Java 8 with TLS 1.1 and TLS 1.2

Due to a recent audit finding, one of our customers requested that only TLS 1.2 be allowed and the cipher security level set to “high” (AES256-SHA256 DHE-RSA-ASE256-SHA256) on their Cisco ASA firewall. The AES256-SHA256 security ciphers are not proposed by Java 8 natively. In order to add the security ciphers, you must perform the steps below.

Directions to setup Java Cryptography Encryption (JCE) Unlimited Strength Jurisdiction Policy:

 

  • On your PC, browse to C:\Program Files (x86)\Java\jre1.8.XXX\lib\security
  • Rename files
    • Rename local_policy.jar to local_policy.jar.OLD
    • Rename US_export_policy.jar to US_export_policy.jar.OLD
  • Go to http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html for the following files:
    • Copy local_policy.jar to C:\Program Files (x86)\Java\jre1.8.XXX\lib\security
    • Copy US_export_policy.jar from to C:\Program Files (x86)\Java\jre1.8.XXX\lib\securit
  • Launch ASDM again and the ASA will negotiate to the DHE-RSA-AES256-SHA256 security cipher

 

Networking Java TLS