I am trying to enable TLS 1.2 in my web app which uses Tomcat 5.5 and Java 1.7. I am checking the website TLS version on both chrome and IE. Things I have tried:
adding -Dhttp.protocols = TLSv1.2 to JAVA_OPTS in setenv.bat. (still shows TLS 1)
setting ssLENabledProtocols to TLSV1.2 in the server.conf file. (still shows TLS 1)
setting ssLProtocol to TLSV1.2 in server conf file. (website does not open)
setting JAVA_HOME to JDK 8 in setenv.bat file. (still shows TLS 1)
Is there anything I could do to enable TLS 1.2?
There is a website hosted using IIS with TLSV1.2 on the same server.
Related
I'm hosting at Digital Ocean with Ubuntu 18.04, Nginx version 1.17.6, OpenSSL version 1.1.1 . - I believe those satisfy requirements for TLS 1.3.
In my /etc/nginx/nginx.conf file I added TLSv1.3 like so:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
I have not changed anything in /etc/nginx/sites-available/website.com .
When I test my site in SSL Labs and elsewhere, TLSv1.3 is not working. It's still using TLSv1.2.
I checked nginx -V, and --with-openSSL argument is not listed. Not sure if I have to rebuild my nginx with that flag.
Any pointers would be appreciated
UPDATE:
I rebuilt Nginx from source with OpenSSL 1.1.1. Still not working.
Found the solution after much digging. I had to update /etc/letsencrypt/options-ssl-nginx.conf and add ssl protocols TLSv1.3 there, as well as add to ssl_ciphers TLS 1.3 ciphers TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:
I've got a web application with nginx supporting https with TLSv1, TLSv1.1, TLSv1.2 protocols. We'd like to stop supporting TLSv1 and TLSv1.1 due to well known security vulnerabilities. Unfortunately, we have some legacy clients running very old OSes that cannot be upgraded to connect over TLSv1.2. As a solution would it be possible to place a proxy in front of our web app that takes traffic solely from these legacy clients and have that proxy support decrypting TLSv1 but re-encrypt that traffic using TLSv1.2 before proxying it forward? Is this something that nginx can do? Would the responses returned to the client be encrypted with TLSv1?
Is it possible if i only enabled TLS 1.2 in the IIS Application?
It keeps showing the below errors when i applied only TLS 1.2.
If there are TLS 1.0, 1.1, 1.2, the IIS application did work. but the properties shown are TLS 1.0 and not TLS 1.2
In the TLS handshake the server will choose the best protocol supported by the client. Given that the connection only results in TLS 1.0 if your client is connecting to a server which support TLS 1.0...TLS 1.2 it looks like your (unknown) client only supports TLS 1.0. In this case it is no surprise that it will fail if the server has only TLS 1.2 enabled.
I need to update apache 2.2.22 to support TLSv1.2. I have tried the below command but it is not working
SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
But when I put this command it displays an error in windows event viewer
SSLProtocol: Illegal protocol 'TLSv1.2'
Support for TLSv1.1 and TLSv1.2 was added in httpd 2.2.23. You will need to upgrade httpd itself, and also have OpenSSL 1.0.1 available at build-time and at run-time.
TLS for Apache is provided by OpenSSL. If TLS 1.2 is supported in your installation depends on the installed OpenSSL version, see About TLS 1.2 support in openssl.
Judging from the changelog, you will need at least OpenSSL 1.0.1.
You can't do this. You need OpenSSL 1.0.1 at least, and the API of OpenSSL 1.0.1 is not compatible with Apache 2.2.22. You will need to upgrade Apache HTTPD.
I am trying to enable TLS 1.2 on Tomcat on Spring-boot 1.2.1. Android 5.0 is failing to connect to the default SSL settings, due to an SSL handshake failure. Android 4.4, iOS, Firefox, and Chrome all connect to the default version. I think this is because of a mismatch in the TLS protocols supported in Android 5.0 and the spring boot tomcat defaults (TLS v1?).
I imagine I want to change this application.properties setting:
server.ssl.protocol=TLS
but I have not located the other acceptable strings (or if there are any, even). There is no enumeration that I can find by searching on "protocol" in spring boot github.
I have tried "TLSv1.2", but this appears to have no effect.
The current SSL configuration in application.properties is:
server.ssl.key-store = chainedcertificates.p12
server.ssl.key-store-password = secret
server.ssl.key-store-type = PKCS12
How do you enable TLS 1.2 in spring boot?
If it matters, I am using Java 1.7. The documentation for this seems to indicate it should support TLS 1.2.
Tomcat 8 seems to have support present. I am not sure how to check exactly which version is running in spring boot.
You may experience an SSL handshake error due to the default ciphers that spring boot includes. It is recommended that you define a set of ciphers. We had a similar issue, and the way we fixed it was by using SSLScan on the caller and then scanning our system to see if there were any matches. This lead us to find out that there were no matches and helped us define a list of ciphers we should support.
Using SSLScan these are the default ciphers spring boot will use:
Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256 Curve P-256 DHE 256
Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256 DHE 1024 bits
Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA DHE 1024 bits
To enable TLS 1.2 and to define the cipher list please do the following:
#enable/diable https
server.ssl.enabled=true
#ssl ciphers
server.ssl.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256, INCLUDE_ANY_OTHER_ONES_YOU_NEED_TO_SUPPORT
# SSL protocol to use.
server.ssl.protocol=TLS
# Enabled SSL protocols.
server.ssl.enabled-protocols=TLSv1.2
For a list of of ciphers you can use https://testssl.sh/openssl-rfc.mapping.html and https://msdn.microsoft.com/en-us/library/windows/desktop/mt813794(v=vs.85).aspx
TLS 1.2 is enabled by default in spring-boot 1.2.1. This can be verified by running the following from the command line
openssl s_client -connect serverAddress:port
which outputs
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
So my problem must be something separate.