disabled SSL3 not reflected in "supported protocols"

Bernd ecki at zusammenkunft.net
Tue Jan 27 17:50:24 UTC 2015


Hello,

With the Java 7u76 update, the default security setting is that SSL3 is
banned.

At first I thought this would be reflected in the enabled and supported
protocols; however, the list of supported protocols still contains SSL3, and
I can also enable SSL3, and this is reflected in getEnabledProtocols():

1.7.0_76 Oracle Corporation jdk.tls.disabledAlgorithms=SSLv3
Default Protocols, enabled: [TLSv1] supported: [SSLv2Hello, SSLv3, TLSv1,
TLSv1.1, TLSv1.2]
Set SSL3+TLSv1, enabled: [SSLv3, TLSv1]
Set SSL3, enabled: [SSLv3]
Now handshaking...
Exception in thread "main" javax.net.ssl.SSLHandshakeException: No
appropriate protocol (protocol is disabled or cipher suites are
inappropriate)

It looks like the disabled check is done only at handshake time.

I wonder whether it would be cleaner to remove it from the supported set and
not keep it in the enabled set (but accept the setEnabled for backward
compatibility).

Regards
Bernd

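PS: test code:

    import java.security.Security;
    import java.util.Arrays;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;

    public class Ssl3Test {
        public static void main(String[] args) throws Exception {
            // Left commented out: clears the disabled-algorithms list for comparison.
            //Security.setProperty("jdk.tls.disabledAlgorithms", "");
            System.out.printf("%s %s jdk.tls.disabledAlgorithms=%s%n",
                    System.getProperty("java.version", "?"),
                    System.getProperty("java.vendor", "?"),
                    Security.getProperty("jdk.tls.disabledAlgorithms"));
            SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault()
                    .createSocket("www.google.com", 443);
            // Print the default enabled list and the full supported list.
            System.out.printf("Default Protocols, enabled: %s supported: %s%n",
                    Arrays.toString(s.getEnabledProtocols()),
                    Arrays.toString(s.getSupportedProtocols()));
            // Enable SSLv3 explicitly and print what the socket reports back.
            s.setEnabledProtocols(new String[] { "SSLv3", "TLSv1" });
            System.out.printf("Set SSL3+TLSv1, enabled: %s%n",
                    Arrays.toString(s.getEnabledProtocols()));
            s.setEnabledProtocols(new String[] { "SSLv3" });
            System.out.printf("Set SSL3, enabled: %s%nNow handshaking...%n",
                    Arrays.toString(s.getEnabledProtocols()));
            // With only SSLv3 enabled, this is where the exception is thrown.
            s.startHandshake();
            System.out.println("Cipher " + s.getSession().getCipherSuite()
                    + " (" + s.getSession().getProtocol() + ")");
        }
    }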
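
Added example, not part of the original message or of the JDK: an offline check that filters the protocol lists JSSE reports against jdk.tls.disabledAlgorithms, so the mismatch described above is visible before any handshake is attempted. The class and method names are hypothetical, and it assumes a protocol is blocked exactly when its name appears as a whole comma-separated entry of the property (compared case-insensitively).

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (hypothetical class): reported vs. usable TLS protocol lists.
public class EffectiveProtocols {

    // Entries of jdk.tls.disabledAlgorithms, trimmed and lower-cased. Constraint
    // entries such as "DH keySize < 768" never equal a protocol name (assumption).
    static Set<String> disabledEntries() {
        Set<String> out = new HashSet<String>();
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (prop == null) return out;
        for (String entry : prop.split(",")) {
            String e = entry.trim().toLowerCase(Locale.ROOT);
            if (!e.isEmpty()) out.add(e);
        }
        return out;
    }

    // Protocols from the given list that are not named in the property.
    static List<String> usable(String[] protocols, Set<String> disabled) {
        List<String> out = new ArrayList<String>();
        for (String p : protocols) {
            if (!disabled.contains(p.toLowerCase(Locale.ROOT))) out.add(p);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // An SSLEngine exposes the protocol lists without opening a connection.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        Set<String> disabled = disabledEntries();
        String[] supported = engine.getSupportedProtocols();
        System.out.println("supported (reported): " + Arrays.toString(supported));
        System.out.println("supported (usable):   " + usable(supported, disabled));
        // Constructed request mirroring the test code above: SSLv3 only.
        String[] requested = { "SSLv3" };
        List<String> ok = usable(requested, disabled);
        System.out.println("requested " + Arrays.toString(requested) + " -> usable " + ok);
        if (ok.isEmpty()) System.out.println("no usable protocol left; expect the handshake to be refused");
    }
}
```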