | false | |
jsse.enableSNIExtension 1 | Server Name Indication option | true | Server Name Indication (SNI) is a TLS extension, defined in RFC 6066. It enables TLS connections to virtual servers, in which multiple servers for different network names are hosted at a single underlying network address. Some very old TLS vendors might not be able to handle TLS extensions. In this case, set this property to false to disable the SNI extension. |
jsse.SSLEngine.acceptLargeFragments 1 | Default sizing buffers for large TLS packets | None | When this system property is set to true, SSLSession sizes buffers to handle large data packets by default (see the note in SSLSession and ExtendedSSLSession Interfaces). This might cause applications to allocate unnecessarily large SSLEngine buffers. Instead, applications should dynamically check for buffer overflow conditions and resize buffers as appropriate (see Status of Operations). |
1 There is no guarantee the property will continue to exist or be of the same type (system or security) in future releases.
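
The following Java class is an added example, not code from IBM or from this page: it reads several of the properties listed in the two tables and reports values that the Notes column describes as weakening or defeating a default. The class name JsseConfigAudit and the wording of the findings are illustrative assumptions; the com.ibm.jsse2.* properties are meaningful only on an SDK that ships IBMJSSE2.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example (not IBM code): audits properties named in the tables above.
public class JsseConfigAudit {
    static List<String> audit() {
        List<String> findings = new ArrayList<>();
        // System property values that weaken the defaults shown in the table.
        flagIf(findings, "com.ibm.jsse2.disableSSLv3", "false", "enables SSL V3.0 (POODLE)");
        flagIf(findings, "com.ibm.jsse2.allowUnsafeRenegotiation", "true", "permits unsafe legacy renegotiation");
        // Store passwords held in system properties are often passed with -D on the command line.
        for (String p : Arrays.asList("keyStorePassword", "trustStorePassword")) {
            String name = "javax.net.ssl." + p;
            if (System.getProperty(name) != null) {
                findings.add(name + " is set as a system property; check how it was supplied");
            }
        }
        // Client-driven OCSP needs ocsp.enable and revocation checking together.
        boolean ocsp = "true".equalsIgnoreCase(Security.getProperty("ocsp.enable"));
        if (ocsp && !Boolean.getBoolean("com.ibm.jsse2.checkRevocation")) {
            findings.add("ocsp.enable=true but com.ibm.jsse2.checkRevocation is not true");
        }
        // jdk.tls.client.protocols enables only the protocols it lists.
        String protocols = System.getProperty("jdk.tls.client.protocols");
        if (protocols != null) {
            List<String> listed = splitList(protocols.replace("\"", ""));
            if (listed.contains("SSLv3")) findings.add("jdk.tls.client.protocols lists SSLv3");
            if (!listed.contains("TLSv1.2") && !listed.contains("TLSv1.3")) {
                findings.add("jdk.tls.client.protocols leaves TLSv1.2 and TLSv1.3 not enabled");
            }
        }
        // SSLv3 is expected to stay in the jdk.tls.disabledAlgorithms security property.
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (disabled == null || !splitList(disabled).contains("SSLv3")) {
            findings.add("jdk.tls.disabledAlgorithms does not list SSLv3");
        }
        return findings;
    }
    static void flagIf(List<String> out, String name, String risky, String why) {
        if (risky.equalsIgnoreCase(System.getProperty(name))) out.add(name + "=" + risky + " " + why);
    }
    static List<String> splitList(String value) {
        return Arrays.asList(value.trim().split("\\s*,\\s*"));
    }
    public static void main(String[] args) {
        audit().forEach(f -> System.out.println("FINDING: " + f));
    }
}
```

Run it with the same -D options and java.security file as the application being reviewed, so that it sees the same effective values.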