0

Java disabled SSLv3 due to a vulnerability. But in the JavaMail API, using an SMTP server over SSL works. Why is that so?

2 Answers

2

Email over SSL uses the SSL / TLS protocol family as implemented by `SSLSocketImpl` and related classes in the Java runtime library.

Depending on which version of Java you are using, `SSLSocketImpl` will negotiate an acceptable version of the SSL / TLS protocols with the remote server. Java can support up to TLSv1.3 (in Java 11). Support for TLSv1.0 was added to Java 6 in update 111.¹

In fact, an update to Java 6 and later was made in January 2015 to disable SSLv3 support in Java 6 and later by default. You would have to set a system property in order to enable SSLv3.

1 - Java 6 update 111 is not publicly available. If you are using the last public release of Java 6, you are stuck with using the insecure SSLv3 or older. Most SMTP servers won't accept that. This is just one more reason to upgrade to a supported version of Java; i.e. Java 8, 11, or later.


> But in java mail API using an SMTP server over SSL works? Why is that so?

Because it is not using SSLv3 (or earlier); see above.

Stephen C
    I'll add that [publicly-available updates for Java 6 ended in April 2013](https://en.wikipedia.org/wiki/Java_version_history), so without an Oracle support contract, any Java 6 running won't have those updates (along with a lot of others...) and is almost certainly horribly out-of-date and completely insecure. And even paid support for Java ended in December 2018. – Andrew Henle Aug 08 '19 at 09:54
1

Here is a link to another Stack Overflow question that I think answers this as well. stackoverflow

As stated here in this link:

> the protocol can be reactivated by removing “SSLv3” from the `jdk.tls.disabledAlgorithms` property in the java.security file or dynamically by setting this property to “true”.

Elliott Weeks
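To confirm on a given JVM what both answers describe (which protocol versions JSSE will negotiate, and whether SSLv3 is still blocked by `jdk.tls.disabledAlgorithms`), the following is an added example and not code from either answer. The class name, the preferred-protocol list and the host `smtp.example.com` are assumptions for illustration; the `mail.smtp.*` keys are standard JavaMail session properties.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Properties;
import javax.net.ssl.SSLContext;

public class TlsProtocolAudit {

    // True if SSLv3 appears in the given protocol list.
    static boolean offersSslv3(String[] protocols) {
        return Arrays.stream(protocols).anyMatch(p -> p.equalsIgnoreCase("SSLv3"));
    }

    // Keep only the preferred protocols this JVM actually supports, so that
    // enabling them later cannot fail on an older runtime (e.g. no TLSv1.3).
    static String pinnedProtocols(String[] supported, String... preferred) {
        List<String> keep = new ArrayList<>();
        for (String p : preferred) {
            if (Arrays.asList(supported).contains(p)) {
                keep.add(p);
            }
        }
        return String.join(" ", keep); // JavaMail expects a whitespace-separated list
    }

    public static void main(String[] args) throws Exception {
        // Security property from the JDK's java.security file.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        SSLContext ctx = SSLContext.getDefault();
        String[] enabled = ctx.getDefaultSSLParameters().getProtocols();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        System.out.println("Enabled by default: " + Arrays.toString(enabled));
        System.out.println("Supported by JVM:   " + Arrays.toString(supported));
        System.out.println("SSLv3 enabled by default: " + offersSslv3(enabled));

        // Session properties that pin SMTP over SSL to modern TLS versions
        // instead of relying on the JVM defaults.
        Properties mail = new Properties();
        mail.setProperty("mail.smtp.host", "smtp.example.com"); // placeholder host
        mail.setProperty("mail.smtp.port", "465");
        mail.setProperty("mail.smtp.ssl.enable", "true");
        mail.setProperty("mail.smtp.ssl.protocols",
                pinnedProtocols(supported, "TLSv1.3", "TLSv1.2"));
        System.out.println("mail.smtp.ssl.protocols = "
                + mail.getProperty("mail.smtp.ssl.protocols"));
    }
}
```

Pass the resulting `Properties` to `Session.getInstance` when building the JavaMail session; if the pinned list comes back empty, the runtime supports neither TLSv1.2 nor TLSv1.3 and should be upgraded.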