In a large Java app, is there a way to ensure that only TLSv1.2 or above is used?

If I were working on a large Java app with many developers, and in the code there are various means of connecting to https services, is there a fairly straightforward way to enforce that they are all using TLS v1.2?

I've tried using -Dhttps.protocols=TLSv1.2 and -Djdk.tls.client.protocols=TLSv1.2 in a test app, and httpclient is happy to use TLSv1 or TLSv1.1.

Alternatively, if there were a straightforward way to log the SSL connections in a manner that allows me to figure out which call the handshake is coming from, that would work and I could just pound each gopher as it comes up. Unfortunately, enabling -Djavax.net.debug=ssl just vomits out a ton of information to STDOUT and there's no easy way for me to trace a given *** ServerHello, TLSv1.1 to a particular server call.

Upvotes: 2

Views: 831

Answers (1)

pedrofb

Reputation: 39281

With Java 8, TLSv1.2 is enabled by default, but TLSv1 and TLSv1.1 are also available. To restrict outbound connections to use TLSv1.2, configure

 jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1

in jre/lib/java.security

This will force all connections to TLSv1.2, therefore if an existing server does not support it, the connection will fail.

With the snippet below you can check it without disabling:

Supported Protocols: 5
 SSLv2Hello
 SSLv3
 TLSv1
 TLSv1.1
 TLSv1.2
Enabled Protocols: 3
 TLSv1
 TLSv1.1
 TLSv1.2

with disabledAlgorithms:

Supported Protocols: 5
 SSLv2Hello
 SSLv3
 TLSv1
 TLSv1.1
 TLSv1.2
Enabled Protocols: 1
 TLSv1.2

Use this to print the SSL context:

import java.io.IOException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

private static void printSSLContext() throws IOException, NoSuchAlgorithmException, KeyManagementException {
    // null key managers, trust managers and SecureRandom: use the JVM defaults,
    // so the context reflects the policy in java.security (jdk.tls.disabledAlgorithms)
    SSLContext context = SSLContext.getInstance("TLSv1.2");
    context.init(null, null, null);

    SSLSocketFactory factory = context.getSocketFactory();
    SSLSocket socket = (SSLSocket) factory.createSocket();

    // Everything the provider implements, including protocols that are disabled
    String[] protocols = socket.getSupportedProtocols();
    System.out.println("Supported Protocols: " + protocols.length);
    for (int i = 0; i < protocols.length; i++) {
        System.out.println(" " + protocols[i]);
    }

    // What this socket would actually offer in a handshake
    protocols = socket.getEnabledProtocols();
    System.out.println("Enabled Protocols: " + protocols.length);
    for (int i = 0; i < protocols.length; i++) {
        System.out.println(" " + protocols[i]);
    }

    // getSupportedCipherSuites() lists all suites, not only the enabled ones
    String[] ciphers = socket.getSupportedCipherSuites();
    System.out.println("Supported Ciphers: " + ciphers.length);
    for (int i = 0; i < ciphers.length; i++) {
        System.out.println(" " + ciphers[i]);
    }

    socket.close();
}

Upvotes: 1
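The same policy can be applied and verified from code at application startup, which is useful when you cannot rely on every JVM having an edited java.security. The example below is added here and is not part of the answer above; the class name `TlsPolicyGuard` and its method names are my own. It merges the legacy protocol names into `jdk.tls.disabledAlgorithms` via `Security.setProperty` and then fails fast if the default SSLContext would still offer anything below TLSv1.2.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

/**
 * Startup guard (added example, not from the original answer).
 * Must run before anything in the process touches an SSLContext: the
 * disabledAlgorithms property is read when the JSSE provider initialises,
 * and SSLContext.getDefault() is cached after first use.
 */
public final class TlsPolicyGuard {

    private static final List<String> LEGACY =
            Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1");

    /** Adds the legacy protocols to whatever java.security already disables. */
    public static void disableLegacyProtocols() {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        Set<String> entries = new LinkedHashSet<>();
        if (current != null) {
            for (String e : current.split(",")) {
                if (!e.trim().isEmpty()) entries.add(e.trim());
            }
        }
        entries.addAll(LEGACY); // keeps existing entries such as RC4 or MD5withRSA
        Security.setProperty("jdk.tls.disabledAlgorithms", String.join(", ", entries));
    }

    /** Protocols a socket from the default context would actually offer. */
    public static List<String> enabledProtocols() throws Exception {
        return Arrays.asList(SSLContext.getDefault().getDefaultSSLParameters().getProtocols());
    }

    /** Throws at boot if a legacy protocol is still enabled. */
    public static void assertTls12OrAbove() throws Exception {
        List<String> enabled = enabledProtocols();
        for (String p : enabled) {
            if (LEGACY.contains(p)) {
                throw new IllegalStateException("Legacy protocol still enabled: " + p + " in " + enabled);
            }
        }
    }

    public static void main(String[] args) throws Exception {
        disableLegacyProtocols();
        assertTls12OrAbove();
        System.out.println("Enabled protocols: " + enabledProtocols());
    }
}
```

Call `TlsPolicyGuard.disableLegacyProtocols()` from the application's entry point before any HTTP client or connection pool is created, and add `assertTls12OrAbove()` to a startup health check so a misconfigured JVM refuses to come up rather than silently negotiating TLSv1.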
