0

We are currently hosting a web service using basic Java EE framework and https security is one of our main concern. We periodically check our configuration using SSL labs: https://www.ssllabs.com/ssltest/analyze.html?d=www.google.com&s=216.58.195.68&hideResults=on making sure we are in the A+ range all the time.

Recently we noticed there's a notice about TLS version:

This server supports TLS 1.0 and TLS 1.1. Grade will be capped to B from January 2020.

We are using Apache 2.4 and is well aware of how to turn off TLS 1..0 and 1.1, however we would like to inform our all our clients beforehand. We wish to filter out those who's already using 1.2 and 1.3, but we believe most of them wouldn't know which version they are using anyway.

Is there any method in HttpServletRequest where we can check the version of TLS they are using? That way we can filter out the updated clients and only notify those who are still using older frameworks.

Thank you.

BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
Chor Wai Chun
  • 3,226
  • 25
  • 41
  • I don't think [How do I detect the TLS version of an HttpServletRequest?](https://stackoverflow.com/q/41813852/2985643) is really a duplicate, but it may be worth a look anyway. – skomisa Oct 22 '19 at 07:46
  • I'd say you'll most likely need to do that in Apache assuming that's where the ssl/tls connection is terminated. That might help you: https://serverfault.com/questions/727638/logging-tls-version-used-by-clients-connecting-to-apache – Thomas Oct 22 '19 at 09:34

0 Answers0