7

I am using Java 1.6. I have set up my Tomcat as my SSL-enabled server, and I have set up an SSL-enabled client (Java code). When I communicate from my client to the server, in the Java SSL dump in the Tomcat logs I always see TLSv1 picked as the SSL protocol version by both my client and server. Is there a way I can switch between the SSLv3 and TLSv1 protocols for a secure connection? How can I make a client-server communication using SSLv3?

Thanks in advance!

Anita
  • But SSLv3 is less secure than TLS – OrangeDog Jan 19 '15 at 17:18
  • Do you control the client application's code? This isn't possible in the exact way you're asking, which seems to be that you'll only accept a way that takes TLSv1 completely out of the JVM. Please clarify what you're attempting to achieve, and why a different method to get the same solution isn't acceptable. – Shane Madden Jan 19 '15 at 17:46
  • The poster needs to simulate an app or env that is stuck on ssl3. This is a common need to see how legacy systems behave with and without ssl3 available. – Jonesome Reinstate Monica Jan 19 '15 at 18:49
  • @ShaneMadden, if I have to change the client code, what exactly do I change in the code? I am trying to setEnableProtocols in SSLSocket with sslv3 only, where it actually has sslv3 and tlsv1 values. – Anita Jan 20 '15 at 12:07
  • @Anita So you're making a function call that's setting just SSLv3 active but it's still using TLSv1? Can you update your question with what you're doing and what you're seeing that indicates it's not working? – Shane Madden Jan 20 '15 at 19:51

1 Answer

9

Disclaimer: from my point of view it is not a good idea to downgrade the connection protocol to SSLv3 unless you have a device which does not support TLS.

If you really need it, you can force the Tomcat connector to use the SSLv3 protocol. In the connector XML configuration:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector protocol="HTTP/1.1" port="8443" ... sslProtocol="SSLv3"/>

The sslProtocol attribute accepts the SSLContext algorithm names defined in the Java documentation. The default value is TLS.

The HTTP connector documentation is also available here: http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

UPDATE

It seems possible to specify the authorized protocols for SSL and TLS with the java system property https.protocols (see here). You can launch your application with

java -Dhttps.protocols="SSLv3" ... -jar myapp.jar
Jcs
  • Thanks for the suggestion @Jcs. My requirement is to change the protocol to ssl v3 or tls v1 at java/jre level. Not at tomcat level. Because, tomorrow I may have to do the same for any web server as well. –  Jan 19 '15 at 13:14
  • When you say "at java/jre level" you mean globally for a JVM (for instance with an environment or JVM variable) or in a programmatic way (i.e. the java code which creates a SSLv3 SSLSocketFactory)? –  Jan 19 '15 at 13:18
  • Yes, I have to do it globally for JVM. I tried to disable TLS v1 under java control panel. But, no luck. Still SSL communication between client and server is using TLS v1 by default. –  Jan 19 '15 at 13:23
  • FYI for just trying purpose, I tried to add sslProtocol="SSLv3" in my tomcat's server.xml's Connector tag and restarted my tomcat server. But, still SSL communication between client and server is using TLS v1 :( –  Jan 19 '15 at 13:29
  • I updated the post with another solution using `https.protocol` system property. But I did not try it. –  Jan 19 '15 at 13:33
  • I have added this java -Dhttps.protocols="SSLv3" in java system properties. But, no luck :( –  Jan 19 '15 at 13:52
  • I can't think of any way to do it globally for the entire JVM. Individual applications (either a Java app itself, or Java container such as Tomcat) are free to select which protocols they will or will not support (with the exception of ones that are eventually removed from the JVM completely). – Brian Knoblauch Jan 19 '15 at 15:29
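
The per-socket protocol selection discussed in the comments above can be inspected directly. The following is an added example, not code from the question or the answer: it prints which protocol versions an `SSLContext` created from a given algorithm name supports and enables, then narrows the enabled list on one socket. The class name `ProtocolCheck` and the method `restrict` are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added example; ProtocolCheck and restrict() are hypothetical names.
public class ProtocolCheck {

    // Enable only the requested protocols that this JVM's provider supports,
    // so setEnabledProtocols() is never handed a name it would reject.
    static String[] restrict(SSLSocket socket, String... wanted) {
        List<String> supported = Arrays.asList(socket.getSupportedProtocols());
        List<String> keep = new ArrayList<String>();
        for (String p : wanted) {
            if (supported.contains(p)) {
                keep.add(p);
            }
        }
        if (keep.isEmpty()) {
            throw new IllegalStateException(
                "none of " + Arrays.toString(wanted) + " is supported: " + supported);
        }
        socket.setEnabledProtocols(keep.toArray(new String[0]));
        return socket.getEnabledProtocols();
    }

    // usage: java ProtocolCheck [contextAlgorithm] [protocol ...]
    public static void main(String[] args) throws Exception {
        String algorithm = args.length > 0 ? args[0] : "TLS";
        String[] wanted = args.length > 1
            ? Arrays.copyOfRange(args, 1, args.length)
            : new String[] {"TLSv1"};

        SSLContext ctx = SSLContext.getInstance(algorithm);
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        // Unconnected socket: enough to inspect protocol settings offline.
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
        try {
            System.out.println("context algorithm : " + algorithm);
            System.out.println("supported         : " + Arrays.toString(socket.getSupportedProtocols()));
            System.out.println("enabled by default: " + Arrays.toString(socket.getEnabledProtocols()));
            System.out.println("enabled after pin : " + Arrays.toString(restrict(socket, wanted)));
        } finally {
            socket.close();
        }
    }
}
```

On a connected socket, `socket.getSession().getProtocol()` after the handshake reports the version that was actually negotiated, which is the value to check against the SSL debug output.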