7

Because of the Poodle attack it is now recommended to disable SSLv3 for client and server applications and only allow TLS 1.0 -TLS 1.2 connections.

Is there a way to disable SSLv3 for all Java based applications (server and client) on a computer without having to modify every Java program?

May be there is a possibility to change the configuration of the JRE or using a special environment variable.

Does anybody know such a way?

Robert
  • 39,162
  • 17
  • 99
  • 152
  • possible duplicate of [Java http clients and POODLE](http://stackoverflow.com/questions/26429751/java-http-clients-and-poodle) – Yves Martin Dec 08 '14 at 14:04

4 Answers4

3

You have not specified the version of Java because below Java 8 there is no way to disallow or disable specific SSL protocol but in Java 8 you can set the enabled protocols like following

Statically:

% java -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" MyApp

Dynamically:

java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1,TLSv1.1,TLSv1.2");

If you are still using java 7 or below try to use work around explained Instructions to disable SSL v3.0 in Oracle JDK and JRE

I just implemented following piece of code to disallow SSLv3 and SSLv2Hello on one of our Java6 application. 

if(disabledSSLProtocols != null) {

    String[] protocols = sslEngine.getEnabledProtocols();
    List<String> protocolList = new ArrayList<String>();

    for (String s : protocols) {

        if (disabledSSLProtocols.contains(s)) {

            log4j.info("{} protocol is disabled", s);
            continue;
        }

        log4j.info("{} protocol is enabled", s);
        protocolList.add(s);
    }

    sslEngine.setEnabledProtocols(protocolList.toArray(new String[0]));
}

Where disabledSSLProtocols initialized with SSLv3,SSLv2Hello

Mubashar
  • 12,300
  • 11
  • 66
  • 95
  • This will only affect Java **clients**. Check [here](https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https) – Evandro Pomatti Nov 06 '17 at 14:37
1

Take a look at http://www.oracle.com/technetwork/java/javase/overview/tlsreadme-141115.html

Relevant part:

Renegotiations can be re-enabled for those applications that need it by setting the new system property sun.security.ssl.allowUnsafeRenegotiation to true before the JSSE library is initialized. There are several ways to set this property: Command Line: % java -Dsun.security.ssl.allowUnsafeRenegotiation=true Main Java Control Panel (Java Plug-in / Java Web Start) - Runtime Environment. Within the application: java.lang.System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", true); Note that TLS/SSL renegotiation will not occur unless both client and server have enabled renegotiations.

It explains the issue and the fix.

Davio
  • 4,609
  • 2
  • 31
  • 58
  • Are you sure that the unsafe-renegotiation is relevant for the poodle-attck? – Robert Oct 22 '14 at 11:08
  • Yes, very much so. The attack works because it can force a lower protocol (SSL3 instead of TLS). By disabling renegotiation, you disable the attack, – Davio Oct 22 '14 at 11:09
  • 1
    Fall back mechanism and renegotiation are different. Fall back will try to create a connection using the most recent protocol and try a less recent if it fails. Renegotiation is changing the ssl connection after the connection is successfully established. – Kazaag Oct 22 '14 at 12:05
0

For https-connections using the java.net-package you could try using the environment-variable _JAVA_OPTIONS to set the system-property https.protocols:

_JAVA_OPTIONS=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

should enable only the mentioned protocols. Note that before Java 7 the maximum supported version was TLSv1.

This solution will not affect any other SSL-connections or http-connections using e.g. the apache-http-connector.

piet.t
  • 11,718
  • 21
  • 43
  • 52
  • This will only affect Java **clients**. Check [here](https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https) – Evandro Pomatti Nov 06 '17 at 14:37
0

You can patch Oracle Java now. http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

dliu
  • 168
  • 2
  • 7