
How to use TLS 1.2 in Java 6

It seems that Java 6 supports TLS up to v1.0, is there any way to use TLS 1.2 in Java 6?

Maybe a patch or a particular update of Java 6 will have support for it?

alex asked Oct 27 '15 09:10



2 Answers

After a few hours of playing with the Oracle JDK 1.6, I was able to make it work without any code change. The magic is done by Bouncy Castle to handle SSL and allow JDK 1.6 to run with TLSv1.2 by default. In theory, it could also be applied to older Java versions with eventual adjustments.

  1. Download the latest Java 1.6 version from the Java Archive Oracle website
  2. Uncompress it on your preferred path and set your JAVA_HOME environment variable
  3. Update the JDK with the latest Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6
  4. Download the Bouncy Castle files bcprov-jdk15to18-165.jar and bctls-jdk15to18-165.jar and copy them into your ${JAVA_HOME}/jre/lib/ext folder
  5. Modify the file ${JAVA_HOME}/jre/lib/security/java.security commenting out the providers section and adding some extra lines
    # Original security providers (just comment it)
    # security.provider.1=sun.security.provider.Sun
    # security.provider.2=sun.security.rsa.SunRsaSign
    # security.provider.3=com.sun.net.ssl.internal.ssl.Provider
    # security.provider.4=com.sun.crypto.provider.SunJCE
    # security.provider.5=sun.security.jgss.SunProvider
    # security.provider.6=com.sun.security.sasl.Provider
    # security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
    # security.provider.8=sun.security.smartcardio.SunPCSC

    # Add the Bouncy Castle security providers with higher priority
    security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider
    security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider

    # Original security providers with different priorities
    security.provider.3=sun.security.provider.Sun
    security.provider.4=sun.security.rsa.SunRsaSign
    security.provider.5=com.sun.net.ssl.internal.ssl.Provider
    security.provider.6=com.sun.crypto.provider.SunJCE
    security.provider.7=sun.security.jgss.SunProvider
    security.provider.8=com.sun.security.sasl.Provider
    security.provider.9=org.jcp.xml.dsig.internal.dom.XMLDSigRI
    security.provider.10=sun.security.smartcardio.SunPCSC

    # Here we are changing the default SSLSocketFactory implementation
    ssl.SocketFactory.provider=org.bouncycastle.jsse.provider.SSLSocketFactoryImpl

Just to make sure it's working let's make a simple Java program to download files from one URL using https.

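    import java.io.*;
    import java.net.*;

    public class DownloadWithHttps {

        public static void main(String[] args) {
            BufferedInputStream in = null;
            FileOutputStream fileOutputStream = null;
            try {
                URL url = new URL(args[0]);
                System.out.println("File to Download: " + url);
                // Save under the last path segment of the URL, in the current directory
                String filename = url.getFile();
                File f = new File(filename);
                System.out.println("Output File: " + f.getName());
                // For https URLs, openStream() goes through the JVM's default SSLSocketFactory
                in = new BufferedInputStream(url.openStream());
                fileOutputStream = new FileOutputStream(f.getName());
                int bytesRead;
                byte[] dataBuffer = new byte[1024];
                while ((bytesRead = in.read(dataBuffer, 0, 1024)) != -1) {
                    fileOutputStream.write(dataBuffer, 0, bytesRead);
                }
            } catch (Exception ex) {
                ex.printStackTrace();
            } finally {
                // Java 6 has no try-with-resources, so close both streams explicitly
                try { if (fileOutputStream != null) fileOutputStream.close(); } catch (IOException ignored) { }
                try { if (in != null) in.close(); } catch (IOException ignored) { }
            }
        }
    }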

Now, just compile the DownloadWithHttps.java program and execute it with your Java 1.6

    ${JAVA_HOME}/bin/javac DownloadWithHttps.java
    ${JAVA_HOME}/bin/java DownloadWithHttps https://repo1.maven.org/maven2/org/apache/commons/commons-lang3/3.10/commons-lang3-3.10.jar

Important note for Windows users: This solution was tested on a Linux OS; if you are using Windows, please replace ${JAVA_HOME} with %JAVA_HOME%.

Wellington Souza answered Oct 02 '22 13:10
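A successful download does not by itself show which protocol version was negotiated. The following diagnostic is an added example, not part of the answer above: it prints the provider order, the default SSLSocketFactory class, and the negotiated protocol, and exits non-zero if the session is older than TLSv1.2. The class name `TlsCheck` and the command-line arguments are assumptions made for illustration.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical diagnostic class (not from the answer); uses Java 6 compatible syntax only.
public class TlsCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TlsCheck <host> [port]");
            System.exit(2);
        }
        String host = args[0];
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        // Provider order as the JVM loaded it from java.security
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("provider " + (i + 1) + ": " + providers[i].getName());
        }

        // The same default factory that URL.openStream() ends up using for https
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        System.out.println("default factory: " + factory.getClass().getName());

        boolean legacy;
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.setSoTimeout(10000);
            System.out.println("enabled: " + Arrays.toString(socket.getEnabledProtocols()));
            // A raw SSLSocket performs no host name verification: diagnostic use only
            socket.startHandshake();
            String protocol = socket.getSession().getProtocol();
            System.out.println("negotiated: " + protocol + " / "
                    + socket.getSession().getCipherSuite());
            legacy = "SSLv3".equals(protocol) || "TLSv1".equals(protocol)
                    || "TLSv1.1".equals(protocol);
        } finally {
            socket.close();
        }
        if (legacy) {
            System.err.println("FAIL: session is older than TLSv1.2");
            System.exit(1);
        }
    }
}
```

Compile and run it with the patched JDK against the host used above (`${JAVA_HOME}/bin/java TlsCheck repo1.maven.org`). If the default factory is not the `org.bouncycastle.jsse.provider.SSLSocketFactoryImpl` class named in java.security, the JVM is not reading the edited file.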


Public Oracle Java 6 releases do not support TLSv1.2. Paid-for releases of Java 6 (post-EOL) might. (UPDATE - TLSv1.1 is available for Java 1.6 from update 111 onwards; source)

Contact Oracle sales.

Other alternatives are:

  • Use an alternative JCE implementation such as Bouncy Castle. See this answer for details on how to do it. It changes the default SSLSocketFactory implementation, so that your application will use BC transparently. (Other answers show how to use the BC SSLSocketFactory implementation explicitly, but that approach will entail modifying application or library code that is opening sockets.)

  • Use an IBM Java 6 ... if available for your platform. According to "IBM SDK, Java Technology Edition fixes to mitigate against the POODLE security vulnerability (CVE-2014-3566)":

    "TLSv1.1 and TLSv1.2 are available only for Java 6 service refresh 10, Java 6.0.1 service refresh 1 (J9 VM2.6), and later releases."


However, I'd advise upgrading to a Java 11 (now). Java 6 was EOL'd in Feb 2013, and continuing to use it is potentially risky. Free Oracle Java 8 is EOL for many use-cases. (Tell or remind the boss / the client. They need to know.)

Stephen C answered Oct 02 '22 13:10