ting liu

Reputation: 11

Restrict SSL protocols to TLS 1.2 on Vert.x

I'd like to restrict SSL protocols to TLS 1.2 on Vert.x 2.1.5 as an HTTP server and client. I'm using JDK 7. Does anyone have experience with how to do it?

Upvotes: 1

Views: 2105

Answers (1)

Robert Christian

Reputation: 18310

Oracle says here that SSL protocols should be restricted on JRE 7 by explicitly setting enabled protocols on the SSL Engine:

sslEngine.setEnabledProtocols(new String[] {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"});

Now check out the TCPSSLHelper.java class in Vert.x v2.1.5. There is a constant containing the list of enabled protocols, and it's used to set the enabled protocols on the SSL Engine:

// Make sure SSLv3 is NOT enabled due to POODLE issue 
private static final String[] ENABLED_PROTOCOLS = 
    {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2"};

Change that value to {"TLSv1.2"} to limit support to TLSv1.2.

For a quick test:

  • Create the org.vertx.java.core.net.impl package in your own project
  • Copy TCPSSLHelper to your package and edit the enabled protocols constant
  • Build and run.
  • CURL using the specific protocol directives, and see that the server will only connect with TLSv1.2.

Your source will typically come before third party source on the classpath, so this change will override the class in the Vert.x lib and is all you need to restrict to TLSv1.2.

Ideally this would be submitted back to Vert.x as a patch, where the protocols are read from the command line as properties.

Upvotes: 1
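The following is an added example, not code from Vert.x or from the answer above. It makes the same setEnabledProtocols call that TCPSSLHelper makes, but on a plain SSLEngine from the default SSLContext, filters the allow-list against what the running JRE actually supports (setEnabledProtocols throws IllegalArgumentException on an unknown name), and then verifies that nothing outside the allow-list is still enabled. The class and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

/** Added example (not Vert.x code): restrict an SSLEngine to an allow-list and verify it. */
public class Tls12Only {
    // The value the answer suggests for Vert.x's ENABLED_PROTOCOLS constant.
    static final String[] ALLOWED = {"TLSv1.2"};

    /** Enable only the allow-listed protocols that this JRE supports; returns what is now enabled. */
    static String[] restrict(SSLEngine engine, String[] allowed) {
        Set<String> supported = new HashSet<String>(Arrays.asList(engine.getSupportedProtocols()));
        Set<String> enable = new HashSet<String>();
        for (String p : allowed) {
            if (supported.contains(p)) {
                enable.add(p);
            } else {
                System.err.println("skipping protocol not supported by this JRE: " + p);
            }
        }
        if (enable.isEmpty()) {
            throw new IllegalStateException("none of " + Arrays.toString(allowed) + " is supported here");
        }
        // Filtering above avoids the IllegalArgumentException setEnabledProtocols raises on unknown names.
        engine.setEnabledProtocols(enable.toArray(new String[enable.size()]));
        return engine.getEnabledProtocols();
    }

    /** True only if every enabled protocol is in the allow-list (no SSLv3 or TLSv1 left behind). */
    static boolean verify(SSLEngine engine, String[] allowed) {
        Set<String> ok = new HashSet<String>(Arrays.asList(allowed));
        for (String p : engine.getEnabledProtocols()) {
            if (!ok.contains(p)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // On JDK 7 the default context supports TLSv1.2, but a client engine does not enable it by default.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        System.out.println("before: " + Arrays.toString(engine.getEnabledProtocols()));
        System.out.println("after:  " + Arrays.toString(restrict(engine, ALLOWED)));
        if (!verify(engine, ALLOWED)) {
            throw new AssertionError("engine still enables a protocol outside the allow-list");
        }
    }
}
```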
