# Java Test HTTPS TLS Supported Versions and Cipher Suites
# Introduction
It would fail to call HTTPS API if we migrated infrastructure/JDK, there would be many different reasons. But don't forget to check the TLS and certificate. There are several tools that can test the TLS versions and cipher suites.
# Test Tools We can Use
# curl
curl can try use one protocal and cipher to connect:
$ curl -k -v https://www.pkslow.com
* Trying 119.23.215.59:443...
* Connected to www.pkslow.com (119.23.215.59) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN: server accepted http/1.1
* Server certificate:
* subject: CN=pkslow.com
* start date: Feb 1 11:09:56 2024 GMT
* expire date: May 1 11:09:55 2024 GMT
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
* using HTTP/1.1
> GET / HTTP/1.1
> Host: www.pkslow.com
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.14.1
< Date: Fri, 15 Mar 2024 07:45:35 GMT
< Content-Type: text/html
< Content-Length: 94562
< Connection: keep-alive
< Content-Language: en-US
We can also set the max TLS version:
curl -k -v --tls-max 1.2 https://www.pkslow.com
# kali sslscan
Kali provides sslscan (opens new window) to determine the ciphers that are supported. Install on Mac:
brew install sslscan
Test:
$ sslscan www.pkslow.com:443
Version: 2.0.6-static
OpenSSL 1.1.1g 21 Apr 2020
Connected to 119.23.215.59
Testing SSL server www.pkslow.com on port 443 using SNI name www.pkslow.com
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 enabled
TLSv1.1 enabled
TLSv1.2 enabled
TLSv1.3 disabled
TLS Fallback SCSV:
Server supports TLS Fallback SCSV
TLS renegotiation:
Secure session renegotiation supported
TLS Compression:
Compression disabled
Heartbleed:
TLSv1.2 not vulnerable to heartbleed
TLSv1.1 not vulnerable to heartbleed
TLSv1.0 not vulnerable to heartbleed
Supported Server Cipher(s):
Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-ARIA256-GCM-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-ARIA128-GCM-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-CAMELLIA256-SHA384 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-CAMELLIA128-SHA256 Curve 25519 DHE 253
Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
Accepted TLSv1.2 112 bits ECDHE-RSA-DES-CBC3-SHA Curve 25519 DHE 253
Accepted TLSv1.2 256 bits AES256-GCM-SHA384
Accepted TLSv1.2 256 bits AES256-CCM8
Accepted TLSv1.2 256 bits AES256-CCM
Accepted TLSv1.2 128 bits AES128-GCM-SHA256
Accepted TLSv1.2 128 bits AES128-CCM8
Accepted TLSv1.2 128 bits AES128-CCM
Accepted TLSv1.2 256 bits AES256-SHA256
Accepted TLSv1.2 128 bits AES128-SHA256
Accepted TLSv1.2 256 bits AES256-SHA
Accepted TLSv1.2 128 bits AES128-SHA
Accepted TLSv1.2 256 bits ARIA256-GCM-SHA384
Accepted TLSv1.2 128 bits ARIA128-GCM-SHA256
Accepted TLSv1.2 256 bits CAMELLIA256-SHA256
Accepted TLSv1.2 128 bits CAMELLIA128-SHA256
Accepted TLSv1.2 256 bits CAMELLIA256-SHA
Accepted TLSv1.2 128 bits CAMELLIA128-SHA
Preferred TLSv1.1 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.1 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
Accepted TLSv1.1 112 bits ECDHE-RSA-DES-CBC3-SHA Curve 25519 DHE 253
Accepted TLSv1.1 256 bits AES256-SHA
Accepted TLSv1.1 128 bits AES128-SHA
Accepted TLSv1.1 256 bits CAMELLIA256-SHA
Accepted TLSv1.1 128 bits CAMELLIA128-SHA
Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve 25519 DHE 253
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve 25519 DHE 253
Accepted TLSv1.0 112 bits ECDHE-RSA-DES-CBC3-SHA Curve 25519 DHE 253
Accepted TLSv1.0 256 bits AES256-SHA
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 256 bits CAMELLIA256-SHA
Accepted TLSv1.0 128 bits CAMELLIA128-SHA
Server Key Exchange Group(s):
TLSv1.2 128 bits secp256r1 (NIST P-256)
TLSv1.2 192 bits secp384r1 (NIST P-384)
TLSv1.2 260 bits secp521r1 (NIST P-521)
TLSv1.2 128 bits x25519
TLSv1.2 224 bits x448
Server Signature Algorithm(s):
TLSv1.2 rsa_pkcs1_sha1
TLSv1.2 rsa_pkcs1_sha224
TLSv1.2 rsa_pkcs1_sha256
TLSv1.2 rsa_pkcs1_sha384
TLSv1.2 rsa_pkcs1_sha512
TLSv1.2 rsa_pss_rsae_sha256
TLSv1.2 rsa_pss_rsae_sha384
TLSv1.2 rsa_pss_rsae_sha512
SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048
Subject: pkslow.com
Altnames: DNS:pkslow.com, DNS:www.pkslow.com
Issuer: R3
Not valid before: Feb 1 11:09:56 2024 GMT
Not valid after: May 1 11:09:55 2024 GMT
# nmap
Nmap (opens new window) is a Network Mapper tool as a free security scanner.
$ nmap -Pn --script ssl-enum-ciphers -p 443 www.pkslow.com
Starting Nmap 7.70 ( https://nmap.org ) at 2024-03-15 19:14 CST
Nmap scan report for www.pkslow.com (119.23.215.59)
Host is up (0.0031s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (ecdh_x25519) - C
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.1:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (ecdh_x25519) - C
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (ecdh_x25519) - C
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CCM_8 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CCM_8 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
|_ least strength: C
Nmap done: 1 IP address (1 host up) scanned in 2.95 seconds
# Java ssltest
We can write code to do the testing in Java.
Host [www.pkslow.com] resolves to address [119.23.215.59]
Auto-detected client-supported protocols: [DTLSv1.0, DTLSv1.2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]
Testing server www.pkslow.com:443
Supported Protocol Cipher
Accepted TLSv1 TLS_RSA_WITH_AES_256_CBC_SHA
Accepted TLSv1 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Accepted TLSv1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1 TLS_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Accepted TLSv1.1 TLS_RSA_WITH_AES_256_CBC_SHA
Accepted TLSv1.1 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Accepted TLSv1.1 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1.1 TLS_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1.1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Accepted TLSv1.2 TLS_RSA_WITH_AES_256_CBC_SHA
Accepted TLSv1.2 TLS_RSA_WITH_AES_256_CBC_SHA256
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
Accepted TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA256
Accepted TLSv1.2 TLS_RSA_WITH_AES_128_GCM_SHA256
Accepted TLSv1.2 TLS_RSA_WITH_AES_256_GCM_SHA384
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Accepted TLSv1.2 TLS_RSA_WITH_AES_128_CBC_SHA
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Accepted TLSv1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Given this client's capabilities ([DTLSv1.0, DTLSv1.2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3]), the server prefers protocol=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
# Code
Please check the code in GitHub (opens new window).