2

We have a java application which runs on Java Version: 1.7.0_80 and we are trying to enable TLSv1.2 with the jvm argument -Dhttps.protocols=TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2-Ddeployment.security.TLSv1=false -Ddeployment.security.TLSv1.1=true -Ddeployment.security.TLSv1.2=true to consume a web service which supports only TLSv1.2. Though we have the jvm argument java client still using TLSv1 for communicating with web services,

enter image description here can someone please help me is there any jvm configurations I need to make to use TLSv1.2 without any code change?

OTUser
  • 3,788
  • 19
  • 69
  • 127
  • 1
    Possible duplicate of [How to enable TLS 1.2 in Java 7](https://stackoverflow.com/questions/39157422/how-to-enable-tls-1-2-in-java-7) – Sergei Sirik Mar 27 '18 at 22:00
  • I'm trying to make it work with just configuration changes in my case, without code change – OTUser Mar 27 '18 at 22:03
  • As I understand, no. You have to either update your java 7 to the latest patch (I guess it is 131) or make code change. – Sergei Sirik Mar 27 '18 at 22:04
  • 1
    @SergeiSirik : not really a duplicate. In the question you mention, no answer gives the real reason why it was not working : ""jdk.tls.client.protocols system property. This propery has been available since Java SE 7u95." – Eugène Adell Mar 27 '18 at 22:06
  • its a https protocol for webservice call – OTUser Mar 27 '18 at 22:09

1 Answers1

4

Without any code change, as I wrote in the comment, you need at least 7u95.

jdk.tls.client.protocols system property. To enable specific SunJSSE protocols on the client, specify them in a comma-separated list within quotation marks; all other supported protocols are then disabled on the client. For example, if the value of this property is "TLSv1,TLSv1.1", then the default protocol settings on the client for TLSv1 and TLSv1.1 are enabled on the client, while SSLv3, TLSv1.2, and SSLv2Hello are disabled on the client. This propery has been available since Java SE 7u95.

The same property is also available since Java 6u121, with Java 6 supporting and implementing TLS 1.2.

Eugène Adell
  • 3,089
  • 2
  • 18
  • 34
  • Java 7u95 is available only for business users. Not available for simple users. I guess question was originally about how to enable TLSv1.2 in Java 7u80. Can anyone help on enabling TLSv1.2 in 7u80? – Vaibhav Jain Nov 22 '18 at 07:25
  • The question was indeed for 7u80 and if you cannot upgrade you need a code change (one of the solutions given by Sergei Sirik's link above). – Eugène Adell Nov 22 '18 at 08:43
  • Unfortunately the code provided in the link is working only for sql authentication. Not for windows authentication. – Vaibhav Jain Nov 22 '18 at 09:27
  • The question is about enabling TLS 1.2. If you have difficulties with Windows authentication, either provide code and raise a question on SO, or ask on ServerFault. – Eugène Adell Nov 22 '18 at 13:19
  • It appears that Java 6u161 is a 'Java SE Advanced version', and therefore only available to paying customers. See https://stackoverflow.com/questions/45859426/how-can-i-download-java-se-6-update-121 – Per Lindberg Oct 08 '19 at 08:49
  • @PerLindberg You probably wanted to say 6u121 and you are right. Are there still Java 6 users around ? – Eugène Adell Oct 08 '19 at 18:10
  • Yes, 6u121, that's right. And yes, I'm currently stuck with Java 6 / Glassfish 3.1.2.2 for now. So I need to somehow transplant TLS 1.2 to it. – Per Lindberg Oct 09 '19 at 07:23
  • @PerLindberg You need TLS for running as a client or as a server ? As a server maybe just putting a reverse proxy in front of Glassfish would fit your need ? – Eugène Adell Oct 09 '19 at 16:14
  • It's for Glassfish application server. TLS 1.2 must be supported by March 2020, when the major browsers cease to support TLS 1.1. A reverse proxy (e.g. Apache) is a cool workaround, but won't do in my particular case. – Per Lindberg Oct 10 '19 at 07:14
  • @PerLindberg I don't have the Glassfish source code to check how it's calling SSL classes. From what I know and tested on simple programs, you can install the BouncyCastle provider and get Java 6 running with TLS 1.2. It takes 15 minutes to download the jar files, edit java.security, and restart your server. Please let us know if this worked. – Eugène Adell Oct 10 '19 at 18:48
  • Eugène, thanks for the suggestion. Took more than 15 minutes, though, since I'm not familiar with this particular kind of magic. :-) I downloaded and installed bc_fips-1.0.2.jar in ...jdk1.6.0_35/jre/lib/ext and added ' security.provider.9=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider' to ...jdk1.6.0_35/jre/lib/security/java.security. Then I restarted Glassfish. No joy; the browser still warns about deprecated version of TLS. Perhaps there's some missing setting in my Glasfish Admin Console... – Per Lindberg Oct 11 '19 at 11:44
  • @PerLindberg I think you need bcprov-jdk15to18-164.jar (and bctls-jdk15to18-164.jar ? ) rather than the fips one, and add the provider in first position then it comes before SUN JSSE . All this is experimental. Where can we download the same Glassfish as yours ? – Eugène Adell Oct 11 '19 at 20:50
  • I tried with bcprov-jdk15to18-164.jar (from https://www.bouncycastle.org/latest_releases.html) and added security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider to java.security (and renumbered the existing providers). Did not help. There doesn't seem the be a .jar file with bctls-jdk15to18-164, only a .tar.gz file with sources. I didn't have to use it, since Glassfish starts without it. Glassfish 3.1.2.2 can be downloaded from https://www.oracle.com/java/technologies/ogs-v3122-downloads.html – Per Lindberg Oct 15 '19 at 07:44
  • @PerLindberg Have a look at this [question](https://stackoverflow.com/q/50489592/7748072) which shows how to declare the provider. Check again, I can see [bctls-jdk15to18-164.jar](https://www.bouncycastle.org/download/bctls-jdk15to18-164.jar) on the latest releases page. – Eugène Adell Oct 15 '19 at 08:17
  • Thanks again, @Eugène. I installed bctls-jdk15to18-164.jar and configured the two bouncycastle providers in java.security. It _probably_ made Java TLS work, but Glassfish fails. Connection attempts result in the log message `org.bouncycastle.jsse.provider.ProvTlsServer Server raised fatal(2) bad_record_mac(20) alert: Failed to process record org.bouncycastle.tls.TlsFatalAlert: bad_record_mac(20)` Also, changing to `ssl.KeyManagerFactory.algorithm=PKIX` didn't help. Presumably some more esotheric Glassfish magic is needed. – Per Lindberg Oct 16 '19 at 11:28
  • @PerLindberg Two things could maybe help : adding -Djavax.net.debug=all and a network capture. Maybe, open a new question here, because your question is more about Glassfish than TLS1.2 on legacy JVM. Keep us informed – Eugène Adell Oct 16 '19 at 12:59