Grade Encryption Ciphers in Java 6
Below is a list of SSL/TLS Encryption Ciphers available in Java 6, based off my installation of a 1.6.0_45 jvm (and as of May 2012). Cipher names that are bolded are default ciphers for the jvm while non-bolded cipher names are included but not part of the default cipher set. Java 6 contains 38 ciphers, 19 of which are available by default.
Cipher names in Green are considered strong enough for general encryption use while cipher names in red should be avoided. Cipher names in amber deserve special consideration in that they might not be considered safe for reasons like FIPS compliance or they are not considered safe when paired with a particular protocol.
| Cipher | Default | Notes | |
|---|---|---|---|
| SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | Y | 40 bit encryption | |
| SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 | |
| SSL_DHE_DSS_WITH_DES_CBC_SHA | Y | 56 bit encryption | |
| SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | Y | 40 bit encryption | |
| SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 | |
| SSL_DHE_RSA_WITH_DES_CBC_SHA | Y | 56 bit encryption | |
| SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA | 40 bit encryption. Anonymous auth. | ||
| SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 | 40 bit encryption. Anonymous auth. MD5 key | ||
| SSL_DH_anon_WITH_3DES_EDE_CBC_SHA | Anonymous auth | ||
| SSL_DH_anon_WITH_DES_CBC_SHA | 56 bit encryption. Anonymous auth | ||
| SSL_DH_anon_WITH_RC4_128_MD5 | MD5 key. Anonymous auth. | ||
| SSL_RSA_EXPORT_WITH_DES40_CBC_SHA | Y | 40 bit encryption | |
| SSL_RSA_EXPORT_WITH_RC4_40_MD5 | Y | 40 bit encryption. MD5 key. | |
| SSL_RSA_WITH_3DES_EDE_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 | |
| SSL_RSA_WITH_DES_CBC_SHA | Y | 56 bit encryption | |
| SSL_RSA_WITH_NULL_MD5 | No encryption. MD5 key. | ||
| SSL_RSA_WITH_NULL_SHA | No encryption | ||
| SSL_RSA_WITH_RC4_128_MD5 | Y | MD5 key. | |
| SSL_RSA_WITH_RC4_128_SHA | Y | Prioritize first for BEAST but not FIPS compliant. May no longer be considered strong encryption. | |
| TLS_DHE_DSS_WITH_AES_128_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 | |
| TLS_DHE_DSS_WITH_AES_256_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 | |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 | |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 | |
| TLS_DH_anon_WITH_AES_128_CBC_SHA | Anonymous auth | ||
| TLS_DH_anon_WITH_AES_256_CBC_SHA | Anonymous auth | ||
| TLS_EMPTY_RENEGOTIATION_INFO_SCSV* | Y | Not a negotiable cipher | |
| TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 | 40 bit encryption. MD5 key. | ||
| TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA | 40 bit encryption. | ||
| TLS_KRB5_EXPORT_WITH_RC4_40_MD5 | 40 bit encryption. MD5 key. | ||
| TLS_KRB5_EXPORT_WITH_RC4_40_SHA | 40 bit encryption | ||
| TLS_KRB5_WITH_3DES_EDE_CBC_MD5 | MD5 key. | ||
| TLS_KRB5_WITH_3DES_EDE_CBC_SHA | CBC ciphers are not considered safe if using sslv3 or tlsv1 | ||
| TLS_KRB5_WITH_DES_CBC_MD5 | MD5 key. Only 56 bit encryption | ||
| TLS_KRB5_WITH_DES_CBC_SHA | MD5 key. Only 56 bit encryption | ||
| TLS_KRB5_WITH_RC4_128_MD5 | MD5 key. | ||
| TLS_KRB5_WITH_RC4_128_SHA | Not enabled by default so might not be widely available by clients or servers | ||
| TLS_RSA_WITH_AES_128_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 | |
| TLS_RSA_WITH_AES_256_CBC_SHA | Y | CBC ciphers are not considered safe if using sslv3 or tlsv1 |
Note the absence of any green ciphers. Hopefully this table can be updated some time in the near future as older protocols are phased out in favor of newer protocols like tls1.2.
