Disable SSLv3 to avoid POODLE vulnerability

Related: #3031

Motivation:

The only way to protect ourselves from POODLE vulnerability in Java for
now is to disable SSLv3.

- http://en.wikipedia.org/wiki/POODLE
- https://blogs.oracle.com/security/entry/information_about_ssl_poodle_vulnerability

Modifivation:

Disable SSLv3 in SslContext implementations

Result:

Prevent POODLE vulnerability when a user used SslContext with the
default configuration
This commit is contained in:
Trustin Lee 2014-10-21 13:55:32 +09:00
parent c1e398a92c
commit 605c79ca59
2 changed files with 5 additions and 5 deletions

View File

@ -20,6 +20,9 @@ import io.netty.buffer.ByteBufAllocator;
import io.netty.util.internal.logging.InternalLogger;
import io.netty.util.internal.logging.InternalLoggerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSessionContext;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
@ -27,10 +30,6 @@ import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSessionContext;
/**
* An {@link SslContext} which uses JDK's SSL/TLS implementation.
*/
@ -64,7 +63,7 @@ public abstract class JdkSslContext extends SslContext {
List<String> protocols = new ArrayList<String>();
addIfSupported(
supportedProtocolsSet, protocols,
"TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3");
"TLSv1.2", "TLSv1.1", "TLSv1");
if (!protocols.isEmpty()) {
PROTOCOLS = protocols.toArray(new String[protocols.size()]);

View File

@ -160,6 +160,7 @@ public final class OpenSslServerContext extends SslContext {
SSLContext.setOptions(ctx, SSL.SSL_OP_ALL);
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv2);
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv3);
SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_ECDH_USE);
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_DH_USE);