TLS 1.2 on Java 6

Question

I have a legacy application running on java 6. However , we need to upgrade to TLS 1.2 due to certain security factors. For this I have tried the following code :

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.UnknownHostException;
import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLParameters;

public class TlsCheck {

/**
 * test whether this client can connect to TLS v1.2 or not
 */

public static boolean isSuccessfulTLS12connection(){
    try{
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, null, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

        URL url = new URL("https://tlstest.paypal.com");
        HttpsURLConnection httpsConnection = (HttpsURLConnection)url.openConnection();
        httpsConnection.connect();
        BufferedReader reader = new BufferedReader(new InputStreamReader(httpsConnection.getInputStream()));
        StringBuilder body = new StringBuilder();
        while(reader.ready()){
            body.append(reader.readLine());
        }
        httpsConnection.disconnect();
        System.out.println("The body is::"+body.toString());
        if(body.toString().equals("PayPal_Connection_OK")){
            return true;
        }
    }catch(NoSuchAlgorithmException ne){
        ne.printStackTrace();
    }catch(UnknownHostException ue){
        ue.printStackTrace();
    }catch(IOException ioe){
        ioe.printStackTrace();
    }catch(KeyManagementException ke){
        ke.printStackTrace();
    }
    return false;
}

public static void main(String args[]){
    try{
        SSLParameters sslParams = SSLContext.getDefault().getSupportedSSLParameters();
        System.setProperty("https.protocols", "TLSv1,TLSv1.1,TLSv1.2");
        sslParams.setProtocols(new String[] { "TLSv1.2"});
        String[] protocols = sslParams.getProtocols();
        System.out.println("The Supported Protocols are::"+Arrays.asList(protocols));

    }catch(NoSuchAlgorithmException ne){
        ne.printStackTrace();
    }

    if(isSuccessfulTLS12connection()){
        System.out.println("The connection to TLS v1.2 endpoint is succesful");
    }else{
        System.out.println("The connection to TLS v1.2 failed!");
    }
}

}

But i get the following error:

  The Supported Protocols are::[TLSv1.2]
  javax.net.ssl.SSLException: Received fatal alert: protocol_version
  The connection to TLS v1.2 failed!
  at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
  at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
  at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
  at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
  at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
  at TlsCheck.isSuccessfulTLS12connection(TlsCheck.java:30)
  at TlsCheck.main(TlsCheck.java:65)

Can anyone suggest a better way rather than setting property? I have also tried setting JVM arguments, but no luck!

Answer 1

The real fix? Upgrade to Java 1.7 or later. Continuing to run Java 1.6 Update 45 and connecting it to the internet is professionally reckless.

How reckless? Very.

Because Oracle released a critical patch update for Java 1.6 Update 45 that fixed over 40 security vulnerabilities over four years ago.

Among those fixed four years ago:

• CVE-2013-2462 Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
• CVE-2013-2463 Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
• CVE-2013-2464 Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
• CVE-2013-2465 Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
• CVE-2013-2466 Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.
• CVE-2013-2468 Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution.

And SIX more that have a vulnerability rating of 10.0 - that means it's an easily exploitable remote vulnerability.

That's just a list of the critical security vulnerabilities Oracle actually fixed in Java 1.6 Update 45 four years ago. There are more that weren't fixed in that one patch that still exist.

And you don't have any of them fixed.

To reiterate: those vulnerabilities - and a whole lot more - still exist in Java 1.6 Update 45.

Again: continuing to use Java 1.6 Update 45 and connecting it to the internet is reckless. Java 1.6 Update 45 has at least 25(!!!) known remotely exploitable security vulnerabilities with a CVE score of 9.3 or higher.

Answer 2

The latest public Java 6 SE build is 6u45, which is not supporting TLS 1.2. To use TLS 1.2 with Java 6, I see two possibilities:

• Oracle offers a paid Java SE Advance program. In this, the build 6u141 is available with TLS 1.2 support: http://www.oracle.com/technetwork/java/javase/overview-156328.html#R160_141
• Try the Bouncy Castle library. You can find an example implementation in this answer: https://stackoverflow.com/a/33122393/7059880

Answer 3

As Marcel already mentioned, there is no TLS support for Java 6. Perhaps you can use an external software like curl as a workaround to make your request with System.exec() ?