
Sorry if my question seems redundant. I found tons of Q&As on Stack Overflow and a bunch of other resources about enabling TLSv1.1+ for Tomcat, for Java clients, for OSes..., but still I can't enable it on my local env on Win10/Tomcat7/Java7. Probably, I'm just getting something wrong.

So, to be clear, I have a Java web app deployed on Tomcat. This web app makes requests to remote services via HTTPS. Previously these remote services supported TLSv1.0, and my app worked fine. Now these remote services support only TLSv1.1+, and I'm getting an error (actually a simple HTML page response) saying:

To access this website, update your web browser or upgrade your operating system to support TLSv1.1 or TLSv1.2

I tried to enable TLSv1.1+ outbound communication support for my webapp in a number of ways, but still it doesn't work. So, I tried:

set CATALINA_OPTS=-Dhttps.protocols=TLSv1.1,TLSv1.2

set CATALINA_OPTS=-Ddeployment.security.TLSv1.1=true -Ddeployment.security.TLSv1.2=true

And the same stuff for JAVA_OPTS. I tried it both by adding to the system environment variables and by simply setting it in cmd before starting Tomcat. Also, I set TLSv1.1 and TLSv1.2 support at Control Panel\Programs\Java Control Panel, Advanced tab.

Here are details about my env:

Windows version:

Microsoft Windows [Version 10.0.14393]

Tomcat startup log (first n lines):

c:\Program Files\apache-tomcat-7.0.72\bin>catalina.bat run
Using CATALINA_BASE:   "C:\Program Files\apache-tomcat-7.0.72"
Using CATALINA_HOME:   "C:\Program Files\apache-tomcat-7.0.72"
Using CATALINA_TMPDIR: "C:\Program Files\apache-tomcat-7.0.72\temp"
Using CATALINA_OPTS:    "-Dhttps.protocols=TLSv1.1,TLSv1.2 -Xms1024m -Xmx2048m -XX:MaxPermSize=256m"
Using JRE_HOME:        "C:\Program Files\Java\jdk1.7.0_80\jre"
Using CLASSPATH:       "C:\Program Files\apache-tomcat-7.0.72\bin\bootstrap.jar;C:\Program Files\apache-tomcat-7.0.72\bin\tomcat-juli.jar"
Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server version:        Apache Tomcat/7.0.72
Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server built:          Sep 14 2016 12:12:26 UTC
Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Server number:         7.0.72.0
Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Name:               Windows 8.1
Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: OS Version:            6.3
Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Architecture:          amd64
Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: Java Home:             C:\Program Files\Java\jdk1.7.0_80\jre
Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
INFO: JVM Version:           1.7.0_80-b15
Jan 12, 2017 3:40:54 PM org.apache.catalina.startup.VersionLoggerListener log
...

I can't get what I'm doing wrong.

UPDATED:

If I switch JRE_HOME for Tomcat to Java 8, it works fine.

For now I fixed it by adding this code to configure Apache HttpClient:

    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import javax.net.ssl.SSLContext;
    import org.apache.http.conn.ssl.AllowAllHostnameVerifier;
    import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
    import org.apache.http.conn.ssl.SSLContexts;
    import org.apache.http.impl.client.CloseableHttpClient;
    import org.apache.http.impl.client.HttpClients;

    // Build a TLS context from the JRE defaults (HttpClient 4.3 API)
    SSLContext sslContext = null;
    try {
        sslContext = SSLContexts.custom().useTLS().build();
    } catch (KeyManagementException | NoSuchAlgorithmException e1) {
        e1.printStackTrace();
    }

    // Enable only TLSv1.1/TLSv1.2 on this socket factory (HttpClient does not read https.protocols).
    // AllowAllHostnameVerifier disables hostname verification of the server certificate.
    SSLConnectionSocketFactory f = new SSLConnectionSocketFactory(sslContext,
            new String[] { "TLSv1.1", "TLSv1.2" }, null, new AllowAllHostnameVerifier());

    CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(f).build();

But still, can't it be done without code modifications, by configuring Tomcat, Java or the system somehow? Because with Java 8 everything works without code modifications.

Sergei Sirik
  • You're barking up the wrong tree here. Java 7 [already supports both TLS 1.1 and 1.2](https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#SSLContext). You don't have to 'enable' anything. – user207421 Jan 13 '17 at 04:41
  • @EJP, probably I'm missing something. Yes, Java 7 supports both TLS 1.1 and 1.2, but they are not enabled by default, as far as I know (can't find a good link to support it). So, I'm trying to enable it. For now I fixed it by configuring Apache HttpClient in the code, but still, can't it be done without code modifications, because with Java 8 everything works without code modifications? – Sergei Sirik Jan 13 '17 at 21:00
  • So you need to find your good link, if it exists. – user207421 Jan 14 '17 at 00:13
  • https.protocols only works for HttpsURLConnection, and deployment.* or the Control Panel only works for javaws or applets (if anyone still allows applets); see http://superuser.com/questions/747377/enable-tls-1.1-and-1.2-for-clients-on-java-7 . @EJP: see the link there to the j7 doc for SunProviders at the section Protocols; also http://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html describes client default enabling of 1.1 and 1.2 as _new_ in j8, confirming it wasn't in j7. But note 7u75 and up disable SSLv3 by default because of POODLE, contrary to the base-7 doc. – dave_thompson_085 Jan 14 '17 at 02:56
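An added example (not code from the question or the answers) that does two things the thread discusses: it prints which protocols this JRE's default SSLContext enables for clients versus which it supports, and it builds the outbound HttpClient with TLSv1.1/TLSv1.2 explicitly, since HttpClient does not read -Dhttps.protocols. It assumes the HttpClient 4.3 API the question already uses; the class name and the service URL are placeholders.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

/** Added diagnostic plus client builder for a Java 7 / HttpClient 4.3 outbound call. */
public class Tls12OutboundCheck {

    /** Step 1: compare what the default SSLContext enables for clients with what the JRE supports. */
    static void printDefaultProtocols() throws NoSuchAlgorithmException {
        SSLContext def = SSLContext.getDefault();
        System.out.println("enabled by default: "
                + Arrays.toString(def.getDefaultSSLParameters().getProtocols()));
        System.out.println("supported by JRE:   "
                + Arrays.toString(def.getSupportedSSLParameters().getProtocols()));
        // On a Java 7 JRE the first list lacks TLSv1.1/TLSv1.2 while the second has them:
        // client-side default enabling of those is new in Java 8 (see the comment above).
    }

    /**
     * Step 2: -Dhttps.protocols is honoured by HttpsURLConnection only, so HttpClient needs the
     * protocol list on its socket factory. Unlike the snippet in the question, this keeps hostname
     * verification on; AllowAllHostnameVerifier would accept a certificate for any name.
     */
    static CloseableHttpClient buildTls11PlusClient()
            throws KeyManagementException, NoSuchAlgorithmException {
        SSLContext ctx = SSLContexts.custom().useTLS().build();
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(
                ctx,
                new String[] { "TLSv1.1", "TLSv1.2" }, // protocols enabled for this client
                null,                                  // cipher suites: keep the JRE defaults
                SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
        return HttpClients.custom().setSSLSocketFactory(sf).build();
    }

    public static void main(String[] args) throws Exception {
        printDefaultProtocols();
        // Placeholder endpoint; pass the real service URL as the first argument.
        String url = args.length > 0 ? args[0] : "https://tls-only-service.example/";
        try (CloseableHttpClient client = buildTls11PlusClient();
             CloseableHttpResponse resp = client.execute(new HttpGet(url))) {
            System.out.println("status: " + resp.getStatusLine());
        }
    }
}
```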

1 Answer


To enable TLS in Tomcat, add the parameter sslEnabledProtocols="TLSv1.X" to the Connector section of Tomcat's server.xml file in the tomcat/conf/ folder. For example, to configure TLSv1.1, use the configuration below.

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="ssl/.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="SSL" sslEnabledProtocols="TLSv1.1" />

Restart the server.