TLS : Java Glossary



TLS (Transport Layer Security) is a protocol used communicate over an encrypted connection and to authenticate none, one or both of the participants. It is the successor to SSL (Secure Sockets Layer). The actual strength (number of bits is the key) of the encryption is decided by the site itself not by the browser as in SSL.

IETF (Internet Engineering Task Force) manages SSL and has renamed it TLS. People still usually refer to it as SSL. Properly TLS refers to the newer versions of the protocol and SSL to the older.

Java supports both TLS 1.1 RFC 5246 and RFC 6066 and TLS 1.2 RFC 5746. Java does not yet support TLS 1.3 RFC 5246. All you need to do is put https:// on the front of a URL (Uniform Resource Locator).

Starting in JDK (Java Development Kit) 1.8, Java by default uses TLS 1.8 described in RFC 5246 in appendix E.

In Java version 1.7, the Diffie-Hellman part of the exchange is hard-coded to 768 bits for unlimited strength and 512 bits for the default export version. In Java version 1.8, Diffie-Hellman part of the exchange is set to 1024 bits by default, however, it’s possible to increase the strength to 2048 bits with the


system property.

In the Java Control Panel, make sure you have TLS 1.2 support turned on.

Frustrating TLS

The problem with TLS is it is not really a standard. It is a higgledy piggledy collection of algorithms from which you might cobble a connection. It needs to be pruned down to core set of algorithms and key sizes that guaranteed everyone supports. There should be no need for the programmer to provide any hints on exactly which ones to use, other than perhaps the desired speed/security tradeoff in the form of a desirability ranking for the variants to override the default desirability order. A typical program connects to many sites. It makes no sense to require programmers to specifically tweak parameters for each one.

There are 9+ different key exchange algorithms used to kick off the session and 12+ different algorithms used once the exchange has started and 6+ different digest algorithms. It is a wonder any two parties each implementing some subset of these ever manage to communicate.

I have wasted days trying to figure out why Java refuses to connect to Chrome tells me the site is using AES (Advanced Encryption Standard) 128-GCM for the connection and ECDHE-RSA for the key exchange. The webmaster tells me his certificate is 2048 bits, a Comodo Positive SSL CA 2 expires 2014-11-08. I have installed unlimited strength encryption. I have tried the


system property. I installed the root certificate for the Positive SSL CA 2 certificate in my cacerts files, all without success. It always says: : Could not generate DH keypair from
Java Diffie Hellman has a restriction that will block you from connecting with many sites of the net. The DH prime size must be multiple of 64, and can only range from 512 to 1024. I have not yet discovered how you extend the range. If you find out, please let me know.


book cover recommend book⇒SSL and TLS: Theory and Practiceto book home
by Rolf Oppliger 978-1-59693-447-4 hardcover
birth 1965-11-02 age:50
publisher Artech House
published 2009-08-30
This is one of the few recent books on the topic. Nearly all of them were written around 2000. He is a computer science professor at the University of Zurich in Switzerland. Curriculum vitae.
Australian flag abe books anz abe UK flag
German flag abe UK flag
German flag abe Canadian flag
Spanish flag Canadian flag
Spanish flag Chapters Indigo Canadian flag
French flag abe abe American flag
French flag American flag
Italian flag abe Barnes & Noble American flag
Italian flag Nook at Barnes & Noble American flag
India flag Kobo American flag
UN flag other stores Google play American flag
O’Reilly Safari American flag
Powells American flag
Greyed out stores probably do not have the item in stock. Try looking for it with a bookfinder.

Learning More

Oracle’s Technote Guide on SSL/TLS reference guide : available:

This page is posted
on the web at:

Optional Replicator mirror
on local hard disk J:

Please the feedback from other visitors, or your own feedback about the site.
Contact Roedy. Please feel free to link to this page without explicit permission.

Your face IP:[]
You are visitor number