0

I want to force java existing program in jdk 1.5 to use tls in place of sslv2 or sslv3.

The jdk 1.5 support tls 1.0... but generally default use ssl v2 or v3 clienthello in place of tlsv1...

For now many ssl service are forcing tls only (some now force tls 1.2... but is another subject...)...

On jdk 1.6 you can add a javaagent that set SSLContext.setDefault to force tlsV1...

But on jdk 1.5 there no SSLContext.setDefault equivalent...

Normally java program use SSLContext.getInstance("SSL") to make ssl connection... i'm not expert on coding javaagent but in searching to know how to transform SSLContext.getInstance with value SSLv2, SSLv3, SSL to TLS or TLSv1...

schtever
  • 3,210
  • 16
  • 25
Mathieu CARBONNEAUX
  • 174
  • 1
  • 10
  • I would not allow a Java 1.5 base application to perform network connections - this Java version is heavily outdated and should not be used anymore. If you have to use it for a point-to-point connection place it on a special host and encapsulate all the traffic in a VPN connection and don't allow connections from outside of the VPN. Then the SSL version inside the VPN does not matter anymore. – Robert Apr 26 '19 at 18:48
  • did you try setting `https.protocols` system property ? It was already available for Java 5 as stated [JSSE Reference Guide](https://docs.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Customization) . Maybe the correct title of your question should be How to force SSL/TLS version by configuration ? – Eugène Adell Apr 26 '19 at 19:36
  • jdk 5, and 6 support tls 1.0, but try ssl v2 hello by default and if the server support sslv2 hello and be abel to handcheck to force upgrading in tls .... but if the server refuse ssl v2 hello and support only tls hello they don"t work.... – Mathieu CARBONNEAUX Aug 28 '19 at 22:21
  • i have many old application and i need to upgrade some equipement in version that refuse sslv2 hello for now... and i need to force this old application to work in tls v1 by default (not trying ssl v2 hello but force tls hello)... the idea is to overide SSL context to be a TLS context without modifing the code... and using javaagent ... i've made this in C but i've not found suffisant information to do that in java.. – Mathieu CARBONNEAUX Aug 28 '19 at 22:25
  • this old application cannot be upgraded (some of them are closed source), and my equipement who serve service in ssl when upgrade it accept tls hello only. is why i try to find solution to force tls hello (java 1.5, 1.6, 1.7 all support tls v1) without modifing the code. in c language i've made openssl libhook (with LD_PRELOAD) that force tls usage of this program. https://gist.github.com/mcarbonneaux/2bf5fc4f48d194482417e651bdc9f6a6. and i search a way to do the same in java. – Mathieu CARBONNEAUX Aug 06 '21 at 15:04
  • my idea is to use javaagent to intercept SSLContext.getInstance, and when the first argument are SSLv2, SSLv3, SSL, overide to TLS or TLSv1. but i'm not an expert on coding java agent to do that... – Mathieu CARBONNEAUX Aug 06 '21 at 15:11
  • https.protocols limit list of procotol, not force using ssl hello in tls. – Mathieu CARBONNEAUX Aug 06 '21 at 15:13
  • on jdk 1.6 and higher you can use : jdk.tls.client.protocols. This property was introduced to JDK 7 in 7u95 and to JDK 6 in 6u121. but this version of jdk are only downloadable with oracle support... https://java.com/en/configure_crypto.html – Mathieu CARBONNEAUX Aug 06 '21 at 15:17

0 Answers0