Hello,
with the Java 7u76 update the default security setting is, that SSL3 is
banned.
At first I thought, this would reflect in enabled and supported protocols,
however the list of supported protocols still contain SSL3 and I can also
enable SSL3 and this is reflected on the getEnabledProtocols():
1.7.0_76 Oracle Corporation jdk.tls.disabledAlgorithms=SSLv3
Default Protocols, enabled: [TLSv1] supported: [SSLv2Hello, SSLv3, TLSv1,
TLSv1.1, TLSv1.2]
Set SSL3+TLSv1, enabled: [SSLv3, TLSv1]
Set SSL3, enabled: [SSLv3]
Now handshaking...
Exception in thread "main" javax.net.ssl.SSLHandshakeException: No
appropriate protocol (protocol is disabled or cipher suites are
inappropriate)
Only at handshake time it looks, like the disabled check is done.
I wonder would it be cleaner to remove it from the supported set and not
keep it in the enabled set (but accept the setEnabled for backward
compatibility).
Gruss
Bernd
PS: testcode:
//Security.setProperty("jdk.tls.disabledAlgorithms", "");
System.out.printf("%s %s jdk.tls.disabledAlgorithms=%s%n",
System.getProperty("java.version", "?"), System.getProperty("java.vendor",
"?"), Security.getProperty("jdk.tls.disabledAlgorithms"));
SSLSocket s =
(SSLSocket)SSLSocketFactory.getDefault().createSocket("www.google.com",
443);
System.out.printf("Default Protocols, enabled: %s supported: %s%n",
Arrays.toString(s.getEnabledProtocols()),
Arrays.toString(s.getSupportedProtocols()));
s.setEnabledProtocols(new String[]{ "SSLv3", "TLSv1"});
System.out.printf("Set SSL3+TLSv1, enabled: %s%n",
Arrays.toString(s.getEnabledProtocols()));
s.setEnabledProtocols(new String[]{ "SSLv3"});
System.out.printf("Set SSL3, enabled: %s%nNow handshaking...%n",
Arrays.toString(s.getEnabledProtocols()));
s.startHandshake();
System.out.println("Ciper " + s.getSession().getCipherSuite() + "
(" + s.getSession().getProtocol() + ")");
