Re: [akka-user] How to disable TLSv1 when I configure "akka.remote.netty.ssl.security.protocol" property as TLSv1.2.

2016-08-01 Thread Will Sargent
> Otherwise, I have tried "jdk.tls.client.protocols" system property, but
> it does not achieve the desired effect.

Okay -- "jdk.tls.client.protocols" disables SSL from a client
perspective ONLY.  Akka remoting is from a server context.  And
"https.protocol" is only good for an HttpsURLConnection, not for SSLEngine.

If you want to disable it from the server perspective and you want to do it
on a specific SSL context, then you have to call setAlgorithmConstraints
directly:

// getDefaultSSLParameters() clones a new instance from the context's defaults
val sslParameters = sslContext.getDefaultSSLParameters()
// peerHost, peerPort and algConstraints are supplied by the caller
val sslEngine = sslContext.createSSLEngine(peerHost, peerPort)
sslParameters.setAlgorithmConstraints(algConstraints)
sslEngine.setSSLParameters(sslParameters)

Otherwise, if you want disabled algorithms the only reliable way to set it
is:

java -Djava.security.properties=disabledAlgorithms.properties

Wrote more about this in
https://tersesystems.com/2014/01/13/fixing-the-most-dangerous-code-in-the-world/

Adding this to the Akka issue so Konrad doesn't have to...



--
Will Sargent
*Engineer, Lightbend, Inc.*
will.sarg...@lightbend.com
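
Added example (not part of the original thread, and not Akka's code or the patch in PR 21078): an SSLContext obtained with getInstance("TLSv1.2") does not by itself limit an engine to TLSv1.2, which matches the nmap result reported in this thread, while setEnabledProtocols pins the list on the engine. The names PinTlsProtocol, newEngine and legacyEnabled are hypothetical, and the sketch assumes the configured protocol name is what gets passed to SSLContext.getInstance.

```scala
import javax.net.ssl.{SSLContext, SSLEngine}

// Hypothetical helper, written for this example only.
object PinTlsProtocol {
  // Names older than TLSv1.2, including the SSLv2Hello compatibility format.
  private val Legacy = Set("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1")

  // Create a server-side engine from a context of the given protocol name,
  // optionally pinning the enabled protocol list on the engine itself.
  def newEngine(contextProtocol: String, pin: Option[Seq[String]]): SSLEngine = {
    val context = SSLContext.getInstance(contextProtocol)
    context.init(null, null, null) // JVM default key and trust managers
    val engine = context.createSSLEngine()
    engine.setUseClientMode(false) // the listening side is what a scanner probes
    pin.foreach { wanted =>
      // setEnabledProtocols rejects names the provider does not support,
      // so check against the supported list and fail with a clear message.
      val supported = engine.getSupportedProtocols.toSet
      val usable = wanted.filter(p => supported.contains(p))
      require(usable.nonEmpty, "no usable protocol in: " + wanted.mkString(", "))
      engine.setEnabledProtocols(usable.toArray)
    }
    engine
  }

  // Legacy protocol names the engine would still negotiate.
  def legacyEnabled(engine: SSLEngine): Seq[String] =
    engine.getEnabledProtocols.toSeq.filter(p => Legacy.contains(p))

  def main(args: Array[String]): Unit = {
    val contextOnly = newEngine("TLSv1.2", None)
    val pinned = newEngine("TLSv1.2", Some(Seq("TLSv1.2")))
    println("context only: " + contextOnly.getEnabledProtocols.mkString(", "))
    println("pinned:       " + pinned.getEnabledProtocols.mkString(", "))
    println("legacy left without pinning: " + legacyEnabled(contextOnly).mkString(", "))
    // Fail the check if the pinned engine can still fall back.
    require(legacyEnabled(pinned).isEmpty, "legacy protocol still enabled after pinning")
  }
}
```

What the first line prints depends on the JDK and on jdk.tls.disabledAlgorithms, so running it with the same JVM flags as the Akka node (for example the -Djava.security.properties file mentioned above) shows what that setting leaves enabled.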



Re: [akka-user] How to disable TLSv1 when I configure "akka.remote.netty.ssl.security.protocol" property as TLSv1.2.

2016-07-31 Thread Konrad 'ktoso' Malawski
That seems like a good catch indeed!
Thanks for finding this.

I've made an issue and PR for it: 
https://github.com/akka/akka/issues/21077
https://github.com/akka/akka/pull/21078

If reviewed by team we could include this patch very soon.

Thanks for reporting!

-- Konrad


-- 
>>  Read the docs: http://akka.io/docs/
>>  Check the FAQ: 
>> http://doc.akka.io/docs/akka/current/additional/faq.html
>>  Search the archives: https://groups.google.com/group/akka-user
--- 
You received this message because you are subscribed to the Google Groups "Akka 
User List" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to akka-user+unsubscr...@googlegroups.com.
To post to this group, send email to akka-user@googlegroups.com.
Visit this group at https://groups.google.com/group/akka-user.
For more options, visit https://groups.google.com/d/optout.


Re: [akka-user] How to disable TLSv1 when I configure "akka.remote.netty.ssl.security.protocol" property as TLSv1.2.

2016-07-28 Thread yinzhonghong
Thank you first for your reply :)

I added TLSv1 to jdk.tls.disabledAlgorithms in the JRE java.security file.
This way I can resolve the problem, but the modification takes effect
globally; for example, there is a Java app that needs TLSv1.
Otherwise, I have tried the "jdk.tls.client.protocols" system property, but it
does not achieve the desired effect.

I have tried invoking the "setEnabledProtocols" method
of the javax.net.ssl.SSLEngine class in my Java test code, and it achieves the
desired effect.
The relevant Akka source code of akka.remoting is as follows:
case Some(context) ⇒
  log.debug("Using client SSL context to create SSLEngine ...")
  new SslHandler({
    val sslEngine = context.createSSLEngine
    sslEngine.setUseClientMode(true)
    sslEngine.setEnabledCipherSuites(settings.SSLEnabledAlgorithms.toArray)
    // Adding this line resolves my problem, but I don't want to modify the Akka source code :(
    sslEngine.setEnabledProtocols(Array("TLSv1.2"))
    sslEngine
  })

Is there a way to set the SSL option without modifying the Akka source code?
Thank you.





Re: [akka-user] How to disable TLSv1 when I configure "akka.remote.netty.ssl.security.protocol" property as TLSv1.2.

2016-07-26 Thread Will Sargent
You can set the "jdk.tls.client.protocols" system property to set options
for the JVM -- this is a feature that is only available in JDK 1.8 though.

https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols

Otherwise, you would have to set the security
property jdk.tls.disabledAlgorithms to add TLSv1 specifically.


Will Sargent
Engineer, Lightbend, Inc.





[akka-user] How to disable TLSv1 when I configure "akka.remote.netty.ssl.security.protocol" property as TLSv1.2.

2016-07-26 Thread yinzhonghong
The configuration file is as follows:
# Protocol to use for SSL encryption, choose from:
# Java 6 & 7:
#   'SSLv3', 'TLSv1'
# Java 7:
#   'TLSv1.1', 'TLSv1.2'
protocol = "TLSv1.2"


When I use nmap to scan, I find that TLSv1 is enabled:
D:\softwares\nmap-7.12>nmap -p  --script=ssl* x.x.x.x --unprivileged


Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-26 15:33
Nmap scan report for x.x.x.x
Host is up (1.0s latency).
PORT STATE  SERVICE
/tcp open unknown
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|_ least strength: A
MAC Address: xx:xx:xx:xx:xx:xx


Nmap done: 1 IP address (1 host up) scanned in 3.88 seconds


D:\softwares\nmap-7.12>

I want to disable TLSv1. Any method?
Thank you.

