Java Test HTTPS TLS Supported Versions and Cipher Suites
Introduction
Calls to an HTTPS API can start failing after an infrastructure or JDK migration, and there can be many different reasons. Don't forget to check TLS and the certificate. Several tools can test the supported TLS versions and cipher suites.
Test Tools We Can Use
curl
curl can try to connect using one protocol and cipher:
$ curl -k -v https://www.pkslow.com
* Trying 119.23.215.59:443...
* Connected to www.pkslow.com (119.23.215.59) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted http/1.1
* Server certificate:
* subject: CN=pkslow.com
* start date: Feb 1 11:09:56 2024 GMT
* expire date: May 1 11:09:55 2024 GMT
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* using HTTP/1.1
> GET / HTTP/1.1
> Host: www.pkslow.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.14.1
< Date: Fri, 15 Mar 2024 07:45:35 GMT
< Content-Type: text/html
< Content-Length: 94562
< Connection: keep-alive
< Content-Language: en-US
We can also set the max TLS version:
curl -k -v --tls-max 1.2 https://www.pkslow.com
kali sslscan
Kali provides sslscan to determine the ciphers that are supported. Install on Mac:
brew install sslscan
Test:
$ sslscan www.pkslow.com:443
Version: 2.0.6-static
OpenSSL 1.1.1g 21 Apr 2020
Connected to 119.23.215.59
Testing SSL server www.pkslow.com on port 443 using SNI name www.pkslow.com
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 enabled
TLSv1.1 enabled
TLSv1.2 enabled
TLSv1.3 disabled
TLS Fallback SCSV:
Server supports TLS Fallback SCSV
TLS renegotiation:
Secure session renegotiation supported
TLS Compression:
Compression disabled
Heartbleed:
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-ARIA256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-ARIA128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-CAMELLIA256-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-CAMELLIA128-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
Accepted TLSv1.2 112 bits ECDHE-RSA-DES-CBC3-SHA Curve 25519 DHE 253
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-CCM8
Accepted TLSv1.2 256 bits AES256-CCM
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-CCM8
Accepted TLSv1.2 128 bits AES128-CCM
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 256 bits ARIA256-GCM-SHA384
Accepted TLSv1.2 128 bits ARIA128-GCM-SHA256
Accepted TLSv1.2 256 bits CAMELLIA256-SHA256
Accepted TLSv1.2 128 bits CAMELLIA128-SHA256
Accepted TLSv1.2 256 bits CAMELLIA256-SHA
Accepted TLSv1.2 128 bits CAMELLIA128-SHA
Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
Accepted TLSv1.1 112 bits ECDHE-RSA-DES-CBC3-SHA Curve 25519 DHE 253
Accepted TLSv1.1 256 bits AES256-SHA
Accepted TLSv1.1 128 bits AES128-SHA
Accepted TLSv1.1 256 bits CAMELLIA256-SHA
Accepted TLSv1.1 128 bits CAMELLIA128-SHA
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
Accepted TLSv1.0 112 bits ECDHE-RSA-DES-CBC3-SHA Curve 25519 DHE 253
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 256 bits CAMELLIA256-SHA
Accepted TLSv1.0 128 bits CAMELLIA128-SHA
Server Key Exchange Group(s):
TLSv1.2 128 bits secp256r1 (NIST P-256)
TLSv1.2 192 bits secp384r1 (NIST P-384)
TLSv1.2 260 bits secp521r1 (NIST P-521)
TLSv1.2 128 bits x25519
TLSv1.2 224 bits x448
Server Signature Algorithm(s):
TLSv1.2 rsa_pkcs1_sha1
TLSv1.2 rsa_pkcs1_sha224
TLSv1.2 rsa_pkcs1_sha256
TLSv1.2 rsa_pkcs1_sha384
TLSv1.2 rsa_pkcs1_sha512
TLSv1.2 rsa_pss_rsae_sha256
TLSv1.2 rsa_pss_rsae_sha384
TLSv1.2 rsa_pss_rsae_sha512
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048
Subject: pkslow.com
Altnames: DNS:pkslow.com, DNS:www.pkslow.com
Issuer: R3
Not valid before: Feb 1 11:09:56 2024 GMT
Not valid after: May 1 11:09:55 2024 GMT
nmap
Nmap (Network Mapper) is a free security scanner.
$ nmap -Pn --script ssl-enum-ciphers -p 443 www.pkslow.com
Starting Nmap 7.70 ( https://nmap.org ) at 2024-03-15 19:14 CST
Nmap scan report for www.pkslow.com (119.23.215.59)
Host is up (0.0031s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (ecdh_x25519) - C
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (ecdh_x25519) - C
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (ecdh_x25519) - C
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
|_ least strength: C
Nmap done: 1 IP address (1 host up) scanned in 2.95 seconds
Java ssltest
We can write code to do the testing in Java.
Host [www.pkslow.com] resolves to address [119.23.215.59]
Auto-detected client-supported protocols: [DTLSv1.0, DTLSv1.2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
Testing server www.pkslow.com:443
Supported Protocol Cipher
Accepted TLSv1 TLS_RSA_WITH_AES_256_CBC_SHA
Accepted TLSv1 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Accepted TLSv1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1 TLS_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Accepted TLSv1.1 TLS_RSA_WITH_AES_256_CBC_SHA
Accepted TLSv1.1 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Accepted TLSv1.1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1.1 TLS_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Accepted TLSv1.2 TLS_RSA_WITH_AES_256_CBC_SHA
Accepted TLSv1.2 TLS_RSA_WITH_AES_256_CBC_SHA256
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Accepted TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA256
Accepted TLSv1.2 TLS_RSA_WITH_AES_128_GCM_SHA256
Accepted TLSv1.2 TLS_RSA_WITH_AES_256_GCM_SHA384
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Accepted TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Given this client's capabilities ([DTLSv1.0, DTLSv1.2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]), the server prefers protocol=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
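One way such a test can be written with the JDK's own JSSE API, as an added example (not the ssltest code this page links to; the class name TlsProbe and its probe method are chosen here). It prints what the local JDK supports and enables, then tries one handshake per protocol/cipher pair, so a failure caused by the client JDK (see jdk.tls.disabledAlgorithms) can be told apart from a server-side rejection.

```java
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.*;

public class TlsProbe {
    // Attempt one handshake restricted to a single protocol/cipher pair.
    // Returns "Accepted" or the failure reason JSSE reported.
    static String probe(SSLSocketFactory f, String host, int port, String protocol, String cipher) {
        try (Socket raw = new Socket()) {
            raw.connect(new InetSocketAddress(host, port), 5000);
            raw.setSoTimeout(5000);
            // Layering over the connected socket passes the host name on for SNI.
            try (SSLSocket s = (SSLSocket) f.createSocket(raw, host, port, true)) {
                s.setEnabledProtocols(new String[] {protocol});
                s.setEnabledCipherSuites(new String[] {cipher});
                s.startHandshake(); // default trust store: an untrusted certificate also fails here
                return "Accepted";
            }
        } catch (Exception e) {
            return "Failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        // Local view first: this is what changes when the JDK is migrated.
        System.out.println("Client supports: " + Arrays.toString(supported.getProtocols()));
        System.out.println("Client enables:  " + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        System.out.println("jdk.tls.disabledAlgorithms=" + Security.getProperty("jdk.tls.disabledAlgorithms"));
        if (args.length == 0) return; // no target given: report the local JDK only
        String host = args[0]; // assumed usage: java TlsProbe.java <host> [port]
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        for (String protocol : supported.getProtocols()) {
            if (!protocol.startsWith("TLSv")) continue; // skip SSLv3 and SSLv2Hello
            String lastFailure = null;
            boolean any = false;
            for (String cipher : supported.getCipherSuites()) {
                if (cipher.endsWith("_SCSV")) continue; // signalling value, not a cipher
                String result = probe(ctx.getSocketFactory(), host, port, protocol, cipher);
                if (result.equals("Accepted")) { any = true; System.out.println("Accepted  " + protocol + "  " + cipher); }
                else lastFailure = result;
            }
            if (!any) System.out.println("None      " + protocol + "  (" + lastFailure + ")");
        }
    }
}
```

Run with no arguments, it only reports the local JDK's protocol settings, which is the quickest way to compare the old and new runtime after a migration.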
Code
Please check the code on GitHub.