Grade Encryption Ciphers in Java 6

Below is a list of SSL/TLS encryption ciphers available in Java 6, based on my installation of a 1.6.0_45 JVM (and as of May 2012). Cipher names that are bolded are default ciphers for the JVM, while non-bolded cipher names are included but not part of the default cipher set. Java 6 contains 38 ciphers, 19 of which are available by default.

Cipher names in green are considered strong enough for general encryption use, while cipher names in red should be avoided. Cipher names in amber deserve special consideration: they might not be considered safe for reasons like FIPS compliance, or they are not considered safe when paired with a particular protocol.

| Cipher | Default | Notes |
| --- | --- | --- |
| SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | Y | 40 bit encryption |
| SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 |
| SSL_DHE_DSS_WITH_DES_CBC_SHA | Y | 56 bit encryption |
| SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | Y | 40 bit encryption |
| SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 |
| SSL_DHE_RSA_WITH_DES_CBC_SHA | Y | 56 bit encryption |
| SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA | | 40 bit encryption. Anonymous auth. |
| SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 | | 40 bit encryption. Anonymous auth. MD5 key |
| SSL_DH_anon_WITH_3DES_EDE_CBC_SHA | | Anonymous auth |
| SSL_DH_anon_WITH_DES_CBC_SHA | | 56 bit encryption. Anonymous auth |
| SSL_DH_anon_WITH_RC4_128_MD5 | | MD5 key. Anonymous auth. |
| SSL_RSA_EXPORT_WITH_DES40_CBC_SHA | Y | 40 bit encryption |
| SSL_RSA_EXPORT_WITH_RC4_40_MD5 | Y | 40 bit encryption. MD5 key. |
| SSL_RSA_WITH_3DES_EDE_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 |
| SSL_RSA_WITH_DES_CBC_SHA | Y | 56 bit encryption |
| SSL_RSA_WITH_NULL_MD5 | | No encryption. MD5 key. |
| SSL_RSA_WITH_NULL_SHA | | No encryption |
| SSL_RSA_WITH_RC4_128_MD5 | Y | MD5 key. |
| SSL_RSA_WITH_RC4_128_SHA | Y | Prioritize first for BEAST but not FIPS compliant. May no longer be considered strong encryption. |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 |
| TLS_DH_anon_WITH_AES_128_CBC_SHA | | Anonymous auth |
| TLS_DH_anon_WITH_AES_256_CBC_SHA | | Anonymous auth |
| TLS_EMPTY_RENEGOTIATION_INFO_SCSV* | Y | Not a negotiable cipher |
| TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 | | 40 bit encryption. MD5 key. |
| TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA | | 40 bit encryption. |
| TLS_KRB5_EXPORT_WITH_RC4_40_MD5 | | 40 bit encryption. MD5 key. |
| TLS_KRB5_EXPORT_WITH_RC4_40_SHA | | 40 bit encryption |
| TLS_KRB5_WITH_3DES_EDE_CBC_MD5 | | MD5 key. |
| TLS_KRB5_WITH_3DES_EDE_CBC_SHA | | CBC ciphers are not considered safe if using sslv3 or tlsv1 |
| TLS_KRB5_WITH_DES_CBC_MD5 | | MD5 key. Only 56 bit encryption |
| TLS_KRB5_WITH_DES_CBC_SHA | | MD5 key. Only 56 bit encryption |
| TLS_KRB5_WITH_RC4_128_MD5 | | MD5 key. |
| TLS_KRB5_WITH_RC4_128_SHA | | Not enabled by default so might not be widely available by clients or servers |
| TLS_RSA_WITH_AES_128_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 |
| TLS_RSA_WITH_AES_256_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 |

Note the absence of any green ciphers. Hopefully this table can be updated in the near future as older protocols are phased out in favor of newer protocols like TLS 1.2.
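
To check a particular JVM against the table, the following class (an added example, not code from the original page) lists the suites the running JVM supports, marks which are enabled by default, and grades each name using the weaknesses named in the Notes column. The class name `CipherAudit`, the grade labels and the AVOID/CAUTION split are assumptions of this example; the code avoids language features newer than Java 6.

```java
import javax.net.ssl.SSLContext;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class CipherAudit {
    // Grades follow the Notes column of the table; the AVOID/CAUTION split is an assumption.
    static String grade(String suite) {
        if (suite.endsWith("_SCSV"))       return "SIGNAL";   // not a negotiable cipher
        if (suite.contains("_EXPORT_"))    return "AVOID";    // 40 bit encryption
        if (suite.contains("_WITH_DES_"))  return "AVOID";    // 56 bit encryption (single DES, not 3DES)
        if (suite.contains("_NULL_"))      return "AVOID";    // no encryption
        if (suite.contains("_anon_"))      return "AVOID";    // anonymous auth
        if (suite.endsWith("_MD5"))        return "AVOID";    // MD5
        if (suite.contains("_RC4_"))       return "CAUTION";  // not FIPS compliant
        if (suite.contains("_CBC_"))       return "CAUTION";  // not safe with sslv3 or tlsv1
        return "UNGRADED";                                    // name not covered by the table's notes
    }

    // Returns the input list with every AVOID suite removed, preserving order.
    static String[] withoutAvoided(String[] suites) {
        List<String> keep = new ArrayList<String>();
        for (String s : suites) {
            if (!"AVOID".equals(grade(s))) keep.add(s);
        }
        return keep.toArray(new String[keep.size()]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> defaults = new HashSet<String>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        // Same three columns as the table: cipher, default (Y or blank), grade.
        for (String s : ctx.getSupportedSSLParameters().getCipherSuites()) {
            System.out.printf("%-45s %-2s %s%n", s, defaults.contains(s) ? "Y" : "", grade(s));
        }

        // Pass this array to SSLSocket.setEnabledCipherSuites(...) or
        // SSLEngine.setEnabledCipherSuites(...) to restrict a connection.
        String[] allowed = withoutAvoided(ctx.getDefaultSSLParameters().getCipherSuites());
        System.out.println("Defaults left after removing AVOID: " + Arrays.toString(allowed));
    }
}
```

On a JVM newer than Java 6 the supported list will include suites the table does not cover; those print as UNGRADED rather than being treated as safe.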


Creative Commons Attribution-ShareAlike 3.0 Unported