[Openjdk] [Bug 1314113] Re: TLS 1.1 and 1.2 are disabled by default

2015-12-10 Thread Adrian Wilkins
Reading the OpenJDK 7 code ; offhand, I can't find a way to do this
comprehensively via configuration.

The Oracle response to the CVE for Poodle  :

http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

* They've disabled SSL v3.0 - this is consistent with what I see in my current 
OpenJDK
* They recommend setting the system property "https.protocols" - AFAICT this 
only affects sockets created using the URL class.
* Indeed : "There is no general System or Security property to disable a 
specific protocol for applications using the javax.net.ssl.SSLSocket and 
javax.net.ssl.SSLEngine APIs (See below for one exception on the JDK 8 client 
side.)"
* There is a mechanism for doing this globally at the class that determines the 
enabled protocol set by setting a system property in OpenJDK 8, but not 7

This is a PITA for clients that use e.g. Apache HttpClient and don't use
the URL class ; such clients will have to be rewritten to manipulate the
socket and call its .getEnabledProtocols() method.

This SO question seems to cover it from the POV of HttpClient 3.x :

http://stackoverflow.com/questions/32587141/how-to-force-commons-httpclient-3-1-to-use-tls-1-2-only-for-https

The overall best solution to this seems to be : upgrade to OpenJDK8,
which has TLSv1.2 enabled by default.

-- 
You received this bug notification because you are a member of OpenJDK,
which is subscribed to openjdk-7 in Ubuntu.
https://bugs.launchpad.net/bugs/1314113

Title:
  TLS 1.1 and 1.2 are disabled by default

Status in openjdk-7 package in Ubuntu:
  Confirmed

Bug description:
  OpenJDK-7 disables TLS 1.1 and 1.2 by default. It might be a good idea
  to enable them. The past interop issues are rarely encountered in
  2014.

  The program below only prints "TLSv1" even though I expected to see
  "TLSv1", "TLSv1.1" and "TLSv1.2". In fact, the protocols are available
  - they are just not enabled by default.

  And "no comment" on why I'm getting "SSLv3" when I asked for "TLS".
  That will get its own bug report.

  $ javac ProtocolTest.java && java ProtocolTest
  Supported Protocols: 5
    SSLv2Hello
    SSLv3
    TLSv1
    TLSv1.1
    TLSv1.2
  Enabled Protocols: 2
    SSLv3
    TLSv1

  **

  Ubuntu 14.04 (x64), fully patched:

  $ uname -a
  Linux ubuntu 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:11:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

  **

  $ java -version
  java version "1.7.0_51"
  OpenJDK Runtime Environment (IcedTea 2.4.6) (7u51-2.4.6-1ubuntu4)
  OpenJDK 64-Bit Server VM (build 24.51-b03, mixed mode)

  **

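  import javax.net.ssl.SSLContext;
  import javax.net.ssl.SSLSocket;
  import javax.net.ssl.SSLSocketFactory;

  public class ProtocolTest
  {
   public static void main(String[] args) throws Exception
   {
    // Default context: no custom key managers, trust managers or RNG
    SSLContext context = SSLContext.getInstance("TLS");
    context.init(null,null,null);

    // Unconnected socket; enough to inspect the protocol lists
    SSLSocketFactory factory = (SSLSocketFactory)context.getSocketFactory();
    SSLSocket socket = (SSLSocket)factory.createSocket();

    // Everything the provider is able to negotiate
    String[] protocols = socket.getSupportedProtocols();

    System.out.println("Supported Protocols: " + protocols.length);
    for(int i = 0; i < protocols.length; i++)
    {
     System.out.println("  " + protocols[i]);
    }

    // What a handshake would actually offer by default
    protocols = socket.getEnabledProtocols();

    System.out.println("Enabled Protocols: " + protocols.length);
    for(int i = 0; i < protocols.length; i++)
    {
     System.out.println("  " + protocols[i]);
    }
   }
  }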

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1314113/+subscriptions

___
Mailing list: https://launchpad.net/~openjdk
Post to : openjdk@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openjdk
More help   : https://help.launchpad.net/ListHelp


[Openjdk] [Bug 1314113] Re: TLS 1.1 and 1.2 are disabled by default

2015-04-22 Thread Simon Déziel
The PCI DSS 3.1 spec also requires to disable TLS <= 1.1 so having TLS
1.2 enabled by default on Java clients would make everyone's life
simpler.

https://www.pcisecuritystandards.org/pdfs/15_04_15%20PCI%20DSS%203%201%20Press%20Release.pdf



[Openjdk] [Bug 1314113] Re: TLS 1.1 and 1.2 are disabled by default

2014-06-24 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: openjdk-7 (Ubuntu)
   Status: New => Confirmed



[Openjdk] [Bug 1314113] Re: TLS 1.1 and 1.2 are disabled by default

2014-04-29 Thread Jeffrey Walton
For completeness, the Java Cryptography Architecture Oracle Providers
Documentation
(http://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html)
documents the behavior:

Although SunJSSE in the Java SE 7 release supports
TLS 1.1 and TLS 1.2, neither version is enabled by
default for client connections. Some servers do not
implement forward compatibility correctly and refuse
to talk to TLS 1.1 or TLS 1.2 clients. For interoperability,
SunJSSE does not enable TLS 1.1 or TLS 1.2 by default
for client connections.

However, in 2014, it's no longer a valid reason.



[Openjdk] [Bug 1314113] Re: TLS 1.1 and 1.2 are disabled by default

2014-04-29 Thread Jeffrey Walton
Here are the results from Java 8 on Mac OS X. Java 8 was released in
March 2014 and has the following output. Notice TLS 1.1 and 1.2 are
enabled by default.

riemann$ javac ProtocolTest.java && java ProtocolTest
Supported Protocols: 5
  SSLv2Hello
  SSLv3
  TLSv1
  TLSv1.1
  TLSv1.2
Enabled Protocols: 4
  SSLv3
  TLSv1
  TLSv1.1
  TLSv1.2

riemann::~$ java -version
java version "1.8.0_05"
Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)
