Reference Guide
SSL/TLS Communications 7
RSA BSAFE SSL-J 6.2.6 Security Best Practices Guide
The SSLv3 protocol and RC4 cipher suites are disabled by default in SSL-J 6.2 and
above. However, take care when changing the enabled protocols and cipher suites:
the SSLv3 protocol and RC4 cipher suites must not become enabled unless their
security attributes are fully understood and they are required for
interoperability reasons. Because the SSLJ and JSSE APIs require the complete set
of protocols or cipher suites to be specified whenever any are enabled or disabled,
it is possible to inadvertently enable protocols or cipher suites that are no
longer in the default set. This especially applies to applications that were
written before the POODLE attack was known.
The following demonstrates how to disable a protocol (TLSv1.0), without
inadvertently re-enabling SSLv3.
SSL-J JSSE Provider
If using the SSL-J JSSE provider, invoke setEnabledProtocols on each newly
created SSLSocket, SSLServerSocket, or SSLEngine object, specifying the
required TLS protocol versions.
For example, after creating and initializing ctx, an SSLContext:
    // Get the SocketFactory from the SSLContext.
    SSLSocketFactory factory = ctx.getSocketFactory();
    // Create an SSLSocket and connect it to the server.
    SSLSocket socket = (SSLSocket) factory.createSocket(HOSTNAME, PORT);
    // Set the allowed TLS versions (not including SSLv3).
    String[] protocols = {
        JsseProvider.TLS_V11,
        JsseProvider.TLS_V12
    };
    socket.setEnabledProtocols(protocols);
    // Use the Socket.
    InputStream in = socket.getInputStream();
    OutputStream out = socket.getOutputStream();
For more information, see the following JSSE CipherSuiteAndProtocol samples:
• jsse/client/CipherSuiteAndProtocol.java
• jsse/server/CipherSuiteAndProtocol.java
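An added example, not taken from this guide or its samples, that generalizes the approach above: it derives the protocol list from the set the provider already has enabled minus a deny-list, so an old hard-coded array cannot re-enable SSLv3. It uses only the standard javax.net.ssl API with the JDK default SSLContext in place of ctx; the class name, the DENIED set and the standard JSSE protocol name strings are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class ProtocolFilterExample {
    // Protocols this application refuses to negotiate.
    // Assumption: the provider reports the standard JSSE protocol names.
    static final Set<String> DENIED =
        new HashSet<>(Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1"));

    // Remove denied protocols from an existing set; never add any protocol.
    static String[] withoutDenied(String[] enabled) {
        List<String> kept = new ArrayList<>();
        for (String p : enabled) {
            if (!DENIED.contains(p)) {
                kept.add(p);
            }
        }
        // Fail closed instead of handing the provider an empty list.
        if (kept.isEmpty()) {
            throw new IllegalStateException(
                "No permitted protocol left in " + Arrays.toString(enabled));
        }
        return kept.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input standing in for a pre-POODLE hard-coded list.
        String[] legacy = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println(Arrays.toString(withoutDenied(legacy)));

        // The same filter applied to an unconnected socket (no network needed).
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket()) {
            socket.setEnabledProtocols(withoutDenied(socket.getEnabledProtocols()));
            System.out.println(Arrays.toString(socket.getEnabledProtocols()));
        }
    }
}
```

The same withoutDenied call applies to SSLServerSocket and SSLEngine, which expose the same getEnabledProtocols and setEnabledProtocols methods.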
SSLJ API
If using the SSLJ API, invoke setVersions on the SSLParams instance before
passing it as a parameter to the
com.rsa.ssl.SSLSocket or
com.rsa.ssl.SSLServerSocket constructor.