db-derby-user mailing list archives

From Peter <tableyourt...@gmail.com>
Subject Re: Force TLSv1.2 or higher for the server
Date Tue, 10 Jul 2018 06:34:17 GMT
Hello Bryan,

Thanks for your answer.
I already saw the property and issue DERBY-6764 and tried the
suggestions but they did not lead to just one enabled protocol.

For peerAuthentication there should be a way to provide the
SSLSocketFactory where one could try to overload getEnabledProtocols of
SSLSocket without changing any code of Derby but I wasn't able to manage
this.

Also in SSLSocketFactory.getDefault the fallback is
SSLContext.getDefault().getSocketFactory() and so something like this:

SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, null, null);
SSLContext.setDefault(sslContext);

could be used (or the method used in NaiveTrustManager) ... but again in
my case it still printed the 3 enabled protocols.

I think for the future it might be wise to support this out of the box as
TLS1.3 is already supported in JDK 11
https://bugs.openjdk.java.net/browse/JDK-8196584 and the older two are
deprecated.

Kind Regards
Peter

On 09.07.2018 at 18:39, Bryan Pendleton wrote:
> There was a similar, but not identical, discussion around these topics
> four years ago, when the code was changed to remove SSLv3 and SSLv2
> support. See DERBY-6764 for the full details.
>
> I think it would certainly be possible to change the code in a similar way
> to allow more configurability, but I am not sure of the implications, and if
> it is similar to the DERBY-6764 work, a fair amount of testing is required.
>
> According to this article:
> https://blogs.oracle.com/java-platform-group/jdk-8-will-use-tls-12-as-default
> you might investigate using the deployment.security.TLSvX.Y=false
> system property.
>
> Perhaps you could investigate whether the referenced blog article
> allows a configuration that suits your needs?
>
> Please let us know what you learn!
>
> thanks,
>
> bryan
>
>
> On Mon, Jul 9, 2018 at 3:25 AM, Peter <tableyourtime@gmail.com> wrote:
>> Hello,
>>
>> I cannot find a way to force the server to just use TLSv1.2. Currently
>> it says:
>>
>> Apache Derby Network Server - 10.13.1.1 - (1765088) Enabled Protocols
>> are TLSv1, TLSv1.1, TLSv1.2
>>
>> even when using
>>
>> -Dhttps.protocols=TLSv1.2
>>
>> or similar settings found on the internet. Then I saw in the source:
>>
>> SSLContext ctx = SSLContext.getInstance("TLS");
>>
>> https://github.com/apache/derby/blob/f16c46cbdd5be8dd9bdcee935ec1f68970146478/java/org.apache.derby.commons/org/apache/derby/shared/common/drda/NaiveTrustManager.java#L73
>>
>> that it seems to ignore command line settings. Is it possible to add
>> such a property or a different workaround to avoid older TLS versions?
>>
>> Regards
>> Peter
>>
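The behaviour Peter observed (SSLContext.getInstance("TLSv1.2") still yielding three enabled protocols) comes from the fact that JSSE's enabled-protocol list is governed by the jdk.tls.disabledAlgorithms security property, not by the context name. The following is an added example, not code from this thread or from Derby; it reads that property before any JSSE initialisation and reports what a server socket built from the same "TLS" context Derby uses would actually offer. The class name, the --harden flag and the printed messages are the example's own.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

public class TlsProtocolCheck {
    // Protocol names to withdraw from the server (TLS 1.0 and 1.1 are deprecated).
    static final String LEGACY = "TLSv1, TLSv1.1";

    // Appends the legacy protocols to jdk.tls.disabledAlgorithms. This must run
    // before the first JSSE use in the JVM, because JSSE reads the property once;
    // changing it afterwards has no effect on already-initialised providers.
    static void disableLegacyTls() {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        String updated = (current == null || current.trim().isEmpty())
                ? LEGACY : current + ", " + LEGACY;
        Security.setProperty("jdk.tls.disabledAlgorithms", updated);
    }

    // Protocols an (unbound) server socket from the named context would negotiate.
    static String[] enabledServerProtocols(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null);   // default key/trust material, default RNG
        try (SSLServerSocket ss =
                 (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket()) {
            return ss.getEnabledProtocols();
        }
    }

    // True if any deprecated TLS version is still enabled.
    static boolean offersLegacy(String[] protocols) {
        for (String p : protocols) {
            if (p.equals("TLSv1") || p.equals("TLSv1.1")) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length > 0 && args[0].equals("--harden")) disableLegacyTls();
        // "TLS" is the context name Derby's NaiveTrustManager requests.
        String[] enabled = enabledServerProtocols("TLS");
        System.out.println("Enabled protocols: " + Arrays.toString(enabled));
        System.out.println(offersLegacy(enabled)
                ? "WARNING: TLS 1.0/1.1 still enabled" : "OK: TLS 1.2 or higher only");
    }
}
```

For a Derby server you cannot modify, the same effect is obtained by adding TLSv1 and TLSv1.1 to the jdk.tls.disabledAlgorithms line in the JDK's java.security file, or by pointing -Djava.security.properties= at an override file containing that line, so the restriction is in place before the network server opens its socket.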

