Can SSLv3 be disabled for all Java applications?

Because of the POODLE attack, it is now recommended to disable SSLv3 for client and server applications and only allow TLS 1.0 - TLS 1.2 connections.

Is there a way to disable SSLv3 for all Java-based applications (server and client) on the computer without having to change every Java program?

It may be possible to change the configuration of the JRE or use a special environment variable.

Does anyone know of such a way?

+7
java poodle-attack
4 answers

You did not specify the Java version. Below Java 8 there is no way to prohibit or disable a specific SSL protocol, but in Java 8 you can set the allowed protocols, for example as follows.

Statically:

% java -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" MyApp 

Dynamically:

 java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1,TLSv1.1,TLSv1.2"); 

If you are still using Java 7 or lower, try the workaround described in Instructions for disabling SSL v3.0 in Oracle JDK and JRE.

I just implemented the following code snippet to disable SSLv3 and SSLv2Hello in one of our Java 6 applications.

 if (disabledSSLProtocols != null) {
     String[] protocols = sslEngine.getEnabledProtocols();
     List<String> protocolList = new ArrayList<String>();
     for (String s : protocols) {
         if (disabledSSLProtocols.contains(s)) {
             // skip protocols listed for disabling (SSLv3, SSLv2Hello)
             log4j.info("{} protocol is disabled", s);
             continue;
         }
         log4j.info("{} protocol is enabled", s);
         protocolList.add(s);
     }
     // re-apply only the protocols that survived the filter
     sslEngine.setEnabledProtocols(protocolList.toArray(new String[0]));
 }

where disabledSSLProtocols is initialized with SSLv3,SSLv2Hello.

+3
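Whichever route is taken (the jdk.tls.client.protocols property from the first answer, or filtering the engine's enabled protocols as in the snippet above), it is worth verifying at startup that SSLv3 really is gone. The class below is an added example, not code from either answer; the class and method names are hypothetical, and it runs against the JVM's default SSLContext.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Hypothetical helper written for this page: strips the listed protocols from
// an SSLEngine's enabled set and then checks that none of them survived.
public class DisableSslv3 {
    // Protocols that must never be negotiated after POODLE.
    static final List<String> DISABLED = Arrays.asList("SSLv3", "SSLv2Hello");

    // Removes DISABLED protocols and returns what is still enabled.
    public static String[] hardenEngine(SSLEngine engine) {
        List<String> keep = new ArrayList<String>();
        for (String p : engine.getEnabledProtocols()) {
            if (DISABLED.contains(p)) {
                continue; // dropped
            }
            keep.add(p);
        }
        engine.setEnabledProtocols(keep.toArray(new String[0]));
        return engine.getEnabledProtocols();
    }

    // Verification step: true only if no disabled protocol is still enabled.
    // Also useful on its own to confirm a jdk.tls.client.protocols setting took effect.
    public static boolean isHardened(SSLEngine engine) {
        for (String p : engine.getEnabledProtocols()) {
            if (DISABLED.contains(p)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        System.out.println("before: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("after:  " + Arrays.toString(hardenEngine(engine)));
        if (!isHardened(engine)) {
            throw new IllegalStateException("SSLv3 or SSLv2Hello still enabled");
        }
    }
}
```

The same isHardened check can be applied to an SSLSocket's getEnabledProtocols() result, since the API is identical there.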

Take a look at http://www.oracle.com/technetwork/java/javase/overview/tlsreadme-141115.html

Relevant Part:

Renegotiations can be re-enabled for those applications that need it by setting the new system property sun.security.ssl.allowUnsafeRenegotiation to true before the JSSE library is initialized. There are several ways to set this property:

Command line:

 % java -Dsun.security.ssl.allowUnsafeRenegotiation=true Main

Java Control Panel (Java Plug-in / Java Web Start) - runtime.

Within the application:

 java.lang.System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");

Note that TLS/SSL renegotiation will not occur unless the client and server have both allowed renegotiations.

This explains the problem and the fix.

+1

For https connections using the java.net package, you can try using the _JAVA_OPTIONS environment variable to set the https.protocols system property:

 _JAVA_OPTIONS=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 

This should enable only the specified protocols. Note that prior to Java 7, the maximum supported version was TLSv1.

This solution will not affect other SSL connections or http connections using, for example, apache-http-connector.

0