Type: CSR
Resolution: Approved
Priority: P3
Compatibility Kind: behavioral
Compatibility Risk: minimal
Compatibility Risk Description: No compatibility risk. New command.
Interface Kind: add/remove/modify command line option
Scope: JDK
Summary
Add a new keytool -showinfo -tls command to display TLS configuration information.
Problem
TLS configuration information (the enabled cipher suites, their order, the enabled protocols, etc.) is very useful to both users and administrators. It can vary depending on which JDK release or update is installed on the system and on whether the java.security file has been changed to restrict cipher suites or protocols. Previously the enabled suites and protocols were documented in the JSSE security guide, but that has proven to be a moving target and difficult to keep up to date as additional weak cipher suites have been disabled, often in update releases. Showing the information in keytool therefore seems to be the best solution.
While keytool has historically been a tool for managing keys and certificates, we think it can also be a home for this new function because (1) TLS is closely related to keys and certificates, and the users of TLS and of keytool are mostly the same, and (2) keytool is the only security-related tool in java.base and we think it is not worth creating a separate new tool for this function.
Solution
Add a new keytool command -showinfo to display security-related information about the current JDK. An option selects which kind of information to print. The first such option is -tls, which displays the TLS configuration.
Specification
keytool -help will show a new command:
-showinfo Displays security-related information
and keytool -help -showinfo will show its available options:
keytool -showinfo [OPTION]...
Displays security-related information
Options:
-tls Displays TLS configuration information
-v verbose output
The exact output format of keytool -showinfo -tls is not specified here and could evolve in future releases.
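Because the output format of keytool -showinfo -tls is deliberately unspecified, a practitioner who needs the same facts in a stable, scriptable form can read them from the JSSE API that keytool itself sits on top of. The following is an added example written for this page; it is not keytool's implementation and not part of the CSR. It assumes only public java.base API: the default SSLContext, its SSLParameters, and the jdk.tls.disabledAlgorithms security property from the java.security file. The class name TlsInfo and the helper supportedButNotEnabled are my own.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (not keytool's code): report the TLS configuration of the
// running JDK from the default SSLContext, i.e. the same underlying data
// that keytool -showinfo -tls presents, and show which supported suites
// java.security has switched off.
public class TlsInfo {

    // Cipher suites the provider implements but does not enable by default.
    // With an unmodified java.security this is mostly the suites listed in
    // jdk.tls.disabledAlgorithms; a hardened file shrinks the enabled set
    // and grows this list.
    static List<String> supportedButNotEnabled(SSLContext ctx) {
        Set<String> enabled = new HashSet<>(
                Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));
        List<String> off = new ArrayList<>();
        for (String cs : ctx.getSupportedSSLParameters().getCipherSuites()) {
            if (!enabled.contains(cs)) {
                off.add(cs);
            }
        }
        return off;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters enabled = ctx.getDefaultSSLParameters();

        System.out.println("java.version = " + System.getProperty("java.version"));
        // Value comes from java.security (or an override file, see usage note).
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        System.out.println("Enabled protocols:");
        for (String p : enabled.getProtocols()) {
            System.out.println("  " + p);
        }

        // Array order is the order JSSE uses when negotiating, so this is
        // the "their order" the CSR refers to.
        System.out.println("Enabled cipher suites, in preference order:");
        for (String cs : enabled.getCipherSuites()) {
            System.out.println("  " + cs);
        }

        System.out.println("Supported but not enabled:");
        for (String cs : supportedButNotEnabled(ctx)) {
            System.out.println("  " + cs);
        }
    }
}
```

To see how a restricted java.security file changes the result, run either the example or keytool against an override file: `java -Djava.security.properties=/path/to/hardened.security TlsInfo`, or `keytool -J-Djava.security.properties=/path/to/hardened.security -showinfo -tls`. The -J prefix passes the option to the JVM that runs keytool, and the java.security.properties system property appends to (or, with a leading `=`, replaces) the master java.security file, so both invocations report the configuration an application launched with that same property would actually get.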
CSR of: JDK-8219861 Add new keytool -showinfo -tls command for displaying TLS configuration information (Resolved)