Reading the OpenJDK 7 code ; offhand, I can't find a way to do this
comprehensively via configuration.

The Oracle response to the CVE for Poodle  :

http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

* They've disabled SSL v3.0 - this is consistent with what I see in my current 
OpenJDK
* They recommend setting the system property "https.protocols" - AFAICT this 
only affects sockets created using the URL class.
    * Indeed : "There is no general System or Security property to disable a 
specific protocol for applications using the javax.net.ssl.SSLSocket and 
javax.net.ssl.SSLEngine APIs (See below for one exception on the JDK 8 client 
side.)"
* There is a mechanism for doing this globally at the class that determines the 
enabled protocol set by setting a system property in OpenJDK 8, but not 7

This is a PITA for clients that use e.g. Apache HttpClient and don't use
the URL class ; such clients will have to be rewritten to manipulate the
socket and call its .getEnabledProtocols() method.

This SO question seems to cover it from the POV of HttpClient 3.x :

http://stackoverflow.com/questions/32587141/how-to-force-commons-httpclient-3-1-to-use-tls-1-2-only-for-https

The overall best solution to this seems to be : upgrade to OpenJDK8,
which has TLSv1.2 enabled by default.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1314113

Title:
  TLS 1.1 and 1.2 are disabled by default

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-7/+bug/1314113/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

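The socket-level approach the comment describes, as an added example that is not code from the bug report, from OpenJDK or from Apache HttpClient: a delegating javax.net.ssl.SSLSocketFactory (hypothetical class name RestrictedProtocolSocketFactory) that calls setEnabledProtocols() on every SSLSocket it hands out, intersecting the socket's supported protocols with an allow-list and failing closed if none of the allowed versions is supported by the provider. This is the manipulation that https.protocols only performs for the URL/HttpsURLConnection path; wrapping the factory applies it to any code that obtains sockets from it.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

/**
 * Hypothetical helper (not part of the JDK): wraps an SSLSocketFactory and
 * restricts every socket it creates to an explicit allow-list of protocol
 * versions, independently of what the JDK enables by default.
 */
public class RestrictedProtocolSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;
    private final String[] allowedProtocols;

    public RestrictedProtocolSocketFactory(SSLSocketFactory delegate, String... allowedProtocols) {
        this.delegate = delegate;
        this.allowedProtocols = allowedProtocols.clone();
    }

    /** Keeps only allowed versions the provider actually supports; fails closed on an empty result. */
    static String[] selectProtocols(String[] supported, String[] allowed) {
        List<String> supportedList = Arrays.asList(supported);
        List<String> result = new ArrayList<String>();
        for (String p : allowed) {
            if (supportedList.contains(p)) {
                result.add(p);
            }
        }
        if (result.isEmpty()) {
            throw new IllegalStateException("none of " + Arrays.toString(allowed)
                    + " is supported by this JSSE provider; refusing to fall back");
        }
        return result.toArray(new String[result.size()]);
    }

    /** Applies the allow-list to a freshly created socket before it is returned to the caller. */
    private Socket restrict(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            ssl.setEnabledProtocols(selectProtocols(ssl.getSupportedProtocols(), allowedProtocols));
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    // Every createSocket overload funnels through restrict(), so no path escapes the allow-list.
    @Override public Socket createSocket() throws IOException {
        return restrict(delegate.createSocket());
    }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return restrict(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return restrict(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException {
        return restrict(delegate.createSocket(host, port, localHost, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return restrict(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
        return restrict(delegate.createSocket(address, port, localAddress, localPort));
    }

    /** Offline demonstration: an unconnected socket is enough to show the effect on the enabled set. */
    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key and trust managers
        SSLSocketFactory plain = ctx.getSocketFactory();
        SSLSocketFactory restricted = new RestrictedProtocolSocketFactory(plain, "TLSv1.2", "TLSv1.1");

        SSLSocket before = (SSLSocket) plain.createSocket();
        SSLSocket after = (SSLSocket) restricted.createSocket();
        System.out.println("JDK default enabled: " + Arrays.toString(before.getEnabledProtocols()));
        System.out.println("restricted enabled:  " + Arrays.toString(after.getEnabledProtocols()));
        before.close();
        after.close();
    }
}
```

Running the main method prints the JDK's default enabled set beside the restricted one without opening a connection, which is a quick way to confirm on a given JDK build what a client will actually offer. The allow-list is ordered by preference and is intersected with getSupportedProtocols() rather than getEnabledProtocols(), so it can also turn on TLSv1.1/1.2 on an OpenJDK 7 where they are supported but not enabled; an allow-list the provider cannot satisfy throws instead of silently keeping the defaults.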