dropbox / dropbox-sdk-java

A Java library for the Dropbox Core API.
https://www.dropbox.com/developers/documentation/java
MIT License

DbxClientV2 always uses TLSv1 #239

Closed florent-tradeshift closed 5 years ago

florent-tradeshift commented 5 years ago

When you disable TLSv1 from java.security, DbxClientV2 cannot connect anymore to Dropbox APIs.

This is due to the code in SSLConfig.java method limitProtocolsAndCiphers.

By default, it's iterating over all supported protocols and as soon as it finds one that it knows, it will take that one (and not the strongest one)!

getSupportedProtocols returns all protocols and the list is not sorted.


Solution:

greg-db commented 5 years ago

Thanks for the report! I'll ask the team to get this fixed up.

cakoose commented 5 years ago

@florent-tradeshift: There seem to be two problems with the code. One is that it doesn't prioritize later versions of TLS.

The other is that it doesn't interact well with the "java.security" configuration. If you disable "TLSv1" in "java.security", it should pick another acceptable version, right? (Same for ciphersuite selection.) Do you know how to make that work?

florent-tradeshift commented 5 years ago

@cakoose It doesn't seem that SSLSocket#getSupportedProtocols takes the java.security configuration into account. It just lists all SSL protocols that it can use to create an SSL connection. You can use getEnabledProtocols() to get the list of default enabled protocols. https://stackoverflow.com/questions/28236091/how-to-enable-ssl-3-in-java
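Both points raised in this thread (prefer the newest TLS version instead of the first one found in the unsorted `getSupportedProtocols()` list, and honour what `java.security` leaves enabled by intersecting with `getEnabledProtocols()`) can be handled by one selection routine. The following is an added example, not the SDK's `SSLConfig.limitProtocolsAndCiphers`; the class and method names and the sample protocol arrays are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

// Hypothetical helper (not the SDK's code): picks protocols in strength order
// and only from the set the JVM actually has enabled.
public class ProtocolSelection {
    // Strongest first. Anything not listed here is never selected.
    static final String[] PREFERRED_PROTOCOLS = { "TLSv1.3", "TLSv1.2" };

    /**
     * Returns the subset of PREFERRED_PROTOCOLS that the socket both supports
     * and has enabled, in preferred (strongest-first) order rather than in the
     * unsorted order returned by SSLSocket#getSupportedProtocols().
     */
    static String[] selectProtocols(String[] supported, String[] enabled) {
        Set<String> supportedSet = new LinkedHashSet<>(Arrays.asList(supported));
        // getEnabledProtocols() already reflects jdk.tls.disabledAlgorithms from
        // java.security, so intersecting with it respects that configuration.
        Set<String> enabledSet = new LinkedHashSet<>(Arrays.asList(enabled));
        List<String> chosen = new ArrayList<>();
        for (String p : PREFERRED_PROTOCOLS) {
            if (supportedSet.contains(p) && enabledSet.contains(p)) {
                chosen.add(p);
            }
        }
        if (chosen.isEmpty()) {
            // Fail closed instead of silently falling back to an older protocol.
            throw new IllegalStateException("no acceptable TLS protocol is enabled");
        }
        return chosen.toArray(new String[0]);
    }

    public static void main(String[] args) {
        // Constructed sample input: an unsorted supported list as a JVM might
        // report it, and an enabled list where TLSv1/TLSv1.1 were disabled via
        // java.security.
        String[] supported = { "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3", "SSLv3" };
        String[] enabled = { "TLSv1.3", "TLSv1.2" };
        System.out.println(Arrays.toString(selectProtocols(supported, enabled)));
        // On a real socket this would be applied as:
        // socket.setEnabledProtocols(
        //     selectProtocols(socket.getSupportedProtocols(), socket.getEnabledProtocols()));
    }
}
```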

greg-db commented 5 years ago

This change should be live in the latest release now, currently v3.1.1.