
Looking for an example of opening an HttpsURLConnection with an SSLContext restricted to TLSv1.2. The context is built using a trust store and key material, and after I added the custom() call the TLS setting seems to have changed to just "TLS" instead of "TLSv1.2".

my code is:

import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.ssl.SSLContexts;

// first context: protocol name "TLSv1.2"
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
// second context from the Apache builder (no setProtocol call, so the builder's default "TLS" name is used);
// this assignment replaces the context created above
sslContext = SSLContexts.custom()
                .loadTrustMaterial(getKeyStore(trustStoreURL, trustStorePassword), new TrustSelfSignedStrategy())
                .loadKeyMaterial(getKeyStore(keyStoreUrl, keyStorePassword), keyStorePassword.toCharArray())
                .build();

So after the custom() call I see "TLS" in the sslContext properties.

  • It's not 'changed'; you create two different contexts, one with 'protocol' `TLSv1.2` and one with `TLS` (by default), and use only the latter. By 'restricted to 1.2' do you mean 'not below 1.2', 'not above 1.2' or 'exactly 1.2', and on what Java and with or without nonstandard provider(s)? In Oracle/OpenJDK JSSE, 'protocol' `TLSv1.2` is actually coded as 'not above 1.2' -- but recent Java versions (7u301, 8u291, 11.0.11, 13.0.8, 15.0.3 and 16 up) default-disable 1.0 and 1.1 (and SSL3, which is coded-in unless FIPS mode), so that actually produces 'exactly 1.2'. ... – dave_thompson_085 Dec 22 '21 at 04:54
  • ... `TLS` on current 8 and 11 up is coded as the value of a sysprop if set and otherwise 'up to 1.3', but for the same reason on recent versions produces '1.2 or 1.3'. – dave_thompson_085 Dec 22 '21 at 04:55
  • I need the context to be set to exactly TLSv1.2 for the HttpsURLConnection that I'm opening further on in the code. We use Java 1.8, the IDE is RAD 9.6 (Eclipse-based) and WebSphere 8.5 is the runtime. – user17736003 Dec 23 '21 at 14:51
  • _If_ you use 8u291 up (and don't change or override the java.security settings) and call the misleadingly-named [`SSLContextBuilder.setProtocol`](https://hc.apache.org/httpcomponents-core-4.4.x/current/httpcore/apidocs/org/apache/http/ssl/SSLContextBuilder.html#setProtocol(java.lang.String)), it will actually create a TLSv1.2 context that does 1.2 only. Otherwise you can't accomplish this by setting the context, but you might be able to create a factory wrapper that calls `SSLSocket.setEnabledProtocols`. – dave_thompson_085 Dec 27 '21 at 04:28
  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking. – Community Dec 29 '21 at 13:35

1 Answer


Why do you want to use only a single version? Is there any restriction on your server host? Most modern servers use TLSv1.2, which is backward compatible with one or two versions. When you use TLSv1.2 while creating a socket factory like below,

// SSLSocketFactory has no getInstance(String); the protocol name goes on the SSLContext
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
SSLSocketFactory factory = sslContext.getSocketFactory();

the default allowed protocols would be SSL, TLS, TLSv1.1, TLSv1.2.

With that being said, to answer your question: you can set your SSLSocket to enable just a few protocols using the setEnabledProtocols method. Please check the docs for more on this. Once done, your SSL connection will allow only the specified protocols.

apgautham