Karthik Krishnamoorthy wrote:
> > Thanks for your help with this, I see what you mean and looking at the JSS libraries it looks like only a subset of NSS has been implemented in JSS. Currently it seems like there is no option to implement an equivalent of the above with JSS.
You are right. There are options to enable/disable SSLv2 and SSLv3 but not TLS. I just filed an RFE: http://bugzilla.mozilla.org/show_bug.cgi?id=208193.
So, the only way to disable TLS right now is to disable all the TLS cipher suites individually. See http://www.mozilla.org/projects/security/pki/jss/javadoc/org/mozilla/jss/ssl/SSLSocket.html for a list of all the ciphers, then call SSLSocket.setCipherPreference on all the TLS_ ciphers to turn them off. (Or you can call setCipherPreferenceDefault, and all sockets created subsequently will have it disabled.)
Thanks, I tried this and the TLS ciphers seem to be disabled but it still seems to use version 3.1. The stack trace confirms this. I used the setCipherPreferenceDefault method.
Looking up "garfield.central.sun.com"...
Proxy socket ready and listening
Connected to garfield.central.sun.com:443
--> [
alloclen = 66 bytes
(66 bytes of 66)
[Tue Jun 3 19:27:36 2003] [ssl2] ClientHelloV2 {
version = {0x03, 0x01}
cipher-specs-length = 39 (0x27)
sid-length = 0 (0x00)
challenge-length = 16 (0x10)
cipher-suites = {
(0x010080) SSL2/RSA/RC4-128/MD5
(0x030080) SSL2/RSA/RC2CBC128/MD5
(0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
(0x060040) SSL2/RSA/DES56-CBC/MD5
(0x020080) SSL2/RSA/RC4-40/MD5
(0x040080) SSL2/RSA/RC2CBC40/MD5
(0x000004) SSL3/RSA/RC4-128/MD5
(0x00feff) SSL3/RSA-FIPS/3DES192EDE-CBC/SHA
(0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
(0x00fefe) SSL3/RSA-FIPS/DES56-CBC/SHA
(0x000009) SSL3/RSA/DES56-CBC/SHA
(0x000003) SSL3/RSA/RC4-40/MD5
(0x000006) SSL3/RSA/RC2CBC40/MD5
}
session-id = { }
challenge = { 0x529b 0xbc67 0xadf5 0x0f66 0x6e7f 0xe9d9 0x2303 0x10b8 }
}
]
<-- [
(717 bytes of 712)
SSLRecord { [Tue Jun 3 19:27:43 2003]
0: 16 03 00 02 c8 |....�
type = 22 (handshake)
version = { 3,0 }
length = 712 (0x2c8)
handshake {
0: 02 00 00 46 |...F
type = 2 (server_hello)
length = 70 (0x000046)
ServerHello {
server_version = {3, 0}
random = {...}
0: 3e dd 59 1e 07 96 c3 86 1c 38 09 b4 97 db 5c 33 | >�Y...�?.8.�.�\3
10: 6e 34 3e 13 59 e2 06 68 a0 44 60 c6 b6 7e 0b 66 | n4>.Y�.h D`ƶ~.f
session ID = {
length = 32
contents = {..}
0: 3e dd 59 1f e4 c9 c9 ed 0f 4f 3f 2c 22 83 72 a0 | >�Y.����.O?,"?r
10: 55 59 fc fd 89 cc f7 31 62 f4 42 2a c6 4c 0c 65 | UY��?��1b�B*�L.e
}
cipher_suite = (0x0004) SSL3/RSA/RC4-128/MD5
}
0: 0b 00 02 76 |...v
type = 11 (certificate)
length = 630 (0x000276)
CertificateChain {
chainlength = 627 (0x0273)
Certificate {
size = 624 (0x0270)
data = { saved in file 'cert.001' }
}
}
0: 0e 00 00 00 |....
type = 14 (server_hello_done)
length = 0 (0x000000)
}
}
]
--> [
(204 bytes of 132, with 67 left over)
SSLRecord { [Tue Jun 3 19:27:43 2003]
0: 16 03 00 00 84 |....?
type = 22 (handshake)
version = { 3,0 }
length = 132 (0x84)
handshake {
0: 10 00 00 80 |....
type = 16 (client_key_exchange)
length = 128 (0x000080)
ClientKeyExchange {
message = {...}
}
}
}
(204 bytes of 1, with 61 left over)
SSLRecord { [Tue Jun 3 19:27:43 2003]
0: 14 03 00 00 01 |.....
type = 20 (change_cipher_spec)
version = { 3,0 }
length = 1 (0x1)
0: 01 |.
}
(204 bytes of 56)
SSLRecord { [Tue Jun 3 19:27:43 2003]
0: 16 03 00 00 38 |....8
type = 22 (handshake)
version = { 3,0 }
length = 56 (0x38)
< encrypted >
}
]
<-- [
(7 bytes of 2)
SSLRecord { [Tue Jun 3 19:27:43 2003]
0: 15 03 00 00 02 |.....
type = 21 (alert)
version = { 3,0 }
length = 2 (0x2)
fatal: handshake failure
0: 02 28 |.(
}
]
I am not sure if I am missing something ..
The best solution is to fix the TLS intolerant web server or use another web server. If the web server is still being maintained, could you submit a bug report to its maintainers?
Unfortunately this is an old web server with no more engineers and I don't have access to its source. I am trying to get the users moved from it to another standard web server but am facing resistance.
thanks again .. Karthik
Wan-Teh
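
The ClientHelloV2 in the trace above carries its version field separately from the cipher list, which is why the hello still reads `version = {0x03, 0x01}` with no TLS_ suites offered. The following is an added example, not part of the original thread: a parser for that SSLv2-format hello, run over bytes constructed from the fields the trace prints. The function names are hypothetical, and the 2-byte record header `0x80 0x40` is an assumption inferred from the 66-byte total, since the trace does not print it.

```python
import struct

# Constructed sample: rebuilt from the ClientHelloV2 fields printed in the trace.
# Assumption: 2-byte record header 0x80 0x40 (64-byte body), not shown in the trace.
SUITES = ["010080", "030080", "0700c0", "060040", "020080", "040080", "000004",
          "00feff", "00000a", "00fefe", "000009", "000003", "000006"]
CHALLENGE = "529bbc67adf50f666e7fe9d9230310b8"
SAMPLE_HELLO = bytes.fromhex("8040" "01" "0301" "0027" "0000" "0010"
                             + "".join(SUITES) + CHALLENGE)


def parse_v2_client_hello(buf):
    """Parse an SSLv2-format ClientHello carried in a 2-byte-header record."""
    if len(buf) < 11 or not buf[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    rec_len = ((buf[0] & 0x7F) << 8) | buf[1]
    body = buf[2:2 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    # msg type, version major/minor, then three 16-bit length fields
    msg_type, major, minor, cs_len, sid_len, ch_len = struct.unpack_from(">BBBHHH", body)
    if msg_type != 1:
        raise ValueError("not a ClientHello")
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != rec_len:
        raise ValueError("length fields do not add up")
    specs = body[9:9 + cs_len]
    suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    sid_end = 9 + cs_len + sid_len
    return {"version": (major, minor), "suites": suites,
            "session_id": body[9 + cs_len:sid_end], "challenge": body[sid_end:]}


def summarize(hello):
    """Report the offered version next to what the cipher list actually contains."""
    # A non-zero first byte marks an SSL2 cipher kind; 0x00 prefixes a 2-byte suite code.
    ssl2 = [s for s in hello["suites"] if s >> 16]
    ssl3_tls = [s for s in hello["suites"] if not s >> 16]
    return {"offered_version": "%d.%d" % hello["version"],
            "ssl2_kinds": len(ssl2),
            "ssl3_tls_suites": [hex(s) for s in ssl3_tls]}


if __name__ == "__main__":
    print(summarize(parse_v2_client_hello(SAMPLE_HELLO)))
```
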
