[Openjdk] [Bug 1314113] Re: TLS 1.1 and 1.2 are disabled by default
Reading the OpenJDK 7 code; offhand, I can't find a way to do this comprehensively via configuration.

The Oracle response to the CVE for Poodle: http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

 * They've disabled SSL v3.0 - this is consistent with what I see in my current OpenJDK
 * They recommend setting the system property "https.protocols" - AFAICT this only affects sockets created using the URL class.
 * Indeed: "There is no general System or Security property to disable a specific protocol for applications using the javax.net.ssl.SSLSocket and javax.net.ssl.SSLEngine APIs (See below for one exception on the JDK 8 client side.)"
 * There is a mechanism for doing this globally at the class that determines the enabled protocol set by setting a system property in OpenJDK 8, but not 7

This is a PITA for clients that use e.g. Apache HttpClient and don't use the URL class; such clients will have to be rewritten to manipulate the socket and call its .getEnabledProtocols() method.

This SO question seems to cover it from the POV of HttpClient 3.x: http://stackoverflow.com/questions/32587141/how-to-force-commons-httpclient-3-1-to-use-tls-1-2-only-for-https

The overall best solution to this seems to be: upgrade to OpenJDK8, which has TLSv1.2 enabled by default.

-- 
You received this bug notification because you are a member of OpenJDK, which is subscribed to openjdk-7 in Ubuntu.
https://bugs.launchpad.net/bugs/1314113

Title:
  TLS 1.1 and 1.2 are disabled by default

Status in openjdk-7 package in Ubuntu:
  Confirmed

Bug description:
  OpenJDK-7 disables TLS 1.1 and 1.2 by default. It might be a good idea to enable them. The past interop issues are rarely encountered in 2014.

  The program below only prints "TLSv1" even though I expected to see "TLSv1", "TLSv1.1" and "TLSv1.2". In fact, the protocols are available - they are just not enabled by default.

  And "no comment" on why I'm getting "SSLv3" when I asked for "TLS". That will get its own bug report.

  $ javac ProtocolTest.java && java ProtocolTest
  Supported Protocols: 5
    SSLv2Hello
    SSLv3
    TLSv1
    TLSv1.1
    TLSv1.2
  Enabled Protocols: 2
    SSLv3
    TLSv1

  ** Ubuntu 14.04 (x64), fully patched:

  $ uname -a
  Linux ubuntu 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

  ** 
  $ java -version
  java version "1.7.0_51"
  OpenJDK Runtime Environment (IcedTea 2.4.6) (7u51-2.4.6-1ubuntu4)
  OpenJDK 64-Bit Server VM (build 24.51-b03, mixed mode)

  ** 
  import javax.net.ssl.SSLContext;
  import javax.net.ssl.SSLSocket;
  import javax.net.ssl.SSLSocketFactory;

  public class ProtocolTest {
      public static void main(String[] args) throws Exception {
          SSLContext context = SSLContext.getInstance("TLS");
          context.init(null, null, null);
          SSLSocketFactory factory = (SSLSocketFactory) context.getSocketFactory();
          // Unconnected socket: enough to read the protocol lists, no network needed
          SSLSocket socket = (SSLSocket) factory.createSocket();

          String[] protocols = socket.getSupportedProtocols();
          System.out.println("Supported Protocols: " + protocols.length);
          for (int i = 0; i < protocols.length; i++) {
              System.out.println("  " + protocols[i]);
          }

          protocols = socket.getEnabledProtocols();
          System.out.println("Enabled Protocols: " + protocols.length);
          for (int i = 0; i < protocols.length; i++) {
              System.out.println("  " + protocols[i]);
          }
      }
  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1314113/+subscriptions

___
Mailing list: https://launchpad.net/~openjdk
Post to     : openjdk@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openjdk
More help   : https://help.launchpad.net/ListHelp
[Openjdk] [Bug 1314113] Re: TLS 1.1 and 1.2 are disabled by default
The PCI DSS 3.1 spec also requires to disable TLS <= 1.1 so having TLS 1.2 enabled by default on Java clients would make everyone's life simpler.

https://www.pcisecuritystandards.org/pdfs/15_04_15%20PCI%20DSS%203%201%20Press%20Release.pdf
[Openjdk] [Bug 1314113] Re: TLS 1.1 and 1.2 are disabled by default
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openjdk-7 (Ubuntu)
       Status: New => Confirmed
[Openjdk] [Bug 1314113] Re: TLS 1.1 and 1.2 are disabled by default
For completeness, the Java Cryptography Architecture Oracle Providers Documentation (http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html) documents the behavior:

  "Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS 1.2, neither version is enabled by default for client connections. Some servers do not implement forward compatibility correctly and refuse to talk to TLS 1.1 or TLS 1.2 clients. For interoperability, SunJSSE does not enable TLS 1.1 or TLS 1.2 by default for client connections."

However, in 2014, it's no longer a valid reason.
[Openjdk] [Bug 1314113] Re: TLS 1.1 and 1.2 are disabled by default
Here are the results from Java 8 on Mac OS X. Java 8 was released in March 2014 and has the following output. Notice TLS 1.1 and 1.2 are enabled by default.

riemann$ javac ProtocolTest.java && java ProtocolTest
Supported Protocols: 5
  SSLv2Hello
  SSLv3
  TLSv1
  TLSv1.1
  TLSv1.2
Enabled Protocols: 4
  SSLv3
  TLSv1
  TLSv1.1
  TLSv1.2

riemann::~$ java -version
java version "1.8.0_05"
Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)