Summary: Salesforce.com recently disabled TLSv1 for their sandbox instances (test.salesforce.com) and can only support TLSv1.1 and above for API integrations for both inbound and outbound requests.
I am using Java Axis1.0 client code with JDK 7.0 to connect (via webservice soap) to salesforce.com. I get exception "UNSUPPORTED_CLIENT: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https."
With Java 7.0:
Supported Protocols: SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2
Enabled Protocols: TLSv1

With Java 8.0, when I try to connect to salesforce.com with a Java 8 client, the connection is successful.
Supported Protocols: SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2
Enabled Protocols: TLSv1, TLSv1.1, TLSv1.2
I have to use Java 7 because our application is using it. I tried setting VM args: -Dhttps.protocols=TLSv1.1,TLSv1.2 -Ddeployment.security.SSLv2Hello=false -Ddeployment.security.SSLv3=false -Ddeployment.security.TLSv1=false -Ddeployment.security.TLSv1.1=true -Ddeployment.security.TLSv1.2=true but no success.
Can you help me find the settings in Java 7 to enable TLSv1.1?
Found a solution:
I had to write a custom JSSESocketFactory (because I am using the Java webservice Axis1.0 client) and AxisProperties settings.
Something like,
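```java
import java.io.IOException;
import java.net.Socket;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Hashtable;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

import org.apache.axis.components.net.BooleanHolder;
import org.apache.axis.components.net.JSSESocketFactory;

public class TLSSocketSecureFactory extends JSSESocketFactory {

    private static final String TLS_VERSION_1_1 = "TLSv1.1";
    private static final String TLS_VERSION_1_2 = "TLSv1.2";

    public TLSSocketSecureFactory(@SuppressWarnings("rawtypes") Hashtable attributes) {
        super(attributes);
    }

    // Create the SSLSocketFactory from a TLSv1.1 SSLContext with default key and trust managers.
    @Override
    protected void initFactory() throws IOException {
        try {
            SSLContext context = SSLContext.getInstance(TLS_VERSION_1_1);
            context.init(null, null, null);
            sslFactory = context.getSocketFactory();
        } catch (NoSuchAlgorithmException | KeyManagementException e) {
            // Surface the failure instead of silently leaving sslFactory null.
            throw new IOException("Unable to initialise TLS context", e);
        }
    }

    @Override
    public Socket create(String host, int port, StringBuffer otherHeaders, BooleanHolder useFullURL) throws Exception {
        if (sslFactory == null) {
            initFactory();
        }
        Socket s = super.create(host, port, otherHeaders, useFullURL);
        // Enable only TLSv1.1 and TLSv1.2 on the returned socket.
        ((SSLSocket) s).setEnabledProtocols(new String[] {TLS_VERSION_1_1, TLS_VERSION_1_2 });
        return s;
    }
}
```

```java
// Tell Axis to use this factory for HTTPS sockets (requires org.apache.axis.AxisProperties).
AxisProperties.setProperty("axis.socketSecureFactory", TLSSocketSecureFactory.class.getCanonicalName());
```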
This is required only for JDK7. When the application is migrated to JDK8, this class is not required. In Java8, TLSv1.1 and TLSv1.2 are enabled by default.
Note: Setting VM config at the server will not help here for the Axis Java client.
From Salesforce documentation:
Java 7: Enable TLS 1.1 and TLS 1.2 using the https.protocols Java system property for HttpsURLConnection. To enable TLS 1.1 and TLS 1.2 on non-HttpsURLConnection connections, set the enabled protocols on the created SSLSocket and SSLEngine instances within the application source code.