
I have a Java app deployed in tomcat 6. The app sends messages to another service via socket and it needs to use ONLY TLSv1.2 protocol. In my tomcat6.conf file I put this configuration:

JAVA_HOME=/usr/lib/jvm/jre1.7.0_75
JAVA_OPTS="${JAVA_OPTS} -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Dhttps.protocols=TLSv1.2"

But it still uses the older TLS version.

Is there any configuration to apply in Java or Tomcat to force the use of TLSv1.2?


Edit 1: The answer provided by @Peter Walser is good and could work. The problem is I can't modify the code because it is a jar provided by a third party, and I can only configure the environment, not the code.

Roshana Pitigala
developer_hatch
    From a security standpoint: TLS restrictions (supported protocols and cipher suites) should be led by the server. The client may apply restrictions as well (by limiting the protocols and cipher specs to an acceptable secure set, i.e. no longer supporting SSLv3 and TLSv1.0), but should be more lenient than the server. So you could argue that you expect the limitation to TLSv1.2 from the server (making your TLSv1.2 restriction optional). – Peter Walser Jul 12 '18 at 15:29
    If you can upgrade to java 8 or higher, that will do TLS1.2 (and 1.1) automatically. Or 7u95 with a sysprop setting or 7u131 without -- see http://www.oracle.com/technetwork/java/javase/documentation/javase7supportreleasenotes-1601161.html -- but if you are using Oracle Java, versions of 7 above u80 require you pay for 'advanced' support. Prob dupe https://stackoverflow.com/questions/50052456/ . – dave_thompson_085 Jul 12 '18 at 18:11
  • @dave_thompson_085 thanks, that's true, but not an option here, they won't upgrade to java 1.8. Perhaaaaaps to 7u95... I could give a try – developer_hatch Jul 12 '18 at 19:43

2 Answers


The https.protocols system property is only considered for HttpsURLConnection and URL.openStream(), as stated in Diagnosing TLS, SSL, and HTTPS

Controls the protocol version used by Java clients which obtain https connections through use of the HttpsURLConnection class or via URL.openStream() operations. ...

For non-HTTP protocols, this can be controlled through the SocketFactory's SSLContext.

You can configure the SSLSocket as follows:

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
socket.setEnabledProtocols(new String[] {"TLSv1.2"}); // this socket will only negotiate TLSv1.2

When working with REST-clients, most of them support configuring the protocols over the SSLContext. Example (JAX-RS client):

SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, null, null); // the context must be initialized before use; null selects the default key/trust managers
Client client = ClientBuilder.newBuilder()
    .sslContext(sslContext)
    // more settings, such as key/truststore, timeouts, logging
    .build();
Peter Walser
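An added example (not code from the answer above) that carries the per-socket restriction through end to end: it builds an SSLContext, creates an unconnected client socket from it, verifies that the JRE supports TLSv1.2 at all, and pins the socket's enabled protocols to TLSv1.2 only before any handshake. The host name is a placeholder and nothing is sent on the socket.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.Arrays;

/**
 * Added example, not from the original answer: enforce TLSv1.2-only on a
 * client SSLSocket and report what was enabled before and after.
 */
public class Tls12Only {

    // The only protocol this client is allowed to negotiate.
    static final String[] ALLOWED = { "TLSv1.2" };

    // Restricts the socket to TLSv1.2 and returns the resulting enabled list.
    // Fails loudly on a JRE that cannot speak TLSv1.2 at all, instead of
    // silently leaving the socket on an older protocol.
    static String[] restrictToTls12(SSLSocket socket) {
        if (!Arrays.asList(socket.getSupportedProtocols()).contains("TLSv1.2")) {
            throw new IllegalStateException("this JRE does not support TLSv1.2");
        }
        socket.setEnabledProtocols(ALLOWED);
        return socket.getEnabledProtocols();
    }

    public static void main(String[] args) throws Exception {
        // A "TLSv1.2" context can still enable older protocols by default on
        // Java 7, so the per-socket restriction is what enforces the policy.
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers and the JRE trust store
        SSLSocketFactory factory = ctx.getSocketFactory();

        // createSocket() with no arguments returns an unconnected socket, so the
        // protocol list can be inspected and changed before any handshake runs.
        SSLSocket socket = (SSLSocket) factory.createSocket();
        System.out.println("enabled by default: "
                + Arrays.toString(socket.getEnabledProtocols()));
        System.out.println("enabled after restriction: "
                + Arrays.toString(restrictToTls12(socket)));
        socket.close();
    }
}
```

The same restrictToTls12() call can be applied to a connected socket returned by createSocket(host, port), as long as it runs before the first read or write triggers the handshake.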

If you are trying to force the server to use TLSv1.2 the following link may provide what you need.

The Apache Tomcat 5.5 Servlet/JSP Container - SSL Configuration HOW-TO


As the doc specifies, edit the Tomcat configuration file as below:

The implementation of SSL used by Tomcat is chosen automatically unless it is overridden as described below. If the installation uses APR - i.e. you have installed the Tomcat native library - then it will use the APR SSL implementation, otherwise it will use the Java JSSE implementation.

To avoid auto configuration you can define which implementation to use by specifying a classname in the protocol attribute of the Connector. To define a Java (JSSE) connector, regardless of whether the APR library is loaded or not do:

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol" port="8443" .../>

Configure the Connector in the $CATALINA_BASE/conf/server.xml file, where $CATALINA_BASE represents the base directory for the Tomcat 6 instance. An example <Connector> element for an SSL connector is included in the default server.xml file installed with Tomcat. For JSSE, it should look something like this:

<!--
<Connector 
   port="8443" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   SSLCertificateFile="/usr/local/ssl/server.crt" 
   SSLCertificateKeyFile="/usr/local/ssl/server.pem"
   clientAuth="optional" SSLProtocol="TLSv1"/>
-->

You will note that the example SSL connector elements are commented out by default. You can either remove the comment tags from around the example SSL connector you wish to use or add a new Connector element of your own. In either case, you will need to configure the SSL Connector for your requirements and environment.

The port attribute (default value is 8443) is the TCP/IP port number on which Tomcat will listen for secure connections. You can change this to any port number you wish (such as to the default port for https communications, which is 443). However, special setup (outside the scope of this document) is necessary to run Tomcat on port numbers lower than 1024 on many operating systems.

After completing these configuration changes, you must restart Tomcat as you normally do, and you should be in business. You should be able to access any web application supported by Tomcat via SSL.


Try changing the SSLProtocol attribute in the <Connector> element to SSLProtocol="TLSv1.2".

<Connector 
   port="8443" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   SSLCertificateFile="/usr/local/ssl/server.crt" 
   SSLCertificateKeyFile="/usr/local/ssl/server.pem"
   clientAuth="optional" SSLProtocol="TLSv1.2"/>
Roshana Pitigala