How to disable TLSv1 when I configure "akka.remote.netty.ssl.security.protocol" property as TLSv1.2.
613 views
Skip to first unread message
yinzho...@gmail.com
Jul 26, 2016, 4:14:58 AM7/26/16
to Akka User List
Configure file as follow:
# Protocol to use for SSL encryption, choose from:
# Java 6 & 7:
# 'SSLv3', 'TLSv1'
# Java 7:
# 'TLSv1.1', 'TLSv1.2'
protocol = "TLSv1.2"When I use nmap to scan, I find that TLSv1 is enabled:
D:\softwares\nmap-7.12>nmap -p xxxx --script=ssl* x.x.x.x --unprivileged
Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-26 15:33 °?′óà????÷2?±ê×?ê±??
Nmap scan report for x.x.x.x
Host is up (1.0s latency).
PORT STATE SERVICE
xxxx/tcp open unknown
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
| TLSv1.1:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
|_ least strength: A
MAC Address: xx:xx:xx:xx:xx:xx
Nmap done: 1 IP address (1 host up) scanned in 3.88 seconds
D:\softwares\nmap-7.12>I want to disable TLSv1. Any method?
Thank you.
Will Sargent
Jul 26, 2016, 4:02:45 PM7/26/16
to akka...@googlegroups.com
You can set the "jdk.tls.client.protocols" system property to set options for the JVM -- this is a feature that is only available in JDK 1.8 though.
Otherwise, you would have to set the security property jdk.tls.disabledAlgorithms to add TLSv1 specifically.
Will Sargent
Engineer, Lightbend, Inc.
--
>>>>>>>>>> Read the docs: http://akka.io/docs/
>>>>>>>>>> Check the FAQ: http://doc.akka.io/docs/akka/current/additional/faq.html
>>>>>>>>>> Search the archives: https://groups.google.com/group/akka-user
---
You received this message because you are subscribed to the Google Groups "Akka User List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to akka-user+...@googlegroups.com.
To post to this group, send email to akka...@googlegroups.com.
Visit this group at https://groups.google.com/group/akka-user.
For more options, visit https://groups.google.com/d/optout.
yinzho...@gmail.com
Jul 28, 2016, 3:36:59 AM7/28/16
to Akka User List
Thank you first for your reply :)
I add TLSv1 to jdk.tls.disabledAlgorithms of JRE java.security file, in this way I can resolve the problem, but the modify will globally affect, for example there is a java app needs TLSv1.
Otherwise, I have tried "jdk.tls.client.protocols" system property, but it does not achieve the desired effect.
I have tried to invoke "setEnabledProtocols" method of javax.net.ssl.SSLEngine class on my java test code, it can achieve the desired effect.
The relevant AKKA source code of akka.remoting as follow:
case Some(context) ⇒
log.debug("Using client SSL context to create SSLEngine ...")
new SslHandler({
val sslEngine = context.createSSLEngine
sslEngine.setUseClientMode(true)
sslEngine.setEnabledCipherSuites(settings.SSLEnabledAlgorithms.toArray)
sslEngine.setEnabledProtocols(Array("TLSv1.2")) => Add this line can resovle my problem, but I don't want to modify AKKA source code :(
sslEngineIs there a way to set ssl option without modify AKKA source code?
Thank you.
在 2016年7月27日星期三 UTC+8上午4:02:45,Will Sargent写道:
Message has been deleted
Konrad 'ktoso' Malawski
Jul 31, 2016, 7:30:04 AM7/31/16
to Akka User List
That seems like a good catch indeed!
Thanks for finding this.
I've made an issue and PR for it:
If reviewed by team we could include this patch very soon.
Thanks for reporting!
-- Konrad
Will Sargent
Aug 1, 2016, 1:34:32 PM8/1/16
to akka...@googlegroups.com
> Otherwise, I have tried "jdk.tls.client.protocols" system property, but it does not achieve the desired effect.
Okay -- "jdk.tls.client.protocols" only disables SSL from a client perspective ONLY. Akka remoting is from a server context. And "https.protocol" is only good for an HTTPSURLConnection, not for SSLEngine.
If you want to disable it from the server perspective and you want to do it on a specific SSL context, then you have to call setAlgorithmConstraints directly:
val sslParameters = sslContext.getDefaultSSLParameters() // clones new instance from default
val sslEngine = sslContext.createSSLEngine(peerHost, peerPort)
sslParameters.setAlgorithmConstraints(algConstraints)
sslEngine.setSSLParameters(sslParameters)
Otherwise, if you want disabled algorithms the only reliable way to set it is:
java -Djava.security.properties=disabledAlgorithms.properties
Wrote more about this in https://tersesystems.com/2014/01/13/fixing-the-most-dangerous-code-in-the-world/
Adding this to the Akka issue so Konrad doesn't have to...
--
Will Sargent
Engineer, Lightbend, Inc.
Reply all
Reply to author
Forward
0 new messages