SCIENTIFIC-LINUX-USERS Archives

January 2015

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Steven Haigh <[log in to unmask]>
Reply To:
Steven Haigh <[log in to unmask]>
Date:
Sat, 31 Jan 2015 13:38:20 +1100
Content-Type:
multipart/signed
Parts/Attachments:
text/plain (4 kB) , signature.asc (4 kB)
On 31/01/15 13:30, Steven Haigh wrote:
> On 31/01/15 03:44, Vladimir Mosgalin wrote:
>> Hi hansel!
>>
>>  On 2015.01.29 at 19:30:33 -0500, hansel wrote next:
>>
>>> If I download the Oracle rpm for 1.8, do the necessary links in
>>> /etc/alternatives, remove Open JDK 1.7 and make sure the environment
>>> variables are correct, do I avoid crashes (or silent errors) -- to the
>>> best
>>> of more experienced SL users' knowledge, of course?
>>>
>>> Some of what I do depends on Java version 1.8 and I need to do
>>> something. (On
>>> other distros, I would just do it (and did with Ubuntu), but SL7 docs
>>> carry
>>> strong warnings about introducing conflicts.)
>>
>> You don't have to "remove" OpenJDK 1.7 if there is some dependency
>> installed. alternatives system allows multiple java versions to be
>> installed at the same time.
>>
>> The warnings mostly apply to the way Oracle JDK is packaged, if you
>> correct the packaging there is no problem with having it on the system,
>> and no need to remove openjdk (if something depends on it) too.
>>
>> For example, one of the Oracle JDK packaging problems is inability to
>> install both 32-bit and 64-bit JDK from rpm (official workaround:
>> "install from .bin bundle into distinct directories"). Another problem
>> is manual steps required for activating browser plugin.
>> OpenJDK doesn't suffer from these and other problems.
>>
>> RHEL offers Oracle JDK 1.7 and 1.8 packages, for example, properly
>> repackaged and ready to install. So there is definitely no inherent
>> incompatibility.
> 
> On a related note, from what I can tell the update to 1.8 has disabled
> some SSL connect methods. Sadly, this has locked me out of any Dell
> DRAC5 remote console interfaces...
> 
> I'm hunting for a way to re-enable the disabled SSL methods, but I'm not
> quite sure how to do so...
> 
> I'm on Fedora 21 on my desktop - but I believe it's the same with any
> upgrade to 1.8 - even the Oracle JRE disables these SSL methods :(

Whoops - forgot to paste in my reference for this:
	https://rhn.redhat.com/errata/RHSA-2015-0069.html

Although, further research that turned up the above URL also shows:

A flaw was found in the way the SSL 3.0 protocol handled padding bytes
when decrypting messages that were encrypted using block ciphers in
cipher block chaining (CBC) mode. This flaw could possibly allow a
man-in-the-middle (MITM) attacker to decrypt portions of the cipher text
using a padding oracle attack. (CVE-2014-3566)

Note: This update disables SSL 3.0 by default to address this issue.
The jdk.tls.disabledAlgorithms security property can be used to
re-enable SSL 3.0 support if needed. For additional information, refer
to the Red Hat Bugzilla bug linked to in the References section.

Further digging on that shows up:
Users who need to re-enable SSL 3.0 protocol support in OpenJDK or
Oracle JDK can do so using one of the following ways:

* Change the master security properties file to not include SSLv3 in the
list of disabled algorithms.  The java.security files for each JDK can
be found at the following path:

  /usr/lib/jvm/*/jre/lib/security/java.security

The sub-directory under /usr/lib/jvm contains package name (such as
java-1.7.0-openjdk or java-1.7.0-oracle) possibly followed by package
version or architecture (depending on the JDK and its version).

Note that the change to the file will affect all applications using
given JDK.  Local changes to the file will also cause new java.security
versions to be installed as java.security.rpmnew if future updates
change packaged version, requiring manual merge of changes.

* Re-enable SSLv3 support only for specific application or applications
that require it.  Create a new security properties file that will
override the default jdk.tls.disabledAlgorithms setting from the master
java.security, and use the java.security.properties system property to
make Java read the file in addition to the master security properties
file.  Example:

  $ cat enable-ssl3.security
  jdk.tls.disabledAlgorithms=

  $ java -Djava.security.properties=/path/to/enable-ssl3.security ...

Note that this only works if the master security properties file sets
the security.overridePropertiesFile security property to true.  That is
the default setting in all OpenJDK and Oracle JDK packages shipped in
Red Hat Enterprise Linux.

-- 
Steven Haigh

Email: [log in to unmask]
Web: http://www.crc.id.au
Phone: (03) 9001 6090 - 0412 935 897
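
Added example, not part of the original message or of the Red Hat text it quotes: an empty `jdk.tls.disabledAlgorithms=` value clears the whole disabled list, so this sketch reads a master java.security file, checks that security.overridePropertiesFile is true, and builds per-application override text that removes only SSLv3 and keeps every other entry. The function names and the sample file contents are constructed for illustration.

```python
import glob

def read_props(text):
    """Parse the subset of .properties syntax java.security uses:
    '#'/'!' comment lines, key=value, and backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def narrow_override(master_text, allow="SSLv3"):
    """Return what to put in the per-application override file so that only
    `allow` is re-enabled, plus whether the master file honours overrides."""
    props = read_props(master_text)
    raw = props.get("jdk.tls.disabledAlgorithms", "")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    # Names are compared case-insensitively here (a choice made in this sketch).
    kept = [e for e in entries if e.lower() != allow.lower()]
    return {
        "disabled_in_master": len(kept) != len(entries),
        "override_honoured":
            props.get("security.overridePropertiesFile", "").lower() == "true",
        "override_text": "jdk.tls.disabledAlgorithms=" + ", ".join(kept) + "\n",
    }

# Constructed sample, not a real java.security file.
SAMPLE_MASTER = r"""
# master security properties (constructed)
security.overridePropertiesFile=true
jdk.tls.disabledAlgorithms=SSLv3, RC4, \
    DH keySize < 768
"""

if __name__ == "__main__":
    print(narrow_override(SAMPLE_MASTER))
    # Path pattern quoted in the message above.
    for path in glob.glob("/usr/lib/jvm/*/jre/lib/security/java.security"):
        with open(path) as fh:
            print(path, narrow_override(fh.read()))
```

Write `override_text` to the file passed via -Djava.security.properties only for the application that needs SSL 3.0; if `override_honoured` is false, that JDK will ignore the file.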


