
We are bundling a JRE along with our product and want to change java.security to disable TLSv1.0 (for PCI compliance).

I want to check if doing that violates the license and if there are other products that do the same. The Java license is unclear on this topic. http://www.oracle.com/technetwork/java/javase/terms/license/index.html

Atul Soman
  • If your product does not use (and cannot be configured to use) TLSv1 what is the need for this? – Alex K. Oct 12 '16 at 10:18
  • I'm voting to close this question as off-topic because it is about a legal question instead of programming. – Henry Oct 12 '16 at 11:04
  • @AlexK. Java by default allows TLSv1.0 and we want to disable that. – Atul Soman Oct 12 '16 at 13:10
  • So long as the calling code does not use TLS1 it's hard to see why you care. My PCI apps use .Net which also supports TLS1, I don't try to modify the framework, I just make sure I use TLS1.2. – Alex K. Oct 12 '16 at 13:12
  • @Henry A lot of programming can be avoided (Figuring out all areas of ssl usage and programmatically controlling the protocols and ciphers) if this approach is valid. – Atul Soman Oct 12 '16 at 13:12
  • @AlexK. The calling apps are not in our control, e.g. a Java-based HTTPS webserver. – Atul Soman Oct 12 '16 at 13:14
  • @AtulSoman sure, but the question "is it allowed" is better answered by a lawyer than by a programmer. – Henry Oct 12 '16 at 13:30
  • @Henry, my intent is to see if this is tried anywhere else. I think this question is going to be more relevant because of the mandate of adoption of PCI compliance in the next year onward. – Atul Soman Oct 13 '16 at 03:57
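
A check a packager could run against the bundled JRE's java.security to confirm that TLSv1.0 is really disabled, added here as an example and not part of the original question or comments. It assumes the setting is the `jdk.tls.disabledAlgorithms` property; the file excerpts and function names are constructed for the demo.

```python
import re

# Constructed java.security excerpts for the demo (not copied from a real JRE).
SHIPPED = r"""
# TLS protocol and algorithm restrictions
jdk.certpath.disabledAlgorithms=MD2, MD5
jdk.tls.disabledAlgorithms=SSLv3, RC4, \
    TLSv1.1, DH keySize < 1024
"""
HARDENED = r"""
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, \
    DH keySize < 1024
"""

def load_properties(text):
    """Parse java.security-style text; a trailing backslash continues the line."""
    props, buf, continuing = {}, "", False
    for raw in text.splitlines():
        line = raw.strip()
        if not continuing and (not line or line[0] in "#!"):
            continue                      # blank line or comment
        continuing = line.endswith("\\")
        buf += line[:-1] if continuing else line
        if continuing:
            continue                      # value carries on to the next line
        parts = re.split(r"\s*[=:]\s*", buf, maxsplit=1)
        props[parts[0]] = parts[1] if len(parts) == 2 else ""  # last one wins
        buf = ""
    return props

def missing_protocols(text, required=("SSLv3", "TLSv1")):
    """Return the required protocol names that the file does not disable.

    Entries are compared whole (case-insensitively, a choice of this example),
    so a 'TLSv1.1' entry does not count as disabling 'TLSv1'.
    """
    value = load_properties(text).get("jdk.tls.disabledAlgorithms", "")
    disabled = {entry.strip().lower() for entry in value.split(",")}
    return [p for p in required if p.lower() not in disabled]

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("hardened", HARDENED)):
        gaps = missing_protocols(text)
        print(name, "OK" if not gaps else "still enabled: " + ", ".join(gaps))
```

Pointing it at the real file means reading the bundled JRE's java.security and passing its text to `missing_protocols`; a non-empty result can fail the packaging build.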

0 Answers