openjdk team mailing list archive

[Bug 1314113] Re: TLS 1.1 and 1.2 are disabled by default


Reading the OpenJDK 7 code; offhand, I can't find a way to do this
comprehensively via configuration.

The Oracle response to the CVE for POODLE:

http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

* They've disabled SSL v3.0 - this is consistent with what I see in my current OpenJDK
* They recommend setting the system property "https.protocols" - AFAICT this only affects sockets created using the URL class.
    * Indeed: "There is no general System or Security property to disable a specific protocol for applications using the javax.net.ssl.SSLSocket and javax.net.ssl.SSLEngine APIs (See below for one exception on the JDK 8 client side.)"
* There is a mechanism for doing this globally at the class that determines the enabled protocol set by setting a system property in OpenJDK 8, but not 7

This is a PITA for clients that use e.g. Apache HttpClient and don't use
the URL class; such clients will have to be rewritten to manipulate the
socket and call its .getEnabledProtocols() method.

This SO question seems to cover it from the POV of HttpClient 3.x:

http://stackoverflow.com/questions/32587141/how-to-force-commons-httpclient-3-1-to-use-tls-1-2-only-for-https

The overall best solution to this seems to be: upgrade to OpenJDK 8,
which has TLSv1.2 enabled by default.

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-7 in Ubuntu.
https://bugs.launchpad.net/bugs/1314113

Title:
  TLS 1.1 and 1.2 are disabled by default

Status in openjdk-7 package in Ubuntu:
  Confirmed

Bug description:
  OpenJDK-7 disables TLS 1.1 and 1.2 by default. It might be a good idea
  to enable them. The past interop issues are rarely encountered in
  2014.

  The program below only prints "TLSv1" even though I expected to see
  "TLSv1", "TLSv1.1" and "TLSv1.2". In fact, the protocols are available
  - they are just not enabled by default.

  And "no comment" on why I'm getting "SSLv3" when I asked for "TLS".
  That will get its own bug report.

  $ javac ProtocolTest.java && java ProtocolTest
  Supported Protocols: 5
    SSLv2Hello
    SSLv3
    TLSv1
    TLSv1.1
    TLSv1.2
  Enabled Protocols: 2
    SSLv3
    TLSv1

  **********

  Ubuntu 14.04 (x64), fully patched:

  $ uname -a
  Linux ubuntu 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

  **********

  $ java -version
  java version "1.7.0_51"
  OpenJDK Runtime Environment (IcedTea 2.4.6) (7u51-2.4.6-1ubuntu4)
  OpenJDK 64-Bit Server VM (build 24.51-b03, mixed mode)

  **********

  import javax.net.ssl.SSLContext;
  import javax.net.ssl.SSLSocket;
  import javax.net.ssl.SSLSocketFactory;

  public class ProtocolTest {
      public static void main(String[] args) throws Exception {
          // Default context: null key managers, trust managers and SecureRandom
          SSLContext context = SSLContext.getInstance("TLS");
          context.init(null, null, null);

          SSLSocketFactory factory = (SSLSocketFactory) context.getSocketFactory();
          // Unconnected socket; enough to query its protocol lists
          SSLSocket socket = (SSLSocket) factory.createSocket();

          String[] protocols = socket.getSupportedProtocols();

          System.out.println("Supported Protocols: " + protocols.length);
          for (int i = 0; i < protocols.length; i++)
          {
              System.out.println("  " + protocols[i]);
          }

          // What a handshake would actually offer with the defaults
          protocols = socket.getEnabledProtocols();

          System.out.println("Enabled Protocols: " + protocols.length);
          for (int i = 0; i < protocols.length; i++)
          {
              System.out.println("  " + protocols[i]);
          }
      }
  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1314113/+subscriptions
