openjdk team mailing list archive
-
openjdk team
-
Mailing list archive
-
Message #11096
[Bug 1482924] Re: Regressions due to USN-2696-1
Here's a small test class and the results from a few different JVMs I
have access to:
--- cut here ---
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
public class TLSVersions
{
public static void main( String[] args )
{
String vendor = System.getProperty( "java.vendor" );
String version = System.getProperty( "java.version" );
System.out.println( String.format( "java.vendor\tjava.version\tproto\tenabledProtocols" ) );
for ( String protocol : new String[]{ "TLSv1.2", "TLSv1.1", "TLSv1", "TLS", "SSL" } )
{
try
{
SSLContext context = SSLContext.getInstance( protocol );
context.init( null, null, null );
SSLSocket socket = ( SSLSocket ) context.getSocketFactory().createSocket();
String enabledProtocols = join( socket.getEnabledProtocols() );
System.out.println( String.format( "%s\t%s\t%s\t%s", vendor, version, protocol, enabledProtocols ) );
}
catch ( Exception e )
{
System.out.println( String.format( "%s\t%s\t%s\t%s", vendor, version, protocol, e.toString() ) );
}
}
}
private static String join( String[] array )
{
if ( array.length == 0 )
{
return "";
}
StringBuilder sb = new StringBuilder( array[ 0 ] );
for ( int i = 1; i < array.length; i++ )
{
sb.append( ',' ).append( array[ i ] );
}
return sb.toString();
}
}
--- cut here ---
java.vendor or dpkg java.version proto enabledProtocols
Apple Inc. 1.6.0_37 TLSv1.2 java.security.NoSuchAlgorithmException: TLSv1.2 SSLContext not available
Apple Inc. 1.6.0_37 TLSv1.1 java.security.NoSuchAlgorithmException: TLSv1.1 SSLContext not available
Apple Inc. 1.6.0_37 TLSv1 SSLv2Hello,SSLv3,TLSv1
Apple Inc. 1.6.0_37 TLS SSLv2Hello,SSLv3,TLSv1
Apple Inc. 1.6.0_37 SSL SSLv2Hello,SSLv3,TLSv1
Oracle Corporation 1.7.0_80 TLSv1.2 TLSv1,TLSv1.1,TLSv1.2
Oracle Corporation 1.7.0_80 TLSv1.1 TLSv1,TLSv1.1
Oracle Corporation 1.7.0_80 TLSv1 TLSv1
Oracle Corporation 1.7.0_80 TLS TLSv1
Oracle Corporation 1.7.0_80 SSL TLSv1
Oracle Corporation 1.8.0_60 TLSv1.2 TLSv1,TLSv1.1,TLSv1.2
Oracle Corporation 1.8.0_60 TLSv1.1 TLSv1,TLSv1.1
Oracle Corporation 1.8.0_60 TLSv1 TLSv1
Oracle Corporation 1.8.0_60 TLS TLSv1,TLSv1.1,TLSv1.2
Oracle Corporation 1.8.0_60 SSL TLSv1,TLSv1.1,TLSv1.2
6b36-1.13.8-0ubuntu1 1.6.0_36 TLSv1.2 java.security.NoSuchAlgorithmException: TLSv1.2 SSLContext not available
6b36-1.13.8-0ubuntu1 1.6.0_36 TLSv1.1 SSLv3,TLSv1,TLSv1.1
6b36-1.13.8-0ubuntu1 1.6.0_36 TLSv1 SSLv3,TLSv1
6b36-1.13.8-0ubuntu1 1.6.0_36 TLS SSLv3,TLSv1
6b36-1.13.8-0ubuntu1 1.6.0_36 SSL SSLv3,TLSv1
7u79-2.5.6-0ubuntu1 1.7.0_79 TLSv1.2 TLSv1,TLSv1.1,TLSv1.2
7u79-2.5.6-0ubuntu1 1.7.0_79 TLSv1.1 TLSv1,TLSv1.1
7u79-2.5.6-0ubuntu1 1.7.0_79 TLSv1 TLSv1
7u79-2.5.6-0ubuntu1 1.7.0_79 TLS TLSv1
7u79-2.5.6-0ubuntu1 1.7.0_79 SSL TLSv1
6b36-1.13.8-0ubuntu2~ppa2 1.6.0_36 TLSv1.2 java.security.NoSuchAlgorithmException: TLSv1.2 SSLContext not available
6b36-1.13.8-0ubuntu2~ppa2 1.6.0_36 TLSv1.1 SSLv3,TLSv1,TLSv1.1
6b36-1.13.8-0ubuntu2~ppa2 1.6.0_36 TLSv1 SSLv3,TLSv1
6b36-1.13.8-0ubuntu2~ppa2 1.6.0_36 TLS SSLv3,TLSv1
6b36-1.13.8-0ubuntu2~ppa2 1.6.0_36 SSL SSLv3,TLSv1
TL;DR: in 1.8.0_60, which to be clear is the current (binary-only)
Oracle release downloaded from java.sun.com for the OS X platform, the
default configuration of a SSLSocket created with the generic
SSLContext.getInstance("TLS") or SSLContext.getInstance("SSL") includes
v1.2 by default. This is not the case in any of the other examples
--
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-7 in Ubuntu.
https://bugs.launchpad.net/bugs/1482924
Title:
Regressions due to USN-2696-1
Status in openjdk-6 package in Ubuntu:
New
Status in openjdk-7 package in Ubuntu:
New
Bug description:
Due to [CBCATT], some server administrators (including the webservices
gateway for a major airline reservations provider) choose to disable
CBC ciphersuites unless the protocol level is TLSv1.1 or later;
[TLS1.1] introduced an explicit CBC IV to guard against such attacks.
(See [TLS1.1] section 1.1) On such servers, disabling all CBC
ciphersuites may leave only RC4 as a trusted cipher.
JDK7 introduced support for TLSv1.2, but chose not to enable it by
default, due to a policy of not changing such defaults in minor
revisions. JDK8 enables TLSv1.2 by default.
On Ubuntu, due to USN-2696-1, starting with the openjdk-7-jre-7u79-2.5.6-0ubuntu1.12.04.1 package, RC4 is disabled by default but the protocol default remains TLSv1.0. This can leave no remaining trusted ciphers, and
negotiation can fail.
Workaround: on OpenJDK7, it is possible to either use
SSLContext.getInstance("TLSv1.2") or re-enable RC4 via
SSLSocket.setEnabledCipherSuites(), but neither workaround is viable
if one doesn't have access to 3rd-party source code.
References:
[TLS1.1] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006.
https://www.ietf.org/rfc/rfc4346.txt
[CBCATT] Moeller, B., "Security of CBC Ciphersuites in SSL/TLS:
Problems and Countermeasures",
http://www.openssl.org/~bodo/tls-cbc.txt.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/1482924/+subscriptions
References
