Because of the Poodle attack it is now recommended to disable SSLv3 for client and server applications and only allow TLS 1.0 -TLS 1.2 connections.
Is there a way to disable SSLv3 for all Java based applications (server and client) on a computer without having to modify every Java program?
May be there is a possibility to change the configuration of the JRE or using a special environment variable.
Does anybody know such a way?
You have not specified the version of Java because below Java 8 there is no way to disallow or disable specific SSL protocol but in Java 8 you can set the enabled protocols like following
Statically:
% java -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" MyApp
Dynamically:
java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1,TLSv1.1,TLSv1.2");
If you are still using java 7 or below try to use work around explained Instructions to disable SSL v3.0 in Oracle JDK and JRE
I just implemented following piece of code to disallow SSLv3 and SSLv2Hello on one of our Java6 application.
if(disabledSSLProtocols != null) {
String[] protocols = sslEngine.getEnabledProtocols();
List<String> protocolList = new ArrayList<String>();
for (String s : protocols) {
if (disabledSSLProtocols.contains(s)) {
log4j.info("{} protocol is disabled", s);
continue;
}
log4j.info("{} protocol is enabled", s);
protocolList.add(s);
}
sslEngine.setEnabledProtocols(protocolList.toArray(new String[0]));
}
Where disabledSSLProtocols initialized with SSLv3,SSLv2Hello
Take a look at http://www.oracle.com/technetwork/java/javase/overview/tlsreadme-141115.html
Relevant part:
Renegotiations can be re-enabled for those applications that need it by setting the new system property sun.security.ssl.allowUnsafeRenegotiation to true before the JSSE library is initialized. There are several ways to set this property:
Command Line:
% java -Dsun.security.ssl.allowUnsafeRenegotiation=true Main
Java Control Panel (Java Plug-in / Java Web Start) - Runtime Environment.
Within the application:
java.lang.System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", true);
Note that TLS/SSL renegotiation will not occur unless both client and server have enabled renegotiations.
It explains the issue and the fix.
For https-connections using the java.net-package you could try using the environment-variable _JAVA_OPTIONS to set the system-property https.protocols:
_JAVA_OPTIONS=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
should enable only the mentioned protocols. Note that before Java 7 the maximum supported version was TLSv1.
This solution will not affect any other SSL-connections or http-connections using e.g. the apache-http-connector.
You can patch Oracle Java now.
http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
Related
I'm currently migrating some server software from Java 8 to Java 11. Everything works fine except for the fact that TLS connections are refused when my server runs on Java 11 (and only 11). I.e., everything works when running on up to and including Java 10. As soon as I switch to Java 11 (with absolutely no code changes inbetween, of course) I get a TLS decrypt error. My application works fine otherwise when I disable SSL/TLS or when I use IE/Edge to connect to my server (via TLS). When using Chrome 70 or Firefox 62 I get ERR_SSL_PROTOCOL_ERROR or SEC_ERROR_BAD_SIGNATURE, respectively.
I tried to analyze this using WireShark (see my dump). My conclusion is that Java 11 and Chrome/Firefox negotiate a bad cipher suite (rsa_pss_rsae_sha256), which somehow doesn't work with Java 11. Java 8 and IE/Edge seem to negotiate a different cipher suite (rsa_pkcs1_sha256), which works.
Does someone know how to fix this problem or at least work around it for the moment (other than disabling SSL/TLS or using IE/Edge, of course)? Thanks in advance.
This is likely to be a compatibility failure with the new PSS algorithms in TLS 1.3. You can read a good explanation for the reasoning behind the introduction of PSS here.
Until it's fixed you can prevent your server from negotiating TLS 1.3 by editing lib/security/java.security and adding TLSv1.3 to the jdk.tls.disabledAlgorithms property.
Setting up the context:
In java 8 (precisely 8b98), in order to deal with Client-Initiated Renegotiation causing vulnerability to Denial of Service attack, an un-documented flag was rolled out named jdk.tls.rejectClientInitiatedRenegotiation as a part of Transport Layer Security which could disable client initiated renegotiations.
jdk.tls.rejectClientInitiatedRenegotiation = true
Server which i'm using is JBoss 7.1.1 which supports 7. However java 8 supporting servers are JBoss EAP & Wildfly. I'm reluctant to switch to these new server.
Now My challenge is to implement this property somehow in Java 7. Any sort of guidance will be highly appreciated.
Indeed Java 7 doesn't support this option. Maybe an acceptable behavior could be the Interoperable mode as in Description of Phase 2 Fix of the JSSE 7, which means enabling renegotiation for "good" clients ?
My exact answer is to switch to OpenSSL implementation, particularly the one with the hard-coded renegotiation denial, then you get rid of the JSSE implementation which doesn't support your hard-to-find option.
First, you need OpenSSL 0.9.8l which just denies all client renegotiations.
After that enable the Native Connectors on JBOSS 7.1 and configure as said in this documentation.
web archive links :
http://web.archive.org/web/20201019212829/https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html
http://web.archive.org/web/20201027040002/https://www.openssl.org/news/secadv/20091111.txt
http://web.archive.org/web/20201123225554/https://docs.jboss.org/author/display/AS71/Admin%20Guide.html
I use IBM JDK J9 on AIX OS.
I want to know what I need to change in the java.security file to enable the SSLv3 Secure Socket Layer protocol. Or is there another file that needs to be changed to enable this protocol?
Delete or comment out the following line "jdk.tls.disabledAlgorithms=SSLv3"
JDK 1.8 seems to be providing the following option to explicitly set Hostname for connecting to SNI enabled sites,
SNIHostName serverName = new SNIHostName("www.example.com");
List<SNIServerName> serverNames = new ArrayList<>(1);
serverNames.add(serverName);
sslParameters.setServerNames(serverNames);
Is there any similar way to do in JDK 1.7. I have already set jsse.enableSNIExtension=true.
I need to explicitly set hostname. Any help is much appreciated.
There is no way to set SNIHostName in Java 7. We can set using Java 8 only.
You can refer to below URL for more details.
http://javabreaks.blogspot.com/2015/12/java-ssl-handshake-with-server-name.html
My java version is 1.6 and connect to a server over ssl using axis 2 stub; all used to work fine. It seems like they did some upgrade (apache2.4) and the ssl handshake doesn't happen anymore. I receive javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake error. Just for testing purpose, I locally installed jdk 8 and tested it works fine. Is there any way to make this work using jdk1.6? It is not possible to upgrade jdk now.
It is hard to tell without more details but I guess that the server either requires a TLS version unsupported by JDK 6 (e.g. TLS 1.1 or TLS 1.2) or uses ciphers which are not supported by JDK 6 yet. Another option might be that the server needs SNI (server name indication) which is not supported by JDK 6. If the problem is any of these things you are unfortunately out of luck with JDK 6.
I suggest you check with SSLLabs to get more details about the problem. They show also compatibility information regarding various JDK versions.
You could try using a 3rd party JCE provider, Bouncy Castle comes into mind:
https://www.bouncycastle.org