Menu
I am trying to enable TLS 1.2 on Tomcat on Spring-boot 1.2.1. Android 5.0 is failing to connect to the default SSL settings, due to an SSL handshake failure. Android 4.4, iOS, Firefox, and Chrome all connect to the default version. I think this is because of a mismatch in the TLS protocols supported in Android 5.0 and the spring boot tomcat defaults (TLS v1?).
I imagine I want to change this application.properties setting:
server.ssl.protocol=TLS but I have not located the other acceptable strings (or if there are any, even). There is no enumeration that I can find by searching on "protocol" in spring boot github. I have tried "TLSv1.2", but this appears to have no effect.
The current SSL configuration in application.properties is:
server.ssl.key-store = chainedcertificates.p12 server.ssl.key-store-password = secret server.ssl.key-store-type = PKCS12 How do you enable TLS 1.2 in spring boot?
If it matters, I am using Java 1.7. The documentation for this seems to indicate it should support TLS 1.2.
Tomcat 8 seems to have support present. I am not sure how to check exactly which version is running in spring boot.
754
Newer spring-boot versions support TLS 1.2 but you can determine your version with the command: openssl s_client -connect serverAddress:port. You can use the command in 1. or SSLScan. TLS is a client AND a server side touching protocol. It defines the way both of them are securely communicating with each other.
TLS 1.2 is automatically enabled in Google Chrome version 29 or greater.
You may experience an SSL handshake error due to the default ciphers that spring boot includes. It is recommended that you define a set of ciphers. We had a similar issue, and the way we fixed it was by using SSLScan on the caller and then scanning our system to see if there were any matches. This lead us to find out that there were no matches and helped us define a list of ciphers we should support.
Using SSLScan these are the default ciphers spring boot will use:
Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256 Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256 Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits To enable TLS 1.2 and to define the cipher list please do the following:
#enable/diable https server.ssl.enabled=true #ssl ciphers server.ssl.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256, INCLUDE_ANY_OTHER_ONES_YOU_NEED_TO_SUPPORT # SSL protocol to use. server.ssl.protocol=TLS # Enabled SSL protocols. server.ssl.enabled-protocols=TLSv1.2 For a list of of ciphers you can use https://testssl.sh/openssl-rfc.mapping.html and https://msdn.microsoft.com/en-us/library/windows/desktop/mt813794(v=vs.85).aspx
192
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
