stackoom
  简体   繁体   中英

TLS 1.2 on Java 6

 原文  2017-08-29 07:07:09       java/ ssl/ tls1.2/ java-6

Question

I have a legacy application running on java 6. However , we need to upgrade to TLS 1.2 due to certain security factors. For this I have tried the following code : 

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.UnknownHostException;
import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLParameters;

public class TlsCheck {

/**
 * test whether this client can connect to TLS v1.2 or not
 */

public static boolean isSuccessfulTLS12connection(){
    try{
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, null, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

        URL url = new URL("https://tlstest.paypal.com");
        HttpsURLConnection httpsConnection = (HttpsURLConnection)url.openConnection();
        httpsConnection.connect();
        BufferedReader reader = new BufferedReader(new InputStreamReader(httpsConnection.getInputStream()));
        StringBuilder body = new StringBuilder();
        while(reader.ready()){
            body.append(reader.readLine());
        }
        httpsConnection.disconnect();
        System.out.println("The body is::"+body.toString());
        if(body.toString().equals("PayPal_Connection_OK")){
            return true;
        }
    }catch(NoSuchAlgorithmException ne){
        ne.printStackTrace();
    }catch(UnknownHostException ue){
        ue.printStackTrace();
    }catch(IOException ioe){
        ioe.printStackTrace();
    }catch(KeyManagementException ke){
        ke.printStackTrace();
    }
    return false;
}

public static void main(String args[]){
    try{
        SSLParameters sslParams = SSLContext.getDefault().getSupportedSSLParameters();
        System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");
        sslParams.setProtocols(new String[] { "TLSv1.2"});
        String[] protocols = sslParams.getProtocols();
        System.out.println("The Supported Protocols are::"+Arrays.asList(protocols));

    }catch(NoSuchAlgorithmException ne){
        ne.printStackTrace();
    }

    if(isSuccessfulTLS12connection()){
        System.out.println("The connection to TLS v1.2 endpoint is succesful");
    }else{
        System.out.println("The connection to TLS v1.2 failed!");
    }
}

}

But i get the following error: 

  The Supported Protocols are::[TLSv1.2]
  javax.net.ssl.SSLException: Received fatal alert: protocol_version
  The connection to TLS v1.2 failed!
  at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
  at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
  at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
  at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
  at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
  at TlsCheck.isSuccessfulTLS12connection(TlsCheck.java:30)
  at TlsCheck.main(TlsCheck.java:65)

Can anyone suggest a better way rather than setting property? I have also tried setting JVM arguments, but no luck!

3 answers

solution1
 5  2017-08-29 10:04:37

The real fix? Upgrade to Java 1.7 or later. Continuing to run Java 1.6 Update 45 and connecting it to the internet is professionally reckless.

How reckless? Very.

Because Oracle released a critical patch update for Java 1.6 Update 45 that fixed over 40 security vulnerabilities over four years ago .

Among those fixed four years ago :

  • CVE-2013-2462 Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2463 Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2464 Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2465 Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2466 Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
  • CVE-2013-2468 Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.

And SIX more that have a vulnerability rating of 10.0 - that means it's an easily exploitable remote vulnerability.

That's just a list of the critical security vulnerabilities Oracle actually fixed in Java 1.6 Update 45 four years ago. There are more that weren't fixed in that one patch that still exist.

And you don't have any of them fixed.

To reiterate: those vulnerabilities - and a whole lot more - still exist in Java 1.6 Update 45.

Again: continuing to use Java 1.6 Update 45 and connecting it to the internet is reckless . Java 1.6 Update 45 has at least 25(!!!) known remotely exploitable security vulnerabilities with a CVE score of 9.3 or higher.

solution2
 2  2017-08-29 07:47:08

The latest public Java 6 SE build is 6u45, which is not supporting TLS 1.2. To use TLS 1.2 with Java 6, I see two possibilities:

solution3
 0  2017-08-29 08:01:58

正如Marcel已经提到的那样,Java 6不支持TLS。也许您可以使用curl等外部软件作为变通办法来通过System.exec()发出请求?

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question TLS 1.2 for Java 4 applications Java HttpsURLConnection and TLS 1.2 TLS 1.2 was supported in Java 8 but not in Java 7 TLS1.2 support with Java 6 How to enable TLS 1.2 in Java 7 TLS 1.2 + Java 1.6 + BouncyCastle Using TLS 1.2 from java 6 How to use TLS 1.2 in Java 6 Java TLS 1.2 mutual authentication ends in timeout Update Legacy Java to use TLS 1.1/1.2
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM