Is it possible to disable SSLv3 for all Java applications?

Asked 22/10, 2014 at 9:46 Answered 28/1, 2015 at 1:9

Because of the Poodle attack it is now recommended to disable SSLv3 for client and server applications and only allow TLS 1.0 -TLS 1.2 connections.

Is there a way to disable SSLv3 for all Java based applications (server and client) on a computer without having to modify every Java program?

May be there is a possibility to change the configuration of the JRE or using a special environment variable.

Does anybody know such a way?

Cuman answered 22/10, 2014 at 9:46 Comment(1)

possible duplicate of Java http clients and POODLE – Rigsdaler 8/12, 2014 at 14:4

You have not specified the version of Java because below Java 8 there is no way to disallow or disable specific SSL protocol but in Java 8 you can set the enabled protocols like following

Statically:

% java -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" MyApp

Dynamically:

java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1,TLSv1.1,TLSv1.2");

If you are still using java 7 or below try to use work around explained Instructions to disable SSL v3.0 in Oracle JDK and JRE

I just implemented following piece of code to disallow SSLv3 and SSLv2Hello on one of our Java6 application.

if(disabledSSLProtocols != null) {

    String[] protocols = sslEngine.getEnabledProtocols();
    List<String> protocolList = new ArrayList<String>();

    for (String s : protocols) {

        if (disabledSSLProtocols.contains(s)) {

            log4j.info("{} protocol is disabled", s);
            continue;
        }

        log4j.info("{} protocol is enabled", s);
        protocolList.add(s);
    }

    sslEngine.setEnabledProtocols(protocolList.toArray(new String[0]));
}

Where disabledSSLProtocols initialized with SSLv3,SSLv2Hello

Firefly answered 27/1, 2015 at 2:30 Comment(1)

This will only affect Java clients. Check here – Architectonics 6/11, 2017 at 14:37

Take a look at http://www.oracle.com/technetwork/java/javase/overview/tlsreadme-141115.html

Relevant part:

Renegotiations can be re-enabled for those applications that need it by setting the new system property sun.security.ssl.allowUnsafeRenegotiation to true before the JSSE library is initialized. There are several ways to set this property: Command Line: % java -Dsun.security.ssl.allowUnsafeRenegotiation=true Main Java Control Panel (Java Plug-in / Java Web Start) - Runtime Environment. Within the application: java.lang.System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", true); Note that TLS/SSL renegotiation will not occur unless both client and server have enabled renegotiations.

It explains the issue and the fix.

Starks answered 22/10, 2014 at 9:54 Comment(3)

Are you sure that the unsafe-renegotiation is relevant for the poodle-attck? – Cuman 22/10, 2014 at 11:8

Yes, very much so. The attack works because it can force a lower protocol (SSL3 instead of TLS). By disabling renegotiation, you disable the attack, – Starks 22/10, 2014 at 11:9

Fall back mechanism and renegotiation are different. Fall back will try to create a connection using the most recent protocol and try a less recent if it fails. Renegotiation is changing the ssl connection after the connection is successfully established. – Brucite 22/10, 2014 at 12:5

For https-connections using the java.net-package you could try using the environment-variable _JAVA_OPTIONS to set the system-property https.protocols:

_JAVA_OPTIONS=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

should enable only the mentioned protocols. Note that before Java 7 the maximum supported version was TLSv1.

This solution will not affect any other SSL-connections or http-connections using e.g. the apache-http-connector.

Tibetan answered 22/10, 2014 at 11:9 Comment(1)

This will only affect Java clients. Check here – Architectonics 6/11, 2017 at 14:37

You can patch Oracle Java now. http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

Strobotron answered 28/1, 2015 at 1:9 Comment(0)

Recommended topics

Hot tags