How to force a Java server to accept only TLS 1.2 and reject TLS 1.0 and TLS 1.1 connections
Solution 1
I found a solution for this. I set the
jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1
in the file jre/lib/security/java.security
on the server.
After setting this, the server only accepts TLS1.2 connections and rejects lower protocol versions.
Solution 2
I have also done the same changes in "/java/jdk1.7.0_79/jre/lib/security"-java.security
file but some of the clients are still able to call my services with SSL protocol.
Changes:
jdk.tls.disabledAlgorithms=SSL,SSLv2,SSLv3, TLSv1, TLSv1.1,MD5, SSLv3, DSA, RSA keySize < 2048
Solution 3
Just a small remark:
In the question you stated that you generated a 2048-bit certificate with MD5. But in the cert path algorithms you disabled MD5, so this normally should not work. Secondly, server certificates generated with an MD5 hash are banned from modern browsers such as Internet Explorer 10/Edge.
I would like to advise you to generate your server certificate at least with a SHA256 or < hash.
Solution 4
Update as of November 2021
Starting with version 11.0.11 of the JDK, you do not need to do anything, as TLS 1.0 and TLS 1.1 are disabled by default.
The fix was also backported to JDK 7u301, and 8u291.
For details: JDK-8202343: Disable TLS 1.0 and 1.1
You can still explicitly enable TLS 1.0/1.1 by changing java.security, as noted in the accepted answer.
PankajSays
Updated on January 29, 2022

PankajSays, over 2 years ago
I have an HTTPS web service running on Java 7. I need to make changes so that this service only accepts TLS1.2 connections and rejects SSL3, TLS1.0 and TLS1.1.
I have added the following Java parameter so that TLS1.2 has the highest priority:
-Dhttps.protocols=TLSv1.2
but it also accepts TLS1.0 connections from Java clients. If the client is also running with the above Java parameter, the connection is TLS1.2, but if the client is running without this parameter, the connection is TLS1.0.
I did some playing around with the
java.security
file in the jdk/jre/lib/security
folder. I currently have the following disabled algorithms:
jdk.certpath.disabledAlgorithms=MD2, MD4, MD5, SHA224, DSA, EC keySize < 256, RSA keySize < 2048, SHA1 keysize < 224
jdk.tls.disabledAlgorithms=DSA, DHE, EC keySize < 256, RSA keySize < 2048, SHA1 keysize < 224
I am using Java 7 update 79. I am not inclined towards intercepting each connection and checking the TLS version.
My server certificate is 2048 bit generated with MD5 with RSA algorithm.
If the disabled algorithm list has RSA in place of RSA keySize < 2048, I get the
SSLHandShakeError
with the error message: no cipher suites in common.
My test program is running the HTTP server from following URL: http://www.herongyang.com/JDK/HTTPS-HttpsEchoer-Better-HTTPS-Server.html
Please help me make Java accept only TLS1.2 connections.
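The property edited in Solution 1, applied from code together with a per-socket pin for an SSLServerSocket-based server like the one in the question, as an added example that is not from any answer or from the linked echo server; the class name and the helper names are mine, and it assumes a JDK whose jdk.tls.disabledAlgorithms accepts protocol names (the same mechanism the accepted answer relies on).

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class Tls12OnlyCheck {

    private static final List<String> LEGACY = Arrays.asList("SSLv3", "TLSv1", "TLSv1.1");

    // Appends the protocol names to jdk.tls.disabledAlgorithms instead of
    // overwriting it, so the JDK's own entries (RC4, MD5withRSA, ...) survive.
    // JSSE reads this property once, when the provider initialises, so this
    // must run before any SSLContext or SSL socket is created.
    static void disableLegacyProtocols() {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        String extra = "SSLv3, TLSv1, TLSv1.1";
        Security.setProperty("jdk.tls.disabledAlgorithms",
                current == null || current.isEmpty() ? extra : current + ", " + extra);
    }

    // Returns the legacy versions the default context would still negotiate;
    // an empty list means the java.security-style setting took effect.
    static List<String> stillSupported() throws Exception {
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
        List<String> leftovers = new ArrayList<String>(Arrays.asList(supported));
        leftovers.retainAll(LEGACY);
        return leftovers;
    }

    // Belt and braces: pin the listening socket itself to TLSv1.2. This holds
    // even if someone later edits java.security or passes -Djava.security.properties.
    static SSLServerSocket pinToTls12(SSLServerSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setProtocols(new String[] {"TLSv1.2"});
        socket.setSSLParameters(params);
        return socket;
    }

    public static void main(String[] args) throws Exception {
        disableLegacyProtocols();
        System.out.println("legacy protocols still supported: " + stillSupported());
        SSLServerSocketFactory f = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        try (SSLServerSocket s = pinToTls12((SSLServerSocket) f.createServerSocket(0))) {
            System.out.println("enabled on server socket: " + Arrays.toString(s.getEnabledProtocols()));
        }
    }
}
```

Sockets accepted from the pinned listener inherit the TLSv1.2-only setting, so a TLS1.0 client fails the handshake regardless of the global property; the RSA entry in the question's list still has to stay as "RSA keySize < 2048", because disabling RSA outright removes every RSA cipher suite and produces the "no cipher suites in common" error described above.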