and exchanging the public keys. Even over a fast network, it can take a few seconds to
establish a connection. Consequently, you may not want to serve all your content over
HTTPS, only the content that really needs to be private and isn't latency sensitive.
Choosing the Cipher Suites
Different implementations of the JSSE support different combinations of authentication
and encryption algorithms. For instance, the implementation that Oracle bundles with
Java 7 only supports 128-bit AES encryption, whereas IAIK's iSaSiLk supports 256-bit
AES encryption.
The stock JSSE bundled with the JDK actually does have code for
stronger 256-bit encryption, but it's disabled unless you install the
JCE Unlimited Strength Jurisdiction Policy Files. I don't even want to
begin trying to explain the legal briar patch that makes this necessary.
The getSupportedCipherSuites() method in SSLSocketFactory tells you which
combination of algorithms is available on a given socket:
public abstract String[] getSupportedCipherSuites()
However, not all cipher suites that are understood are necessarily allowed on the
connection. Some may be too weak and consequently disabled. The getEnabledCipherSuites()
method of SSLSocketFactory tells you which suites this socket is willing to use:
public abstract String[] getEnabledCipherSuites()
The actual suite used is negotiated between the client and server at connection time. It's
possible that the client and the server won't agree on any suite. It's also possible that
although a suite is enabled on both client and server, one or the other or both won't have
the keys and certificates needed to use the suite. In either case, the createSocket()
method will throw an SSLException, a subclass of IOException. You can change the
suites the client attempts to use via the setEnabledCipherSuites() method:
public abstract void setEnabledCipherSuites(String[] suites)
The argument to this method should be a list of the suites you want to use. Each name
must be one of the suites listed by getSupportedCipherSuites(). Otherwise, an
IllegalArgumentException will be thrown. Oracle's JDK 1.7 supports these cipher suites:
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_128_CBC_SHA256
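The selection step described above, as an added example (not code from the book): it filters the supported list by an assumed policy (ECDHE key exchange with AES), enables the result, and shows the IllegalArgumentException raised for a name that is not supported. It calls the enabled-suite methods on SSLSocket, where the JDK declares them; the class name, the select() helper, the policy and the name TLS_NOT_A_REAL_SUITE are constructed for illustration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class CipherSuiteSelection {

  // Assumed policy for this example: ECDHE key exchange with AES only.
  static String[] select(String[] supported) {
    List<String> chosen = new ArrayList<>();
    for (String suite : supported) {
      if (suite.startsWith("TLS_ECDHE_") && suite.contains("_WITH_AES_")) {
        chosen.add(suite);
      }
    }
    return chosen.toArray(new String[0]);
  }

  public static void main(String[] args) throws IOException {
    SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    // An unconnected socket is enough to inspect and configure suites offline.
    try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
      String[] supported = socket.getSupportedCipherSuites();
      String[] enabled = socket.getEnabledCipherSuites();
      System.out.println(supported.length + " supported, "
          + enabled.length + " enabled by default");

      String[] chosen = select(supported);
      if (chosen.length == 0) {
        throw new IllegalStateException("no supported suite matches the policy");
      }
      socket.setEnabledCipherSuites(chosen);
      for (String suite : socket.getEnabledCipherSuites()) {
        System.out.println("enabled: " + suite);
      }

      // A name outside the supported list is rejected before any handshake.
      try {
        socket.setEnabledCipherSuites(new String[] {"TLS_NOT_A_REAL_SUITE"});
      } catch (IllegalArgumentException ex) {
        System.out.println("rejected: " + ex.getMessage());
      }
    }
  }
}
```

On JDK 11 and later the TLS 1.3 suites (names such as TLS_AES_128_GCM_SHA256) carry no key-exchange prefix, so a prefix filter like this one excludes them.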