发表新帖
发表新帖

Java http clients and POODLE

后端 未结
关注
4 1745
闹比i
闹比i 2020-12-05 11:31

Regarding the POODLE vulnerability, if I understand it correctly, it requires a client that automatically downgrades TLS protocol to SSLv3 when failing to establish a secure

相关标签:
4条回答
  • 悲哀的现实
    2020-12-05 11:40

    After spending considerable time trying to figure out why TLSv1.2 was being used despite setting -Dhttps.protocols="TLSv1" we finally found this post. The magic flag is indeed -Djdk.tls.client.protocols="TLSv1" and our Apache Axis 1.4 client works again. So in case you move from Java 7 to Java 8 you may need to add this flag as pre JAVA 8 used TLSv1 as default whereas JAVA 8 uses TLSv1.2

    Thanks!

    0 讨论(0)
  • 野性不改
    2020-12-05 11:42

    Apache HttpClient 4.3.6 disables SSLv3 by default.

    Here's an excerpt from Apache HC 4.3.6 release notes

    Release 4.3.6

    HttpClient 4.3.6 (GA) is a maintenance release that fixes several problems with HttpClient OSGi bundle as well as some other issues reported since release 4.3.5.

    Please note that as of this release HttpClient disables all versions of SSL (including SSLv3) in favor of the TLS protocol by default. Those users who wish to continue using SSLv3 need to explicitly enable support for it.

    Users of all HttpClient versions are advised to upgrade.

    Changelog:

    • SSLv3 protocol is disabled by default Contributed by Oleg Kalnichevski

    Update: If you are running on JVM having version >= Java 1.8 Update 31 SSLv3 is disabled by default.Check out the release notes

    0 讨论(0)
  • 清歌不尽
    2020-12-05 12:03

    Apache HttpClient does not implement any of the TLS protocol aspects. It relies on JSSE APIs to do TLS/SSL handshaking and to establish secure SSL sessions. With the exception of SSL hostname verification logic, as far as TLS/SSL is concerned Apache HttpClient is as secure (or as vulnerable) as the JRE it is running in.

    Update: HttpClient 4.3 by default always uses TLS, so, unless one explicitly configures it to use SSLv3 HttpClient should not be vulnerable to exploits based on POODLE.

    This turned out to be wrong. One MUST explicitly remove SSLv3 from the list of supported protocols! 

    SSLContext sslContext = SSLContexts.custom()
        .useTLS() // Only this turned out to be not enough
        .build();
SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
        sslContext,
        new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"},
        null,
        SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
CloseableHttpClient client = HttpClients.custom()
        .setSSLSocketFactory(sf)
        .build();

    Update 2: As of version 4.3.6 HttpClient disables all versions of SSL (including SSLv3) by default.

    0 讨论(0)
  • 遥遥无期
    2020-12-05 12:03

    You MUST disable SSL v3.0 on java clients if you use https.

    This can be done by adding this property on java 6/7:

    -Dhttps.protocols="TLSv1"

    And for Java 8 :

    -Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2"

    -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"

    Source : http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

    0 讨论(0)
 看不清?
提交回复
热议问题