2
votes

I wrote some test code (not HTTPS) to test TLS with JDK8. While the test code is running, I use the nmap tool to scan it and get the following result:

D:\softwares\nmap-7.12>nmap -p xxxx --script=ssl* x.x.x.x --unprivileged


Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-26 15:33 W. Australia Standard Time
Nmap scan report for x.x.x.x
Host is up (1.0s latency).
PORT     STATE  SERVICE
xxxx/tcp open unknown
| ssl-enum-ciphers:
|  TLSv1.0:
|    ciphers:
|      TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A
|    compressors:
|      NULL
|    cipher preference: indeterminate
|    cipher preference error: Too few ciphers supported
|  TLSv1.1:
|    ciphers:
|      TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A
|    compressors:
|      NULL
|    cipher preference: indeterminate
|    cipher preference error: Too few ciphers supported
|  TLSv1.2:
|    ciphers:
|      TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A
|    compressors:
|      NULL
|    cipher preference: indeterminate
|    cipher preference error: Too few ciphers supported
|_ least strength: A
MAC Address: xx:xx:xx:xx:xx:xx


Nmap done: 1 IP address (1 host up) scanned in 3.88 seconds


D:\softwares\nmap-7.12>

JDK8 enables TLSv1.0 by default, but I want to disable it.

Protocols
The SunJSSE provider supports the following protocol parameters:
Protocol    Enabled by Default for Client   Enabled by Default for Server
SSLv3       No (Unavailable, Footnote 2)     No (Unavailable, Footnote 2)
TLSv1       Yes                             Yes
TLSv1.1     Yes                             Yes
TLSv1.2     Yes                             Yes

https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols

I invoke the "setEnabledProtocols" method of the javax.net.ssl.SSLEngine class in my test code, and TLSv1.0 can be disabled perfectly. Is there a way to disable TLSv1.0 without changing code, for example via a configuration file?
I tried the following methods, but none of them achieves the desired effect :(
1. -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2
2. -Ddeployment.security.TLSv1=false

Here is the java version:

java version "1.8.0_92"
Java(TM) SE Runtime Environment (build 1.8.0_92-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.92-b14, mixed mode)

2 Answers

1
votes

You appear to be writing a server, and jdk.tls.client.protocols applies to clients, hence the name. Although slightly less obvious, in basic Java SE 'deployment' means browser-or-WebStart, which is a subset of client.

There is no property specifically for TLS (or HTTPS) server protocols, but the security property jdk.tls.disabledAlgorithms applies to both client and server (and all context types also) and can be set in JRE/lib/security/java.security as stated in the page you linked. Be sure to keep the existing restrictions (especially removing SSLv3, since 8u31) while adding yours.

1
votes

Thank you for your reply. If I modify JRE/lib/security/java.security, that will have a global impact.

Here is my solution: copy JRE/lib/security/java.security to a new file and add TLSv1 to jdk.tls.disabledAlgorithms.
Then start the JVM like this:
java -Djava.security.properties=./java.security -jar xxxxx

Here is the summary from JRE/lib/security/java.security:

#
# This is the "master security properties file".
#
# An alternate java.security properties file may be specified
# from the command line via the system property
#
#    -Djava.security.properties=<URL>
#
# This properties file appends to the master security properties file.
# If both properties files specify values for the same key, the value
# from the command-line properties file is selected, as it is the last
# one loaded.
#
# Also, if you specify
#
#    -Djava.security.properties==<URL> (2 equals),
#

#
# Determines whether this properties file can be appended to
# or overridden on the command line via -Djava.security.properties
#
security.overridePropertiesFile=true
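The steps in this answer, combined with the caveat from the first answer (the override replaces the whole jdk.tls.disabledAlgorithms value, so the master file's existing entries such as SSLv3 and RC4 must be carried over), as an added shell example that is not part of either post. The function names (read_property, make_override, write_sample_master) and the java.security excerpt it writes are constructed for illustration; the excerpt resembles a JDK 8 master file but is not copied from one.

```shell
#!/bin/sh
# Added example, not from the thread: build a per-JVM java.security override that
# adds TLSv1 to jdk.tls.disabledAlgorithms without losing the master file's entries.

# read_property FILE KEY: print KEY's value from a java.security file, joining
# backslash-continued lines and skipping commented-out copies of the key.
read_property() {
    awk -v key="$2" '
        {
            if (!found) {
                if (index($0, key "=") != 1) next   # comment lines and other keys
                found = 1
                line = substr($0, length(key) + 2)
            } else {
                line = $0
                sub(/^[ \t]+/, "", line)            # indentation of a continuation line
            }
            if (line ~ /\\$/) { sub(/\\$/, "", line); val = val line; next }
            val = val line
            print val
            exit
        }' "$1"
}

# make_override MASTER OUT ALGO...: write OUT so that jdk.tls.disabledAlgorithms
# keeps MASTER's value and gains the given entries (no duplicates); print the result.
make_override() {
    master="$1"; out="$2"; shift 2
    merged=$(read_property "$master" jdk.tls.disabledAlgorithms |
             sed 's/[[:space:]]*,[[:space:]]*/, /g')
    for extra in "$@"; do
        if [ -z "$merged" ]; then
            merged="$extra"                          # key absent in master
        else
            case ", $merged, " in
                *", $extra, "*) ;;                   # already disabled
                *) merged="$merged, $extra" ;;
            esac
        fi
    done
    printf 'jdk.tls.disabledAlgorithms=%s\n' "$merged" > "$out"
    printf '%s\n' "$merged"
}

# write_sample_master FILE: constructed stand-in for JRE/lib/security/java.security.
write_sample_master() {
    cat > "$1" <<'EOF'
# constructed excerpt resembling JDK 8's JRE/lib/security/java.security
security.overridePropertiesFile=true
#   jdk.tls.disabledAlgorithms=SSLv3
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \
    EC keySize < 224
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
EOF
}

# Demo: generate the override next to a sample master and show the launch command.
work=$(mktemp -d)
write_sample_master "$work/java.security"
make_override "$work/java.security" "$work/tls.security" TLSv1 >/dev/null
cat "$work/tls.security"
echo "launch: java -Djava.security.properties=$work/tls.security -jar app.jar"
```

With a single "=" in -Djava.security.properties the override file is appended to the master, so only the keys it names are replaced and security.overridePropertiesFile=true in the master is what makes this work; with "==" (two equals) the override replaces the master file entirely, so the file would then have to carry every property. After starting the server this way, re-run the nmap ssl-enum-ciphers scan from the question: the TLSv1.0 block should disappear while TLSv1.1 and TLSv1.2 remain.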