Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Java http clients and POODLE

Tags:

java

security

https

apache-httpclient-4.x

poodle-attack

Regarding the POODLE vulnerability, if I understand it correctly, it requires a client that automatically downgrades TLS protocol to SSLv3 when failing to establish a secure channel with a server using higher version protocol advertised by the server.

Do the common java HTTP client libraries, specifically javax.net.ssl.HttpsURLConnection and Apache HttpClient, automatically downgrade the TLS protocol when failing to establish TLS session with a server? If not, am I correct that they are immune from he POODLE attack unless either (a) the server only supports SSLv3, or (b) a logic at a higher level performs the downgrade?

I'm looking for something like http://blog.hagander.net/archives/222-A-few-short-notes-about-PostgreSQL-and-POODLE.html but for Java clients.

like image 411
ykaganovich Avatar asked Oct 17 '14 16:10

ykaganovich

2 Answers

Apache HttpClient does not implement any of the TLS protocol aspects. It relies on JSSE APIs to do TLS/SSL handshaking and to establish secure SSL sessions. With the exception of SSL hostname verification logic, as far as TLS/SSL is concerned Apache HttpClient is as secure (or as vulnerable) as the JRE it is running in.

Update: HttpClient 4.3 by default always uses TLS, so, unless one explicitly configures it to use SSLv3 HttpClient should not be vulnerable to exploits based on POODLE.

This turned out to be wrong. One MUST explicitly remove SSLv3 from the list of supported protocols! 

SSLContext sslContext = SSLContexts.custom()
        .useTLS() // Only this turned out to be not enough
        .build();
SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
        sslContext,
        new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"},
        null,
        SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
CloseableHttpClient client = HttpClients.custom()
        .setSSLSocketFactory(sf)
        .build();

Update 2: As of version 4.3.6 HttpClient disables all versions of SSL (including SSLv3) by default.

like image 141
ok2c Avatar answered Oct 25 '22 12:10

ok2c

You MUST disable SSL v3.0 on java clients if you use https.

This can be done by adding this property on java 6/7:

-Dhttps.protocols="TLSv1"

And for Java 8 :

-Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2"

-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"

Source : http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html

like image 40
yyvess Avatar answered Oct 25 '22 11:10

yyvess
Sign in to Comment

Related questions

no segments* file found
How to run a thread separate from main thread in Java?
get char value in java
How to use an Internet time server to get the time?
Velocity Templates - New Line
Can I change my Windows desktop wallpaper programmatically in Java/Groovy?
HashSet contains problem with custom objects
How to get all imports defined in a class using java reflection?
How do I iterate through the values of a row from a result set in java?
How to increase the slow scroll speed on a JScrollPane?
How to convert byte array to blob
are arrays faster than arraylist? [duplicate]
Why is class declared as static in Java? [duplicate]
Selenium webdriver click google search
Best way to avoid Toast accumulation in Android
FreeMarker - Remove comma from milliseconds
what's the difference between CyclicBarrier/CountDownLatch and join in Java?
Is there any difference between Objects::nonNull and x -> x != null?
org.hibernate.PersistentObjectException: detached entity passed to persist exception
Java syntax - extra plus sign after cast is valid?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!