How to enable TLSv1.2 in JAVA 7u80 client
Without any code change, as I wrote in the comment, you need at least 7u95.
jdk.tls.client.protocols system property. To enable specific SunJSSE protocols on the client, specify them in a comma-separated list within quotation marks; all other supported protocols are then disabled on the client. For example, if the value of this property is "TLSv1,TLSv1.1", then the default protocol settings on the client for TLSv1 and TLSv1.1 are enabled on the client, while SSLv3, TLSv1.2, and SSLv2Hello are disabled on the client. This property has been available since Java SE 7u95.
The same property is also available since Java 6u121, with Java 6 supporting and implementing TLS 1.2.
OTUser
Updated on June 04, 2022
Comments
-
OTUser almost 2 years
We have a Java application which runs on Java Version: 1.7.0_80 and we are trying to enable TLSv1.2 with the JVM arguments -Dhttps.protocols=TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 -Ddeployment.security.TLSv1=false -Ddeployment.security.TLSv1.1=true -Ddeployment.security.TLSv1.2=true to consume a web service which supports only TLSv1.2. Though we have the JVM arguments, the Java client is still using TLSv1 for communicating with the web services. Can someone please help me: are there any JVM configurations I need to make to use TLSv1.2 without any code change?
-
Sergei Sirik about 6 years
Possible duplicate of How to enable TLS 1.2 in Java 7
-
OTUser about 6 years
I'm trying to make it work with just configuration changes in my case, without code change
-
Sergei Sirik about 6 years
As I understand, no. You have to either update your Java 7 to the latest patch (I guess it is 131) or make a code change.
-
Eugène Adell about 6 years
@SergeiSirik: not really a duplicate. In the question you mention, no answer gives the real reason why it was not working: "jdk.tls.client.protocols system property. This property has been available since Java SE 7u95."
-
OTUser about 6 years
It's an HTTPS protocol for a web service call
-
Vaibhav Jain over 5 years
Java 7u95 is available only for business users. Not available for simple users. I guess the question was originally about how to enable TLSv1.2 in Java 7u80. Can anyone help on enabling TLSv1.2 in 7u80?
-
Eugène Adell over 5 years
The question was indeed for 7u80 and if you cannot upgrade you need a code change (one of the solutions given by Sergei Sirik's link above).
-
Vaibhav Jain over 5 years
Unfortunately the code provided in the link is working only for SQL authentication. Not for Windows authentication.
-
Eugène Adell over 5 years
The question is about enabling TLS 1.2. If you have difficulties with Windows authentication, either provide code and raise a question on SO, or ask on ServerFault.
-
Per Lindberg over 4 years
It appears that Java 6u161 is a 'Java SE Advanced version', and therefore only available to paying customers. See stackoverflow.com/questions/45859426/…
-
Eugène Adell over 4 years
@PerLindberg You probably wanted to say 6u121 and you are right. Are there still Java 6 users around?
-
Per Lindberg over 4 years
Yes, 6u121, that's right. And yes, I'm currently stuck with Java 6 / Glassfish 3.1.2.2 for now. So I need to somehow transplant TLS 1.2 to it.
-
Eugène Adell over 4 years
@PerLindberg You need TLS for running as a client or as a server? As a server, maybe just putting a reverse proxy in front of Glassfish would fit your need?
-
Per Lindberg over 4 years
It's for the Glassfish application server. TLS 1.2 must be supported by March 2020, when the major browsers cease to support TLS 1.1. A reverse proxy (e.g. Apache) is a cool workaround, but won't do in my particular case.
-
Eugène Adell over 4 years
@PerLindberg I don't have the Glassfish source code to check how it's calling SSL classes. From what I know and tested on simple programs, you can install the BouncyCastle provider and get Java 6 running with TLS 1.2. It takes 15 minutes to download the jar files, edit java.security, and restart your server. Please let us know if this worked.
-
Per Lindberg over 4 years
Eugène, thanks for the suggestion. Took more than 15 minutes, though, since I'm not familiar with this particular kind of magic. :-) I downloaded and installed bc_fips-1.0.2.jar in ...jdk1.6.0_35/jre/lib/ext and added 'security.provider.9=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider' to ...jdk1.6.0_35/jre/lib/security/java.security. Then I restarted Glassfish. No joy; the browser still warns about a deprecated version of TLS. Perhaps there's some missing setting in my Glassfish Admin Console...
-
Eugène Adell over 4 years
@PerLindberg I think you need bcprov-jdk15to18-164.jar (and bctls-jdk15to18-164.jar?) rather than the FIPS one, and add the provider in first position so it comes before SunJSSE. All this is experimental. Where can we download the same Glassfish as yours?
-
Per Lindberg over 4 years
I tried with bcprov-jdk15to18-164.jar (from bouncycastle.org/latest_releases.html) and added security.provider.1=org.bouncycastle.jce.provider.BouncyCastleProvider to java.security (and renumbered the existing providers). Did not help. There doesn't seem to be a .jar file with bctls-jdk15to18-164, only a .tar.gz file with sources. I didn't have to use it, since Glassfish starts without it. Glassfish 3.1.2.2 can be downloaded from oracle.com/java/technologies/ogs-v3122-downloads.html
-
Eugène Adell over 4 years
@PerLindberg Have a look at this question which shows how to declare the provider. Check again, I can see bctls-jdk15to18-164.jar on the latest releases page.
-
Per Lindberg over 4 years
Thanks again, @Eugène. I installed bctls-jdk15to18-164.jar and configured the two BouncyCastle providers in java.security. It probably made Java TLS work, but Glassfish fails. Connection attempts result in the log message
org.bouncycastle.jsse.provider.ProvTlsServer Server raised fatal(2) bad_record_mac(20) alert: Failed to process record org.bouncycastle.tls.TlsFatalAlert: bad_record_mac(20)
Also, changing to ssl.KeyManagerFactory.algorithm=PKIX didn't help. Presumably some more esoteric Glassfish magic is needed.
-
Eugène Adell over 4 years
@PerLindberg Two things could maybe help: adding -Djavax.net.debug=all and a network capture. Maybe open a new question here, because your question is more about Glassfish than TLS 1.2 on a legacy JVM. Keep us informed.
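As an added example, not code from the question, the answer, or any commenter, this small program shows both routes discussed above for a Java 7 client: it first reports which protocols the JVM-wide default SSLContext enables for client sockets (on 7u95 and later this already reflects -Djdk.tls.client.protocols; on 7u80 the property is ignored), and if TLSv1.2 is not among them it applies the code change that the answer and Sergei Sirik's link refer to, installing a TLSv1.2 context as the JVM default and as the factory HttpsURLConnection uses. The class name Tls12ClientCheck and its method names are my own; the JSSE calls are standard Java 7 API.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added example (not from the thread): check and, if needed, enable TLSv1.2
// for client connections on a Java 7 JVM.
public class Tls12ClientCheck {

    // Protocols a client socket from the JVM-wide default context would offer.
    // On 7u80 this list lacks TLSv1.2 regardless of -Djdk.tls.client.protocols,
    // because that property is only honoured from 7u95 onwards.
    static String[] defaultEnabledProtocols() throws NoSuchAlgorithmException {
        return SSLContext.getDefault().getDefaultSSLParameters().getProtocols();
    }

    // Protocols the JSSE implementation can negotiate at all. TLSv1.2 is present
    // on every Java 7 build; it is merely not enabled for clients by default.
    static String[] supportedProtocols() throws NoSuchAlgorithmException {
        return SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
    }

    static boolean offersTls12() throws NoSuchAlgorithmException {
        return Arrays.asList(defaultEnabledProtocols()).contains("TLSv1.2");
    }

    // The code change for JVMs that ignore the property: build a TLSv1.2 context
    // with the default key/trust managers and install it both as the JVM default
    // and as the socket factory HttpsURLConnection uses.
    static void enableTls12ForClients() throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);  // null = default KeyManager, TrustManager, SecureRandom
        SSLContext.setDefault(ctx);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jdk.tls.client.protocols = " + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("supported:      " + Arrays.toString(supportedProtocols()));
        System.out.println("enabled before: " + Arrays.toString(defaultEnabledProtocols()));
        if (!offersTls12()) {
            enableTls12ForClients();
        }
        System.out.println("enabled after:  " + Arrays.toString(defaultEnabledProtocols()));

        // A socket created from the (now replaced) default context offers TLSv1.2
        // in its ClientHello, which is what a TLSv1.2-only web service requires.
        SSLSocket s = (SSLSocket) SSLContext.getDefault().getSocketFactory().createSocket();
        System.out.println("socket enabled: " + Arrays.toString(s.getEnabledProtocols()));
        s.close();
    }
}
```

Run it once with no flags and once with -Djdk.tls.client.protocols=TLSv1.2 to see whether your build honours the property: on 7u95 and later the "enabled before" line already contains TLSv1.2 and the code path is skipped, on 7u80 it is not and the program falls back to the SSLContext change. The enableTls12ForClients() call must happen before any HTTPS connection is opened, since libraries that cache a socket factory at start-up will not pick up the new default.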