Reputation: 955
All,
I am in the process of fixing a security vulnerability issue (see the link below) in code. http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
In places we have used the below SSL context to make secure communications:
SSLContext.getInstance("TLS") (package: javax.net.ssl).
I know getInstance takes a protocol string value, but the question is what does "TLS" mean by value, i.e., is it the same as TLS1.0? Similarly, what does "SSL" mean by value, is it the same as "SSLv3"?
Is there a way to mention "TLS_FALLBACK_SCSV" while creating the context to fix this vulnerability? One way we are thinking of is to disable SSL and use only TLS1.2, but to make it backward compatible, is there a way to specify the fallback option as mentioned in the article? Can this option, if any, be passed to API calls while creating the SSL context?
Thanks! Santhosh
Upvotes: 0
Views: 1329
Reputation: 11
I've been working on the same issue. In short, SSLContext.getInstance("TLS") does not exclude SSLv3 from the list of supported protocols. You must use the setEnabledProtocols() method on SSLServerSocket or SSLSocket (whichever is appropriate to your use case).
Upvotes: 1
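The approach from the answer above, as an added example that is not part of the original posts: it filters the enabled protocol list down to TLSv* entries and applies it with setEnabledProtocols() on both an SSLSocket and an SSLServerSocket. The class name NoSslv3 and the helper tlsOnly are hypothetical names chosen for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;

// Hypothetical class name, added for illustration.
public class NoSslv3 {

    // Keep only the TLSv* entries from the currently enabled protocols,
    // which drops SSLv3 and the SSLv2Hello pseudo-protocol.
    static String[] tlsOnly(String[] enabled) {
        List<String> keep = new ArrayList<>();
        for (String p : enabled) {
            if (p.startsWith("TLSv")) {
                keep.add(p);
            }
        }
        if (keep.isEmpty()) {
            throw new IllegalStateException("no TLS protocol version is enabled");
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key managers, trust managers, RNG

        // Client side: unconnected socket, so this runs offline.
        try (SSLSocket client = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            System.out.println("client before: " + Arrays.toString(client.getEnabledProtocols()));
            client.setEnabledProtocols(tlsOnly(client.getEnabledProtocols()));
            System.out.println("client after:  " + Arrays.toString(client.getEnabledProtocols()));
        }

        // Server side: unbound server socket; accepted sockets inherit the setting.
        try (SSLServerSocket server =
                 (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket()) {
            server.setEnabledProtocols(tlsOnly(server.getEnabledProtocols()));
            System.out.println("server after:  " + Arrays.toString(server.getEnabledProtocols()));
        }
    }
}
```

The "before" line shows what the running JRE enables by default for a "TLS" context, which is the quickest way to check whether a given deployment still offers SSLv3.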