Problem:
- Product Name: VisiBroker Java
- Product Versions: 6.0 and later
- Product Component: Security
VisiBroker for Java can run over a number of security protocols. How do you configure VisiBroker to use only one particular protocol? Why does setting "vbroker.security.transport.protocol=SSLv3" NOT configure VisiBroker to run on SSLv3?
You can reproduce the issue by following the steps below.
- Add the property "vbroker.security.transport.protocol=SSLv3" to both java_client.properties and java_server.properties in the Bank SSL example in your VisiBroker installation.
- Run the example.
If you capture the packets with Wireshark, you can see that the client does not use SSLv3 to contact the server. It uses SSLv2Hello and TLSv1.
Resolution:
Java by default uses the SSLv2 Hello handshake protocol. For compatibility reasons, some protocols such as SSLv3 and TLSv1 allow sending SSLv3/TLSv1 hellos encapsulated in an SSLv2 format hello.
Why does the VisiBroker ORB use TLSv1 instead of SSLv3 as specified in the property "vbroker.security.transport.protocol"?
In the implementation, VisiBroker uses an SSLContext object for the secure socket protocol. An SSLContext holds all of the protocol state information that is shared across all sockets created under this context. Setting "vbroker.security.transport.protocol=SSLv3" only ensures that the SSLContext object implements at least the requested secure socket protocol. The context will most likely support more protocols than the one requested.
For example, suppose you have requested an "SSLv3" SSLContext. The SSLContext may implement both SSLv3 and TLSv1. It is therefore reasonable that the protocol used is TLSv1 instead of SSLv3, since the SSLContext supports both.
To force the SSLv3 protocol to be used, include the following properties:
vbroker.security.client.socket.enabledProtocols=SSLv3
vbroker.security.server.socket.enabledProtocols=SSLv3
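
The difference between the protocol an SSLContext is requested with and the protocols its sockets actually enable can be seen with plain JSSE. This is an added example, not VisiBroker code and not part of the original article; it assumes the enabledProtocols properties above correspond to the JSSE enabled-protocol list, and the class and method names are hypothetical. It defaults to "TLSv1.3" because current JDKs disable SSLv3 by default.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.Arrays;

public class EnabledProtocolsDemo {

    // Build a client-mode engine from a context requested by protocol name.
    static SSLEngine newEngine(String contextProtocol) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextProtocol);
        ctx.init(null, null, null);          // JDK default key and trust managers
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        return engine;
    }

    // Protocols the engine offers when only the context protocol was chosen.
    static String[] offeredByDefault(String contextProtocol) throws Exception {
        return newEngine(contextProtocol).getEnabledProtocols();
    }

    // Protocols the engine offers after the enabled list is narrowed to one entry.
    static String[] offeredWhenPinned(String contextProtocol, String only) throws Exception {
        SSLEngine engine = newEngine(contextProtocol);
        // Throws IllegalArgumentException if the provider does not support `only`.
        engine.setEnabledProtocols(new String[] { only });
        return engine.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        // Constructed default; pass another name (for example the article's SSLv3) as args[0].
        String requested = args.length > 0 ? args[0] : "TLSv1.3";
        try {
            System.out.println("context requested  : " + requested);
            System.out.println("enabled by default : "
                    + Arrays.toString(offeredByDefault(requested)));
            System.out.println("enabled when pinned: "
                    + Arrays.toString(offeredWhenPinned(requested, requested)));
        } catch (java.security.NoSuchAlgorithmException | IllegalArgumentException e) {
            System.out.println("this JDK cannot provide " + requested + ": " + e.getMessage());
        }
    }
}
```

Compare the "enabled by default" and "enabled when pinned" lines: only the second is limited to the single protocol named, which is the effect the enabledProtocols properties are used for.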