Java 7 disables TLS 1.1 and 1.2 for clients. From Java Cryptography Architecture Oracle Providers Documentation:

Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS 1.2, neither version is enabled by default for client connections. Some servers do not implement forward compatibility correctly and refuse to talk to TLS 1.1 or TLS 1.2 clients. For interoperability, SunJSSE does not enable TLS 1.1 or TLS 1.2 by default for client connections.

I'm interested in enabling the protocols on a system wide setting (perhaps through a config file), and not a per-Java-application solution.

How do I administratively enable TLS 1.1 and 1.2 system wide?

Note: since POODLE, I would like to administratively disable SSLv3 system wide. (The problems with SSLv3 predate POODLE by at least 15 years, but Java/Oracle/Developers did not respect basic best practices, so users like you and me are left with cleaning up the mess).


Here's the Java version:

$ /Library/Java/JavaVirtualMachines/jdk1.7.0_07.jdk/Contents/Home/bin/java -version
java version "1.7.0_07"
Java(TM) SE Runtime Environment (build 1.7.0_07-b10)
Java HotSpot(TM) 64-Bit Server VM (build 23.3-b01, mixed mode)
jww
  • 12,722

6 Answers

33

You could just add the property -Dhttps.protocols=TLSv1.1,TLSv1.2, which configures the JVM to specify which TLS protocol versions should be used during https connections.

Gray
  • 273
13

You could try adding something like the following to your startup script, assuming Java 1.7:

JAVACMD="$JAVACMD -Ddeployment.security.SSLv2Hello=false -Ddeployment.security.SSLv3=false -Ddeployment.security.TLSv1=false -Ddeployment.security.TLSv1.1=true -Ddeployment.security.TLSv1.2=true"

Some other suggestions: https://blogs.oracle.com/java-platform-group/entry/java_8_will_use_tls

cnst
  • 2,615
9

I just recently researched this and I want to add: this will not work for the JDK; deployment.properties is only relevant to Applets and other stuff running in the JRE.

For JDK applications (a server which needs to connect to LDAP, for example) the server is a client, but the deployment.security.* settings would not work.

There is no way to change it unless you write some code like SSLContext.getInstance("TLSv1.2");

8

For Java 7 on Mac OS X, you go to System Preferences > Java, and the Java Control Panel opens in a separate window. Then you go to the Advanced tab and scroll down to the Advanced Security Settings section and check the Use TLS 1.1 and Use TLS 1.2 checkboxes.

Spiff
  • 110,156
4

It looks like deployment.security.* settings work for Java Applets and Java Web Start programs running on a desktop. As others mention here you can edit deployment.properties to specify that.

Here is an article that shows how to use a group policy to deploy the same deployment.properties file for all users: http://www.darkoperator.com/blog/2013/1/12/pushing-security-configuration-for-java-7-update-10-via-gpo.html

Unfortunately there is no way to turn this on for all java programs on a computer that directly call java.exe or javaw.exe. You have to find each program that uses java, find the config file where you specify the parameters to pass to java and change it.

For Tomcat we had to pass this so that connections from Tomcat to other servers use TLS 1.1+: -Dhttps.protocols=TLSv1.1,TLSv1.2. On Linux this can be done by editing bin/catalina.sh or by creating bin/setenv.sh.

I don't know what it takes to make Tomcat use only TLS 1.2 on the server side. We front with Apache HTTP.

kubanczyk
  • 1,447
sjbotha
  • 1,091
2

If you are stuck with Java 7, you can add -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 to the arguments of the JVM.

Note that this has several caveats:

In spite of these shortcomings, I think that this could be useful, especially when the protocol one is interested in uses TLS but is not HTTPS, e.g. LDAPS.

[UPDATE] In my company, which runs its pool of servers on Ubuntu, we've realized that even update 121 of OpenJDK 7 was not enough to implement this correctly. We've updated all servers to update 181 before it worked.

AbVog
  • 621
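As an added check that is not part of any answer above (a hypothetical helper class, not code from the thread), the program below reports which protocols the JVM's default SSLContext will offer as a client, what a SSLContext.getInstance("TLSv1.2") context enables, and what remains after a per-socket setEnabledProtocols call. Run it once plainly and once with -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 to see whether the property actually reached the default context on your build; it assumes nothing beyond the standard javax.net.ssl API.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import java.util.Arrays;

// Hypothetical helper (not from the thread) to verify which protocols this JVM's TLS
// clients will actually offer, with and without the properties discussed above.
public class TlsProtocolCheck {
    // True only if nothing older than TLS 1.1 is enabled (SSLv2Hello, SSLv3, TLSv1 all fail).
    static boolean modernOnly(String[] enabled) {
        for (String p : enabled) {
            if (p.startsWith("SSLv") || p.equals("TLSv1")) {
                return false;
            }
        }
        return enabled.length > 0;
    }

    // Protocols the context enables by default for a client. This reflects
    // -Djdk.tls.client.protocols on JDK builds that honour it; -Dhttps.protocols is
    // read only by HttpsURLConnection and will not show up here.
    static String[] defaultProtocols(SSLContext ctx) {
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Per-socket override: works on every Java 7 build, but each application must do it in code.
    static String[] restrict(SSLContext ctx, String... wanted) throws Exception {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(); // unconnected socket
        try {
            s.setEnabledProtocols(wanted);
            return s.getEnabledProtocols();
        } finally {
            s.close();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext def = SSLContext.getDefault();
        String[] dflt = defaultProtocols(def);
        System.out.println("Default client protocols:  " + Arrays.toString(dflt)
                + (modernOnly(dflt) ? "  [ok]" : "  [legacy protocol still enabled]"));
        // Even a "TLSv1.2" context enables older versions on Java 7 unless restricted.
        SSLContext tls12 = SSLContext.getInstance("TLSv1.2");
        tls12.init(null, null, null);
        System.out.println("TLSv1.2 context defaults:  " + Arrays.toString(defaultProtocols(tls12)));
        String[] pinned = restrict(tls12, "TLSv1.1", "TLSv1.2");
        System.out.println("After setEnabledProtocols: " + Arrays.toString(pinned)
                + (modernOnly(pinned) ? "  [ok]" : "  [unexpected]"));
    }
}
```

Compile and run with `javac TlsProtocolCheck.java && java -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 TlsProtocolCheck`; if the first line still lists SSLv3 or TLSv1, the property is not honoured by that JDK build and only the per-socket or per-application route applies.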