JADE supports the 1.0.2g‑level OpenSSL libraries, which remove support for the insecure SSLv2 method. In addition, JADE has removed support for the insecure SSLv3 method.
From JADE 7.1.07, JADE accepts connections using only TLSv1 or above. The TLSv1.2 method is now the JADE default value. This has the following effects on existing JADE systems.
If a value of SSLv2, SSLv23, or SSLv3 in the SSLMethodName parameter is present in the [JadeAppServer] or [JadeThinClient] section of an existing JADE initialization file, it is overwritten with <default>, a message is written to the jommsg log file, and JADE attempts to make an SSL connection using the new TLSv1.2 default method. This connection can fail for the following reasons.
Existing X509 certificates can be rejected by the OpenSSL libraries if they are incompatible with the upgraded requirements of TLSv1 or higher.
As the previously distributed versions of the insecure OpenSSL example certificates server.pem and client.pem are subject to this condition, a new version of the example certificates is provided with this release.
Existing connections can be refused if the explicit list of ciphers defined in the JADE initialization file is incompatible with the upgraded requirements of TLSv1 and higher.
Unless you have special requirements, leave the value of the SSLCipherNames parameter blank, to use the default, compatible list of ciphers provided by the OpenSSL libraries.
To enhance SSL security, the default values of the SSLMethodName and SSLCipherNames parameters in the [JadeAppServer] and [JadeThinClient] sections of the JADE initialization file are as follows.
SSLMethodName=TLSv1.2
SSLCipherNames=Not specified (compatible ciphers are available from the OpenSSL online documentation or openssl.exe)
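To find affected settings before upgrading, the following added example (not part of JADE or its documentation) scans initialization-file text for the two conditions described above: a deprecated SSLMethodName value and an explicit SSLCipherNames list. It assumes that names and values are matched case-insensitively, that lines starting with ';' are comments, and that <default> is equivalent to a blank SSLCipherNames value; the audit_ini function and the sample file contents are constructed for illustration.

```python
# Added example: pre-upgrade audit of JADE initialization-file text.
DEPRECATED = {"sslv2", "sslv23", "sslv3"}        # values the page says are overwritten
SECTIONS = {"jadeappserver", "jadethinclient"}   # sections the page names

def audit_ini(text):
    """Return a list of (section, parameter, value, note) findings."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):     # assumption: ';' starts a comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section is None or section.lower() not in SECTIONS or "=" not in line:
            continue                             # only the two named sections matter
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "sslmethodname" and value.lower() in DEPRECATED:
            findings.append((section, key, value,
                             "will be overwritten with <default> (TLSv1.2)"))
        elif key.lower() == "sslciphernames" and value not in ("", "<default>"):
            findings.append((section, key, value,
                             "explicit cipher list: confirm TLSv1+ compatibility or leave blank"))
    return findings

# Constructed sample input, not taken from a real system.
SAMPLE_INI = """\
[JadeAppServer]
SSLMethodName=SSLv23
SSLCipherNames=RC4-MD5:DES-CBC3-SHA
[JadeThinClient]
SSLMethodName=TLSv1.2
SSLCipherNames=
[SomeOtherSection]
SSLMethodName=SSLv3
"""

if __name__ == "__main__":
    for section, key, value, note in audit_ini(SAMPLE_INI):
        print(f"[{section}] {key}={value}: {note}")
```

A finding for SSLMethodName means the connection will be attempted with TLSv1.2 after the upgrade, so the certificates and cipher list used by that section should be checked at the same time.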