nesi / oa4mp-shibboleth

Extensions to the OAuth for MyProxy project to allow it to retrieve user information from a shibboleth service provider.

oa4mp uses legacy "SSL" protocol #1

Open vladimir-mencl-eresearch opened 9 years ago

vladimir-mencl-eresearch commented 9 years ago

In edu.uiuc.ncsa.myproxy.MyProxyLogon.connect(), oa4mp uses:

 SSLContext.getInstance("SSL")

which breaks with OpenJDK 1.7.0.79, which disables SSLv3 by default in jre/lib/security/java.security.

This is really an upstream issue, but recording it here, as we should also switch to a newer upstream release. (And report/chase this upstream if not fixed yet).

vladimir-mencl-eresearch commented 9 years ago

See [1] for the list of suitable protocol names to pass to [2].

[1] http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext
[2] http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLContext.html#getInstance%28java.lang.String%29

jbasney commented 8 years ago

Hi. This was fixed in upstream OA4MP v1.2 in October 2014:

So switching to the current upstream release should take care of it.
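For checking a given JRE against the problem discussed in this issue, the following added example (not code from OA4MP or from anyone in this thread) prints which protocol versions the "SSL" and "TLS" context names enable by default, then builds parameters pinned to TLS versions only. The class name `TlsContextCheck` and the helper names are assumptions made for illustration; `jdk.tls.disabledAlgorithms` is the security property set in the JRE's `java.security` file.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical diagnostic class, not part of OA4MP.
public class TlsContextCheck {
    // Protocols a context with this name enables on new sockets/engines by default.
    static String[] defaultProtocols(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        ctx.init(null, null, null); // default key managers, trust managers, RNG
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Parameters restricted to TLS versions (drops SSLv3 and SSLv2Hello if present).
    static SSLParameters tlsOnly(SSLContext ctx) {
        SSLParameters params = ctx.getDefaultSSLParameters();
        List<String> keep = new ArrayList<String>();
        for (String p : params.getProtocols()) {
            if (p.startsWith("TLSv")) keep.add(p);
        }
        if (keep.isEmpty()) {
            throw new IllegalStateException("no TLS protocol enabled in this JRE");
        }
        params.setProtocols(keep.toArray(new String[0]));
        return params; // apply with SSLSocket.setSSLParameters(params)
    }

    public static void main(String[] args) throws Exception {
        // Algorithms and protocol versions the JRE's java.security file disables.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        for (String name : new String[] {"SSL", "TLS"}) {
            try {
                System.out.println(name + " -> " + Arrays.toString(defaultProtocols(name)));
            } catch (NoSuchAlgorithmException e) {
                System.out.println(name + " -> not offered by this JRE's providers");
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        System.out.println("pinned -> " + Arrays.toString(tlsOnly(ctx).getProtocols()));
    }
}
```

Running it on both the old and the upgraded JRE shows whether SSLv3 is still among the enabled protocols before any connection is attempted.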