Nathan, my apologies for the delay. I have generated new packages for Precise for both OpenJDK 6 and 7. Please note that I have not backported TLS v1.2 support for OpenJDK 6, I only enabled TLS v1.1 by default (see bellow).
I have found and corrected the SSLv3 issue. It was caused when my backport "reverted" a few changes from the "8061210 Issues in TLS" fix. On OpenJDK 8 this and a few other changes were applied after "7093640: Enable client-side TLS 1.2 by default", but on OpenJDK 7 and 6 those changes were applied without "7093640". I'm not backporting TLS v1.2 to OpenJDK 6 at this time due to 2 reasons: 1. OpenJDK 6 state is worse of then 7, lots of JDK 8 and 7 fixes were backported to it without TLS v1.2 ever been applied, thus there a lot of conflicts to go through and then each of those backports would have to be reviewed (I know because I tried). This spans a lot of classes and requires a very good knowledge of the affected classes and of each fix. 2. The only opinion I got when I asked on jdk6-dev about backporting TLS v1.2 to OpenJDK 6 was against the backport and no one else tipped in, so it OpenJDK 6 devs do not seem to be interested in it at all. [1] I will keep an eye out to check how this goes, for now TLS v1.1 is still acceptable [2]. Eventually if someone from OpenJDK 6 agrees to help we can try backporting TLS v1.2 there again. [1] http://mail.openjdk.java.net/pipermail/jdk6-dev/2015-August/003541.html [2] "... minimum of TLS v1.1, although entities are strongly encouraged to consider TLS v1.2. Note that not all implementations of TLS v1.1 are considered secure – refer to NIST SP 800-52 rev 1 for guidance on secure TLS configurations" https://www.pcisecuritystandards.org/documents/Migrating_from_SSL_Early_TLS_Information_Supplement_v1.pdf -- You received this bug notification because you are a member of OpenJDK, which is subscribed to openjdk-7 in Ubuntu. https://bugs.launchpad.net/bugs/1482924 Title: Regressions due to USN-2696-1 Status in openjdk-6 package in Ubuntu: New Status in openjdk-7 package in Ubuntu: New Bug description: Due to [CBCATT], some server administrators (including the webservices gateway for a major airline reservations provider) choose to disable CBC ciphersuites unless the protocol level is TLSv1.1 or later; [TLS1.1] introduced an explicit CBC IV to guard against such attacks. (See [TLS1.1] section 1.1) On such servers, disabling all CBC ciphersuites may leave only RC4 as a trusted cipher. JDK7 introduced support for TLSv1.2, but chose not to enable it by default, due to a policy of not changing such defaults in minor revisions. JDK8 enables TLSv1.2 by default. On Ubuntu, due to USN-2696-1, starting with the openjdk-7-jre-7u79-2.5.6-0ubuntu1.12.04.1 package, RC4 is disabled by default but the protocol default remains TLSv1.0. This can leave no remaining trusted ciphers, and negotiation can fail. Workaround: on OpenJDK7, it is possible to either use SSLContext.getInstance("TLSv1.2") or re-enable RC4 via SSLSocket.setEnabledCipherSuites(), but neither workaround is viable if one doesn't have access to 3rd-party source code. References: [TLS1.1] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006. https://www.ietf.org/rfc/rfc4346.txt [CBCATT] Moeller, B., "Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures", http://www.openssl.org/~bodo/tls-cbc.txt. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/1482924/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~openjdk Post to : [email protected] Unsubscribe : https://launchpad.net/~openjdk More help : https://help.launchpad.net/ListHelp
