Reputation: 2406
How do I allow Java client TLS10 connections?
While attempting to do a hello world MSSQL JDBC connection in Eclipse with Java 16, I'm getting this error:
"...server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]..."
Upon searching, it appears my Java client is not allowing this TLS version while trying to connect to my deprecated MSSQL instance. How do I enable it?
Here's how I added the MSSQL JDBC driver:
- Download jar driver: https://learn.microsoft.com/en-us/sql/connect/jdbc/download-microsoft-jdbc-driver-for-sql-server?view=sql-server-ver15
- Add jar to build path, under Class path, jar for java version (version listed above)
Upvotes: 5
Views: 21869
Answers (2)
Reputation: 753
TLS 1.0 and 1.1 are disabled by default in latest Java versions (OpenJDK 11.0.11 onwards). Because these versions of TLS have weakened over time and lack support for stronger, more modern algorithms.
Solution:
Patch your MSSQL server and enable TLS1.2 on your MSSQL Server as per the Microsoft KB article: https://support.microsoft.com/en-us/topic/kb3135244-tls-1-2-support-for-microsoft-sql-server-e4472ef8-90a9-13c1-e4d8-44aad198cdbe
Alternate Solutions: (Prone to security risks)
- Enabling them by doing modification in existing java.security file of installed JDK as mentioned in Kevin's answer.
- Or by overriding java.security for your specific application as given below.(preferred)
- Create a file named enableLegacyTLS.security.
- In that file, add an entry for jdk.tls.disabledAlgorithms with the same contents as the jdk.tls.disabledAlgorithms property in the java.security file.
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \ DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL,...
Remove TLSv1, TLSv1.1, from the list on the enableLegacyTLS.security.
Start your application with -Djava.security.properties=path/to/enableLegacyTLS.security
Note: In last point, When you use a double equals sign (==), you tell the JVM to ignore the default java.security file and load only this file. But if a single equals sign (=) is used, it loads both your copy and superimposes it over the default java.security file
Upvotes: 7
Reputation: 2406
Solution (though be aware of security risks):
- C:\Program Files\Java\jdk-16.0.1\conf\security\java.security
- Or C:\Program Files\Java\jre7\lib\security\java.security
- Remove "TLSv1, TLSv1.1, " from this line:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
Upvotes: 4
Related Questions
- Use TLS 1.2 in mssql jdbc
- Java 1.8.0 enable TLS1.2 in JDBC connection
- JDBC Connection to Oracle database using TLS Certificate
- mysql jdbc connection with SSL fails at tls handshake level
- OpenJDK 11 use TLS 1.2 in JDBC connection string
- SSl Handshake validation error in connection to SQL Server by JDBC driver
- Using TLSv1.2 with Microsoft JDBC driver and Oracle JRE 7
- Java: SSL Connection to MySQL
- Java JDBC unable to connect to a Oracle database with SSL
- Unsupported protocol with JDBC connection