Reputation: 1024
I am running Java 8 and using com.sun.net.httpserver.HttpsServer to create an HTTPS server. I have a working implementation using a trusted CA-signed EC certificate in a Java KeyStore.
I have been looking at how I could restrict which ciphers and protocols the server supports (similar to Apache using "SSLProtocol" and "SSLCipherSuite" in the configuration), mainly to enforce a higher level of security by disabling the use of SHA-1.
No one should really be forcing TLSv1.1 over 1.2, but I am just doing this to prove a point that the following configuration works:
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsParameters;
import com.sun.net.httpserver.HttpsServer;

// sBind (InetSocketAddress) and jksPassword (String) are defined elsewhere
KeyStore ks = KeyStore.getInstance("JKS");
// Load KeyStore into "ks"
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, jksPassword.toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ks);
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
HttpsServer hsS = HttpsServer.create(sBind, 0);
hsS.setHttpsConfigurator(new HttpsConfigurator(sc) {
    @Override
    public void configure(HttpsParameters p) {
        try {
            SSLContext c = getSSLContext();
            SSLEngine e = c.createSSLEngine();
            p.setNeedClientAuth(false);
            p.setProtocols(new String[] { "TLSv1.1" });
            p.setCipherSuites(e.getEnabledCipherSuites());
            // copies the context's default parameters (protocols, cipher suites,
            // client-auth setting) onto p, replacing the values set above
            p.setSSLParameters(c.getDefaultSSLParameters());
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }
});
Even though I use setProtocols() to only accept "TLSv1.1", this doesn't seem to stop "TLSv1.2" connections, and everything from Chrome to IE still uses "TLSv1.2". If I disable the use of "TLSv1.2" and "TLSv1.1" in IE and just leave "TLSv1.0" enabled, then it will still work and negotiate "TLSv1.0". The setProtocols() method doesn't seem to do anything!?!
If I got this working then I was going to modify the list of ciphers using setCipherSuites().
Upvotes: 1
Views: 387
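The ordering problem in the configurator above is that HttpsParameters.setSSLParameters() copies protocols, cipher suites and the client-auth flag from the SSLParameters object it is given, so calling it with the context's defaults after setProtocols() throws the restriction away. The following is an added example (not code from the question or from the JDK) that builds one SSLParameters object, narrows it, and hands it over in a single call; it restricts the server to TLSv1.2 and to two ECDHE/ECDSA AEAD suites that match an EC server certificate. The keystore path, password and bind address are placeholders.

```java
import java.io.FileInputStream;
import java.net.InetSocketAddress;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManagerFactory;
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsParameters;
import com.sun.net.httpserver.HttpsServer;

public class RestrictedHttpsServer {

    // Placeholder values (assumed, not taken from the question).
    static final String KEYSTORE_PATH = "/path/to/server.jks";
    static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();

    // Protocol and cipher policy enforced on every incoming connection.
    static final String[] PROTOCOLS = { "TLSv1.2" };
    static final String[] CIPHER_SUITES = {
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
    };

    public static HttpsServer create(InetSocketAddress bind) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(KEYSTORE_PATH)) {
            ks.load(in, KEYSTORE_PASSWORD);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, KEYSTORE_PASSWORD);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(ks);

        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        HttpsServer server = HttpsServer.create(bind, 0);
        server.setHttpsConfigurator(new HttpsConfigurator(sc) {
            @Override
            public void configure(HttpsParameters p) {
                // Start from the context's defaults and narrow them in place.
                SSLParameters params = getSSLContext().getDefaultSSLParameters();
                params.setProtocols(PROTOCOLS);
                params.setCipherSuites(CIPHER_SUITES);
                params.setNeedClientAuth(false);
                // One call, and the last one: setSSLParameters() replaces every
                // value previously set on p, so nothing may follow it.
                p.setSSLParameters(params);
            }
        });
        return server;
    }

    public static void main(String[] args) throws Exception {
        HttpsServer server = create(new InetSocketAddress("127.0.0.1", 8443));
        server.createContext("/", ex -> {
            byte[] body = "ok\n".getBytes("UTF-8");
            ex.sendResponseHeaders(200, body.length);
            ex.getResponseBody().write(body);
            ex.close();
        });
        server.start();
    }
}
```

The enabled cipher suite names must be ones the JSSE provider actually supports with the loaded key type; with an EC certificate only ECDHE_ECDSA suites will be usable, and a name that is not supported causes configure() to throw and the connection to fail rather than silently widening the policy. A handshake attempt with a TLSv1.1-only client (for instance openssl s_client -tls1_1) should now be rejected, which is the quickest way to confirm the restriction took effect.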
Reputation: 4820
You can tweak it by updating the jre/lib/security/java.security file. Look for an entry like the one below and tweak it.
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.2, RC4, MD5withRSA, DH keySize < 768, \
EC keySize < 224
Upvotes: 1
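The same security property can be set from application code instead of by editing the JRE's java.security file, which avoids depending on the installed JRE and keeps the policy with the deployment. The following is an added example (not code from the answer) using java.security.Security.setProperty; it appends the legacy protocols to whatever the JRE already disables and, unlike the entry quoted above, leaves TLSv1.2 enabled. The property is read once, when the TLS provider initialises its algorithm constraints, so apply() has to run before the first SSLContext is created; the constraint applies JVM-wide to every client and server socket, not only to one HttpsServer.

```java
import java.security.Security;

public class TlsPolicy {

    // Entries appended to the JRE's own jdk.tls.disabledAlgorithms list.
    // Values here are chosen for this example: legacy protocol versions
    // plus the weak-algorithm entries already present in the JDK 8 default.
    static final String EXTRA_DISABLED =
        "SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224";

    // Must be called before any SSLContext/SSLSocket is created in this JVM.
    public static String apply() {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        String merged = (current == null || current.trim().isEmpty())
            ? EXTRA_DISABLED
            : current.trim() + ", " + EXTRA_DISABLED;
        Security.setProperty("jdk.tls.disabledAlgorithms", merged);
        return merged;
    }

    public static void main(String[] args) {
        System.out.println("jdk.tls.disabledAlgorithms=" + apply());
        // ... create the SSLContext and HttpsServer only after this point
    }
}
```

Because Security.setProperty() overwrites the whole value, the example reads the existing list and appends to it rather than replacing it, so weak algorithms the JRE already disables stay disabled.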