Disabling SSL Renegotiation in Java

I am using JDK 1.6 update 22. In my SSL server code, I have explicitly set:
System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "false");
System.setProperty("sun.security.ssl.allowLegacyHelloMessages", "false");
Then I used the openssl s_client -connect command to test and found that renegotiation is still enabled. Please advise on the actual way of disabling it.

Here is the part of ssl debug from server side:
Thread-1, READ: TLSv1 Handshake, length = 128
Allow unsafe renegotiation: false
Allow legacy hello messages: false
Is initial handshake: false
Is secure renegotiation: true
*** ClientHello, TLSv1
RandomCookie: GMT: 1326076465 bytes = { 195, 102, 145, 176, 167, 150, 9, 162, 47, 62, 214, 163, 120, 118, 26, 152, 69, 200, 72, 61, 175, 174, 252, 236, 120, 204, 18, 86 }
Session ID: {}
Cipher Suites: [TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_IDEA_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_RSA_EXPORT_WITH_RC4_40_MD5]
Compression Methods: { 0 }
Extension renegotiation_info, renegotiated_connection: 3c:6d:0b:aa:47:f4:d1:63:05:4b:cb:f8
Unsupported extension type_35, data:
%% Initialized: [Session-2, SSL_NULL_WITH_NULL_NULL]
%% Negotiating: [Session-2, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA]
*** ServerHello, TLSv1
RandomCookie: GMT: 1326076452 bytes = { 238, 57, 234, 189, 103, 165, 225, 15, 14, 39, 146, 76, 2, 106, 174, 240, 176, 192, 176, 239, 254, 212, 35, 207, 90, 61, 71, 204 }
Session ID: {79, 10, 82, 36, 145, 206, 200, 58, 8, 62, 53, 177, 184, 159, 162, 24, 188, 126, 183, 111, 211, 236, 89, 112, 2, 217, 27, 34, 183, 180, 160, 202}
Cipher Suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: 3c:6d:0b:aa:47:f4:d1:63:05:4b:cb:f8:fa:2a:58:cb:84:5d:07:16:25:c6:3e:ec
Cipher suite: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
You can see both properties set to false already.
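Why the two properties did not help, and how a JDK 1.6 server can actually refuse renegotiation, as an added example (this is editor-supplied code, not code from the post above or from the JDK). The sun.security.ssl.allowUnsafeRenegotiation and sun.security.ssl.allowLegacyHelloMessages properties only govern the unsafe, pre-RFC 5746 form of renegotiation and the handling of legacy ClientHellos. The debug output above says "Is secure renegotiation: true": the second handshake that s_client triggered was a secure (RFC 5746) renegotiation, which those properties deliberately leave enabled. JDK 1.6 has no switch for that (later releases document the server-side property jdk.tls.rejectClientInitiatedRenegotiation=true). What a 1.6 server can do is count completed handshakes per socket with a HandshakeCompletedListener and drop the connection as soon as a second one completes. Assumptions: the server key is supplied through the standard javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword system properties, and the listen port is 8443.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

/**
 * Accepts TLS connections and closes any connection on which the peer
 * completes a second handshake, i.e. a renegotiation (secure or not).
 * Editor-supplied example; not part of the original post.
 */
public class NoRenegotiationServer {

    /** One guard per socket: counts completed handshakes and kills the socket on the second one. */
    static final class RenegotiationGuard implements HandshakeCompletedListener {
        private final AtomicInteger completed = new AtomicInteger();

        public void handshakeCompleted(HandshakeCompletedEvent event) {
            int n = completed.incrementAndGet();
            if (n > 1) {
                // JSSE fires this listener for every completed handshake on the socket;
                // the second completion means the peer renegotiated. Drop it.
                try {
                    event.getSocket().close();
                } catch (IOException ignored) {
                    // socket is already going away
                }
            }
        }

        int handshakes() {
            return completed.get();
        }
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical port; the key material comes from -Djavax.net.ssl.keyStore=... (assumption).
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 8443;
        SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(port);

        while (true) {
            SSLSocket socket = (SSLSocket) server.accept();
            // Attach the guard BEFORE the first handshake so that handshake counts as number one.
            socket.addHandshakeCompletedListener(new RenegotiationGuard());
            socket.startHandshake();
            // ... hand the socket to the application's connection handler here ...
        }
    }
}
```

Run it with -Djavax.net.ssl.keyStore=... -Djavax.net.ssl.keyStorePassword=... -Djavax.net.debug=ssl:handshake, connect with openssl s_client -connect host:8443, and type R on a line by itself: s_client starts a client-initiated renegotiation and the server closes the connection once it completes. Caveat: the listener runs on JSSE's notification thread after the second handshake has already finished, so application data the server thread consumed in the meantime was read before the check. Treat this as a denial-of-service limit and an audit control, not as the fix for CVE-2009-3555; that fix is secure renegotiation, which the log above shows is already in effect.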

Similar Messages

  • How to disable SSL renegotiation in weblogic 10.3

    Hi,
    Can someone advise how to disable SSL renegotiation in a WebLogic 10.3 server with JDK 1.6.0_35-b10 or 1.6.0_07-b06?
    I tried setting the properties below when starting the WebLogic server, but they didn't work.
    -Dweblogic.security.disableNullCipher=true -Dweblogic.ssl.AllowUnencryptedNullCipher=false -Dweblogic.security.ssl.enable.renegotiation=false -Dssl.debug=true -Dsun.security.ssl.allowUnsafeRenegotiation=false -Dsun.security.ssl.allowLegacyHelloMessages=false
    I would really appreciate it if anyone can give any advice.

    Thanks PratikS.
    I tried to apply that patch on WebLogic 10.3.0 but got the NoSuchMethodError below. Any idea? Is any other patch needed?
    <Jun 3, 2013 1:25:49 PM CST> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: java.lang.NoSuchMethodError:weblogic.protocol.ServerChannel.getConfig()Lweblogic/management/configuration/NetworkAccessPointMBean;
    java.lang.NoSuchMethodError: weblogic.protocol.ServerChannel.getConfig()Lweblogic/management/configuration/NetworkAccessPointMBean;
    at weblogic.security.utils.SSLContextManager.getChannelSSLContext(SSLContextManager.java:234)
    at weblogic.security.utils.SSLContextManager.getSSLServerSocketFactory(SSLContextManager.java:89)
    at weblogic.server.channels.DynamicSSLListenThread.<init>(DynamicSSLListenThread.java:59)
    at weblogic.server.channels.DynamicListenThreadManager.createListener(DynamicListenThreadManager.java:289)
    at weblogic.server.channels.DynamicListenThreadManager.start(DynamicListenThreadManager.java:129)
    Truncated. see log file for complete stacktrace
    >

  • How to disable SSL Renegotiation

    Hi All,
    A security audit discovered that one of our applications' SSL termination, which resides on our ACE, supports SSL renegotiation, which is, in their opinion, a security risk. As far as I know, turning off this feature is not supported on the ACE. Anyway, I want to be sure before I report this to the auditors. If you know how to disable it, please share it with me!
    We are running 3.0(0)A4(2.2).
    Regards,
    Tamas

    Thank you for your answer.
    Our running version is A5(2.0). It should have rehandshake disabled by default.
    Here are the outputs from some commands:
    ACE# sh run | i rehand
    Generating configuration....
    ACE# sh parameter-map SSL_TERMINATION
    Parameter-map : SSL_TERMINATION
    Description : -
    Type : ssl
        version                            : all
        close-protocol                     : none
        expired-crl                        : allow
        cdp-errors                         : reject
        authentication-failure any         : reject
        session-cache timeout              : disabled
        queue-delay timeout                : disabled
        Accepted cipher list:
          RSA_WITH_RC4_128_MD5 (priority:1)
          RSA_WITH_RC4_128_SHA (priority:1)
          RSA_WITH_AES_128_CBC_SHA (priority:10)
          RSA_WITH_AES_256_CBC_SHA (priority:1)
        rehandshake                        : disabled
        purpose-check                      : enabled
    As you can see, there is no configuration command to activate rehandshake.
    So my question is whether the rehandshake command only affects the ACE's ability to do a rehandshake from its own side, but always lets the client do it if it wants to.
    It isn't easy to find details about this. The only place where I have found a little bit of detail says "Enables rehandshake, allowing the ACE to send an SSL HelloRequest message to its peer to restart SSL handshake negotiation", so it might just be in that direction.
    A follow-up question would be whether it is possible to prevent the client from doing a rehandshake with a command on the ACE.
    If this behaviour is not the intention, this has to be a bug and I would go to the TAC with it.
    I just want to know how the ACE is intended to work before I do that.
    Best Regards,
    /Torbjörn

  • Disable SSL/TLS renegotiation

    Is it possible to disable SSL/TLS renegotiation in SJSWS 7.0?
    I'm asking because of the recently published SSL/TLS protocol flaw (CVE-2009-3555) described here: http://extendedsubset.com/?p=8
    Thanks and regards,
    Jostein Tveit.

    The TLS Renegotiation vulnerability is now addressed in Sun Web Server 7.0u7.
    For more details, please refer to
    http://blogs.sun.com/jyrivirkki/entry/more_thoughts_on_web_server , the forum announcement
    http://forums.sun.com/thread.jspa?threadID=5420698&tstart=0 and
    the blog http://blogs.sun.com/webtier/entry/sun_web_server_7_0u7 .

  • SSL Renegotiation with Mail.app and Outlook 2011

    My organization recently disabled insecure SSL renegotiation in Windows on our Exchange 2007 servers. We did this because the ssllabs.com report for my site gives it an F rating "because it is vulnerable to MITM attacks because it supports insecure renegotiation". We changed a registry setting on the server to match this screenshot:
    However, now that we have added those registry entries, both Outlook 2011 and Mail.app no longer work. They simply will not connect to the servers.
    Has anyone else seen this issue? Can anything be done to fix both issues? Any suggestions are welcome, ranging from server settings to programming solutions. I've been searching for this for a while and have only come across one other person who had this issue, and he never found a fix for it.
    Thanks in advance,
    Chris

    Have a look at this page which Google turned up: http://www.uwc.edu/itresources/OutlookExpressConfig/OutlookExpressSetup.htm
    Whilst it's obviously for Outlook Express, it contains all the details you need to configure the mail client. Point 5 has the server details for IMAP access (you typically can't access a web-based email account in an email client).
    Bear in mind that changes you make on the iPod touch will be reflected when you next log on to your web-based email or desktop email client.
    regards
    mrtotes

  • ILOM, how to disable SSL v2?

    Hello
    Is there any possibility to disable SSL v2?
    I want to use HTTPS to connect to the server (Java Console), but it has to use SSL v3 only. When trying to connect with SSL v2, the connection should not be established.
    Is there any possibility to do this?
    SP Firmware Version is: 3.0.3.20.e
    SP Filesystem Version 0.1.22
    Edited by: Luceks on Sep 2, 2009 4:28 AM

    Hi.
    You should have a SSL section under:
    1) Log in to the ILOM-SP WEB interface.
    2) Click --> Management --> SSL (or similar...)
    3)
    The SSL page appears. There are some sections on the SSL page.
    One section includes targets and properties and you can configure the SSL settings displayed
    in this section page (example):
    **SSL**
    State = Enabled | Disabled
    Roles = Administrator | Operator | Advanced | (none)
    Address = 0.0.0.0
    Port = 0
    4) Save settings page, to save any changes made to this section.
    s.

  • How to disable SSL v3 for sun os 5.6 (OAS 4.0.8), I am facing POODLE vulnerability issue?

    My website is hosted on Sun OS 5.06 (OAS 4.0.8) and uses the web server Oracle_Web_Listener/4.0.8. The website is configured to use HTTPS for secure pages and has been working fine for the last 10 years, but suddenly I am getting complaints from my customers that they cannot browse the site on Chrome version 40 and above and Firefox 34 and above.
    I searched for this issue and found that there is a POODLE attack which may be causing it. Now the only solution I can see is to disable SSL v3 on the server.
    Can anyone help me out with the process, or an idea, of how to disable SSL v3 on this old server? It's a Sun Microsystems server.

    Hi Aamir,
       This is old software, been a while since I saw one of these.
        Normally when SSL was setup there were two listeners, one with SSL and one without, in a different port, so you could try to find this second port, which may work without any need to change the configuration.
        Else, try to check on the OAS manager (Usually on port 8888), the HTTP listener -> WWW -> Network, if there is a setup only for the SSL port, you will need to add a new line, with the same configuration, but a different port and the security disabled.
        Also, there may be some setting on the application itself for the url path. If so, when you navigate in the application it will try to redirect you back to the SSL port. In that case you will need to figure out where to change that, which depend on the application itself.
       Found this page on google with the process to setup SSL on OAS 4.0, you need to do the inverse of step 5.
    WoSign Support: SSL Certificates Installation Instruction - Oracle Web Server (OAS 4.0.8)
    Regards,
    Luis

  • How to disable and enable a java bean area's visability?

    I have a large JavaBean area on my initial canvas when first displaying my form.
    When I use SHOW_CANVAS('canvas name') to display another canvas, everything looks fine except that the JavaBean from my previous canvas is still visible and covering up portions of this new canvas.
    So I tried using set_property visible for the JavaBean area in the form, and it only got rid of the surrounding edge of the JavaBean area.
    Last, I made some set_custom_property values to send to the bean that would then use Java calls to enable and disable the bean's visibility.
    But once the bean's visibility was disabled in Java, it wouldn't come back after the calls to enable the visibility and refresh the bean were made through Java calls.
    Are there any other ways of disabling and enabling a JavaBean area's visibility?
    Thanks,
    Michelle

    Hello,
    Maybe the bean is always displayed because of its particular paint() method?
    Anyway, without any further reflection, I could suggest you set the bean item width and height to 1 pixel when you don't want to display it (Set_Item_Property).
    Francois

  • SSL implementation in Java

    Hi to all
    I am new to the SSL topic and I am trying to implement SSL, so please help me in this regard.
    I am implementing SSL in JSSE (Java). We are developing our application with a self-signed certificate.
    The client implements SSL in C and the server in Java.
    How do I communicate between this client and server? First I want to know how to generate keys and certificates and how to exchange the certificates between client and server.
    Give me one example in this regard.
    Thank you

    Thanks for your reply.
    I already studied the whole JSSE Reference Guide. But there is no explanation for when the client implements SSL in C and the server in Java.
    How do I communicate between this client and server?
    Please, please help in this regard.
    Thank you in advance.
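The exchange the poster asks about, as an added example that is not part of the original thread or of the JSSE Reference Guide: a JSSE server that presents its own self-signed certificate and requires the C/OpenSSL client to present one in return, with the certificates swapped out of band as PEM files. Everything here is editor-supplied and hypothetical: the file names (server.jks, server.pem, truststore.jks, client.key, client.pem), the password "changeit", the aliases, the subject names and port 8443. The keytool and openssl command lines in the comment are constructed for this example; the commands themselves are the standard tools. The JSSE side is written for JDK 6 (no try-with-resources, no diamond operator).

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/*
 * Key material for this example (hypothetical file names, constructed commands):
 *
 *   # 1. Server key pair + self-signed cert in a JKS keystore; export the cert as PEM for the C client.
 *   keytool -genkeypair -alias server -keyalg RSA -keysize 2048 -validity 365 \
 *       -dname "CN=localhost" -keystore server.jks -storepass changeit -keypass changeit
 *   keytool -exportcert -alias server -keystore server.jks -storepass changeit -rfc -file server.pem
 *
 *   # 2. Client key pair + self-signed cert with OpenSSL; import the cert into the server's truststore.
 *   openssl req -x509 -newkey rsa:2048 -nodes -keyout client.key -out client.pem -days 365 -subj /CN=client
 *   keytool -importcert -alias client -file client.pem -keystore truststore.jks -storepass changeit -noprompt
 *
 *   # 3. Test from the C side (or any OpenSSL-based client): it trusts server.pem and presents client.pem.
 *   openssl s_client -connect localhost:8443 -CAfile server.pem -cert client.pem -key client.key
 */
public class MutualTlsEchoServer {

    /** Builds an SSLContext from our identity (keystore) and the peer certs we accept (truststore). */
    static SSLContext buildContext(String keyStorePath, String trustStorePath, char[] password) throws Exception {
        KeyStore keyStore = loadJks(keyStorePath, password);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);

        KeyStore trustStore = loadJks(trustStorePath, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();              // assumption: same password for both stores
        SSLContext ctx = buildContext("server.jks", "truststore.jks", password);
        SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443);
        server.setNeedClientAuth(true);   // handshake fails unless the client presents a cert we trust

        while (true) {
            SSLSocket socket = (SSLSocket) server.accept();
            try {
                socket.startHandshake();  // fail fast, before any application data is exchanged
                Certificate[] chain = socket.getSession().getPeerCertificates();
                X509Certificate clientCert = (X509Certificate) chain[0];
                System.out.println("client authenticated as " + clientCert.getSubjectX500Principal());

                // Echo lines back so the s_client test above shows a working channel.
                BufferedReader reader = new BufferedReader(new InputStreamReader(socket.getInputStream(), "UTF-8"));
                OutputStream out = socket.getOutputStream();
                String line;
                while ((line = reader.readLine()) != null) {
                    out.write((line + "\n").getBytes("UTF-8"));
                    out.flush();
                }
            } finally {
                socket.close();
            }
        }
    }
}
```

Two points worth checking in practice: with setNeedClientAuth(true) a client that presents no certificate, or one not in truststore.jks, fails in startHandshake rather than later, so the error surfaces where it is easy to debug; and because the client certificate is requested in the initial handshake, no renegotiation is needed to obtain it, unlike the IIS behaviour described in the Certicom thread further down this page.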

  • Disable SSL 2.0 on Windows 2008 R2

    Hi.
    Can anyone give me a step-by-step guide on how to disable SSL 2.0 on IIS 7.5, please? I cannot find an article for it, and those referring to IIS 7.0 do not seem to work.
    Regards,
    Morris
    Best Regards, Morris Fury AFRIDATA.net

    Morris -
    Client-side SSL 2.0 is disabled by default on Windows 7 and Windows Server 2008 R2, which means that, when initiating an SSL connection from either of those two OSes, SSL 2.0 will not be sent as a supported protocol that the server can use. You can see this in the following registry value:
    Key: HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client
    Value: DisabledByDefault
    Server-side SSL 2.0 is not, however, disabled by default. This means that some other client, when initiating an SSL connection to Windows Server 2008 R2, can include SSL 2.0 in the list of supported protocols. If SSL 2.0 is the only protocol in common between the client and the server, the server will select it.
    Functionally, there is not much difference between setting Enabled to 0 and setting DisabledByDefault to 1.
    Hope this helps,
    Jonathan Stephens
    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • How to disable graphics and/or java in Firefox 23.0.1

    In previous versions of Firefox, like 19.0, it was a simple matter to disable graphics and/or Java. Simply go to Firefox "Tools", "Options", "Content", unclick "Load images automatically", unclick "Enable JavaScript".
    With Firefox 23.0.1, I don't see that as an option. How do I easily disable and enable graphics and JavaScript?
    I am aware that "Adblock" has some capabilities to do some of this, although I find Adblock more complicated and have not been able to achieve my goals with it.
    This is very important to me.

    "In Firefox 23, as part of an effort to simplify the Firefox options set and protect users from unintentionally damaging their Firefox,"
    Are you kidding? So you mean to tell me that it helps users by requiring them to download third-party add-ons (memory leaks and all) just to do something that used to be as simple as clicking a button?
    If I have to use untrusted third-party add-ons that I need to download to my computer, I may as well just, I don't know, download a new browser while I'm at it.
    If anything, they should have just made it EASIER to find so users could EASILY undo what they EASILY did.
    It's hogwash to say "just use add-ons". I try to keep my add-ons and extensions to the bare necessities for a reason. And coming from a user who until recently was stuck with dial-up (because there were no other options), the ability to remove images is key. That, and if I'm in a public setting, I don't want to put my Facebook images on display.
    Overall, a HUGE mistake by Firefox.

  • Does certicom implementation support ssl renegotiation ?

    Does the Certicom implementation support SSL renegotiation? We are talking to an IIS server from OSB using 2-way SSL and get the error below. IIS doesn't request the client certificate in the initial handshake; it does an SSL renegotiation to request the client certificate.
    <<WLS Kernel>> <> <ac73602e9b9282f3:7f182ebf:1342bdce06c:-8000-0000000000000568> <1323589084326> <BEA-000000> <NEW ALERT with Severity: WARNING, Type: 100 (means No- Renegotiation)
    Is there a way to make Certicom allow renegotiation? We don't want to use JSSE for certain reasons...
    weblogic version 11.1.1.5
    Thanks In advance
    Regards
    Atheek

    ok we need a flag to make it to work : -Dweblogic.security.SSL.enable.renegotiation=true

  • Disabling SSL in Aqualogic Service Registry

    Hi All,
    I have installed and deployed Aqualogic Service Registry (ALSR) on WebLogic Server 9.2. However, by default, SSL is enabled during installation. I tried disabling SSL using the WebLogic Admin Console, but that didn't help. Is there a way I can configure the ALSR war to disable SSL?
    --Vivek

    Hi James,
    As I am using ALSR and not OSR, and also deploying it on WebLogic Server (since ALSR doesn't support the OC4J server), I don't understand why I need to put this question in the SOA Suite forum.
    Installation of ALSR creates registry.war, which eventually gets deployed on WebLogic Server. ALSR doesn't allow me to choose whether SSL is enabled; it chooses it by default, which is not the case in OSR.
    --Vivek

  • Disable SSL 3.0 in DSEE 7

    Hello,
    Is there a way to disable SSL 3.0 in DSEE 7, such that only TLS 1.0/1.1/1.2 can be used?  I Googled for this and found MOS document 1950334.1, but the instructions in the document only apply to a DS proxy server.
    Thanks,
    Dave

    I tried disabling SSLv3 by changing the encryption settings, but it did not actually work. I loaded the LDIF and restarted the instance, and LDAP indicated that the change took effect:
    root@ldap-test:/# ldapsearch -D "cn=Directory Manager" -w xxxxxxxx -b "cn=config" -s sub '(cn=encryption)'
    version: 1
    dn: cn=encryption,cn=config
    objectClass: top
    objectClass: nsEncryptionConfig
    cn: encryption
    nsSSLSessionTimeout: 0
    nsSSLClientAuth: allowed
    nsSSLServerAuth: cert
    nsSSL2: off
    nsKeyfile: alias/slapd-key3.db
    nsCertfile: alias/slapd-cert8.db
    nsSSL3Ciphers: all
    nsSSL3: off
    However, a test with openssl with the "-ssl3" option (forcing it to only use SSLv3) still connected:
    $ /usr/local/openssl-1.0.1k/bin/openssl s_client -connect ldap-test.our-domain.edu:636 -ssl3
    CONNECTED(00000003)
    ... <showed our server certificate, etc.> ...
    If SSLv3 were actually disabled, that openssl test would have failed with an error. Disabling SSLv3 is required by our auditing tool because of the POODLE vulnerability, and a system cannot pass our audit unless SSLv2 and SSLv3 are disabled completely, but TLS 1.0/1.1/1.2 are still available.

  • Apple Mail 8.2 disables SSL to POP3 server (Securityrisk)

    Hi,
    Setup
    Computer:
    OSX 10.10.2
    Mail 8.2 (2070.6)
    Mail server A
    POP3 port 995 SSL
    (Non SSL - port 110 -  is disabled due to security reasons)
    Mail server B
    POP3 port 110
    POP3 port 995 SSL
    Summary
    The OS X Mail client removes SSL support at irregular intervals for POP3 connections. For the connections that support regular non-SSL POP3 (port 110) this reduces the security, but the mail is available. I noticed this because one ISP has locked down their POP3 server to SSL only for security reasons. After re-enabling SSL on the connection (Mail -> Preferences -> Accounts -> Account in question -> Advanced) the connection keeps SSL support for a while, then it is removed again. As OS X Mail has no token to identify an SSL or regular port 110 connection, this is transparent to the user, unless the server does not support regular POP3, at which time an error is generated.
    Comments
    1) This seems to be a security related issue with mail where OS X mail downgrades from SSL connection to regular port 110 POP3 traffic
    2) If corrected the connection is downgraded again within a couple of days, if not sooner.
    3) Connections to POP3 servers supporting port 110 are "unaffected" with the exception of the security issue of a downgrade
    4) Connections to POP3 servers that only support SSL (port 995) are not able to complete until SSL has been re-enabled manually.
    5) Downgrade bug has been seen only on my machine, so it might not be something mainstream. Machine is updated to latest patches.
    Questions
    1) As this has only been observed on my machine, has anybody else seen this POP3 SSL downgrade bug?

    Same problem. The following information is from Symantec:
    To disable SSL\TLS
    Open Apple Mail.
    Click the Mail menu and select Preferences.
    Select your mail account on the left under Accounts, then click the Advanced tab.
    Confirm the check box labeled "use SSL" is not checked next to ports. If necessary remove the checkmark.
    Click the Account Information tab and select Edit Server list from the drop down next to Outgoing Mail Server.
    Click the Advanced tab and confirm there is not a checkmark next to Use Secure Socket Layer(SSL).
    Click OK and close the accounts. Window and choose to save.
    Click Save to update your settings.
    Restart Apple Mail.
    This does work for a while, but eventually Mail reverts to enabling "Use SSL" and disabling "Allow Insecure Authentication", but only on some of my addresses, not all. On some accounts POP logs in but SMTP does not.
