Documentation, _Remove weaker ciphers from the HIGH cipher list in Liberty_ #8186

@jacobwdv

Description

This issue is being created early to provide an early heads up that documentation changes will be needed for this feature.

Feature epic details

Operating systems

Does the documentation apply to all operating systems?

  • Yes
  • No; specify operating systems: ______

Summary

We will remove 'securityLevel' from our ssl configuration. This UFO has yet to be updated and is pending a POC vote.

In place of securityLevel, we will do two things:

  1. Use the JDK tls default cipher suites
  2. Add a new attribute that will allow users to easily add or remove cipher suites from that default. The WIP name for this is jdkCipherOverrides. It will use a syntax that expects a + or - character in front of each entry of a space-separated list of ciphers. All the + entries will be added to the TLS handshake and the - entries will be removed. The - entries will be processed first, then the + entries, so that users can remove all cipher suites and then subsequently add some back in.

Configuration

New property: jdkCipherOverrides
Removed property: securityLevel

Previous configuration (no longer applicable):

<ssl id="defaultSSL" securityLevel="HIGH"/>
<ssl id="defaultSSL" securityLevel="CUSTOM"
     enabledCiphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ..."/>

Updated configuration:

<ssl id="defaultSSL" jdkCipherOverrides="-TLS_RSA*"/>
<ssl id="defaultSSL"
     enabledCiphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ..."/>

Updates to existing topics

https://openliberty.io/docs/latest/reference/config/ssl.html
Remove:
[image not preserved in this page]

Add:
jdkCipherOverrides, with the following description:

Specifies a list of TLS ciphers to add to or remove from the JDK’s default cipher suite list. Separate each cipher in the list with a space.

To add a cipher, prefix its full suite name with +.
To remove a cipher, prefix its full suite name with -.

You can also use the * wildcard with - to remove multiple cipher suites at once. When used, * must be the last character of the list item, and every cipher suite whose name begins with the prefix before the * is removed. The wildcard cannot be used when adding cipher suites.
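As an added example (not Open Liberty code), the following Python models the jdkCipherOverrides semantics described above: every - item is applied before any + item, and the trailing * wildcard is accepted only on - items. The default suite list is a constructed sample rather than the real JDK default, and the function names are assumptions of this example.

```python
from typing import List, Tuple

# Constructed sample of a JDK default suite ordering, for illustration only;
# it is NOT the real JDK default list.
SAMPLE_JDK_DEFAULTS = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def parse_overrides(overrides: str) -> Tuple[List[str], List[str]]:
    """Split a jdkCipherOverrides value into (removals, additions).
    Each space-separated item must start with '+' or '-'; a '*' may appear
    only as the last character, and only on a '-' item.
    """
    removals: List[str] = []
    additions: List[str] = []
    for item in overrides.split():
        op, name = item[:1], item[1:]
        if op not in ("+", "-") or not name:
            raise ValueError(f"expected +SUITE or -SUITE, got {item!r}")
        if "*" in name[:-1] or (op == "+" and name.endswith("*")):
            raise ValueError(f"'*' only valid at the end of a '-' item: {item!r}")
        (removals if op == "-" else additions).append(name)
    return removals, additions


def apply_overrides(defaults: List[str], overrides: str) -> List[str]:
    """Apply every '-' item first, then every '+' item, preserving order.
    Removals-before-additions is what lets a user clear the defaults and
    then add a few suites back (e.g. "-TLS_* +TLS_AES_256_GCM_SHA384").
    """
    removals, additions = parse_overrides(overrides)
    result = list(defaults)
    for name in removals:
        if name.endswith("*"):  # prefix match: -TLS_RSA* drops TLS_RSA_...
            prefix = name[:-1]
            result = [s for s in result if not s.startswith(prefix)]
        else:
            result = [s for s in result if s != name]
    for name in additions:
        if name not in result:  # do not duplicate an already enabled suite
            result.append(name)
    return result
```

Running `apply_overrides(SAMPLE_JDK_DEFAULTS, "-TLS_RSA*")` reproduces the issue's own example, leaving only the TLS 1.3 and ECDHE suites of the sample list.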

Create a new topic

To create a topic, specify a first draft of the topic that you want added and the section in the navigation where the topic should go.
