Disable SSLv3 to avoid POODLE vulnerability
Related: #3031 Motivation: The only way to protect ourselves from POODLE vulnerability in Java for now is to disable SSLv3. - http://en.wikipedia.org/wiki/POODLE - https://blogs.oracle.com/security/entry/information_about_ssl_poodle_vulnerability Modifivation: Disable SSLv3 in SslContext implementations Result: Prevent POODLE vulnerability when a user used SslContext with the default configuration
This commit is contained in:
parent
f3ef94d35e
commit
a1af35313c
@ -55,7 +55,7 @@ public abstract class JdkSslContext extends SslContext {
|
|||||||
List<String> protocols = new ArrayList<String>();
|
List<String> protocols = new ArrayList<String>();
|
||||||
addIfSupported(
|
addIfSupported(
|
||||||
supportedProtocols, protocols,
|
supportedProtocols, protocols,
|
||||||
"TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3");
|
"TLSv1.2", "TLSv1.1", "TLSv1");
|
||||||
|
|
||||||
if (!protocols.isEmpty()) {
|
if (!protocols.isEmpty()) {
|
||||||
PROTOCOLS = protocols.toArray(new String[protocols.size()]);
|
PROTOCOLS = protocols.toArray(new String[protocols.size()]);
|
||||||
|
@ -170,6 +170,7 @@ public final class OpenSslServerContext extends SslContext {
|
|||||||
|
|
||||||
SSLContext.setOptions(ctx, SSL.SSL_OP_ALL);
|
SSLContext.setOptions(ctx, SSL.SSL_OP_ALL);
|
||||||
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv2);
|
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv2);
|
||||||
|
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv3);
|
||||||
SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
|
SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
|
||||||
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_ECDH_USE);
|
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_ECDH_USE);
|
||||||
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_DH_USE);
|
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_DH_USE);
|
||||||
|
Loading…
Reference in New Issue
Block a user