Padding Oracle On Downgraded Legacy Encryption (POODLE) security vulnerability
To address security vulnerability CVE-2014-3566 , the Secure Socket Layer (SSL) V3.0 protocol is turned off by default and the TLS protocol is enabled. The vulnerability is addressed by IBM® and by Oracle through different properties. The Oracle implementation takes precedence.
- The application uses a protocol configuration that enables SSL and TLS, which might fall back to SSL V3.0.
- The application explicitly allows or requests SSL V3.0.
|Protocol label||Protocol enabled before the fix||Protocol enabled after the fix|
|SSLv3||SSL V3.0||None, the connection fails.|
|TLS||TLS V1.0 (defined in RFC2246)||TLS V1.0 (defined in RFC2246)|
|TLSv1||TLS V1.0 (defined in RFC2246)||TLS V1.0 (defined in RFC2246)|
|TLSv1.1||TLS V1.1 (defined in RFC4346)||TLS V1.1 (defined in RFC4346)|
|TLSv1.2||TLS V1.2 (defined in RFC5246)||TLS V1.2 (defined in RFC5246)|
|SSL_TLS||Enables all SSL V3.0 and TLS V1.0 protocols||TLS V1.0|
|SSL_TLSv2||Enables all SSL V3.0 and TLS V1.0, V1.1, and V1.2 protocols||Enables all TLS V1.0, V1.1, and V1.2 protocols|
If you must enable SSL V3.0, IBM provides a system property. Set the following system property either statically or dynamically: com.ibm.jsse2.disableSSLv3=false.
This security property has precedence over the IBM system property com.ibm.jsse2.disableSSLv3. The following table shows the effect of setting either the IBM property or the Oracle property, on the SSL v3.0 protocol:
jdk.tls.disabledAlgorithms = <Algorithm_1>, <Algorithm_2>
|jdk.tls.disabledAlgorithms setting||com.ibm.jsse2.disableSSLv3 setting||SSL V3.0 status|
|SSLv3 (default)||true (default)||Disabled|
|No value set (SSLv3 removed)||false||Enabled|
|No value set (SSLv3 removed)||true (default)||Disabled|
This vulnerability is addressed in IBM SDK, Java™ Technology Edition Version 7, service refresh 8.
If your application hard codes the protocol label
SSLv3, you can use the com.ibm.jsse2.convertSSLv3 property to
automatically match the behavior for protocol label
SSL without modifying your
source code. For more information, see Matching SSLv3 to SSL behavior.
For information about setting system properties, see How to Specify a java.lang.system Property.
If your application attempts to use SSL V3.0, the application will fail to negotiate a session. The failure might be manifested in different ways and might not immediately point to an SSL connection error. For more information about the POODLE vulnerability, see IBM SDK, Java Technology Edition fixes to mitigate against the POODLE security vulnerability (CVE-2014-3566).