Tristan

Java: How to know the actual security properties in use?

What I've tried so far: I'm able to dump both system properties and "security properties", but clearly the security properties don't take my overriding system properties into account; it looks like it just reads "java.security" (see code below). I'd like to know what the actual security properties in use are.

For example, in "Security properties" I see this :

jdk.tls.disabledAlgorithms : SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, include jdk.disabled.namedCurves

and in "System properties", I see this :

jdk.tls.disabledAlgorithms:SSLv3

But I have no way to know which one is the active property (the system property should override the property from the java.security file, though).

In my test trying to reach a legacy server using TLSv1.1, I get :

javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)

When I try to debug with -Djava.security.debug=properties, I get :

properties: reading security properties file: /opt/java/svr_openjdk11-11.0.16/conf/security/java.security
properties: {(...) jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, include jdk.disabled.namedCurves (...)}
properties: java.security.disableSystemPropertiesFile=false
properties: security.useSystemPropertiesFile=false
properties: System security property support disabled by user.
properties: WARNING: FIPS mode support can not be enabled without system security properties being enabled.

So it looks like the property known by Java is the one from java.security and not the one passed on the command line as a system property.

    import java.lang.reflect.Field;
    import java.security.Security;
    import java.util.Enumeration;
    import java.util.Properties;

    public class DumpProps {
        public static void main(String[] args) {
            System.out.println("=== System properties ===");
            Properties properties = System.getProperties();
            properties.forEach((k, v) -> System.out.println(k + ":" + v));

            System.out.println("=== Security properties ===");
            // java.security.Security has no public "list everything" method, so read
            // its private static Properties table reflectively. On JDK 11 this prints
            // an illegal-access warning; on JDK 16 and later it needs
            //   --add-opens java.base/java.security=ALL-UNNAMED
            // or setAccessible throws InaccessibleObjectException.
            try {
                Field f = Security.class.getDeclaredField("props");
                f.setAccessible(true);
                Properties allProps = (Properties) f.get(null);
                @SuppressWarnings("unchecked")
                Enumeration<String> propertyNames = (Enumeration<String>) allProps.propertyNames();
                while (propertyNames.hasMoreElements()) {
                    String propertyName = propertyNames.nextElement();
                    System.out.println(propertyName + " : " + allProps.getProperty(propertyName));
                }
            } catch (ReflectiveOperationException | RuntimeException e) {
                // RuntimeException also covers InaccessibleObjectException from setAccessible
                e.printStackTrace();
            }
        }
    }

UPDATE : I've just added :

Security.setProperty("jdk.tls.disabledAlgorithms", "SSLv3");

before the display of security properties, and it looks like it's just ignored; the "jdk.tls.disabledAlgorithms" property still displays the value from the java.security file.

Upvotes: 1

Views: 2437

Answers (1)

Tristan

Looks like SO is dead these days.

So I've found the answer: the security properties displayed by the code above are the right ones, and no, they don't take into account system properties or Security.setProperty(...).

To override a security property, you need to put it in a file (my-new-security-props.security) and add this system property:

-Djava.security.properties=/full/path/to/my-new-security-props.security

Upvotes: 1
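As an added example (not code from the original post or from the JDK), the same check done through the public API instead of reflection, plus the check that actually explains the handshake error: which protocols JSSE enabled after applying the disabled list. The class name EffectiveTlsSettings and the override file path /tmp/tls-legacy.security are assumptions made for this example.

```java
// Added example, not part of the original post. Assumes an override file
// /tmp/tls-legacy.security (hypothetical path) containing the single line
//     jdk.tls.disabledAlgorithms=SSLv3
// Run once with
//     java -Djava.security.properties=/tmp/tls-legacy.security EffectiveTlsSettings
// and once without the -D flag, and compare the two outputs.
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

public class EffectiveTlsSettings {

    /** The value JSSE consults: conf/security/java.security merged with the override file. */
    static String effectiveDisabledAlgorithms() {
        return Security.getProperty("jdk.tls.disabledAlgorithms");
    }

    /** Protocols the default SSLContext enables after applying that disabled list. */
    static String[] enabledProtocols() throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        // Same table the reflective dump in the question walks, via the public API.
        System.out.println("Security property jdk.tls.disabledAlgorithms = "
                + effectiveDisabledAlgorithms());

        // A -Djdk.tls.disabledAlgorithms=... system property lives in a different
        // table (System.getProperties()) and JSSE never reads it for this purpose.
        System.out.println("System property   jdk.tls.disabledAlgorithms = "
                + System.getProperty("jdk.tls.disabledAlgorithms"));

        // The check that matters for "No appropriate protocol": is the legacy
        // server's protocol still in the enabled list?
        String[] enabled = enabledProtocols();
        System.out.println("Enabled protocols = " + Arrays.toString(enabled));
        System.out.println("TLSv1.1 usable    = " + Arrays.asList(enabled).contains("TLSv1.1"));
    }
}
```

Two details worth knowing when using the override file: `-Djava.security.properties=file` (one equals sign) overlays the file's entries on top of conf/security/java.security, while `-Djava.security.properties==file` (two equals signs) replaces that file entirely; both only work while `security.overridePropertiesFile=true` in java.security, which is the JDK default. JSSE reads `jdk.tls.disabledAlgorithms` when its classes initialize, so a `Security.setProperty(...)` call can only take effect if it runs before anything touches SSLContext or an SSL socket; the override file sidesteps that ordering problem entirely. Re-enabling TLSv1.1 for one legacy server downgrades every TLS connection the JVM makes, so prefer a dedicated SSLContext with `setEnabledProtocols` on that one connection where you can.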
