We use UnboundID (unfortunately the old version that should be upgraded soon).

I want to configure multiple TLS protocols for an LDAP over SSL connection: TLSv1, TLSv1.1, TLSv1.2.

Unfortunately, com.unboundid.util.ssl.SSLUtil#createSSLContext(java.lang.String, java.lang.String) supports only a single value:

  public SSLSocketFactory createSSLSocketFactory(final String protocol)
         throws GeneralSecurityException
  {
    return createSSLContext(protocol).getSocketFactory();
  }

How do I configure multiple TLS protocols?

user207421
Michael

2 Answers

If you put "TLSV1.2" it will use any protocol version from there back as far as the JDK supports. What you are doing is configuring the highest TLS protocol version to use.

user207421
  • How can I configure the lowest TLS protocol? I want to ensure that SSLv3 is not used. Is it enough if we use a JDK higher than 8u31 http://www.oracle.com/technetwork/java/javase/8u31-relnotes-2389094.html? Should we configure any protocol in this case? – Michael Sep 11 '17 at 06:20
  • Yes, that JRE version is sufficient, as long as you don't do what's mentioned in your link to re-enable it, and you aren't adding other security providers that support it. – user207421 Sep 11 '17 at 07:34
Specific settings for unboundid-ldap-sdk are controlled by:

import java.util.Arrays;

// Both are static, SDK-wide settings (the class lives in com.unboundid.util.ssl).
// setDefaultSSLProtocol names the SSLContext protocol used when none is passed explicitly;
// setEnabledSSLProtocols is the list applied to every SSL socket the SDK creates.
com.unboundid.util.ssl.SSLUtil.setDefaultSSLProtocol("TLSv1");
com.unboundid.util.ssl.SSLUtil.setEnabledSSLProtocols(Arrays.asList("TLSv1"));

As shown in Documentation.

jwilleke
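Putting the two answers together, here is an added example (not code from the question, the answers, or the UnboundID project) that enables exactly TLSv1, TLSv1.1 and TLSv1.2 via SSLUtil.setEnabledSSLProtocols, uses "TLSv1.2" as the context protocol as the first answer describes, and then checks that SSLv3 is absent from the effective list instead of relying on the JDK's disabled-algorithms default. The trust store path, the hostname ldap.example.com and the port are placeholders; the example assumes an SDK version in which the static SSLUtil.setEnabledSSLProtocols / getEnabledSSLProtocols methods referenced by the second answer exist.

```java
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.util.ssl.SSLUtil;
import com.unboundid.util.ssl.TrustStoreTrustManager;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class LdapsProtocolConfig {

    // Protocols we are willing to negotiate. SSLv3 and SSLv2Hello are deliberately absent.
    static final List<String> ALLOWED_PROTOCOLS = Arrays.asList("TLSv1.2", "TLSv1.1", "TLSv1");

    // Name handed to SSLContext.getInstance(): it sets the highest version the context
    // supports, not the only one (the point of the first answer).
    static final String CONTEXT_PROTOCOL = "TLSv1.2";

    /**
     * Build an SSLSocketFactory for LDAPS. The enabled-protocol list is a static, SDK-wide
     * setting, so it applies to every SSL socket the SDK creates afterwards.
     */
    public static SSLSocketFactory buildSocketFactory(String trustStorePath)
            throws GeneralSecurityException {
        SSLUtil.setDefaultSSLProtocol(CONTEXT_PROTOCOL);
        SSLUtil.setEnabledSSLProtocols(ALLOWED_PROTOCOLS);

        // Trust only the certificates in our own store; never use a trust-all manager for LDAPS.
        SSLUtil sslUtil = new SSLUtil(new TrustStoreTrustManager(trustStorePath));
        return sslUtil.createSSLSocketFactory(CONTEXT_PROTOCOL);
    }

    /**
     * Check the effective SDK setting: true only if every enabled protocol is one we allowed
     * and no SSLv3 / SSLv2Hello slipped in (e.g. from a later call elsewhere in the process).
     */
    public static boolean onlyAllowedProtocolsEnabled() {
        Set<String> enabled = SSLUtil.getEnabledSSLProtocols();
        return !enabled.isEmpty()
                && new HashSet<String>(ALLOWED_PROTOCOLS).containsAll(enabled)
                && !enabled.contains("SSLv3")
                && !enabled.contains("SSLv2Hello");
    }

    /**
     * Sanity check against the JDK itself: if the runtime (or an extra provider) still offers
     * SSLv3 for this context, that is worth knowing even though the SDK list excludes it.
     */
    public static boolean jdkOffersSslv3() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance(CONTEXT_PROTOCOL);
        ctx.init(null, null, null);
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        return Arrays.asList(supported).contains("SSLv3");
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path and host; replace with real values.
        SSLSocketFactory factory = buildSocketFactory("/etc/ldap/truststore.jks");

        if (!onlyAllowedProtocolsEnabled()) {
            throw new IllegalStateException("Unexpected protocols enabled: "
                    + SSLUtil.getEnabledSSLProtocols());
        }
        if (jdkOffersSslv3()) {
            System.err.println("Warning: this JDK still supports SSLv3 for " + CONTEXT_PROTOCOL
                    + "; the SDK's enabled list is what keeps it out of the handshake.");
        }

        // The SDK applies the enabled-protocol list to the SSLSocket before the handshake, so
        // the server can negotiate any of TLSv1, TLSv1.1 or TLSv1.2 but never SSLv3.
        LDAPConnection conn = new LDAPConnection(factory, "ldap.example.com", 636);
        try {
            System.out.println("Connected over LDAPS: " + conn.isConnected());
        } finally {
            conn.close();
        }
    }
}
```

Because both SSLUtil settings are static, set them once at startup before any LDAPConnection is created; a later call from another component silently changes the list for the whole JVM, which is why the example re-reads SSLUtil.getEnabledSSLProtocols() rather than trusting the value it set.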