Monday, July 25, 2016

TLS v1.2 support in Java 6

According to the Oracle documentation:
JDK 6 release supports TLS v1. See:
http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
JDK 6 supports TLS 1.1 as well since JDK 6u111.
http://www.oracle.com/technetwork/java/javase/overview-156328.html#R160_111
JDK 7 release supports TLS v1, TLS v1.1 and TLS v1.2. See:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider

In fact, TLS 1.2 is available in Java 6: "TLS v1.2 is now a TLS protocol option with the release of JDK 6u121", or maybe even in 6u115 b32 (copy and paste issue?). See:
http://www.oracle.com/technetwork/java/javase/overview-156328.html
It is enabled with -Djdk.tls.client.protocols="TLSv1.2"

To test whether you have TLSv1.2 support:
import javax.net.ssl.SSLContext;

public class TLSTest {
        public static void main(String[] args) throws Exception {
                // getInstance() throws NoSuchAlgorithmException if the protocol is not available
                System.out.println("before TLSv1.1");
                SSLContext ctx = SSLContext.getInstance("TLSv1.1");
                System.out.println("before TLSv1.2");
                ctx = SSLContext.getInstance("TLSv1.2");
                System.out.println("after");
        }
}

and run with
java -Djdk.tls.client.protocols="TLSv1.1,TLSv1.2" TLSTest

If you get "Exception in thread "main" java.security.NoSuchAlgorithmException: TLSv1.2 SSLContext not available", then you are screwed.


Which cipher suites your JVM supports

"SunJSSE supports a large number of ciphersuites" http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
1) WLS 11g (WLS 10.3.6) uses JSSE and runs on Java SE 6
2) JSSE java 6  http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider
3) WLS 10.3.6 ciphers: http://docs.oracle.com/cd/E28280_01/web.1111/e13707/ssl.htm#BABBDACC

The different parts of a cipher suite name (for example TLS_DHE_RSA_WITH_AES_128_CBC_SHA) are classified as follows:
TLS vs SSL
RSA vs ECDH vs ECDHE vs DHE vs KRB5
ECDSA vs RSA
RC4 vs 3DES vs DES vs AES
EDE vs CBC
SHA vs MD5

Set "-Dssl.debug=true -Djavax.net.debug=ssl -Dweblogic.log.StdoutSeverity=Debug", then search the output for the statement
SSLEngine.setEnabledCipherSuites
to see which ciphers are actually ENABLED (not only supported).
See also http://stackoverflow.com/questions/10487962/java-cipher-suites
There is a property https.cipherSuites, and there are SSLSocket.setEnabledCipherSuites() and SSLEngine.setEnabledCipherSuites() methods.
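
To see the difference between supported and enabled suites without reading debug logs, the following added example (not part of the original post) lists both for the JVM's default SSLContext and marks suites whose names contain weak components. The class name CipherSuiteReport and the list of weak name fragments are assumptions of this example; the code uses only Java 6 APIs.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (hypothetical class name): compares what the JVM supports
// with what it enables by default. Java 6 syntax only.
public class CipherSuiteReport {

    // Name fragments treated as weak here; this list is an assumption of the example.
    // "_DES_" matches single DES only: 3DES suites are named "_3DES_EDE_".
    private static final String[] WEAK = {
        "_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_DES40_", "_MD5"
    };

    // Returns the first weak component found in the suite name, or null if none.
    static String weakness(String suite) {
        for (int i = 0; i < WEAK.length; i++) {
            if (suite.contains(WEAK[i])) {
                return WEAK[i].replace("_", "");
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // The default context is what SSLSocketFactory.getDefault() is built on.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();

        System.out.println("Supported protocols: " + Arrays.toString(supported.getProtocols()));
        System.out.println("Enabled protocols:   " + Arrays.toString(enabled.getProtocols()));

        Set<String> on = new HashSet<String>(Arrays.asList(enabled.getCipherSuites()));
        String[] all = supported.getCipherSuites();
        for (int i = 0; i < all.length; i++) {
            String weak = weakness(all[i]);
            System.out.println((on.contains(all[i]) ? "ENABLED   " : "supported ")
                    + all[i] + (weak == null ? "" : "   <-- weak: " + weak));
        }
    }
}
```

Any line that is both ENABLED and marked weak is a candidate for removal through setEnabledCipherSuites() or the server's cipher configuration.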

Sunday, July 24, 2016

SSL TLS renegotiation, RFC 5746

Generalities:
https://devcentral.f5.com/articles/ssl-profiles-part-6-ssl-renegotiation

Oracle technical details on the famous RFC 5746; here is the mythical JSSE Ref Guide (something every human should read):
http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#tlsRenegotiation

More explanations
http://security.stackexchange.com/a/24569/118343



Other tags: no_renegotiation handshake_failure