How can I disable TLSv1.0 with spring boot and embedded tomcat?

java spring spring-mvc tomcat

16,503

Solution 1

The most transparent and readable way is to explicitly configure the valid TLS protocols in your application configuration file by excluding - of course - the unwanted ones.

e.g. in YAML

server.ssl.enabled-protocols=TLSv1.1,TLSv1.2

You can then start your server and check whether TLSv1.0 is working by peforming the following

openssl s_client -connect localhost:443 -tls1

The above connections should be rejected whereas the following two will be accepted and print the certificate's details

openssl s_client -connect localhost:443 -tls1_1
openssl s_client -connect localhost:443 -tls1_2

Solution 2

A way that i found is to set ciphers that are supported only by TLSv1.2. Ex: If you will put in application.yml

server.ssl.ciphers:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

And the using CURL

openssl s_client -connect example.com:443 -tls1

You will see that request will be ignored / rejected because that cipher that you set in application.yml will validate only TLSv1.2 requests.

Solution 3

My solution is

@Bean
public EmbeddedServletContainerFactory servletContainerFactory()
{
    TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();

    factory.addConnectorCustomizers(new TomcatConnectorCustomizer()
    {
        @Override
        public void customize(Connector connector)
        {
            connector.setAttribute("sslProtocols", "TLSv1.1,TLSv1.2");
            connector.setAttribute("sslEnabledProtocols", "TLSv1.1,TLSv1.2");
        }
    });

    return factory;
}

And remove protocol: TLSv1.2 from application.yml

Solution 4

The answers so far only show how to lock-down TLS to a set of versions not yet considered broken. Since the question was how to de-activate a specific version, here's how using at least java 8:

  String algs = Security.getProperty("jdk.tls.disabledAlgorithms");

  // TODO: null/empty check on algs

  Set<String> disabled =
      Arrays.stream(algs.split(","))
          .map(String::trim)
          .collect(Collectors.toSet());

  // TODO: inject these algs as properties for configurability

  disabled.add("TLSv1");

  algs = String.join(", ", disabled);
  Security.setProperty("jdk.tls.disabledAlgorithms", algs);

Do this early on in your context initialisation before the Tomcat server is created and to be thorough you should catch SecurityException in case there's a policy in place that blocks the setProperty() call.

Using this method you benefit from new versions included in the JDK in the future.

View more solutions

16,503

Author by

Walter

Updated on June 20, 2022

Comments

Walter almost 2 years

I want to de-activate TLSv1.0 with spring boot(release 1.3.3), but it doesn't work if application.yml as below:

ssl: protocol: TLSv1.2 key-store: /E:/key/server.jks key-store-password: serverpkcs12

I still can access web page if only choose "USE TLS 1.0" in IE. See this pic--not work.

However, if doesn't use embedded tomcat, and add these arguments for Connector located in server.xml, it works fine for me--web page blocked by IE. See this pic--worked for me

sslProtocols="TLSv1.2" sslEnabledProtocols="TLSv1.2"

And I also tried some VM arguments, for exmaple -Dhttps.protocols="TLSv1.2", all of them are useless.

So What can I do for this?
Markus G. about 5 years

Most suitable answer here. Thanks