I have a Java app deployed in tomcat 6. The app sends messages to another service via socket and it needs to use ONLY TLSv1.2 protocol. In my tomcat6.conf file I put this configuration:
JAVA_HOME=/usr/lib/jvm/jre1.7.0_75
JAVA_OPTS="${JAVA_OPTS} -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dhttps.protocols=TLSv1.2"
But it still uses the older TLS version.
Is there any configuration to apply in Java or Tomcat to force the use of TLSv1.2?
Edit 1: The answer provided by @Peter Walser is good and could work. The problem is I can't modify the code because it is a jar provided by a third party, and I can only configure the environment, not the code.
According to https://tomcat.apache.org/whichversion.html, Tomcat 6 is designed for Java 5 and later.
SSLContext context = SSLContext.getInstance("TLSv1.2"); // assumed: the post does not show how the factory was obtained
context.init(null, null, null); // default key managers and trust store
SSLSocketFactory factory = context.getSocketFactory();
SSLSocket socket = (SSLSocket) factory.createSocket(); // unconnected socket, used only to inspect its settings
String[] protocols = socket.getEnabledProtocols();
After running this program within the app the TLS 1.2 gets enabled.
If you are trying to force the server to use TLSv1.2 the following link may provide what you need.
The Apache Tomcat 5.5 Servlet/JSP Container - SSL Configuration HOW-TO
As the doc specifies edit the Tomcat Configuration File as below,
The implementation of SSL used by Tomcat is chosen automatically unless it is overridden as described below. If the installation uses APR - i.e. you have installed the Tomcat native library - then it will use the APR SSL implementation, otherwise it will use the Java JSSE implementation.
To avoid auto configuration you can define which implementation to use by specifying a classname in the protocol attribute of the Connector. To define a Java (JSSE) connector, regardless of whether the APR library is loaded or not do:
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol" port="8443" .../>
Configure the Connector in the $CATALINA_BASE/conf/server.xml file, where $CATALINA_BASE represents the base directory for the Tomcat 6 instance. An example <Connector> element for an SSL connector is included in the default server.xml file installed with Tomcat. For JSSE, it should look something like this:
<!--
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
clientAuth="optional" SSLProtocol="TLSv1"/>
-->
You will note that the example SSL connector elements are commented out by default. You can either remove the comment tags from around the example SSL connector you wish to use or add a new Connector element of your own. In either case, you will need to configure the SSL Connector for your requirements and environment.
The port attribute (default value is 8443) is the TCP/IP port number on which Tomcat will listen for secure connections. You can change this to any port number you wish (such as to the default port for https communications, which is 443). However, special setup (outside the scope of this document) is necessary to run Tomcat on port numbers lower than 1024 on many operating systems.
After completing these configuration changes, you must restart Tomcat as you normally do, and you should be in business. You should be able to access any web application supported by Tomcat via SSL.
Try changing the SSLProtocol attribute in the <Connector> element to SSLProtocol="TLSv1.2".
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
clientAuth="optional" SSLProtocol="TLSv1.2"/>
The https.protocols system property is only considered for HttpsURLConnection and URL.openStream(), as stated in Diagnosing TLS, SSL, and HTTPS:
Controls the protocol version used by Java clients which obtain https connections through use of the HttpsURLConnection class or via URL.openStream() operations. ...
For non-HTTP protocols, this can be controlled through the SocketFactory's SSLContext.
You can configure the SSLSocket as follows:
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
socket.setEnabledProtocols(new String[] {"TLSv1.2"});
When working with REST clients, most of them support configuring the protocols over the SSLContext. Example (JAX-RS client):
SSLContext ctx = SSLContext.getInstance("TLSv1.2");
ctx.init(null, null, null); // the context must be initialised before it can hand out socket factories
Client client = ClientBuilder.newBuilder()
.sslContext(ctx)
// more settings, such as key/truststore, timeouts, logging
.build();