How to configure TLS connections to protect them from freak attack (CVE 2015-0204)?
Asked Answered

3

9

For the vulnerability see https://freakattack.com/.

Mozilla wiki has a page with recommendations for ciphersuites: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

How would I apply those or similar recommendations in the Java context (SSLContext, provider configuration, Tomcat connectors etc.)?

Hertzfeld answered 5/3, 2015 at 9:30 Comment(3)
Remove all the RSA export ciphers from the enabled cipher suites. – Mateo
@EJP, can you show a snippet of where to start? – Bunting
Ah.. as shown here, POODLE (SSLv3) and FREAK (export-grade) are no problem in Java 7, because of the policy setting. docs.oracle.com/javase/8/docs/technotes/guides/security/… – Bunting
7

From Java 7 onwards cipher suites can be excluded from use via a security policy file called java.security that’s located under Java Runtime Environment in the /lib/security directory.

The policy file defines the jdk.tls.disabledAlgorithms property to control TLS cipher selection. There is also a complementary property jdk.certpath.disabledAlgorithms to control algorithms encountered in SSL certificates. You can find the documentation for this property on the Oracle website: JSSE Reference Guide

By default, as of Java 7 the following policy applies:

    jdk.tls.disabledAlgorithms=MD5, SHA1, DSA, RSA keySize < 2048

This means: no MD5, no SHA1, no DSA. RSA is allowed only if the key is at least 2048 bits long. You can use this property to further tailor a site deployment to specific needs. All the cipher suites enabled by default in Java are found here under section Ciphers (unless the default SunJSSE crypto provider has been explicitly overridden and is not used).

As you can see all EXPORT cipher suites are disabled by default, so there is no need to configure something for the FREAK attack.

Edit, because of the comment by Houtman on the question above:
About POODLE: you have to think about this in both Java 7 and 8, because the SSLv3 protocol has only been disabled by default since JDK 8u31 (see section Protocols here).

Disused answered 11/3, 2015 at 12:29 Comment(2)
If I want to disable TLS v1.1, what should I put? In the link you gave, and in the sources I have found, I cannot see any reference. Like what is put in java.security, we have jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, so I suppose I can put it like TLSv1.1? – Midpoint
Indeed. E.g. to enable only TLS 1.2 do: jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, TLSv1, TLSv1.1 – Disused
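The answer and its comments rely on the java.security policy being what you think it is, so the check a practitioner wants is one that prints what the running JVM actually leaves enabled. The following is an added example, not code from the answer above: it reads the two policy properties, initialises the default SSLContext and flags any enabled suite that is EXPORT-grade (the FREAK case) or otherwise weak. The optional `--tls12-only` flag appends the protocol names from the "TLS 1.2 only" comment to the policy from code instead of editing java.security; that assumes a release that understands protocol names in jdk.tls.disabledAlgorithms (8u31 or later) and that nothing has touched JSSE before the property is set, because SunJSSE reads it once at initialisation. The marker list and the class name are this example's own choices.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/**
 * Prints the effective jdk.tls / jdk.certpath policy of this JVM and fails if
 * any weak cipher suite is still enabled by default. Added example; assumes the
 * default SunJSSE provider.
 */
public class TlsPolicyCheck {

    // Substrings that mark suites a TLS server should never offer.
    // "EXPORT" is the FREAK case; the others are weak for unrelated reasons.
    static final String[] WEAK_MARKERS = {"EXPORT", "_NULL_", "_anon_", "RC4", "_DES_", "MD5"};

    /** Returns the enabled suites matching a weak marker; an empty list is the desired result. */
    static List<String> weakSuites(String[] enabledSuites) {
        List<String> weak = new ArrayList<>();
        for (String suite : enabledSuites) {
            for (String marker : WEAK_MARKERS) {
                if (suite.contains(marker)) {
                    weak.add(suite);
                    break;
                }
            }
        }
        return weak;
    }

    public static void main(String[] args) throws Exception {
        // Optional programmatic tightening. Must run before any JSSE class loads;
        // appending keeps whatever java.security already disables.
        if (args.length > 0 && args[0].equals("--tls12-only")) {
            String current = Security.getProperty("jdk.tls.disabledAlgorithms");
            String extra = "SSLv2Hello, SSLv3, TLSv1, TLSv1.1";
            Security.setProperty("jdk.tls.disabledAlgorithms",
                    (current == null || current.isEmpty()) ? extra : current + ", " + extra);
        }

        System.out.println("jdk.tls.disabledAlgorithms      = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("jdk.certpath.disabledAlgorithms = "
                + Security.getProperty("jdk.certpath.disabledAlgorithms"));

        // getDefault() initialises SunJSSE; the parameters reflect the effective policy.
        SSLParameters defaults = SSLContext.getDefault().getDefaultSSLParameters();
        System.out.println("Enabled protocols     : " + Arrays.toString(defaults.getProtocols()));
        System.out.println("Enabled cipher suites : " + defaults.getCipherSuites().length);

        List<String> weak = weakSuites(defaults.getCipherSuites());
        if (weak.isEmpty()) {
            System.out.println("No EXPORT or otherwise weak suites enabled by default.");
        } else {
            System.out.println("WEAK SUITES STILL ENABLED: " + weak);
            System.exit(1);
        }
    }
}
```

Run it once with the stock java.security and once after editing the file (or with `--tls12-only`) and compare the two outputs; a non-zero exit means the policy did not take effect, which is usually a sign that a different JRE or an overridden provider is in use.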
0

You can enable a list of cipher suites you want to use; refer to the setEnabledCipherSuites method in the SSLSocket API, and exclude the EXPORT cipher suites from this list.

Scorn answered 11/3, 2015 at 12:14 Comment(0)
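The safer way to apply this answer is an allow-list rather than a deny-list: name the suites you want and EXPORT suites are gone by construction. The code below is an added example, not code from the answer, showing that approach on both an SSLServerSocket and an SSLEngine. Two details matter in practice and are handled here: setEnabledCipherSuites throws IllegalArgumentException for a name the JVM does not support, so the allow-list is intersected with getSupportedCipherSuites first; and on Java 8 SSLParameters.setUseCipherSuitesOrder lets the server, not the client, decide the preference order. The suite and protocol names are the standard JSSE names; the particular allow-list and the class name are this example's own choices. It assumes Java 8 and runs without a keystore because it only configures sockets and never completes a handshake.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/** Allow-list based TLS hardening for JSSE sockets and engines. Added example. */
public class HardenedTlsConfig {

    // Forward-secret (ECDHE/DHE) AES-GCM suites first, then CBC fallbacks for older clients.
    // Nothing EXPORT-grade, anonymous, NULL or RC4 can appear because it is not listed.
    static final List<String> PREFERRED_SUITES = Arrays.asList(
            "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256");

    static final List<String> PREFERRED_PROTOCOLS = Arrays.asList("TLSv1.2");

    /** Keeps the preferred entries this JVM supports, in preference order. */
    static String[] intersect(List<String> preferred, String[] supported, String what) {
        List<String> supportedList = Arrays.asList(supported);
        List<String> chosen = new ArrayList<>();
        for (String name : preferred) {
            if (supportedList.contains(name)) {
                chosen.add(name);
            }
        }
        if (chosen.isEmpty()) {
            // Better to fail loudly than to fall back to the JVM defaults silently.
            throw new IllegalStateException("none of the preferred " + what + " are supported here");
        }
        return chosen.toArray(new String[0]);
    }

    /** Server socket restricted to the allow-list, with server-side suite ordering. */
    static SSLServerSocket openServerSocket(SSLContext ctx, int port) throws IOException {
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);
        SSLParameters params = server.getSSLParameters();
        params.setProtocols(intersect(PREFERRED_PROTOCOLS, server.getSupportedProtocols(), "protocols"));
        params.setCipherSuites(intersect(PREFERRED_SUITES, server.getSupportedCipherSuites(), "cipher suites"));
        params.setUseCipherSuitesOrder(true); // Java 8+: honour our order, not the client's
        server.setSSLParameters(params);
        return server;
    }

    /** Same policy for NIO code that drives an SSLEngine directly. */
    static SSLEngine createServerEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        engine.setEnabledProtocols(intersect(PREFERRED_PROTOCOLS, engine.getSupportedProtocols(), "protocols"));
        engine.setEnabledCipherSuites(intersect(PREFERRED_SUITES, engine.getSupportedCipherSuites(), "cipher suites"));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault(); // a real server would load its keystore here

        SSLEngine engine = createServerEngine(ctx);
        System.out.println("engine protocols : " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("engine suites    : " + Arrays.toString(engine.getEnabledCipherSuites()));

        // Port 0 binds an ephemeral port; no client connects, so no key material is needed.
        try (SSLServerSocket server = openServerSocket(ctx, 0)) {
            System.out.println("socket protocols : " + Arrays.toString(server.getEnabledProtocols()));
            System.out.println("socket suites    : " + Arrays.toString(server.getEnabledCipherSuites()));
        }
    }
}
```

The printed suite list is what a scanner such as the one linked on freakattack.com would see offered by this socket; if a suite you expect is missing, it is because the JVM does not support it (for example no ECDSA suites without an EC provider) rather than because of the policy file.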
0

Add these to your SSL connector:

    server="Unspecified"
    xpoweredBy="false"
    secure="true"
    sslProtocol="TLS"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"

Exit answered 1/4, 2015 at 20:45 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.