Fixing POODLE Issue, need help on SSLContext.getInstance(“TLS”)
Question
All,
Iam in process of fixing a security vulnerability issue(see below link) in code. http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
At places we have used the below ssl context to make secure communications
SSLContext.getInstance("TLS")(package: javax.net.ssl).
I know getInstance takes a protocol string value, but question is what does "TLS" means by value, ie, is it same as TLS1.0? Similarly what does "SSL" means by value, is it same as "SSLv3"?
Is there a way to mention "TLS_FALLBACK_SCSV" while creating the context to fix this vulnerability? One way we are thinking is to disable ssl and use only TLS1.2, but to make it back ward compatible, is there a way to specify fall back option as mentioned in article, this option if any can be passed to api calls while creating ssl context?
Thanks! Santhosh
1 answers
solution1
1 2014-10-27 19:25:25
I've been working on the same issue. In short, SSLContext.getInstance("TLS") does not exclude SSLv3 from the list of supported protocols. You must use the setEnabledProtocols() method on SSLServerSocket or SSLSocket (whichever is appropriate to your usecase).
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.