Reading the OpenJDK 7 code ; offhand, I can't find a way to do this comprehensively via configuration.
The Oracle response to the CVE for Poodle : http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html * They've disabled SSL v3.0 - this is consistent with what I see in my current OpenJDK * They recommend setting the system property "https.protocols" - AFAICT this only affects sockets created using the URL class. * Indeed : "There is no general System or Security property to disable a specific protocol for applications using the javax.net.ssl.SSLSocket and javax.net.ssl.SSLEngine APIs (See below for one exception on the JDK 8 client side.)" * There is a mechanism for doing this globally at the class that determines the enabled protocol set by setting a system property in OpenJDK 8, but not 7 This is a PITA for clients that use e.g. Apache HttpClient and don't use the URL class ; such clients will have to be rewritten to manipulate the socket and call it's .getEnabledProtocols() method. This SO question seems to cover it from the POV of HttpClient 3.x : http://stackoverflow.com/questions/32587141/how-to-force-commons- httpclient-3-1-to-use-tls-1-2-only-for-https The overall best solution to this seems to be : upgrade to OpenJDK8, which has TLSv1.2 enabled by default. -- You received this bug notification because you are a member of OpenJDK, which is subscribed to openjdk-7 in Ubuntu. https://bugs.launchpad.net/bugs/1314113 Title: TLS 1.1 and 1.2 are disabled by default Status in openjdk-7 package in Ubuntu: Confirmed Bug description: OpenJDK-7 disables TLS 1.1 and 1.2 by default. It might be a good idea to enable them. The past interop issues are rarely encountered in 2014. The program below only prints "TLSv1" even though I expected to see "TLSv1", "TLSv1.1" and "TLSv1.2". In fact, the protocols are available - they are just not enabled by default. And "no comment" on why I'm getting "SSLv3" when I asked for "TLS". That will get its own bug report. $ javac ProtocolTest.java && java ProtocolTest Supported Protocols: 5 SSLv2Hello SSLv3 TLSv1 TLSv1.1 TLSv1.2 Enabled Protocols: 2 SSLv3 TLSv1 ********** Ubuntu 14.04 (x64), fully patched: $ uname -a Linux ubuntu 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux ********** $ java -version java version "1.7.0_51" OpenJDK Runtime Environment (IcedTea 2.4.6) (7u51-2.4.6-1ubuntu4) OpenJDK 64-Bit Server VM (build 24.51-b03, mixed mode) ********** SSLContext context = SSLContext.getInstance("TLS"); context.init(null,null,null); SSLSocketFactory factory = (SSLSocketFactory)context.getSocketFactory(); SSLSocket socket = (SSLSocket)factory.createSocket(); String[] protocols = socket.getSupportedProtocols(); System.out.println("Supported Protocols: " + protocols.length); for(int i = 0; i < protocols.length; i++) { System.out.println(" " + protocols[i]); } protocols = socket.getEnabledProtocols(); System.out.println("Enabled Protocols: " + protocols.length); for(int i = 0; i < protocols.length; i++) { System.out.println(" " + protocols[i]); } To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1314113/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~openjdk Post to : openjdk@lists.launchpad.net Unsubscribe : https://launchpad.net/~openjdk More help : https://help.launchpad.net/ListHelp