Disable SSLv3 to avoid POODLE vulnerability

Related: #3031

Motivation:

The only way to protect ourselves from POODLE vulnerability in Java for
now is to disable SSLv3.

- http://en.wikipedia.org/wiki/POODLE
- https://blogs.oracle.com/security/entry/information_about_ssl_poodle_vulnerability

Modifivation:

Disable SSLv3 in SslContext implementations

Result:

Prevent POODLE vulnerability when a user used SslContext with the
default configuration
This commit is contained in:
Trustin Lee 2014-10-21 13:55:32 +09:00
parent f3ef94d35e
commit a1af35313c
2 changed files with 2 additions and 1 deletions

View File

@ -55,7 +55,7 @@ public abstract class JdkSslContext extends SslContext {
List<String> protocols = new ArrayList<String>(); List<String> protocols = new ArrayList<String>();
addIfSupported( addIfSupported(
supportedProtocols, protocols, supportedProtocols, protocols,
"TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3"); "TLSv1.2", "TLSv1.1", "TLSv1");
if (!protocols.isEmpty()) { if (!protocols.isEmpty()) {
PROTOCOLS = protocols.toArray(new String[protocols.size()]); PROTOCOLS = protocols.toArray(new String[protocols.size()]);

View File

@ -170,6 +170,7 @@ public final class OpenSslServerContext extends SslContext {
SSLContext.setOptions(ctx, SSL.SSL_OP_ALL); SSLContext.setOptions(ctx, SSL.SSL_OP_ALL);
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv2); SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv2);
SSLContext.setOptions(ctx, SSL.SSL_OP_NO_SSLv3);
SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE); SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_ECDH_USE); SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_ECDH_USE);
SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_DH_USE); SSLContext.setOptions(ctx, SSL.SSL_OP_SINGLE_DH_USE);