{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 forever°为你锁心 的问题《How can I disable TLSv1 without change source code》','https://www.manongdao.com/q-993654.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I write a test code(not HTTPS) to test TLS with JDK8. When the test code runs, I use nmap tool to scan and get result as follow:
D:\softwares\nmap-7.12>nmap -p xxxx --script=ssl* x.x.x.x --unprivileged
Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-26 15:33 °?′óà????÷2?±ê×?ê±??
Nmap scan report for x.x.x.x
Host is up (1.0s latency).
PORT STATE SERVICE
xxxx/tcp open unknown
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
| TLSv1.1:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) -A
| compressors:
| NULL
| cipher preference: indeterminate
| cipher preference error: Too few ciphers supported
|_ least strength: A
MAC Address: xx:xx:xx:xx:xx:xx
Nmap done: 1 IP address (1 host up) scanned in 3.88 seconds
D:\softwares\nmap-7.12>
JDK8 enables TLSv1.0 as default, but I want to disable it.
Protocols
The SunJSSE provider supports the following protocol parameters:
Protocol Enabled by Default for Client Enabled by Default for Server
SSLv3 No(Unavailable Footnote 2) No(Unavailable Footnote 2)
TLSv1 Yes Yes
TLSv1.1 Yes Yes
TLSv1.2 Yes Yes
https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunJSSE_Protocols
I invoke "setEnabledProtocols" method of javax.net.ssl.SSLEngine class on my test code, TLSv1.0 can be disabled perfectly.
Is there a way to disable TLSv1.0 without change code? for example via configuration file.
I tried several methods as follow, but no one can achieve the desired effect :(
1. -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2
2. -Ddeployment.security.TLSv1=false
Here is the java version:
java version "1.8.0_92"
Java(TM) SE Runtime Environment (build 1.8.0_92-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.92-b14, mixed mode)
Thank you for your reply first. If modify
JRE/lib/security/java.security, that will have a global impact.Here is my solution: Copy
JRE/lib/security/java.securityto a new file, and add TLSv1 tojdk.tls.disabledAlgorithms.then, start JVM like this:
java
-Djava.security.properties=./java.security-jar xxxxxHere is the summary from
JRE/lib/security/java.security:You appear to be writing a server, and
jdk.tls.client.protocolsapplies to clients, hence the name; although slightly less obvious, in basic JavaSE 'deployment' means browser-or-WebStart which is a subset of client.There is no property specifically for TLS (or HTTPS) server protocols, but the security property
jdk.tls.disabledAlgorithmsapplies to both client and server (and all context types also) and can be set inJRE/lib/security/java.securityas stated in the page you linked. Be sure to keep the existing restrictions (especially removing SSLv3, since 8u31) while adding yours.