Bug
Resolution: Fixed
P4
6
b44
x86
windows_xp
FULL PRODUCT VERSION :
J2SE Version 1.6.0-ea (build 1.6.0-ea-b40)
ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows XP, version 5.1.2600
A DESCRIPTION OF THE PROBLEM :
Selecting or deselecting "Use SSL 2.0" in the "Security Settings" of the "Advanced tab" of the "Java Control Panel" seems to have no effect at all on the https.protocols. Whatever protocols (SSLv2, SSLv3, TLSv1) are selected, the SSLv2Hello protocol remains enabled by default.
Selecting "Use SSL 2.0" does not even appear to add the SSLv2 protocol to https.protocols.
Many systems that require strong encryption for security will reject any connections attempting to use the SSLv2 or SSLv2Hello protocol.
Deselecting "Use SSL 2.0" should disable any and all SSL 2.0 protocols, including the SSLv2Hello protocol.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Deselect "Use SSL 2.0" in the "Security Settings" of the "Advanced tab" of the "Java Control Panel".
Attempt to connect to a system that does not allow any SSL 2.0 protocol.
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
System should allow the connection.
Open the "Sun Java Console" and type "s" to display the system and deployment properties.
The https.protocols should not have SSLv2Hello enabled and "deployment.security.SSLv2Hello" should equal false.
ACTUAL -
System rejects the connection.
Open the "Sun Java Console" and type "s" to display the system and deployment properties.
The https.protocols has SSLv2Hello enabled and "deployment.security.SSLv2Hello=true".
ERROR MESSAGES/STACK TRACES THAT OCCUR :
Snippet from Sun Java Console that shows that deselecting "Use SSL 2.0" has no effect on the SSLv2Hello protocol:
Java Plug-in 1.6.0
Using JRE version 1.6.0-ea Java HotSpot(TM) Client VM
User home directory = C:\Documents and Settings\user
----------------------------------------------------
Dump system properties ...
----------------------------------------------------
https.protocols = TLSv1,SSLv3,SSLv2Hello
----------------------------------------------------
Dump deployment properties ...
----------------------------------------------------
deployment.security.SSLv2 = false
deployment.security.SSLv2Hello = true
deployment.security.SSLv3 = true
deployment.security.TLSv1 = true
REPRODUCIBILITY :
This bug can be reproduced always.
CUSTOMER SUBMITTED WORKAROUND :
In the "C:\WINDOWS\Sun\Java\Deployment" directory add a "deployment.config" file that contains the following lines:
deployment.system.config=file\:/C\:/WINDOWS/Sun/Java/Deployment/deployment.config
deployment.system.config.mandatory=false
deployment.security.SSLv2Hello=false
###@###.### 2005-06-14 20:15:56 GMT
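A check for the mismatch described in this report, as an added example that is not part of the original bug report or of the JDK: it parses a Java Console property dump and flags SSL 2.0-family protocols that stay enabled while deployment.security.SSLv2 is false. The sample dump is constructed from the lines quoted above; the function names and the rule that SSLv2Hello counts as SSL 2.0 (the reporter's expectation) are assumptions.

```python
import re

# Constructed sample mirroring the Java Console "s" dump quoted in the report.
SAMPLE_DUMP = """\
Dump system properties ...
----------------------------------------------------
https.protocols = TLSv1,SSLv3,SSLv2Hello
----------------------------------------------------
Dump deployment properties ...
----------------------------------------------------
deployment.security.SSLv2 = false
deployment.security.SSLv2Hello = true
deployment.security.SSLv3 = true
deployment.security.TLSv1 = true
"""

# Assumption: both names are treated as "SSL 2.0" for audit purposes.
SSL2_FAMILY = {"SSLv2", "SSLv2Hello"}
# Keys are dotted identifiers; lines such as "User home directory = ..." are skipped.
PROP_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")

def parse_dump(text):
    """Return {key: value} for every 'key = value' line in a console dump."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def audit_ssl2(text):
    """List findings where SSL 2.0 is deselected but an SSL 2.0-family protocol is still on."""
    props = parse_dump(text)
    findings = []
    if props.get("deployment.security.SSLv2", "").lower() != "false":
        return findings  # "Use SSL 2.0" is not deselected, so nothing contradicts it
    enabled = {p.strip() for p in props.get("https.protocols", "").split(",") if p.strip()}
    for proto in sorted(enabled & SSL2_FAMILY):
        findings.append(f"https.protocols still lists {proto}")
    for proto in sorted(SSL2_FAMILY):
        if props.get(f"deployment.security.{proto}", "").lower() == "true":
            findings.append(f"deployment.security.{proto} is true")
    return findings

if __name__ == "__main__":
    for finding in audit_ssl2(SAMPLE_DUMP):
        print("FINDING:", finding)
```

Running the same audit on a dump taken after the workaround is applied should return an empty list.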