Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-5077603

SSL/TLS configuration options in Java Control Panel

XMLWordPrintable

    • Icon: Enhancement Enhancement
    • Resolution: Fixed
    • Icon: P4 P4
    • 6
    • 1.4.2, 5.0, 6
    • deploy

        Due to #5023701 (Default handshaking protocols in HTTPS in webstart is problematic), we have set the default SSL handshaking protocols to SSLv3 and SSLv2Hello because some servers may not be able to handle TLS:

        //
        // Set only if https.protocols is not defined and Config.SEC_TLS_KEY
        // is false (default)
        //
        if (p.get("https.protocols") == null &&
            Config.getBooleanProperty(Config.SEC_TLS_KEY) == false) {
                 p.put("https.protocols", "SSLv3,SSLv2Hello");
        }

        However, it is quite problematic for users to change the default handshaking protocols without going through the deployment configuration file. Thus, we should add three deployment configuration properties for various types of protocol support in SSL handshaking:

        deployment.security.SSLv2 -> Use SSL 2.0 (default: true)
        deployment.security.SSLv3 -> Use SSL 3.0 (default: true)
        deployment.security.TLSv1 -> Use TLS 1.0 (default: false)

        We should set the value of "https.protocols" in Java Plug-in and Java Web Start according to the values of these deployment configuration properties.

        We should also add three related options under "Security" in the Advanced tab of Java Control Panel.
        ###@###.### 2004-07-23
        ###@###.### 2004-07-23

              mafishersunw Margarita Fisher (Inactive)
              stanleyh Stanley Ho (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

                Created:
                Updated:
                Resolved:
                Imported:
                Indexed: