How to set TLS1.2 version in Java

Question

Environment details:

java version "1.7.0_40"
Java(TM) SE Runtime Environment (build 1.7.0_40-b43)
Java HotSpot(TM) 64-Bit Server VM (build 24.0-b56, mixed mode).

We are using jboss-4.2.3.GA and thick client using ejb.

And we have tried to set the TLS1.2 version in the following ways:

1. Control Panel --> Programs-->Java-->Advanced Tab-->Advanced Security Settings checked the TLS1.1 and TLS1.2 and unchecked the remaining old versions. But still in Wire shark software we are seeing client is talking to server in TLSV1 only.

2. -Ddeployment.security.SSLv2Hello=false -Ddeployment.security.SSLv3=false -Ddeployment.security.TLSv1=false -Ddeployment.security.TLSv1.1=true -Ddeployment.security.TLSv1.2=true

   Given in the startup script, but in Wire shark software we are seeing client is talking to server in TLSV1 only.

   Reference link : https://superuser.com/questions/747377/enable-tls-1-1-and-1-2-for-clients-on-java-7

3. jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1

   in the jre/lib/security/java.security and jdk1.7.0_40/jre/lib/security/java.security. But still in Wire shark software we are seeing client is talking to server in TLSV1 only.

   Reference link : How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections

Can somebody tell us how enforce TLS1.2 version for both client and server.

Answer 1

I'm using Tomcat 6 with java 7 because java 6 and earlier versions don't support TLS1.2.

For configuring my server I did the following:

1. Modified the file server.xml at tag Connector on its attribute sslEnabledProtocols as follows:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="450" scheme="https" secure="true"
           keystoreFile="<your_keystore>" keystorePass="<somepasswd>" clientAuth="false"
           keyAlias="tomcat" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
           URIEncoding="UTF-8" maxHttpHeaderSize="32768" 
           ciphers = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,
                      TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" />

2. I tested my whole application for avoiding no compatibilities.

Answer 2

I am working with a Java command application and had a similar issue.

From Oracle, java 7 default using TLSv1, java 8 default using TLSv1.2

After I try to the application using JRE8, the application starts to use TLSv1.2 automatically. Here is my java info:

java version "1.8.0_92"
Java(TM) SE Runtime Environment (build 1.8.0_92-b14)
Java HotSpot(TM) 64-Bit Server VM (build 25.92-b14, mixed mode)

I continued to search how I can configure what runtime TLS version with Java8, I tried your 1st,2nd way (also including -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2) and nothing really changed.

I am able to see runtime changes when using your 3rd way for java8: jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1. I am not able to make it work using java7. Not sure if this is the same issue you have. Did you modify the correct JRE configuration your application is running on? Or if you could upgrade to java 8 and try again?

Oracle needs to provide better documentation, good luck!