OCSP Stapling support in Java 8 - ssl

We are using Adopt OpenJDK 1.8. We want to enable OCSP Stapling on the server, but it looks like it was introduced in OpenJDK 1.9.
Does anyone know if there is any plan to backport OCSP Stapling to 1.8, as it is an LTS release?
Or is there any other option to enable it with Java 1.8? We do not want to upgrade the Java version.

Related

Accessing TLS 1.3 Website from Windows Server 2012 R2

I have Windows Server 2012 R2 and I need to access a website whose SSL certificate is using TLS 1.3 (screenshot below).
But I get this error in my browser (IE 11):
This page can't be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to [WEBSITE] again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
Is there a way to access this website in IE 11 on Windows Server 2012 R2?
Thanks,
It seems not. There is currently no way, because IE 11 does not support TLS 1.3.
Please try to use another browser.
Last updated on: 2022-06-30
Browser compatibility for TLS 1.3 (versions):

| Browser             | Fully supported | Partially supported | Not supported |
|---------------------|-----------------|---------------------|---------------|
| IE                  | none            | none                | 5.5-11        |
| Edge                | 79-103          | none                | 12-18         |
| Firefox             | 63-104          | 60-62               | 2-59          |
| Chrome              | 70-106          | none                | 4-69          |
| Safari              | 14.1-16         | 12.1-13             | 3.2-12        |
| Opera               | 57-87           | none                | 9.5-56        |
| Safari on iOS       | 12.2-16         | none                | 3.2-12        |
| Android Browser     | 97-103          | none                | 2.3-4         |
| Opera Mobile        | 64              | none                | 10-12         |
| Chrome for Android  | 97-103          | none                | below 97      |
| Firefox for Android | 95-101          | none                | below 95      |
| Samsung Internet    | 10.1-17         | none                | 4-9.2         |

Support for TLSv1 in Python 3.10.5/Twisted 22.4.0

I recently upgraded a server based on Python 3.8.6 to Python 3.10.5.
The Twisted listener in it allows various devices to connect.
Some of those devices only have TLSv1.
The server code specifically enables TLSv1/1.1/1.2/1.3, but only 1.2 and 1.3 work.
According to this issue, https://bugs.python.org/issue43998, Python's SSL module no longer supports versions lower than 1.2. But Twisted uses pyOpenSSL, and I cannot find any documentation that states it only supports v1.2 and later.
Can anybody please supply some information on this?

What is the correct config settings to use BoringSSL with Hazelcast IMDG?

I am running Hazelcast as a cache service. It seems I can improve performance with BoringSSL, and this is simpler because I don't need to install additional software.
Reading their doc: https://docs.hazelcast.com/imdg/4.1.2/security/integrating-openssl.html
I see that I just need two jars, but I don't see any mention of config settings. Do I just use the Java SSL settings with BasicSSLContextFactory?
I see I can use com.hazelcast.nio.ssl.BasicSSLContextFactory, as mentioned here https://docs.hazelcast.com/imdg/4.1.2/security/tls-ssl.html#tlsssl-for-hazelcast-members, for the Java SSL implementation.
They also provide com.hazelcast.nio.ssl.OpenSSLEngineFactory for OpenSSL integration (https://docs.hazelcast.com/imdg/4.1.2/security/integrating-openssl.html#using-openssl).
BoringSSL is the library to use for OpenSSL, so this link is a good source. However, if you are not bound to old Java versions, then nowadays Java TLS is faster than OpenSSL, so there is no need for BoringSSL.
Since SSL is a Hazelcast Enterprise feature, feel free to raise a Hazelcast Zendesk ticket if you need more detailed help.
Starting with Hazelcast version 4.0, the following logic decides which TLS engine is used:
when the Java version is < 11 and a netty-tcnative package (wrapping OpenSSL, BoringSSL, ...) is on the classpath: use the OpenSSLEngineFactory;
in all other cases: use the BasicSSLContextFactory.
Of course, you don't have to use the defaults; you can specify the factory-class-name configuration attribute with the factory of your choice.
You can use the same properties in OpenSSLEngineFactory as in BasicSSLContextFactory (e.g. keyStore*, trustStore*). Nevertheless, the native way of configuring the OpenSSLEngineFactory is by using keyFile and the other properties mentioned in the documentation section about OpenSSL.
Why the Java 11 check
As mentioned above, the OpenSSLEngineFactory is not used for Java 11 and newer by default. This decision was based on Hazelcast performance testing which shows OpenSSL performance benefits when used with Java 8, but not with Java 11 (or newer).
Here are throughput graphs from those tests (performed in 2019):
[Throughput graphs: TLSv1.2, TLSv1.3]
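As an added example (not code from the answer above or from the Hazelcast documentation), the two engines pinned explicitly through Hazelcast's programmatic Config, which is the Java counterpart of the factory-class-name attribute, so the choice no longer depends on the Java version or on what happens to be on the classpath. All file paths and passwords are placeholders; the property names keyCertChainFile, trustCertCollectionFile and mutualAuthentication are assumed from the Hazelcast TLS/OpenSSL documentation rather than taken from this page.

```java
import com.hazelcast.config.Config;
import com.hazelcast.config.SSLConfig;

/** Member TLS configs that name the engine explicitly instead of relying on the default selection. */
public final class HazelcastTlsConfig {

    /** JSSE engine: the Hazelcast default on Java 11+, or on Java 8 without netty-tcnative. */
    public static SSLConfig jsseConfig() {
        SSLConfig ssl = new SSLConfig();
        ssl.setEnabled(true);
        ssl.setFactoryClassName("com.hazelcast.nio.ssl.BasicSSLContextFactory");
        ssl.setProperty("protocol", "TLSv1.2");
        ssl.setProperty("keyStore", "/etc/hazelcast/member-keystore.p12");       // placeholder path
        ssl.setProperty("keyStorePassword", "changeit");                          // placeholder; load from a secret store
        ssl.setProperty("keyStoreType", "PKCS12");
        ssl.setProperty("trustStore", "/etc/hazelcast/member-truststore.p12");   // placeholder path
        ssl.setProperty("trustStorePassword", "changeit");                        // placeholder
        ssl.setProperty("trustStoreType", "PKCS12");
        // Assumed property: require peer certificates so only holders of a trusted cert can join.
        ssl.setProperty("mutualAuthentication", "REQUIRED");
        return ssl;
    }

    /** OpenSSL/BoringSSL engine via netty-tcnative, configured with PEM files instead of keystores. */
    public static SSLConfig openSslConfig() {
        SSLConfig ssl = new SSLConfig();
        ssl.setEnabled(true);
        ssl.setFactoryClassName("com.hazelcast.nio.ssl.OpenSSLEngineFactory");
        ssl.setProperty("protocol", "TLSv1.2");
        ssl.setProperty("keyFile", "/etc/hazelcast/member-key.pem");               // PKCS#8 private key, placeholder
        ssl.setProperty("keyCertChainFile", "/etc/hazelcast/member-chain.pem");    // assumed property: leaf + intermediates
        ssl.setProperty("trustCertCollectionFile", "/etc/hazelcast/ca.pem");       // assumed property: trusted CA certs
        ssl.setProperty("mutualAuthentication", "REQUIRED");                       // assumed property
        return ssl;
    }

    /** Attaches the chosen engine to a member's network config; nothing is left to auto-detection. */
    public static Config memberConfig(boolean useOpenSsl) {
        Config config = new Config();
        config.getNetworkConfig().setSSLConfig(useOpenSsl ? openSslConfig() : jsseConfig());
        return config;
    }
}
```

With a pinned OpenSSLEngineFactory, a member started on a JVM where netty-tcnative is missing fails at startup instead of silently falling back to the JSSE engine, which is the behaviour you want when the engine choice was made for a reason.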

How to enable/install HTTP/2 on Virtualmin in CentOS7

I have Virtualmin installed on my CentOS 7 server, and a few websites are currently running on it. There's no separate Apache installation because it is using Virtualmin. However, I need to install/enable HTTP/2 on my server, but the current resources on the internet are not helpful enough to learn how to do this, since I have a Virtualmin installation on which a few sites are hosted. How can I do this?
HTTP/2 support was only added in Apache 2.4.17; therefore the only way to make it work on CentOS 7 is to rebuild it manually. OpenSSL version 1.0.2 is already available in CentOS 7, though.
Perhaps the easiest way would be to upgrade to a distro that already ships the needed version of Apache.
I cannot recommend CentOS 8 due to recent events; however, Ubuntu 20.04 LTS and Debian 10 are both supported with Virtualmin and have the latest versions of Apache. In the future we will support any 1:1 compatible forks/clones of RHEL; recently we fixed RHEL 8 support as well, and CentOS 8 Stream is also supported.

Is it possible to support TLSv1.3+ on Android API <20 by using a 3rd party library?

I have to support an Android device that uses Android API <20 (KitKat and older). We use AWS for our APIs and want to support TLSv1.3 and beyond, but these devices may not be upgraded for some time. Android API <20 doesn't natively support TLSv1.3+, but is it possible to use a third-party TLS library to support TLSv1.3? If so, how? Googling around has not turned up anything apart from "upgrade your device".
It's possible to do this using the Conscrypt library, which goes all the way back to Android 2.x.
You can reference that library and then make use of it by:
Security.insertProviderAt(Conscrypt.newProvider(), 1);
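As an added example (not part of the answer), a small bootstrap that installs Conscrypt as shown above and then verifies that TLSv1.3 really appears in the supported protocols of a context built from that provider, since registering the provider alone gives no feedback. Conscrypt.newProvider() is the real Conscrypt entry point; the class and method names here are assumed JSSE plumbing, and the HttpsURLConnection step assumes your app uses that API.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import org.conscrypt.Conscrypt;

/** Installs Conscrypt ahead of the platform provider and confirms TLSv1.3 is available. */
public final class Tls13Bootstrap {

    /** Registers Conscrypt at position 1 exactly once; later JSSE lookups resolve to it first. */
    public static Provider installConscrypt() {
        Provider conscrypt = Conscrypt.newProvider();
        if (Security.getProvider(conscrypt.getName()) == null) {
            Security.insertProviderAt(conscrypt, 1);
        }
        return Security.getProvider(conscrypt.getName());
    }

    /** Builds an SSLContext bound to the given provider (default key and trust managers). */
    public static SSLContext contextFor(Provider provider) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS", provider);
        ctx.init(null, null, null);
        return ctx;
    }

    /** True only if the provider-backed context lists TLSv1.3 among its supported protocols. */
    public static boolean supportsTls13(SSLContext ctx) {
        return Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()).contains("TLSv1.3");
    }

    /** Parameters to apply per socket/engine so TLSv1.0 and 1.1 are never negotiated. */
    public static SSLParameters modernProtocolsOnly(SSLContext ctx) {
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        return params;
    }

    public static void main(String[] args) throws Exception {
        Provider provider = installConscrypt();
        SSLContext ctx = contextFor(provider);
        System.out.println("TLSv1.3 supported via " + provider.getName() + ": " + supportsTls13(ctx));
        // Existing HttpsURLConnection callers keep the platform factory unless it is replaced explicitly.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }
}
```

Libraries that build their own SSLContext (OkHttp, for example) need the Conscrypt-backed factory passed to them explicitly; the provider insertion only changes what default lookups resolve to.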
I don't think an Android device will support TLS 1.3, because TLS 1.3 is too new and almost all browsers cannot support TLS 1.3. Most of them use the older version, TLS 1.2; TLS 1.2 is compatible with all the IDEs and web platforms such as Chrome or Firefox. Also, TLS 1.3 is very hard to create because there is almost no info about encryption with TLS 1.3.