Can anyone inform me as to whether or not Java on CentOS-6.6 still has SSLv3 enabled? And if it does then how is it disabled?
4 thoughts on - Java SSLv3 Status On CentOS-6.6
James:
Check the java.security file for your JRE. I’m running OpenJDK 8 on Cent 6.6 and it’s located at /usr/lib/jvm/jre/lib/security/java.security. I haven’t made any changes to the java.security file, which shows SSLv3 is already disabled:
jdk.tls.disabledAlgorithms=SSLv3
Grant:
If you’re using Oracle JRE / JDK previous to 8u31, here are instructions on how to disable SSLv3:
http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
(The latest Java 8 version from Oracle is 8u40, and that DOES have SSLv3 disabled by default.)
Here are instructions on how to install Oracle Java 8u40 on CentOS:
http://tecadmin.net/install-java-8-on-CentOS-rhel-and-fedora/
But if you’re using the OpenJDK included in CentOS 6.6, it can be OpenJDK 7 or OpenJDK 8, which was included AFAIK as a technology preview, not the default.
Here’s more info on how to get OpenJDK 8 in CentOS 6.6 if you don’t have it already:
http://www.2daygeek.com/openjdk-8-installation-CentOS-fedora/
…then get the latest update from the repo, which is 8.0u31 aka 1.8.0.31, dated 21-Jan-2015:
http://mirrors.syringanetworks.net/CentOS/6.6/updates/x86_64/Packages/java-1.8.0-openjdk-1.8.0.31-1.b13.el6_6.x86_64.rpm
OpenJDK 8.0u31 disables SSLv3 by default, according to this:
http://support.blancco.com/index.php?/News/NewsItem/View/73/important-notification-java-8-update-31-disables-sslv3–support
YMMV
Hope this helps!
FC:
jdk.tls.disabledAlgorithms=SSLv3
Thank you. It is disabled here as well.
[root@vhost04 ~ (master *%)]# which java
/usr/bin/java
[root@vhost04 ~ (master *%)]# ll /usr/bin/java
lrwxrwxrwx. 1 root root 22 Jan 28 16:52 /usr/bin/java -> /etc/alternatives/java
[root@vhost04 ~ (master *%)]# ll /etc/alternatives/java
lrwxrwxrwx. 1 root root 46 Jan 28 16:52 /etc/alternatives/java -> /usr/lib/jvm/jre-1.7.0-openjdk.x86_64/bin/java
[root@vhost04 ~ (master *%)]# grep jdk.tls.disabledAlgorithms /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.75.x86_64/jre/lib/security/java.security
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3
According to these updates for openjdk java:
java-1.6.0-openjdk https://rhn.redhat.com/errata/RHSA-2015-0085.html
java-1.7.0-openjdk https://rhn.redhat.com/errata/RHSA-2015-0067.html
java-1.8.0-openjdk https://rhn.redhat.com/errata/RHSA-2015-0069.html
“Note: This update disables SSL 3.0 by default to address this issue. The jdk.tls.disabledAlgorithms security property can be used to re-enable SSL 3.0 support if needed. For additional information, refer to the Red Hat Bugzilla bug linked to in the References section.”
All these announcements were posted to the enterprise-watch-list mailing list:
https://www.redhat.com/mailman/listinfo/enterprise-watch-list
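The manual check James and FC describe (follow the alternatives symlink to the real JRE, then read jdk.tls.disabledAlgorithms from its java.security) as a reusable script; this is an added example, not code from the thread. It assumes the OpenJDK layout seen above (lib/security/java.security under the JRE directory that holds bin/java), GNU readlink -f, and that a commented-out "# jdk.tls.disabledAlgorithms=..." line must be ignored while the last uncommented assignment, with any backslash line continuations joined, is the effective one.

```shell
#!/bin/sh
# Added example (not from the thread): report whether SSLv3 is listed in the
# effective jdk.tls.disabledAlgorithms of the java.security used by a JRE.

# Print the java.security path for a java binary (default: the one on PATH),
# following the /usr/bin/java -> /etc/alternatives/java -> real JRE chain.
java_security_path() {
    bin="${1:-$(command -v java)}"
    [ -n "$bin" ] || return 1
    real=$(readlink -f "$bin") || return 1   # e.g. .../jre/bin/java
    jre_dir=$(dirname "$(dirname "$real")")  # strip bin/java
    for f in "$jre_dir/lib/security/java.security" \
             "$jre_dir/jre/lib/security/java.security"; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Print the effective value of jdk.tls.disabledAlgorithms from a java.security
# file: join "\"-continued lines, drop '#' comment lines (so the commented
# example line in the thread does not count), and take the last assignment.
disabled_algorithms() {
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep '^[[:space:]]*jdk\.tls\.disabledAlgorithms[[:space:]]*=' \
      | tail -n 1 \
      | sed 's/^[^=]*=[[:space:]]*//'
}

# Exit 0 if SSLv3 appears as a whole comma-separated entry, 1 otherwise.
sslv3_disabled_in() {
    disabled_algorithms "$1" \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -qx 'SSLv3'
}

# Human-readable report for one java binary (or the one on PATH).
report_java() {
    f=$(java_security_path "$1") || { echo "java.security not found for ${1:-java on PATH}"; return 2; }
    if sslv3_disabled_in "$f"; then echo "SSLv3 disabled by $f"; return 0; fi
    echo "SSLv3 NOT listed in jdk.tls.disabledAlgorithms of $f"; return 1
}

# Run the report only when a java path is given on the command line.
[ "$#" -eq 0 ] || report_java "$1"
```

Run as `sh check_sslv3.sh /usr/bin/java`; a non-zero exit means SSLv3 is still negotiable by that JRE's default settings and the property should be set as in the Red Hat errata quoted above.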