Reputation: 381
Java 7 oracle does not support TLSv1.2. I have been trying to run my code and I have tried the following things:
System.setProperty("deployment.security.TLSv1.1", "false")
System.setProperty("deployment.security.TLSv1", "false")
System.setProperty("deployment.security.TLSv1.2", "true")
System.setProperty("https.protocols", "TLSv1.2")
System.setProperty("https.cipherSuites", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,AES_256_GCM,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
and it does not help.
How can I force my Java 7 application to use TLSv1.2? I can run my program using Java 8, which by default uses TLS 1.2, and everything works perfectly.
How can I do it in Java 7 from Oracle?
I have also tried going into /usr/lib/jvm/java-7-oracle/jre/lib/security and disabling jdk.tls.disabledAlgorithms=SSLv2Hello, SSLv3, TLSv1, but it still does not work.
What am I doing wrong?
Btw, I get an SSLHandshakeException (handshake failure).
EDIT:
Error:
0000: 02 28 .(
main, READ: TLSv1 Alert, length = 2
main, RECV TLSv1 ALERT: fatal, handshake_failure
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
166 [main] DEBUG org.apache.http.impl.conn.DefaultClientConnection - Connection org.apache.http.impl.conn.DefaultClientConnection@6b18e1c6 closed
166 [main] DEBUG org.apache.http.impl.conn.DefaultClientConnection - Connection org.apache.http.impl.conn.DefaultClientConnection@6b18e1c6 shut down
main, called close()
main, called closeInternal(true)
[main] DEBUG org.apache.http.impl.conn.BasicClientConnectionManager - Releasing connection org.apache.http.impl.conn.ManagedClientConnectionImpl@1f2dc289
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:533)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:401)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:214)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:160)
Upvotes: 3
Views: 6694
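As an added diagnostic (not code from the question), the following Java 7 program shows which protocols the default SSLContext supports versus actually enables, then builds a context by the name "TLSv1.2" and pins a client socket to TLSv1.2 only. Two facts bear on the question: Oracle Java 7 supports TLSv1.2 but does not enable it by default on the client side, and the https.protocols property is honoured only by HttpsURLConnection, not by Apache HttpClient, which the stack trace shows is in use, so with HttpClient the protocol has to be set on the SSLContext or socket factory. The class name is mine; no network connection is made.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

public class TlsProtocolCheck {

    // Protocols the JRE is able to speak at all (on Java 7 this list includes TLSv1.2).
    static String[] supported(SSLContext ctx) {
        return ctx.getSupportedSSLParameters().getProtocols();
    }

    // Protocols enabled on sockets created from this context without further configuration.
    // On Oracle Java 7 the default context enables only SSLv3/TLSv1 for clients.
    static String[] enabledByDefault(SSLContext ctx) {
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Creates an unconnected socket that offers TLSv1.2 only, whatever the JRE default is.
    static SSLSocket tls12OnlySocket(SSLContext ctx) throws Exception {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
        socket.setEnabledProtocols(new String[] {"TLSv1.2"});
        return socket;
    }

    public static void main(String[] args) throws Exception {
        SSLContext dflt = SSLContext.getDefault();
        System.out.println("supported  : " + Arrays.toString(supported(dflt)));
        System.out.println("default    : " + Arrays.toString(enabledByDefault(dflt)));

        // A context requested by version name enables that version (on Java 7 the older ones too)...
        SSLContext tls12 = SSLContext.getInstance("TLSv1.2");
        tls12.init(null, null, null);   // platform trust store, default key managers
        System.out.println("TLSv1.2 ctx: " + Arrays.toString(enabledByDefault(tls12)));

        // ...so pin the socket explicitly to be sure that only TLSv1.2 is offered.
        SSLSocket s = tls12OnlySocket(tls12);
        System.out.println("socket     : " + Arrays.toString(s.getEnabledProtocols()));
        s.close();
    }
}
```

Run it once on the Java 7 and once on the Java 8 installation: the "supported" line is the same on both, and the "default" line is what differs between them.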
Reputation: 41
I had similar issues and needed multiple days to solve all my problems. I'm not able to update my JRE version as it is running on an HSM. Maybe there are others besides me with such requirements.
GIVEN:
REQUIREMENT: A webapp running on Tomcat should be able to connect to a socket over TLSv1.2.
Problem 1:
JRE 1.7.0_25 is not able to connect to a socket over TLSv1.2 by itself.
Solution:
Use BouncyCastle library to do it: https://www.bouncycastle.org
Problem 2 (Needed multiple days to solve this issue):
BouncyCastle was activated and added to the security providers in the first place, but it is still not used when creating the SSLContext and the other instances (Certificate, KeyStore, TrustManager).
Solution:
Force the usage of BouncyCastle as security provider in JSSE with the following code:
    BouncyCastleProvider provider = new BouncyCastleProvider();
    // JSSE provider first, wrapping the JCE provider it should use for its crypto
    Security.insertProviderAt(new BouncyCastleJsseProvider(provider), 1);
    Security.insertProviderAt(provider, 2);
Instead of:
    // Two unrelated instances: BCJSSE does not know which JCE provider to use
    Security.insertProviderAt(new BouncyCastleProvider(), 2);
    Security.insertProviderAt(new BouncyCastleJsseProvider(), 1);
But this led me to the next problem:
Problem 3:
java.lang.SecurityException: JCE cannot authenticate the provider BC
Solution:
The latest jar of BouncyCastle (bcprov-jdk15on-162.jar) as well as the previous (bcprov-jdk15on-161.jar) are not properly signed for 1.7.0_25, but bcprov-jdk15on-160.jar is. After using version 160, I was finally able to connect to a socket over TLSv1.2 with the following code:
    import java.io.ByteArrayInputStream;
    import java.security.KeyStore;
    import java.security.SecureRandom;
    import java.security.Security;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import org.apache.commons.codec.binary.Base64;   // assumed: decodeBase64(String) is the commons-codec signature
    import org.bouncycastle.jce.provider.BouncyCastleProvider;        // bcprov jar
    import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;   // bctls jar

    // LOGGER is assumed to be the enclosing class's logger (e.g. slf4j)
    private static SSLContext createSSLContextBouncy(String base64Cert) {
        // BCJSSE first so SSLContext/TrustManagerFactory come from it; BC second for the crypto
        BouncyCastleProvider provider = new BouncyCastleProvider();
        Security.insertProviderAt(new BouncyCastleJsseProvider(provider), 1);
        Security.insertProviderAt(provider, 2);
        LOGGER.debug("Using bouncy castle as security provider");
        try {
            // Parse the single trusted certificate and put it into a BC keystore
            byte[] certBytes = Base64.decodeBase64(base64Cert);
            X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509", "BC")
                    .generateCertificate(new ByteArrayInputStream(certBytes));
            KeyStore keystore = KeyStore.getInstance("BKS", "BC");
            keystore.load(null);
            keystore.setCertificateEntry("alias", cert);
            // Trust only that certificate, through BCJSSE's PKIX trust manager
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("PKIX", "BCJSSE");
            trustManagerFactory.init(keystore);
            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
            // Context from BCJSSE, which handles TLSv1.2 on this JRE
            SSLContext sslContext = SSLContext.getInstance("TLS", "BCJSSE");
            sslContext.init(null, trustManagers, new SecureRandom());
            return sslContext;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
Unfortunately, it still was not working inside the Tomcat.
Problem 4:
Connection over TLSv1.2 still does not work when I run the code as a webapp (on Tomcat). The handshake starts but ends with an error saying "connection refused".
Solution:
The Tomcat version running on the HSM (maybe others also) for some reason needs 30s for the handshake, but the endpoint has a timeout of 10s. I tested with another version of Tomcat (8.0.37, as we have the info that the HSM is possibly supporting it) and it was running smoothly.
Hope this helps anyone.
Upvotes: 0
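Problem 2 above is that a provider can be registered and still not be the one JSSE hands out. The following check, added here and not part of the answer, asks each factory which provider actually backs it before and after registering BouncyCastle in the order the answer settled on. It assumes the bcprov and bctls jars are on the classpath; the class name is mine. One detail worth knowing: SSLContext.getDefault() caches its result, so providers must be registered before the first call to it or to any code path that triggers it.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

public class ProviderCheck {

    // Register BCJSSE ahead of SunJSSE, handing it the BC JCE provider for its crypto.
    static void registerBouncyCastleFirst() {
        BouncyCastleProvider bc = new BouncyCastleProvider();
        Security.insertProviderAt(new BouncyCastleJsseProvider(bc), 1);
        Security.insertProviderAt(bc, 2);
    }

    // Name of the provider that backs a TLS SSLContext obtained without naming a provider.
    static String sslContextProvider() throws Exception {
        return SSLContext.getInstance("TLS").getProvider().getName();
    }

    // Same question for the PKIX trust manager factory.
    static String trustManagerProvider() throws Exception {
        return TrustManagerFactory.getInstance("PKIX").getProvider().getName();
    }

    // And for a keystore type; "BKS" exists only in BC, "JKS" only in the JDK.
    static String keyStoreProvider(String type) throws Exception {
        return KeyStore.getInstance(type).getProvider().getName();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("before: SSLContext(TLS) from " + sslContextProvider());   // SunJSSE
        registerBouncyCastleFirst();
        System.out.println("after : SSLContext(TLS) from " + sslContextProvider());   // expect BCJSSE
        System.out.println("        TrustManagerFactory(PKIX) from " + trustManagerProvider());
        System.out.println("        KeyStore(BKS) from " + keyStoreProvider("BKS"));  // expect BC
        System.out.println("installed providers, in lookup order:");
        for (Provider p : Security.getProviders()) {
            System.out.println("  " + p.getName() + " " + p.getVersion());
        }
    }
}
```

If the "after" line still names SunJSSE, the provider order is not what was intended and the answer's explicit getInstance(..., "BCJSSE") calls are the reliable way to pin it.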
Reputation: 43
I had similar issues: I was unable to enable TLSv1.2 in Java JDK 1.7.0_80 in WebLogic 10.3. We upgraded it to JDK 1.7.0_181, and it started working for us.
Upvotes: 0
Reputation: 11116
You can upgrade your Java 7 version to 1.7.0_131-b31.
For JRE 1.7.0_131-b31, the Oracle site says:
TLSv1.2 and TLSv1.1 are now enabled by default on the TLS client end-points. This is similar behavior to what already happens in JDK 8 releases.
Upvotes: 0
Reputation: 381
I will answer my own question in case someone has a similar problem:
I spent 2 days trying everything and finally I figured it out.
In Java-7-oracle it's not possible to use TLS 1.2. Even configuring it using System Properties or even setting it up at SSLContext level did not help me. Their support is very bad. In Java-8-oracle, though, it is possible.
Simply changing my Java to java-7-openjdk-amd64 did the trick for me.
Upvotes: 1
Reputation: 5916
I ran into the same issue and, since I was making my requests using the Apache HTTP Client library, I solved it by initializing my HttpClient this way:
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;

    CloseableHttpClient client = HttpClients.custom()
            .setSSLSocketFactory(getSSLContext())   // TLS settings come from the factory below
            .build();
where the getSSLContext() method is this:
    import java.security.NoSuchAlgorithmException;
    import javax.net.ssl.SSLContext;
    import org.apache.http.conn.ssl.NoopHostnameVerifier;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;

    private SSLConnectionSocketFactory getSSLContext() throws NoSuchAlgorithmException {
        return new SSLConnectionSocketFactory(
                SSLContext.getDefault(),        // JRE default trust store and key managers
                new String[]{"TLSv1.2"},        // protocols offered to the server
                null,                           // cipher suites: JRE defaults
                new NoopHostnameVerifier());    // accepts any certificate hostname (no hostname check)
    }
Upvotes: 2
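A variant of the answer's socket factory, added here and not part of the answer: the protocol is still pinned to TLSv1.2, but the hostname verifier is HttpClient's DefaultHostnameVerifier, so the server certificate must still match the host being contacted. It targets HttpClient 4.4 or later (where SSLConnectionSocketFactory, DefaultHostnameVerifier and NoopHostnameVerifier live); the class name and the URL argument are mine, and the default URL is a placeholder. The cipher-suite argument is left at null because Java 7's SunJSSE has no GCM suites, so a hand-picked list gains little on that JRE.

```java
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class Tls12Client {

    // TLSv1.2 only, JRE default cipher suites, and the standard hostname check kept on.
    static SSLConnectionSocketFactory tls12SocketFactory() throws NoSuchAlgorithmException {
        return new SSLConnectionSocketFactory(
                SSLContext.getDefault(),          // platform trust store
                new String[] {"TLSv1.2"},         // the only protocol offered
                null,                             // cipher suites: JRE defaults
                new DefaultHostnameVerifier());   // certificate must match the requested host
    }

    static CloseableHttpClient newClient() throws NoSuchAlgorithmException {
        return HttpClients.custom()
                .setSSLSocketFactory(tls12SocketFactory())
                .build();
    }

    // Performs a GET and returns the HTTP status; a handshake failure surfaces as an exception here.
    static int fetchStatus(CloseableHttpClient client, String url) throws IOException {
        CloseableHttpResponse response = client.execute(new HttpGet(url));
        try {
            return response.getStatusLine().getStatusCode();
        } finally {
            response.close();
        }
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://example.invalid/";   // placeholder
        CloseableHttpClient client = newClient();
        try {
            System.out.println(url + " -> HTTP " + fetchStatus(client, url));
        } finally {
            client.close();
        }
    }
}
```

Running it with -Djavax.net.debug=ssl:handshake shows the ClientHello version as TLSv1.2, which is the quickest way to confirm the factory is the one the client actually uses.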