Is it possible to disable SSLv3 for all Java applications?


Solution 1

You have not specified the version of Java. Below Java 8 there is no way to disallow or disable a specific SSL protocol, but in Java 8 you can set the enabled protocols like the following:

Statically:

% java -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2" MyApp

Dynamically:

java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1,TLSv1.1,TLSv1.2");

If you are still using Java 7 or below, try the workaround explained in "Instructions to disable SSL v3.0 in Oracle JDK and JRE".

I just implemented the following piece of code to disallow SSLv3 and SSLv2Hello in one of our Java 6 applications.

// Needs: import java.util.ArrayList; import java.util.List;
if (disabledSSLProtocols != null) {
    // Start from what the engine currently enables and keep only the allowed protocols.
    String[] protocols = sslEngine.getEnabledProtocols();
    List<String> protocolList = new ArrayList<String>();

    for (String s : protocols) {
        if (disabledSSLProtocols.contains(s)) {
            log4j.info("{} protocol is disabled", s);
            continue;
        }
        log4j.info("{} protocol is enabled", s);
        protocolList.add(s);
    }

    // Apply the filtered list back to the engine.
    sslEngine.setEnabledProtocols(protocolList.toArray(new String[0]));
}

Where disabledSSLProtocols is initialized with SSLv3,SSLv2Hello
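
A self-contained check built around the filter in the answer above, added here as an example and not part of the original answer: it applies the same protocol filter to client-mode and server-mode engines from the default SSLContext and fails if SSLv3 or SSLv2Hello remains enabled. The class name Sslv3Check and the filter helper are assumptions made for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example: class and method names are hypothetical, not from the answer.
public class Sslv3Check {
    // Same protocol names the answer puts in disabledSSLProtocols.
    static final List<String> DISABLED = Arrays.asList("SSLv3", "SSLv2Hello");

    // Drop the disabled protocols; fail loudly rather than hand the engine
    // an empty list, which would leave it nothing to negotiate with.
    static String[] filter(String[] enabled) {
        List<String> keep = new ArrayList<String>();
        for (String p : enabled) {
            if (!DISABLED.contains(p)) {
                keep.add(p);
            }
        }
        if (keep.isEmpty()) {
            throw new IllegalStateException("all enabled protocols are disabled");
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Shows whether the -D setting from the answer reached this JVM.
        System.out.println("jdk.tls.client.protocols = "
                + System.getProperty("jdk.tls.client.protocols"));
        SSLContext ctx = SSLContext.getDefault();
        // Check both roles: a client-side default says nothing about server engines.
        for (boolean client : new boolean[] {true, false}) {
            SSLEngine engine = ctx.createSSLEngine();
            engine.setUseClientMode(client);
            String role = client ? "client" : "server";
            System.out.println(role + " default:  "
                    + Arrays.toString(engine.getEnabledProtocols()));
            engine.setEnabledProtocols(filter(engine.getEnabledProtocols()));
            List<String> after = Arrays.asList(engine.getEnabledProtocols());
            System.out.println(role + " filtered: " + after);
            for (String p : DISABLED) {
                if (after.contains(p)) {
                    throw new IllegalStateException(p + " still enabled for " + role);
                }
            }
        }
    }
}
```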

Solution 2

Take a look at http://www.oracle.com/technetwork/java/javase/overview/tlsreadme-141115.html

Relevant part:

Renegotiations can be re-enabled for those applications that need it by setting the new system property sun.security.ssl.allowUnsafeRenegotiation to true before the JSSE library is initialized. There are several ways to set this property:

  • Command Line: % java -Dsun.security.ssl.allowUnsafeRenegotiation=true Main
  • Java Control Panel (Java Plug-in / Java Web Start) - Runtime Environment.
  • Within the application: java.lang.System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");

Note that TLS/SSL renegotiation will not occur unless both client and server have enabled renegotiations.

It explains the issue and the fix.

Author: Robert

Updated on June 09, 2022

Comments

  • Robert, almost 2 years

    Because of the POODLE attack it is now recommended to disable SSLv3 for client and server applications and only allow TLS 1.0 - TLS 1.2 connections.

    Is there a way to disable SSLv3 for all Java based applications (server and client) on a computer without having to modify every Java program?

    Maybe there is a possibility to change the configuration of the JRE or use a special environment variable.

    Does anybody know such a way?