Re: Force TLSv1.2 or higher for the server

2018-07-09 Thread Bryan Pendleton
There was a similar, but not identical, discussion around these topics
four years ago, when the code was changed to remove SSLv3 and SSLv2
support. See DERBY-6764 for the full details.

I think it would certainly be possible to change the code in a similar way
to allow more configurability, but I am not sure of the implications, and if
it is similar to the DERBY-6764 work, a fair amount of testing is required.

According to this article:
https://blogs.oracle.com/java-platform-group/jdk-8-will-use-tls-12-as-default
you might investigate using the deployment.security.TLSvX.Y=false
system property.

Perhaps you could investigate whether the referenced blog article
allows a configuration that suits your needs?

Please let us know what you learn!

thanks,

bryan


On Mon, Jul 9, 2018 at 3:25 AM, Peter  wrote:
> Hello,
>
> I cannot find a way to force the server to just use TLSv1.2. Currently
> it says:
>
> Apache Derby Network Server - 10.13.1.1 - (1765088) Enabled Protocols
> are TLSv1, TLSv1.1, TLSv1.2
>
> even when using
>
> -Dhttps.protocols=TLSv1.2
>
> or similar settings found on the internet. Then I saw in the source:
>
> SSLContext ctx = SSLContext.getInstance("TLS");
>
> https://github.com/apache/derby/blob/f16c46cbdd5be8dd9bdcee935ec1f68970146478/java/org.apache.derby.commons/org/apache/derby/shared/common/drda/NaiveTrustManager.java#L73
>
> that it seems to ignore command line settings. Is it possible to add
> such a property or a different workaround to avoid older TLS versions?
>
> Regards
> Peter
>


Register now for ApacheCon and save $250

2018-07-09 Thread Rich Bowen

Greetings, Apache software enthusiasts!

(You’re getting this because you’re on one or more dev@ or users@ lists 
for some Apache Software Foundation project.)


ApacheCon North America, in Montreal, is now just 80 days away, and 
early bird prices end in just two weeks - on July 21. Prices will be 
going up from $550 to $800 so register NOW to save $250, at 
http://apachecon.com/acna18


And don’t forget to reserve your hotel room. We have negotiated a 
special rate and the room block closes August 24. 
http://www.apachecon.com/acna18/venue.html


Our schedule includes over 100 talks and we’ll be featuring talks from 
dozens of ASF projects. We have inspiring keynotes from some of the 
brilliant members of our community and the wider tech space, including:


 * Myrle Krantz, PMC chair for Apache Fineract, and leader in the open source financing space
 * Cliff Schmidt, founder of Literacy Bridge (now Amplio) and creator of the Talking Book project
 * Bridget Kromhout, principal cloud developer advocate at Microsoft
 * Euan McLeod, Comcast engineer, and pioneer in streaming video

We’ll also be featuring tracks for Geospatial science, Tomcat, 
Cloudstack, and Big Data, as well as numerous other fields where Apache 
software is leading the way. See the full schedule at 
http://apachecon.com/acna18/schedule.html


As usual we’ll be running our Apache BarCamp, the traditional ApacheCon 
Hackathon, and the Wednesday evening Lightning Talks, too, so you’ll want 
to be there.


Register today at http://apachecon.com/acna18 and we’ll see you in Montreal!

--
Rich Bowen
VP, Conferences, The Apache Software Foundation
h...@apachecon.com
@ApacheCon


Force TLSv1.2 or higher for the server

2018-07-09 Thread Peter
Hello,

I cannot find a way to force the server to just use TLSv1.2. Currently
it says:

Apache Derby Network Server - 10.13.1.1 - (1765088) Enabled Protocols
are TLSv1, TLSv1.1, TLSv1.2

even when using

-Dhttps.protocols=TLSv1.2

or similar settings found on the internet. Then I saw in the source:

SSLContext ctx = SSLContext.getInstance("TLS");

https://github.com/apache/derby/blob/f16c46cbdd5be8dd9bdcee935ec1f68970146478/java/org.apache.derby.commons/org/apache/derby/shared/common/drda/NaiveTrustManager.java#L73

that it seems to ignore command line settings. Is it possible to add
such a property or a different workaround to avoid older TLS versions?

Regards
Peter
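The behaviour Peter reports (and the configurability Bryan discusses above) comes down to how the JDK decides which protocols a freshly created SSLContext enables. The following is an added example, not Derby's code: it inspects what a server socket built from SSLContext.getInstance("TLS") would offer, then shows the two standard JSSE ways of narrowing that to TLSv1.2 or newer, per socket via setEnabledProtocols and JVM-wide via the jdk.tls.disabledAlgorithms security property. The class name TlsProtocolCheck and the method names are my own; the -Dhttps.protocols property from the original post only affects HttpsURLConnection clients, which is why it has no effect on a server socket.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/** Added example (not Derby code): what SSLContext.getInstance("TLS") enables
 *  by default, and two ways of narrowing it to TLSv1.2 or newer. */
public class TlsProtocolCheck {

    /** Protocols a server socket created from ctx would negotiate. */
    static String[] enabledProtocols(SSLContext ctx) throws Exception {
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        // Port 0 binds an ephemeral port; the socket exists only to read its settings.
        try (SSLServerSocket socket = (SSLServerSocket) factory.createServerSocket(0)) {
            return socket.getEnabledProtocols();
        }
    }

    /** Way 1, per socket: keep only the listed protocols that the provider supports.
     *  This is what server code that owns the socket can do (Derby's DRDA server
     *  does not expose such a setting, per the thread). */
    static String[] restrictSocket(SSLServerSocket socket, String... allowed) {
        List<String> supported = Arrays.asList(socket.getSupportedProtocols());
        List<String> chosen = new ArrayList<>();
        for (String protocol : allowed) {
            if (supported.contains(protocol)) {
                chosen.add(protocol);
            }
        }
        socket.setEnabledProtocols(chosen.toArray(new String[0]));
        return socket.getEnabledProtocols();
    }

    /** Way 2, JVM-wide: append protocol names to jdk.tls.disabledAlgorithms.
     *  SunJSSE reads this property once when the provider initialises, so it must be
     *  set before the first SSLContext is created. For a JVM whose code you do not
     *  control (the Derby Network Server), put the same text into java.security or
     *  a file passed with -Djava.security.properties=<file>. */
    static void disableJvmWide(String... protocols) {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        String extra = String.join(", ", protocols);
        Security.setProperty("jdk.tls.disabledAlgorithms",
                (current == null || current.isEmpty()) ? extra : current + ", " + extra);
    }

    public static void main(String[] args) throws Exception {
        // Must happen before any SSLContext is created in this JVM (see above).
        if (args.length > 0 && args[0].equals("--harden")) {
            disableJvmWide("TLSv1", "TLSv1.1");
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // no key material is needed just to inspect protocols
        System.out.println("enabled by default : " + Arrays.toString(enabledProtocols(ctx)));

        try (SSLServerSocket socket =
                     (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0)) {
            System.out.println("provider supports  : " + Arrays.toString(socket.getSupportedProtocols()));
            System.out.println("after restrictSocket: "
                    + Arrays.toString(restrictSocket(socket, "TLSv1.3", "TLSv1.2")));
        }
    }
}
```

Run it once without arguments to see the enabled list the JDK hands out by default (on JDK 8 of the era this matches the "TLSv1, TLSv1.1, TLSv1.2" line Derby prints), and once with --harden to see the JVM-wide property take effect. The java.security route is the one that applies to a Derby server started from the stock scripts, since the server never calls setEnabledProtocols itself; verify the result against the "Enabled Protocols are" line in the server's startup output rather than trusting the property alone.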



Fwd: Got a security exception calling SQLJ.INSTALL_JAR with Derby 10.14

2018-07-09 Thread Bryan Pendleton
Yes, this is a known result of DERBY-6987. The default security
policy file for Derby no longer allows unlimited access to your
computer's local filesystem.

Please see these resources for how to adjust your security settings to
explicitly authorize loading your jar into Derby:

http://db.apache.org/derby/releases/release-10.14.2.0.cgi

https://db.apache.org/derby/docs/10.14/security/csecjavasecurity.html

In particular, see the section on "Backups/imports/jars".

thanks,

bryan



-- Forwarded message --
From:  
Date: Sun, Jul 8, 2018 at 11:22 PM
Subject: Got a security exception calling SQLJ.INSTALL_JAR with Derby 10.14
To: bpendleton.de...@gmail.com


Hi Bryan,

I got the following exception with derby 10.14. This exception does not
occur with derby 10.13 but does occur now that I have upgraded to
10.14.2.0.

[sql] Failed to execute:  CALL SQLJ.INSTALL_JAR('./demo.jar',
'CSEM.csemderby', 0)
[sql] java.sql.SQLTransactionRollbackException: The exception
'java.security.AccessControlException: access denied
("java.io.FilePermission" "./demo.jar" "read")' was thrown while
evaluating an expression.

I got the following info in derby.log file.

Wed Jul 04 14:25:03 CST 2018 : Security manager installed using the
Basic server security policy.
Wed Jul 04 14:25:03 CST 2018 : Apache Derby Network Server - 10.14.2.0
- (1828579) started and ready to accept connections on port 1527

The application that is starting the JVM that is running Derby Network
Server has not changed. Only the version of Derby has changed.
So could you please give me any advice to solve the issue?

Any pointers will be greatly appreciated.


Thanks.
Yan
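The exception in Yan's report is the security manager refusing a java.io.FilePermission "read" on the jar, which is exactly the check the server's policy file has to grant. The following is an added example, not Derby code: a small pre-flight that asks the running security manager the same question INSTALL_JAR triggers, resolving the relative path first (FilePermission targets are canonical paths, so "./demo.jar" only matches if the policy names the directory the server actually runs in), and prints the shape of the grant an administrator would add. JarReadCheck, checkReadable and policyGrant are my own names; CODEBASE_URL is a placeholder for the codeBase entry of the Derby jar in the server's policy file, which the Derby security documentation linked above describes.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.security.AccessControlException;
import java.security.AccessController;

/** Added example (not Derby code): reproduce the FilePermission check that
 *  SQLJ.INSTALL_JAR runs into under the Derby server security policy. */
public class JarReadCheck {

    /** Returns null if the calling code may read the jar, otherwise the denied permission. */
    static String checkReadable(String jarPath) {
        String canonical;
        try {
            // "./demo.jar" becomes an absolute path; this is what the policy must match.
            canonical = new File(jarPath).getCanonicalPath();
        } catch (IOException e) {
            return "cannot resolve " + jarPath + ": " + e.getMessage();
        }
        if (System.getSecurityManager() == null) {
            return null; // no security manager installed: nothing is denied
        }
        try {
            AccessController.checkPermission(new FilePermission(canonical, "read"));
            return null;
        } catch (AccessControlException e) {
            return String.valueOf(e.getPermission());
        }
    }

    /** Policy grant for every file under jarDir. CODEBASE_URL is a placeholder for the
     *  codeBase of the Derby jar in the server policy file; the grant must attach to
     *  the code that performs the read, which is Derby, not the SQL client. */
    static String policyGrant(String jarDir) {
        // Policy files use Java string escapes, so backslashes (Windows) must be doubled.
        String escaped = jarDir.replace("\\", "\\\\");
        return "grant codeBase \"CODEBASE_URL\" {\n"
             + "    permission java.io.FilePermission \"" + escaped + "${/}-\", \"read\";\n"
             + "};";
    }

    public static void main(String[] args) {
        String jar = args.length > 0 ? args[0] : "./demo.jar";   // constructed sample path
        String denied = checkReadable(jar);
        if (denied == null) {
            System.out.println("read permitted for " + jar);
            return;
        }
        System.out.println("denied: " + denied);
        String dir = new File(jar).getAbsoluteFile().getParent();
        System.out.println("grant to add to the server policy file:\n" + policyGrant(dir));
    }
}
```

Run it with -Djava.security.manager and -Djava.security.policy pointing at the same policy the server uses to see the denial; without a security manager it simply reports the read as permitted, which is the 10.13 behaviour Yan saw. Prefer an absolute directory with a trailing "-" (recursive) or "*" (one level) in the grant over the literal relative path from the CALL statement, and grant only the directory holding the jars rather than reopening the whole filesystem that DERBY-6987 closed.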

