2

I am working on a credit card support module in a Java-based web application. For security, we want to have the users use TLS v1.2 supported browsers while viewing the credit card pages. How do I make sure they are compatible? Note: We don't want to restrict users to other pages if they are not compatible.

Kashif Ibrahim
  • Is this a Spring app? – Dan Aug 06 '18 at 19:58
  • @Dan yes, this is spring based. – Kashif Ibrahim Aug 06 '18 at 20:47
  • @Andreas: I have changed my question, and this question is not a Duplicate. The other question doesn't solve my problem. – Kashif Ibrahim Aug 06 '18 at 21:11
  • You can write a filter and somehow access https://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLSession.html#getProtocol() to programmatically verify the page and the session's TLS version. – rodrigoap Aug 06 '18 at 21:20
  • Link to duplicate "[How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections](https://stackoverflow.com/q/32466407/5221149)" removed – Andreas Aug 06 '18 at 23:08
  • @rodrigoap Please explain how I get the session's TLS version from the session/request object. Thank you for all the help here. – Kashif Ibrahim Aug 07 '18 at 13:29
  • 1
    Not sure this is a great idea? Session can be compromised at lower encryption in advance of reaching the secure area. If attacker can compromise in advance, then they can run MITM, establish TLS 1.2 with server, and maintain lower, compromised encryption with victim user. Not sure of your use case, so not sure if this applies, but be careful when being "clever" with encryption; lots of alpha-nerds put tons of work into devising current schemes, and getting "creative" with them is perilous. – Taylor Aug 08 '18 at 03:47

1 Answer

1

This is an old question. Here's some information:

How do I detect the TLS version of an HttpServletRequest?

Can I detect the SSL version that a browser supports?

https://gist.github.com/SamuelChristie/13a2a29e74c189bcfd9b - Gracefully Deprecating TLS 1.0

John
  • Thanks, @John. We have an F5 server and we will be adding a header variable so that we could check the same while loading the page. For future views to this page: This is the code:

    ```
    when HTTP_REQUEST {
        HTTP::header insert X-SSL-Protocol [SSL::cipher version]
        HTTP::header insert X-SSL-Cipher [SSL::cipher name]
    }
    ```

    – Kashif Ibrahim Aug 08 '18 at 13:41
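
One way to consume the `X-SSL-Protocol` header set by the iRule above on the Spring side, as an added example that is not code from the question, the answer or their authors. It assumes the filter is mapped only to the credit card URL pattern, that `/upgrade-browser` (a hypothetical page) lies outside that pattern, and that the load balancer reports the protocol as `TLSv1.2` or `TLSv1.3`.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.filter.OncePerRequestFilter;

// Added example: map this filter to the credit card URL pattern only, so that
// users on older browsers can still reach every other page.
public class CardPageTlsFilter extends OncePerRequestFilter {
    // Hypothetical notice page; it must not match the filter's own URL pattern.
    private static final String UPGRADE_PAGE = "/upgrade-browser";
    // Assumed header values for acceptable protocol versions.
    private static final Set<String> ACCEPTED =
            new HashSet<>(Arrays.asList("TLSv1.2", "TLSv1.3"));

    /** True only when exactly one header value is present and it is an accepted protocol. */
    static boolean negotiatedTlsIsAcceptable(List<String> values) {
        // More than one value means a copy sent by the client arrived next to the
        // load balancer's; none means the request did not pass through the load
        // balancer. Fail closed in both cases instead of trusting the first value.
        return values.size() == 1 && ACCEPTED.contains(values.get(0).trim());
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Enumeration<String> raw = request.getHeaders("X-SSL-Protocol");
        List<String> values = (raw == null)
                ? Collections.<String>emptyList()
                : Collections.list(raw);
        if (negotiatedTlsIsAcceptable(values)) {
            chain.doFilter(request, response);
        } else {
            // Send the user to the notice page instead of the card page.
            response.sendRedirect(request.getContextPath() + UPGRADE_PAGE);
        }
    }
}
```

The header is only meaningful when the application is reachable exclusively through the load balancer; a request that reaches the servlet container directly can carry any value the client chooses.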