51

I am trying to enable TLS 1.2 in my web app which uses JBoss 6.4 and Java 1.7. I have -Dhttp.protocols = TLSv1.2 in my application environment but it doesn't seem to work for me.

Is there anything I could do to enable TLS 1.2?

I wrote a simple program

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Build a TLSv1.2-capable context and make it the JVM-wide default
SSLContext context = SSLContext.getInstance("TLSv1.2");
context.init(null, null, null); // default key managers, trust managers, SecureRandom
SSLContext.setDefault(context);
SSLSocketFactory factory = context.getSocketFactory();
SSLSocket socket = (SSLSocket) factory.createSocket(); // unconnected socket, no I/O
String[] protocols = socket.getEnabledProtocols();      // now includes TLSv1.2

After running this program within the app the TLS 1.2 gets enabled. I do not want to run this program but I want to directly enable it during app startup. Is there any way to do it?

TT.
  • 14,883
  • 6
  • 41
  • 77
New Bee
  • 513
  • 1
  • 4
  • 6
  • 1
    sysprop `https.protocols` only works if spelled with both s's and only for connections made with `URL.openConnection` not some other means like `SSLSocketFactory` – dave_thompson_085 Jun 08 '18 at 11:58

10 Answers

34

There are many suggestions but I found two of them most common.

Re. JAVA_OPTS

I first tried export JAVA_OPTS="-Dhttps.protocols=SSLv3,TLSv1,TLSv1.1,TLSv1.2" on command line before startup of program but it didn't work for me.

Re. constructor

Then I added the following code in the startup class constructor and it worked for me.

import javax.net.ssl.SSLContext;

try {
    // Make a TLSv1.2-capable context the process-wide default
    SSLContext ctx = SSLContext.getInstance("TLSv1.2");
    ctx.init(null, null, null); // null = platform default key/trust managers and SecureRandom
    SSLContext.setDefault(ctx);
} catch (Exception e) {
    System.out.println(e.getMessage());
}

Frankly, I don't know in detail why ctx.init(null, null, null), but all (SSL/TLS) is working fine for me.

Re. System.setProperty

There is one more option: System.setProperty("https.protocols", "SSLv3,TLSv1,TLSv1.1,TLSv1.2");. It will also go in code but I've not tried it.

ankit.vishen
  • 920
  • 10
  • 26
  • This should be the accepted answer. There seems to be a bug with the -Dhttps.protocols="TLSv1.2" property as java opts in Java 7_80. – karnesJ.R May 20 '20 at 19:18
  • I also tried with Java options (eg. https.protocols) and did not work - it seemed like it didn't even look at the option. – Victor Dec 07 '20 at 11:55
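The question asks for a way to run the setDefault snippet "during app startup" rather than as a separate program. An added example (not code from the question or the answer above, and not JBoss's own API) that does this with a Servlet 3.0 ServletContextListener, which JBoss 6.4 deploys automatically; the class name Tls12StartupListener is hypothetical. It also reports what an unconnected socket from the default factory would offer, so the log shows whether TLSv1.2 actually became enabled:

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;

/**
 * Hypothetical startup hook for a Servlet 3.0 web app. Runs once at
 * deployment, before any request code opens an outbound TLS connection.
 */
@WebListener
public class Tls12StartupListener implements ServletContextListener {

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        try {
            // Same mechanism as the accepted-style answer: a TLSv1.2-capable
            // context becomes the JVM default, so SSLSocketFactory.getDefault()
            // hands out sockets that enable TLSv1.2. The three nulls select the
            // platform default key managers, trust managers and SecureRandom.
            SSLContext ctx = SSLContext.getInstance("TLSv1.2");
            ctx.init(null, null, null);
            SSLContext.setDefault(ctx);
        } catch (GeneralSecurityException e) {
            // Fail the deployment loudly rather than silently fall back to TLSv1
            throw new IllegalStateException("Cannot enable TLSv1.2", e);
        }
        sce.getServletContext().log("TLS protocols enabled on default factory: "
                + Arrays.toString(defaultEnabledProtocols()));
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to undo; the default context lives for the JVM lifetime
    }

    /** Protocols an unconnected socket from the default factory would offer. */
    static String[] defaultEnabledProtocols() {
        try {
            SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket s = (SSLSocket) f.createSocket(); // not connected, no network I/O
            try {
                return s.getEnabledProtocols();
            } finally {
                s.close();
            }
        } catch (IOException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Two caveats a deployer should keep in mind. HttpsURLConnection caches its default SSLSocketFactory the first time it is asked for one, so this listener must run before any code in the deployment touches HttpsURLConnection (listeners run before servlets and filters initialize, which is why a listener is used here). And, as the comment on the question notes, https.protocols is consulted only by URL.openConnection-based HTTPS clients; libraries that build their own SSLSocketFactory only see the default context set here.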
23

You can upgrade your Java 7 version to 1.7.0_131-b31

For JRE 1.7.0_131-b31 on the Oracle site:

TLSv1.2 and TLSv1.1 are now enabled by default on the TLS client end-points. This is similar behavior to what already happens in JDK 8 releases.

TT.
  • 14,883
  • 6
  • 41
  • 77
Joby Wilson Mathews
  • 7,870
  • 2
  • 42
  • 43
16

Add the following option for the Java application:

-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2  
TT.
  • 14,883
  • 6
  • 41
  • 77
10

Add this parameter to JAVA_OPTS or to the command line in Maven: -Dhttps.protocols=TLSv1.2

StackzOfZtuff
  • 1,671
  • 18
  • 19
AntonioOtero
  • 1,671
  • 12
  • 15
8

System.setProperty("https.protocols", "TLSv1.2"); worked in my case. Have you checked that within the application?

Community
  • 1
  • 1
Sirsendu
  • 269
  • 1
  • 8
5

The stated answers are correct, but I'm just sharing one additional gotcha that was applicable to my case: in addition to using setProtocol/withProtocol, you may have some nasty jars that won't go away even if you have the right jars plus an old one:

Remove

<dependency>
    <groupId>commons-httpclient</groupId>
    <artifactId>commons-httpclient</artifactId>
    <version>3.1</version>
</dependency>

Retain

<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.5.2</version>
</dependency>

<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpcore</artifactId>
    <version>4.4.6</version>
</dependency>

Java is backward compatible, but most libraries are not. Each day that passes the more I wish shared libraries were outlawed with this lack of accountability.

Further info

java version "1.7.0_80"
Java(TM) SE Runtime Environment (build 1.7.0_80-b15)
Java HotSpot(TM) 64-Bit Server VM (build 24.80-b11, mixed mode)
Sridhar Sarnobat
  • 19,595
  • 12
  • 74
  • 93
  • Sridhar, So with these changes along with Dhttp.protocols = TLSv1.2 does 1.7.0_80 support TLSv1.2 by default (as I'm seeing sslHandshake is using TLSv1) or do I need to upgrade our JDK to later versions ? even when I provide '-Dhttps.protocols = TLSv1.2' in eclipse runtime env. or 'https.protocols = TLSv1.2' in catalina properties - it's not working!! – whoami - fakeFaceTrueSoul Aug 02 '18 at 20:37
  • I feel your pain. I understand that upgrading is not possible in all situations. It does work for me on java 7 but I needed my architect to find out this unwanted jar. – Sridhar Sarnobat Aug 03 '18 at 04:56
  • Yes thanks for suggestion, but somehow it didn't work for me, same happens each time it defaults to TLSv1. – whoami - fakeFaceTrueSoul Aug 03 '18 at 18:52
2

To force enable TLSv1.2 in JRE7u_80 I had to use the following code snippet before creating the JDBC connection.

import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import javax.net.ssl.SSLContextSpi;
import sun.security.jca.GetInstance;
import sun.security.jca.ProviderList;
import sun.security.jca.Providers;

public final class Tls12Workaround
{
    // Relies on sun.security.jca internals (not a public API); compiles only
    // against an Oracle/OpenJDK 7 runtime where these classes are present.
    public static void enableTLSv12ForMssqlJdbc() throws NoSuchAlgorithmException
    {
        ProviderList providerList = Providers.getProviderList();
        // Find the provider that currently serves SSLContext.getInstance("TLS")
        GetInstance.Instance instance = GetInstance.getInstance("SSLContext", SSLContextSpi.class, "TLS");
        for (Provider provider : providerList.providers())
        {
            if (provider == instance.provider)
            {
                // Re-point the "TLS" alias so callers asking for "TLS" get a TLSv1.2 context
                provider.put("Alg.Alias.SSLContext.TLS", "TLSv1.2");
            }
        }
    }
}

Able to connect to Windows 10 with SQL server 2017 & TLSv1.2 enabled OS.

Vaibhav Jain
  • 1,331
  • 19
  • 29
0

You should probably be looking to the configuration that controls the underlying platform TLS implementation via -Djdk.tls.client.protocols=TLSv1.2.

Filip
  • 1,154
  • 9
  • 18
  • 6
    Seems like it will only work with JDK 1.7.0_95 or later, but issue here is last public release/update on JDK 1.7 is JDK 1.7.0_80, So technically this works for who ever using a version of JDK having Oracle Support or an Oracle customer!! Please let me know if it works for JDK 1.7.0_80 – whoami - fakeFaceTrueSoul Aug 05 '18 at 00:47
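Whether -Djdk.tls.client.protocols or -Dhttps.protocols has any effect depends on the JDK build, as the comment above points out, and the two act at different layers. An added diagnostic (not part of the answer or any JDK tool; the class name TlsDiagnostics is hypothetical) that prints the relevant properties next to the default SSLContext's enabled and supported protocols, so the same class can be run under each flag to see which one a given build honours:

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

/** Hypothetical startup self-check; run once per candidate JVM flag. */
public final class TlsDiagnostics {

    /** Properties mentioned in this thread that can influence client protocol selection. */
    static final String[] PROPS = {
        "https.protocols", "jdk.tls.client.protocols", "java.version"
    };

    /** Collects properties and default-context protocol lists into an ordered map. */
    public static Map<String, String> report() throws NoSuchAlgorithmException {
        Map<String, String> out = new LinkedHashMap<String, String>();
        for (String p : PROPS) {
            out.put(p, String.valueOf(System.getProperty(p)));
        }
        SSLContext ctx = SSLContext.getDefault();
        // Default parameters reflect a client-mode socket from this context
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        out.put("default-context.protocol", ctx.getProtocol());
        out.put("default-context.enabled", Arrays.toString(enabled.getProtocols()));
        out.put("default-context.supported", Arrays.toString(supported.getProtocols()));
        boolean tls12 = Arrays.asList(enabled.getProtocols()).contains("TLSv1.2");
        out.put("tls12.enabled-by-default", String.valueOf(tls12));
        return out;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        for (Map.Entry<String, String> e : report().entrySet()) {
            System.out.println(e.getKey() + " = " + e.getValue());
        }
        // Non-zero exit lets a startup script refuse to launch without TLSv1.2
        if (!"true".equals(report().get("tls12.enabled-by-default"))) {
            System.exit(1);
        }
    }
}
```

Run it as java -Djdk.tls.client.protocols=TLSv1.2 TlsDiagnostics and again with -Dhttps.protocols=TLSv1.2. On builds that honour jdk.tls.client.protocols the default-context.enabled line changes; https.protocols never changes it, because HttpsURLConnection applies that property to each connection's socket rather than to the default context, which is consistent with the observation on the question that the property does nothing for code using SSLSocketFactory directly.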
0

I solved this issue by using

Service.setSslSecurityProtocol(SSLSecurityProtocol.TLSv1_2);
Omar
  • 43
  • 1
  • 10
0

I had a similar issue when connecting to RDS Oracle, even when client and server were both set to TLSv1.2, the certs were right and Java was 1.8.0_141. So finally I had to apply the patch Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.

After applying the patch the issue went away and connection went fine.

isubodh
  • 29
  • 7