Log displays TLSv1 instead of SSLv3

Question

I have enabled logs in my application using -Djavax.net.debug=all option. Code that have written is supposed to use SSLv3 protocol, but in logs when I am checking it is displaying as ::

*** ClientHello, TLSv1

*** ServerHello, TLSv1

As far as I understand from reading is, Client and Server using TLSv1 for handshake, but as I have used SSLv3 in my code while initiating socket, ideally it should print SSLv3 instead TLSv1.

Below is the code snippet I have used :

SSLContextBuilder builder = new SSLContextBuilder();
builder.useProtocol("SSLv3");

SSLContext sslContext = builder.build();

Can someone please clarify the reason for the same, or is there something else I have missed out. Just to add on I am on Java 7.

Why? Just let Java choose the highest supported version. No reason to use a deliberately obsoleted protocol. — user207421, May 11 '18 at 08:31
@EJP If Java choose highest supported version, then isnt it should print 1.2 instead of 1, since TLSv1.2 is supported on java7 ? I mean I am not that sure of but if I have to use SSLv3 somewhere and it is also supported by java, then why in logs TLSv1 got printed. My question was, isnt the same should throw error message ? — Bhaskar, May 11 '18 at 08:37
The version in _message-related_ log entries during handshake may be wrong; see https://stackoverflow.com/questions/49748108/java-7-with-tlsv1-2-connect-to-ldaps-handshake-failure . `READ:` and `WRITE:` should show the correct record version, or look at the actual messages dumped in hex. Note the record version in ClientHello does not control the protocol used; that depends on the version in the _body_ of ClientHello and the _body_ of ServerHello. (And for 1.3, it will depend on _extensions_ as well. But j7 doesn't do 1.3.) — dave_thompson_085, May 11 '18 at 11:01

Anton Malyshev · Accepted Answer · 2018-05-11T08:34:38.483

Most probably SSLv3 is just not supported by server (which is recommended configuration nowadays because of security), so the lib uses least supported TLS version.

UPD: seems that hello format says nothing about what protocol will be used in fact. There's something from Java docs:

Currently, the SSLv3, TLSv1, and TLSv1.1 protocols allow you to send SSLv3, TLSv1, and TLSv1.1 hellos encapsulated in an SSLv2 format hello. For more details on the reasons for allowing this compatibility in these protocols, see Appendix E in the appropriate RFCs (previously listed).

Note that some SSL/TLS servers do not support the v2 hello format and require that client hellos conform to the SSLv3 or TLSv1 client hello formats.

The SSLv2Hello option controls the SSLv2 encapsulation. If SSLv2Hello is disabled on the client, then all outgoing messages will conform to the SSLv3/TLSv1 client hello format. If SSLv2Hello is disabled on the server, then all incoming messages must conform to the SSLv3/TLSv1 client hello format.

if SSLv3 is not supported at either side, then there should be no handshake, and should result in some error message, right ? If I understand correctly. — Bhaskar, May 11 '18 at 08:29
I've checked the implementation of the method and docs and it seems that nothing simple here, please check updated answer — Anton Malyshev, May 11 '18 at 08:35

Log displays TLSv1 instead of SSLv3

1 Answers1