
This question has been asked before, but the suggested answer does not work in the latest Java runtime engine.

How do you enable SSLv3 (to access an old Web site that will never be updated by the manufacturer - specifically, a now-discontinued Dell DRAC 5 card in an older server) in Java? SSLv3 has been disabled since update 31, but in the past could be re-enabled by editing the java.security file.

In update 91, this method does not seem to work any more. Is there a new method to do it, or do I have to downgrade to an earlier version of Java?

Update as requested: the method that has worked since update 31 is to edit the java.security file (in /lib/security). This file contains a line

```
jdk.tls.disabledAlgorithms=SSLv3 ...
```

The solution that used to work was to remove SSLv3 from this line (or to comment out that line completely). In Java 8 update 91, removing SSLv3 or completely commenting it out no longer seems to have any effect.

Kevin Keane
  • You're a lot likelier to get help if you show exactly what you _have_ done to enable SSLv3. – Jim Garrison Jun 19 '16 at 06:41
  • Works for me in the Windows packages (both 32bit and 64bit); my Linuxes are not updated yet. Are you sure you are running the edited JRE and getting specifically `SSLHandshake Exception: Server chose SSLv3, but ... not enabled ...`? – dave_thompson_085 Jun 19 '16 at 07:40
  • @dave_thompson_085 Interesting. I had this problem both on Windows and Linux, and downgrading to 8u60, then repeating the procedure, fixed it for me. My symptom is slightly different because the application only reports "SSL socket connection failure" – Kevin Keane Jun 20 '16 at 15:40
  • Your comment on @Siva's answer mentions **JNLP** which your Q didn't. The security model for JNLP/webstart is quite a bit different from 'plain' Java, which is what I tested; moreover they frequently tweak it on updates (minor releases) whereas they only rarely do so for plain. That may be where your problem is, and if so I can't help, sorry. – dave_thompson_085 Jun 21 '16 at 10:53
  • @dave_thompson_085 Actually, that is quite helpful, gives me a new angle to troubleshoot. – Kevin Keane Jun 27 '16 at 08:57

1 Answer


I was able to run this following this post. I defined a property file with just the `jdk.tls.disabledAlgorithms` entry, ensuring it does not have SSLv3, like below:

`java.sslv3.security`

```
jdk.tls.disabledAlgorithms=RC4, MD5withRSA, DH keySize < 768
```

Then launch Java as below. Notice the use of `=`, as this will append to the existing java.security file and not completely replace it.

```
java -Djava.security.properties=java.sslv3.security SocketProtocols
Enabled protocols:
SSLv3
TLSv1
TLSv1.1
TLSv1.2
```
  • Thank you very much for that tip! In my case, the application is loaded from a jnlp file embedded in a Web page (and I don't have control over either the Web page, the jnlp file or the server application), but it is good to know this technique. – Kevin Keane Jun 20 '16 at 15:43
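
To confirm which JRE is actually running and whether an edited or overridden `jdk.tls.disabledAlgorithms` took effect, a small diagnostic helps. This is an added example, not the `SocketProtocols` class used in the answer (which the page does not show); the class name `TlsPolicyCheck` and helper `isDisabled` are hypothetical.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

// Added diagnostic (hypothetical class name, not from the original post).
// Prints the running JRE, the effective TLS policy, and the protocols the
// default SSLContext supports and enables.
public class TlsPolicyCheck {

    // True if the comma-separated policy value lists the protocol as an entry.
    static boolean isDisabled(String policy, String protocol) {
        if (policy == null) {
            return false;
        }
        for (String entry : policy.split(",")) {
            if (entry.trim().equalsIgnoreCase(protocol)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Which installation is running: an edited java.security in another
        // JRE has no effect on this one.
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));

        // -Djava.security.properties is honoured only when the master file
        // sets security.overridePropertiesFile=true.
        System.out.println("override file    = "
                + System.getProperty("java.security.properties"));
        System.out.println("override allowed = "
                + Security.getProperty("security.overridePropertiesFile"));

        String policy = Security.getProperty("jdk.tls.disabledAlgorithms");
        System.out.println("jdk.tls.disabledAlgorithms = " + policy);
        System.out.println("SSLv3 listed as disabled: " + isDisabled(policy, "SSLv3"));

        SSLContext ctx = SSLContext.getDefault();
        System.out.println("Supported: "
                + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));
        System.out.println("Enabled:   "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
    }
}
```

Run it once plainly and once with `-Djava.security.properties=java.sslv3.security`; if the two outputs are identical, the override file is not being read by that JRE.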