Re: [akka-user] How to disable TLSv1 when I configure "akka.remote.netty.ssl.security.protocol" property as TLSv1.2.
> Otherwise, I have tried "jdk.tls.client.protocols" system property, but it does not achieve the desired effect. Okay -- "jdk.tls.client.protocols" only disables SSL from a client perspective ONLY. Akka remoting is from a server context. And "https.protocol" is only good for an HTTPSURLConnection, not for SSLEngine. If you want to disable it from the server perspective and you want to do it on a specific SSL context, then you have to call setAlgorithmConstraints directly: val sslParameters = sslContext.getDefaultSSLParameters() // clones new instance from default val sslEngine = sslContext.createSSLEngine(peerHost, peerPort) sslParameters.setAlgorithmConstraints(algConstraints) sslEngine.setSSLParameters(sslParameters) Otherwise, if you want disabled algorithms the only reliable way to set it is: java -Djava.security.properties=disabledAlgorithms.properties Wrote more about this in https://tersesystems.com/2014/01/13/fixing-the-most-dangerous-code-in-the-world/ Adding this to the Akka issue so Konrad doesn't have to... -- Will Sargent *Engineer, Lightbend, Inc.* will.sarg...@lightbend.com On Sun, Jul 31, 2016 at 4:30 AM, Konrad 'ktoso' Malawskiwrote: > That seems like a good catch indeed! > Thanks for finding this. > > I've made an issue and PR for it: > https://github.com/akka/akka/issues/21077 > https://github.com/akka/akka/pull/21078 > > If reviewed by team we could include this patch very soon. > > Thanks for reporting! > > -- Konrad > > > W dniu czwartek, 28 lipca 2016 09:36:59 UTC+2 użytkownik > yinzho...@gmail.com napisał: >> >> Thank you first for your reply :) >> >> I add TLSv1 to jdk.tls.disabledAlgorithms of JRE java.security file, in >> this way I can resolve the problem, but the modify will globally affect, >> for example there is a java app needs TLSv1. >> Otherwise, I have tried "jdk.tls.client.protocols" system property, but >> it does not achieve the desired effect. >> >> I have tried to invoke "setEnabledProtocols" method >> of javax.net.ssl.SSLEngine class on my java test code, it can achieve the >> desired effect. >> The relevant AKKA source code of akka.remoting as follow: >> case Some(context) ⇒ >> log.debug("Using client SSL context to create SSLEngine ...") >> new SslHandler({ >> val sslEngine = context.createSSLEngine >> sslEngine.setUseClientMode(true) >> sslEngine.setEnabledCipherSuites(settings.SSLEnabledAlgorithms. >> toArray) >> sslEngine.setEnabledProtocols(Array("TLSv1.2")) => Add this >> line can resovle my problem, but I don't want to modify AKKA source code >> :( >> sslEngine >> >> Is there a way to set ssl option without modify AKKA source code? >> Thank you. >> >> >> 在 2016年7月27日星期三 UTC+8上午4:02:45,Will Sargent写道: >>> >>> You can set the "jdk.tls.client.protocols" system property to set >>> options for the JVM -- this is a feature that is only available in JDK 1.8 >>> though. >>> >>> >>> https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols >>> >>> Otherwise, you would have to set the security >>> property jdk.tls.disabledAlgorithms to add TLSv1 specifically. >>> >>> >>> Will Sargent >>> Engineer, Lightbend, Inc. >>> >>> >>> On Tue, Jul 26, 2016 at 1:12 AM, wrote: >>> Configure file as follow: # Protocol to use for SSL encryption, choose from: # Java 6 & 7: # 'SSLv3', 'TLSv1' # Java 7: # 'TLSv1.1', 'TLSv1.2' protocol = "TLSv1.2" When I use nmap to scan, I find that TLSv1 is enabled: D:\softwares\nmap-7.12>nmap -p --script=ssl* x.x.x.x -- unprivileged Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-26 15:33 °?′óà÷2?±ê×?ê±?? Nmap scan report for x.x.x.x Host is up (1.0s latency). PORT STATE SERVICE /tcp open unknown | ssl-enum-ciphers: | TLSv1.0: |ciphers: | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A |compressors: | NULL |cipher preference: indeterminate |cipher preference error: Too few ciphers supported | TLSv1.1: |ciphers: | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A |compressors: | NULL |cipher preference: indeterminate |cipher preference error: Too few ciphers supported | TLSv1.2: |ciphers: | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A |compressors: | NULL |cipher preference: indeterminate |cipher preference error: Too few ciphers supported |_ least strength: A MAC Address: xx:xx:xx:xx:xx:xx Nmap done: 1 IP address (1 host up) scanned in 3.88 seconds D:\softwares\nmap-7.12> I want to disable TLSv1. Any method? Thank you. -- >> Read the docs: http://akka.io/docs/ >> Check the FAQ:
Re: [akka-user] How to disable TLSv1 when I configure "akka.remote.netty.ssl.security.protocol" property as TLSv1.2.
That seems like a good catch indeed! Thanks for finding this. I've made an issue and PR for it: https://github.com/akka/akka/issues/21077 https://github.com/akka/akka/pull/21078 If reviewed by team we could include this patch very soon. Thanks for reporting! -- Konrad W dniu czwartek, 28 lipca 2016 09:36:59 UTC+2 użytkownik yinzho...@gmail.com napisał: > > Thank you first for your reply :) > > I add TLSv1 to jdk.tls.disabledAlgorithms of JRE java.security file, in > this way I can resolve the problem, but the modify will globally affect, > for example there is a java app needs TLSv1. > Otherwise, I have tried "jdk.tls.client.protocols" system property, but it > does not achieve the desired effect. > > I have tried to invoke "setEnabledProtocols" method > of javax.net.ssl.SSLEngine class on my java test code, it can achieve the > desired effect. > The relevant AKKA source code of akka.remoting as follow: > case Some(context) ⇒ > log.debug("Using client SSL context to create SSLEngine ...") > new SslHandler({ > val sslEngine = context.createSSLEngine > sslEngine.setUseClientMode(true) > sslEngine.setEnabledCipherSuites(settings.SSLEnabledAlgorithms. > toArray) > sslEngine.setEnabledProtocols(Array("TLSv1.2")) => Add this > line can resovle my problem, but I don't want to modify AKKA source code > :( > sslEngine > > Is there a way to set ssl option without modify AKKA source code? > Thank you. > > > 在 2016年7月27日星期三 UTC+8上午4:02:45,Will Sargent写道: >> >> You can set the "jdk.tls.client.protocols" system property to set options >> for the JVM -- this is a feature that is only available in JDK 1.8 though. >> >> >> https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols >> >> Otherwise, you would have to set the security >> property jdk.tls.disabledAlgorithms to add TLSv1 specifically. >> >> >> Will Sargent >> Engineer, Lightbend, Inc. >> >> >> On Tue, Jul 26, 2016 at 1:12 AM,wrote: >> >>> Configure file as follow: >>> # Protocol to use for SSL encryption, choose from: >>> # Java 6 & 7: >>> # 'SSLv3', 'TLSv1' >>> # Java 7: >>> # 'TLSv1.1', 'TLSv1.2' >>> protocol = "TLSv1.2" >>> >>> >>> When I use nmap to scan, I find that TLSv1 is enabled: >>> D:\softwares\nmap-7.12>nmap -p --script=ssl* x.x.x.x --unprivileged >>> >>> >>> Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-26 15:33 >>> °?′óà÷2?±ê×?ê±?? >>> Nmap scan report for x.x.x.x >>> Host is up (1.0s latency). >>> PORT STATE SERVICE >>> /tcp open unknown >>> | ssl-enum-ciphers: >>> | TLSv1.0: >>> |ciphers: >>> | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A >>> |compressors: >>> | NULL >>> |cipher preference: indeterminate >>> |cipher preference error: Too few ciphers supported >>> | TLSv1.1: >>> |ciphers: >>> | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A >>> |compressors: >>> | NULL >>> |cipher preference: indeterminate >>> |cipher preference error: Too few ciphers supported >>> | TLSv1.2: >>> |ciphers: >>> | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A >>> |compressors: >>> | NULL >>> |cipher preference: indeterminate >>> |cipher preference error: Too few ciphers supported >>> |_ least strength: A >>> MAC Address: xx:xx:xx:xx:xx:xx >>> >>> >>> Nmap done: 1 IP address (1 host up) scanned in 3.88 seconds >>> >>> >>> D:\softwares\nmap-7.12> >>> >>> I want to disable TLSv1. Any method? >>> Thank you. >>> >>> >>> -- >>> >> Read the docs: http://akka.io/docs/ >>> >> Check the FAQ: >>> http://doc.akka.io/docs/akka/current/additional/faq.html >>> >> Search the archives: >>> https://groups.google.com/group/akka-user >>> --- >>> You received this message because you are subscribed to the Google >>> Groups "Akka User List" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to akka-user+...@googlegroups.com. >>> To post to this group, send email to akka...@googlegroups.com. >>> Visit this group at https://groups.google.com/group/akka-user. >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> -- >> Read the docs: http://akka.io/docs/ >> Check the FAQ: >> http://doc.akka.io/docs/akka/current/additional/faq.html >> Search the archives: https://groups.google.com/group/akka-user --- You received this message because you are subscribed to the Google Groups "Akka User List" group. To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+unsubscr...@googlegroups.com. To post to this group, send email to akka-user@googlegroups.com. Visit this group at https://groups.google.com/group/akka-user. For more options, visit https://groups.google.com/d/optout.
Re: [akka-user] How to disable TLSv1 when I configure "akka.remote.netty.ssl.security.protocol" property as TLSv1.2.
Thank you first for your reply :) I add TLSv1 to jdk.tls.disabledAlgorithms of JRE java.security file, in this way I can resolve the problem, but the modify will globally affect, for example there is a java app needs TLSv1. Otherwise, I have tried "jdk.tls.client.protocols" system property, but it does not achieve the desired effect. I have tried to invoke "setEnabledProtocols" method of javax.net.ssl.SSLEngine class on my java test code, it can achieve the desired effect. The relevant AKKA source code of akka.remoting as follow: case Some(context) ⇒ log.debug("Using client SSL context to create SSLEngine ...") new SslHandler({ val sslEngine = context.createSSLEngine sslEngine.setUseClientMode(true) sslEngine.setEnabledCipherSuites(settings.SSLEnabledAlgorithms. toArray) sslEngine.setEnabledProtocols(Array("TLSv1.2")) => Add this line can resovle my problem, but I don't want to modify AKKA source code :( sslEngine Is there a way to set ssl option without modify AKKA source code? Thank you. 在 2016年7月27日星期三 UTC+8上午4:02:45,Will Sargent写道: > > You can set the "jdk.tls.client.protocols" system property to set options > for the JVM -- this is a feature that is only available in JDK 1.8 though. > > > https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols > > Otherwise, you would have to set the security > property jdk.tls.disabledAlgorithms to add TLSv1 specifically. > > > Will Sargent > Engineer, Lightbend, Inc. > > > On Tue, Jul 26, 2016 at 1:12 AM,> wrote: > >> Configure file as follow: >> # Protocol to use for SSL encryption, choose from: >> # Java 6 & 7: >> # 'SSLv3', 'TLSv1' >> # Java 7: >> # 'TLSv1.1', 'TLSv1.2' >> protocol = "TLSv1.2" >> >> >> When I use nmap to scan, I find that TLSv1 is enabled: >> D:\softwares\nmap-7.12>nmap -p --script=ssl* x.x.x.x --unprivileged >> >> >> Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-26 15:33 >> °?′óà÷2?±ê×?ê±?? >> Nmap scan report for x.x.x.x >> Host is up (1.0s latency). >> PORT STATE SERVICE >> /tcp open unknown >> | ssl-enum-ciphers: >> | TLSv1.0: >> |ciphers: >> | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A >> |compressors: >> | NULL >> |cipher preference: indeterminate >> |cipher preference error: Too few ciphers supported >> | TLSv1.1: >> |ciphers: >> | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A >> |compressors: >> | NULL >> |cipher preference: indeterminate >> |cipher preference error: Too few ciphers supported >> | TLSv1.2: >> |ciphers: >> | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A >> |compressors: >> | NULL >> |cipher preference: indeterminate >> |cipher preference error: Too few ciphers supported >> |_ least strength: A >> MAC Address: xx:xx:xx:xx:xx:xx >> >> >> Nmap done: 1 IP address (1 host up) scanned in 3.88 seconds >> >> >> D:\softwares\nmap-7.12> >> >> I want to disable TLSv1. Any method? >> Thank you. >> >> >> -- >> >> Read the docs: http://akka.io/docs/ >> >> Check the FAQ: >> http://doc.akka.io/docs/akka/current/additional/faq.html >> >> Search the archives: https://groups.google.com/group/akka-user >> --- >> You received this message because you are subscribed to the Google Groups >> "Akka User List" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to akka-user+...@googlegroups.com . >> To post to this group, send email to akka...@googlegroups.com >> . >> Visit this group at https://groups.google.com/group/akka-user. >> For more options, visit https://groups.google.com/d/optout. >> > > -- >> Read the docs: http://akka.io/docs/ >> Check the FAQ: >> http://doc.akka.io/docs/akka/current/additional/faq.html >> Search the archives: https://groups.google.com/group/akka-user --- You received this message because you are subscribed to the Google Groups "Akka User List" group. To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+unsubscr...@googlegroups.com. To post to this group, send email to akka-user@googlegroups.com. Visit this group at https://groups.google.com/group/akka-user. For more options, visit https://groups.google.com/d/optout.
Re: [akka-user] How to disable TLSv1 when I configure "akka.remote.netty.ssl.security.protocol" property as TLSv1.2.
You can set the "jdk.tls.client.protocols" system property to set options for the JVM -- this is a feature that is only available in JDK 1.8 though. https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols Otherwise, you would have to set the security property jdk.tls.disabledAlgorithms to add TLSv1 specifically. Will Sargent Engineer, Lightbend, Inc. On Tue, Jul 26, 2016 at 1:12 AM,wrote: > Configure file as follow: > # Protocol to use for SSL encryption, choose from: > # Java 6 & 7: > # 'SSLv3', 'TLSv1' > # Java 7: > # 'TLSv1.1', 'TLSv1.2' > protocol = "TLSv1.2" > > > When I use nmap to scan, I find that TLSv1 is enabled: > D:\softwares\nmap-7.12>nmap -p --script=ssl* x.x.x.x --unprivileged > > > Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-26 15:33 > °?′óà÷2?±ê×?ê±?? > Nmap scan report for x.x.x.x > Host is up (1.0s latency). > PORT STATE SERVICE > /tcp open unknown > | ssl-enum-ciphers: > | TLSv1.0: > |ciphers: > | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A > |compressors: > | NULL > |cipher preference: indeterminate > |cipher preference error: Too few ciphers supported > | TLSv1.1: > |ciphers: > | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A > |compressors: > | NULL > |cipher preference: indeterminate > |cipher preference error: Too few ciphers supported > | TLSv1.2: > |ciphers: > | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A > |compressors: > | NULL > |cipher preference: indeterminate > |cipher preference error: Too few ciphers supported > |_ least strength: A > MAC Address: xx:xx:xx:xx:xx:xx > > > Nmap done: 1 IP address (1 host up) scanned in 3.88 seconds > > > D:\softwares\nmap-7.12> > > I want to disable TLSv1. Any method? > Thank you. > > > -- > >> Read the docs: http://akka.io/docs/ > >> Check the FAQ: > http://doc.akka.io/docs/akka/current/additional/faq.html > >> Search the archives: https://groups.google.com/group/akka-user > --- > You received this message because you are subscribed to the Google Groups > "Akka User List" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to akka-user+unsubscr...@googlegroups.com. > To post to this group, send email to akka-user@googlegroups.com. > Visit this group at https://groups.google.com/group/akka-user. > For more options, visit https://groups.google.com/d/optout. > -- >> Read the docs: http://akka.io/docs/ >> Check the FAQ: >> http://doc.akka.io/docs/akka/current/additional/faq.html >> Search the archives: https://groups.google.com/group/akka-user --- You received this message because you are subscribed to the Google Groups "Akka User List" group. To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+unsubscr...@googlegroups.com. To post to this group, send email to akka-user@googlegroups.com. Visit this group at https://groups.google.com/group/akka-user. For more options, visit https://groups.google.com/d/optout.
[akka-user] How to disable TLSv1 when I configure "akka.remote.netty.ssl.security.protocol" property as TLSv1.2.
Configure file as follow: # Protocol to use for SSL encryption, choose from: # Java 6 & 7: # 'SSLv3', 'TLSv1' # Java 7: # 'TLSv1.1', 'TLSv1.2' protocol = "TLSv1.2" When I use nmap to scan, I find that TLSv1 is enabled: D:\softwares\nmap-7.12>nmap -p --script=ssl* x.x.x.x --unprivileged Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-26 15:33 °?′óà÷2?±ê×?ê±?? Nmap scan report for x.x.x.x Host is up (1.0s latency). PORT STATE SERVICE /tcp open unknown | ssl-enum-ciphers: | TLSv1.0: |ciphers: | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A |compressors: | NULL |cipher preference: indeterminate |cipher preference error: Too few ciphers supported | TLSv1.1: |ciphers: | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A |compressors: | NULL |cipher preference: indeterminate |cipher preference error: Too few ciphers supported | TLSv1.2: |ciphers: | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A |compressors: | NULL |cipher preference: indeterminate |cipher preference error: Too few ciphers supported |_ least strength: A MAC Address: xx:xx:xx:xx:xx:xx Nmap done: 1 IP address (1 host up) scanned in 3.88 seconds D:\softwares\nmap-7.12> I want to disable TLSv1. Any method? Thank you. -- >> Read the docs: http://akka.io/docs/ >> Check the FAQ: >> http://doc.akka.io/docs/akka/current/additional/faq.html >> Search the archives: https://groups.google.com/group/akka-user --- You received this message because you are subscribed to the Google Groups "Akka User List" group. To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+unsubscr...@googlegroups.com. To post to this group, send email to akka-user@googlegroups.com. Visit this group at https://groups.google.com/group/akka-user. For more options, visit https://groups.google.com/d/optout.