I should clarify that my test results for 6b36-1.13.8-0ubuntu1 are based on a modified java.security file which removed SSLv3 from the jdk.tls.disabledAlgorithms property. That may be the reason why they show SSLv3 as a default-enabled algorithm.
Also, I was finally able to test your Wily package (I had to install an image in VirtualBox.) Unlike the openjdk-6 package from the PPA, it works as expected in the sense that TLSv1.2 is on by default:

    nbryant@wily:~$ java -version
    java version "1.7.0_79"
    OpenJDK Runtime Environment (IcedTea 2.5.6) (7u79-2.5.6-1ubuntu1~ppa3)
    OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)
    nbryant@wily:~$ java TLSVersions
    java.vendor         java.version  proto    enabledProtocols
    Oracle Corporation  1.7.0_79      TLSv1.2  SSLv3,TLSv1,TLSv1.1,TLSv1.2
    Oracle Corporation  1.7.0_79      TLSv1.1  SSLv3,TLSv1,TLSv1.1
    Oracle Corporation  1.7.0_79      TLSv1    SSLv3,TLSv1
    Oracle Corporation  1.7.0_79      TLS      SSLv3,TLSv1,TLSv1.1,TLSv1.2
    Oracle Corporation  1.7.0_79      SSL      SSLv3,TLSv1,TLSv1.1,TLSv1.2

This is a little weird though, SSLv3 is on, even though I have this in java.security:

    jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768

-- 
You received this bug notification because you are a member of OpenJDK, which is subscribed to openjdk-7 in Ubuntu.
https://bugs.launchpad.net/bugs/1482924

Title:
  Regressions due to USN-2696-1

Status in openjdk-6 package in Ubuntu:
  New
Status in openjdk-7 package in Ubuntu:
  New

Bug description:
  Due to [CBCATT], some server administrators (including the webservices gateway for a major airline reservations provider) choose to disable CBC ciphersuites unless the protocol level is TLSv1.1 or later; [TLS1.1] introduced an explicit CBC IV to guard against such attacks. (See [TLS1.1] section 1.1)

  On such servers, disabling all CBC ciphersuites may leave only RC4 as a trusted cipher.

  JDK7 introduced support for TLSv1.2, but chose not to enable it by default, due to a policy of not changing such defaults in minor revisions. JDK8 enables TLSv1.2 by default.

  On Ubuntu, due to USN-2696-1, starting with the openjdk-7-jre-7u79-2.5.6-0ubuntu1.12.04.1 package, RC4 is disabled by default but the protocol default remains TLSv1.0. This can leave no remaining trusted ciphers, and negotiation can fail.

  Workaround: on OpenJDK7, it is possible to either use SSLContext.getInstance("TLSv1.2") or re-enable RC4 via SSLSocket.setEnabledCipherSuites(), but neither workaround is viable if one doesn't have access to 3rd-party source code.

  References:
  [TLS1.1] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, April 2006. https://www.ietf.org/rfc/rfc4346.txt
  [CBCATT] Moeller, B., "Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures", http://www.openssl.org/~bodo/tls-cbc.txt.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-6/+bug/1482924/+subscriptions
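An added example, not part of the original message and not the TLSVersions program quoted above (its source is not on the page): a Java 7-compatible audit that prints, for the default SSLContext and each named protocol, the client-side enabled protocols, how many RC4 suites remain enabled, and any protocol that is still listed although jdk.tls.disabledAlgorithms names it. The class name TlsDefaultsAudit and the column labels are assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example; the class name is hypothetical. Uses Java 6/7 syntax only.
public class TlsDefaultsAudit {
    // Entries of jdk.tls.disabledAlgorithms, e.g. "SSLv3" and "DH keySize < 768".
    static List<String> disabledEntries() {
        List<String> out = new ArrayList<String>();
        String prop = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (prop != null) {
            for (String entry : prop.split(",")) out.add(entry.trim());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        List<String> disabled = disabledEntries();
        System.out.println("jdk.tls.disabledAlgorithms: " + disabled);
        System.out.println("context\tenabledProtocols\tRC4 suites\tlisted despite policy");
        // "Default" is the context that code which never names a protocol ends up using.
        String[] names = {"Default", "TLSv1.2", "TLSv1.1", "TLSv1", "TLS", "SSL"};
        for (String name : names) {
            boolean isDefault = "Default".equals(name);
            SSLParameters params;
            try {
                SSLContext ctx = isDefault ? SSLContext.getDefault() : SSLContext.getInstance(name);
                if (!isDefault) ctx.init(null, null, null); // default key and trust managers
                params = ctx.getDefaultSSLParameters();
            } catch (NoSuchAlgorithmException e) {
                System.out.println(name + "\tnot offered by this runtime");
                continue;
            }
            // Protocols the context enables although the security property names them.
            List<String> conflicts = new ArrayList<String>();
            for (String p : params.getProtocols()) {
                if (disabled.contains(p)) conflicts.add(p);
            }
            int rc4 = 0;
            for (String suite : params.getCipherSuites()) {
                if (suite.contains("_RC4_")) rc4++;
            }
            System.out.println(name + "\t" + Arrays.toString(params.getProtocols())
                    + "\t" + rc4 + "\t" + conflicts);
        }
    }
}
```

Run it with the same JRE and java.security file as the application under investigation, since both determine the values it prints.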

