Force TLSv1.2 or higher for the server

Peter
Hello,

I cannot find a way to force the server to just use TLSv1.2. Currently
it says:

Apache Derby Network Server - 10.13.1.1 - (1765088) Enabled Protocols
are TLSv1, TLSv1.1, TLSv1.2

even when using

-Dhttps.protocols=TLSv1.2

or similar settings found on the internet. Then I saw in the source:

SSLContext ctx = SSLContext.getInstance("TLS");

https://github.com/apache/derby/blob/f16c46cbdd5be8dd9bdcee935ec1f68970146478/java/org.apache.derby.commons/org/apache/derby/shared/common/drda/NaiveTrustManager.java#L73

that it seems to ignore command line settings. Is it possible to add
such a property or a different workaround to avoid older TLS versions?

Regards
Peter

Re: Force TLSv1.2 or higher for the server

Bryan Pendleton-3
There was a similar, but not identical, discussion around these topics
four years ago, when the code was changed to remove SSLv3 and SSLv2
support. See DERBY-6764 for the full details.

I think it would certainly be possible to change the code in a similar way
to allow more configurability, but I am not sure of the implications, and if
it is similar to the DERBY-6764 work, a fair amount of testing is required.

According to this article:
https://blogs.oracle.com/java-platform-group/jdk-8-will-use-tls-12-as-default
you might investigate using the deployment.security.TLSvX.Y=false
system property.

Perhaps you could investigate whether the referenced blog article
allows a configuration that suits your needs?

Please let us know what you learn!

thanks,

bryan


On Mon, Jul 9, 2018 at 3:25 AM, Peter <[hidden email]> wrote:

Re: Force TLSv1.2 or higher for the server

Peter
Hello Bryan,

Thanks for your answer.
I already saw the property and issue DERBY-6764 and tried the suggestions but they did not lead to just one enabled protocol.

For peerAuthentication there should be a way to provide the SSLSocketFactory, where one could try to overload getEnabledProtocols of SSLSocket without changing any code of Derby, but I wasn't able to manage this.

Also, in SSLSocketFactory.getDefault the fallback is SSLContext.getDefault().getSocketFactory(), and so something like this:

SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, null, null);
SSLContext.setDefault(sslContext);

could be used (or the method used in NaiveTrustManager) ... but again in my case it still printed the 3 enabled protocols.

I think for the future it might be wise to support this out of the box, as TLS 1.3 is already supported in JDK 11 (https://bugs.openjdk.java.net/browse/JDK-8196584) and the older two are deprecated.

Kind Regards
Peter

On 09.07.2018 at 18:39, Bryan Pendleton wrote:
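The following is an added example, not code from the thread or from Derby: it shows why the observations above come out the way they do and what a server-side restriction actually looks like. The https.protocols property only affects HttpsURLConnection clients, and the protocol name passed to SSLContext.getInstance does not by itself trim the enabled list of a server socket; what a server offers is whatever SSLServerSocket.getEnabledProtocols() returns, so the reliable check and fix are on the socket. The class name TlsProtocolCheck is assumed.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.util.Arrays;
import java.util.List;

public final class TlsProtocolCheck {
    // Policy: only these protocol versions may be offered by the server
    static final List<String> ALLOWED = Arrays.asList("TLSv1.2", "TLSv1.3");

    // Protocols a server socket built from this context enables by default
    static String[] defaultServerProtocols(SSLContext ctx) throws Exception {
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        try (SSLServerSocket s = (SSLServerSocket) factory.createServerSocket(0)) {
            return s.getEnabledProtocols();
        }
    }

    // Keep only policy-allowed protocols that this runtime actually supports,
    // and fail closed if none of them is available
    static String[] restrict(SSLServerSocket s) {
        List<String> supported = Arrays.asList(s.getSupportedProtocols());
        String[] keep = ALLOWED.stream()
                .filter(supported::contains)
                .toArray(String[]::new);
        if (keep.length == 0) {
            throw new IllegalStateException("no allowed TLS protocol is supported by this JVM");
        }
        s.setEnabledProtocols(keep);
        return s.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        // Compare the context Derby uses ("TLS") with a version-named one:
        // on JDK 8 both typically enable TLSv1, TLSv1.1 and TLSv1.2 on the server side
        for (String name : new String[] {"TLS", "TLSv1.2"}) {
            SSLContext ctx = SSLContext.getInstance(name);
            ctx.init(null, null, null); // default key/trust managers, as NaiveTrustManager does
            System.out.println(name + " -> " + Arrays.toString(defaultServerProtocols(ctx)));
        }
        // The restriction that works regardless of the context name
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        try (SSLServerSocket s = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0)) {
            System.out.println("restricted -> " + Arrays.toString(restrict(s)));
        }
    }
}
```

Where the server code cannot be changed, the same effect is available JVM-wide through the jdk.tls.disabledAlgorithms security property (listing TLSv1 and TLSv1.1), which JSSE applies to every SSLContext; verify the result with a TLS 1.0/1.1 connection attempt against the running server rather than trusting the startup banner.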