
I have a java based client (using java 1.6.30) that opens an SSL connection to my server deployed on Tomcat 7.0.26. Tomcat is using Java 6 and in the server.xml I configured the connector to use sslProtocol="TLS".

I wonder what is the SSL version being used? Is it TLS1.0? TLS1.1? Something else?

user207421
Guy

4 Answers


Get the SSLSession from your SSLSocket on your client and use its getProtocol() method.

Oracle JRE/OpenJDK 6 supports SSLv3 and TLS 1.0. You would need at least the IBM JRE 6/7 or Oracle JRE/OpenJDK 7 to get support for TLS 1.1 and TLS 1.2. (This is also related to the available cipher suites, as mentioned in this question.)

Bruno
  • Oracle Java 6 supports TLS 1.1 (http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext) – emstol Dec 09 '15 at 10:39
  • Hm.. on the other hand here oracle tells that TLS 1.1 is not supported in Java 6 https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https – emstol Dec 09 '15 at 11:24
  • @emstol The [Standard Names](http://docs.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext) document is just about the official names (essentially, it's planned in advance). Oracle's [SunJSSE provider (the one that's shipped with the "normal" Oracle JRE)](http://docs.oracle.com/javase/6/docs/technotes/guides/security/SunProviders.html#SunJSSEProvider) doesn't support TLS 1.1 in Oracle JRE 6. – Bruno Dec 09 '15 at 12:59
  • There is support for TLS 1.1 since [JDK 6u111](http://www.oracle.com/technetwork/java/javase/overview-156328.html). But it is a paid update - not freely available. – G. Demecki Feb 17 '16 at 09:47
  • And to add, since I ended up here also looking, [JDK 6u121](http://www.oracle.com/technetwork/java/javase/overview-156328.html#R160_121) added support for TLS 1.2 client connections. – REW Feb 22 '17 at 21:23
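The accepted answer's advice carried through, as an added example that is not code from any of the answers: it lists the protocols this JRE supports and enables by default, flags legacy versions that are still enabled, and, when a host and port are given on the command line (an assumption of this example), opens an SSLSocket to that server and reports what SSLSession.getProtocol() returns for the negotiated connection.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Reports what this JRE can speak, what it enables by default, and what a real handshake negotiates. */
public class TlsProtocolCheck {
    // SSLv3 (RFC 7568), TLS 1.0/1.1 (RFC 8996) and the SSLv2-format hello: worth flagging if still enabled.
    private static final Set<String> LEGACY = new HashSet<String>(
            Arrays.asList("SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"));

    /** Every protocol the JRE supports at all (the list isapir's answer prints). */
    static String[] supportedProtocols() throws Exception {
        return SSLContext.getDefault().getSupportedSSLParameters().getProtocols();
    }

    /** Protocols a freshly created engine will actually offer in a handshake. */
    static String[] enabledProtocols() throws Exception {
        return SSLContext.getDefault().createSSLEngine().getEnabledProtocols();
    }

    /** Connects, forces the handshake, and returns what SSLSession.getProtocol() reports. */
    static String negotiatedProtocol(String host, int port) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.setSoTimeout(5000);
            socket.startHandshake(); // explicit, so a failure surfaces here rather than on first I/O
            SSLSession session = socket.getSession();
            return session.getProtocol() + " with " + session.getCipherSuite();
        } finally {
            socket.close();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("supported: " + Arrays.toString(supportedProtocols()));
        String[] enabled = enabledProtocols();
        System.out.println("enabled:   " + Arrays.toString(enabled));
        for (String p : enabled) {
            if (LEGACY.contains(p)) System.out.println("WARNING: legacy protocol still enabled: " + p);
        }
        if (args.length == 2) { // optional: host and port of the server to probe
            System.out.println("negotiated: " + negotiatedProtocol(args[0], Integer.parseInt(args[1])));
        }
    }
}
```

Run it under the same JRE the client uses; the "enabled" list is what that client will offer, and the negotiated line is what the server actually picked.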

You can use the following snippet to get an array of the supported protocols:

SSLContext.getDefault().getSupportedSSLParameters().getProtocols()

If you want it as a whitespace delimited string, e.g. for SMTP negotiation, pass the array to String.join(), i.e.:

String.join(" ", SSLContext.getDefault().getSupportedSSLParameters().getProtocols())

The latter snippet shows in Java 8 on Windows:

SSLv2Hello SSLv3 TLSv1 TLSv1.1 TLSv1.2

And in Java 11 on Windows:

TLSv1.3 TLSv1.2 TLSv1.1 TLSv1 SSLv3 SSLv2Hello

isapir

This gets the active protocols:

import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.Arrays;
import javax.net.ssl.SSLContext;

  // Platform line separator; the original relied on a static import for this constant
  private static final String LINE_SEPARATOR = System.getProperty("line.separator");

  // Returns the protocols a fresh SSLEngine enables by default, e.g. "[TLSv1.2, TLSv1.1, TLSv1]"
  private static String getActiveProtocols() {
    try {
      return Arrays.toString(SSLContext.getDefault().createSSLEngine().getEnabledProtocols());
    } catch (Exception e) {
      // Keep the full stack trace in the returned string so the failure is diagnosable
      StringWriter stringWriter = new StringWriter();
      e.printStackTrace(new PrintWriter(stringWriter));
      return "Unable to get enabled protocols: " + e.getMessage() + LINE_SEPARATOR + stringWriter;
    }
  }
user12027997
  • Great answer! Works down to Java 5, where static imports (needed for `LINE_SEPARATOR`) and `Arrays.toString()` were added. But you could have mentioned whether you got inspired by other answers in this question or not, and linked them if it's the case. – J.A.I.L. Apr 13 '22 at 11:29
  • This worked for me better than eg. isapir's answer where for some reason eg. Temurin 1.8.0_322 did return TLSv1.3 but actually did not work. This code did not return TLSv1.3 as 'supported' for exact same java version, and thus worked for me better. – Jokkeri Feb 22 '23 at 10:04

For Tomcat 8.5.38 and 8.5.46 (and probably Tomcat 7.0x and newer) adding this to the AccessLogValve pattern (in server.xml) - and enabling that Valve - will show the TLS version in use:

%{org.apache.tomcat.util.net.secure_protocol_version}r

e.g.
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b %{org.apache.tomcat.util.net.secure_protocol_version}r" />
Trenton McKinney
  • Edit request queue is full, but there's a misplaced " here. The %{org.apache.tomcat.util.net.secure_protocol_version}r part should be inside the pattern="" instead of after. – Elliott Jan 13 '21 at 03:38