Swiftdiff options
| author | Nick Hudson <nick.hudson@isode.com> | 2014-10-15 12:58:37 (GMT) |
|---|---|---|
| committer | Nick Hudson <nick.hudson@isode.com> | 2014-10-17 12:43:36 (GMT) |
| commit | e82c5e8cae00d7f9d4b0c42e9e8e38f22c072c6d (patch) | |
| tree | e6a4dd135a3d5edca2042d65c88c69a4b17d13e5 | |
| parent | 768ec40ad0229804ca1dcc06dc9cdc7c8dab9769 (diff) | |
| download | stroke-e82c5e8cae00d7f9d4b0c42e9e8e38f22c072c6d.zip stroke-e82c5e8cae00d7f9d4b0c42e9e8e38f22c072c6d.tar.bz2 | |
Don't use SSLv3 in JSSEContext
The POODLE vulnerability means that using SSLv3 is insecure. So this
change removes it from the list of protocols that JSSEContext may use.
Oracle's "Java Cryptography Architecture Standard Algorithm
Name Documentation"
http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html
Lists the "standard names" that can be used in this context:
SSLv2
SSLv3
TLSv1
TLSv1.1
TLSv1.2
SSLv2Hello
After this patch, only the three "TLS" protocols will be allowed.
Test-information:
Tested using JRE6 and JRE7; viewing the SSL handshake indicates that
the protocol being requested is being used when the handshake occurs
Change-Id: I99710a72a4b8567226b1205fdf64c6c67ccc2a9a
| -rw-r--r-- | src/com/isode/stroke/tls/java/JSSEContext.java | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/com/isode/stroke/tls/java/JSSEContext.java b/src/com/isode/stroke/tls/java/JSSEContext.java index aeb9300..03a6c8f 100644 --- a/src/com/isode/stroke/tls/java/JSSEContext.java +++ b/src/com/isode/stroke/tls/java/JSSEContext.java @@ -1224,8 +1224,8 @@ public class JSSEContext extends TLSContext { /* These work for JRE 7 but may not be available for JRE 6*/ "TLSv1.2", "TLSv1.1", - /* These work for JRE 6 */ - "TLSv1", "TLS", "SSLv3" }; + /* These work for JRE 6. SSLv3 excluded to avoid POODLE vulnerability */ + "TLSv1", "TLS" }; /* Accumulate a list of problems which will be discarded if things * go well, but including in the error if things fail |