We are trying to validate what TLS version our web client application is using. We can run nmap --script ssl-enum-ciphers -p 443 www.example.com as we see TLS version 1.2 (That's the version we want.) However we are wanting to validate what version of TLS is being used from web application client directly? Not the server. This is a 1.6 java application that is deployed on Weblogic. Is this request possible to validate on the application directly? I see a lot of threads validating at the server level or the or validating what the server end, not the client application level.
Related
I am using Twilio sandbox environment for testing WhatsApp integration with my application. As I moved application to different server twilio API is sending Error 20426 Upgrade Required.
Application was working fine on previous server. TLS version on both the server is 1.2 and SSL version is 3. Cipher Suits are also present on both servers as List provided in Twilio document. The only difference between two servers is the OS. On server where application is working OS installed is Linux and where application is not working OS is AIX 7.
We have a Tomcat based Infra monitoring application which will connect to other servers and monitor / alert etc.
However , some of our servers are using TLSv1.2 only and seems that the monitoring application is only using the TLSv1 to connect which is having a slight issue.
We are currently doing a workaround by using http port to mornitor but for long term we would like to use the TLSv1.2.
Is there a way to force Tomcat to connect to other applications via TLSv1.2 only?
Thanks
Using Tomcat 7 and Java 1.7.
The documentation for the SunJSSEProvider says:
Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS
1.2, neither version is enabled by default for client connections. Some servers do not implement forward compatibility correctly and
refuse to talk to TLS 1.1 or TLS 1.2 clients. For interoperability,
SunJSSE does not enable TLS 1.1 or TLS 1.2 by default for client
connections.
So TLS 1.2 is there, it just isn't enabled. To enable it add something like
-Dhttps.protocols=TLSv1.1,TLSv1.2
to the startup-parameters of your tomcat. Then it should be able to speak TLS 1.2 as well as TLS 1.1. If you need any older protocols you can also add them as described in the linked documentation.
I have a client application communicating with external party application. The client application is up and running for long time.
Recently, I received a request from the third party asking about the allowed SSL/TLS protocols from the application server where my client application is running and calling their application.
Questions
How to tell what SSL/TLS protocols allowed from my client application ?
What has been done so far
1 - I checked SSL configration at the server's browser where my client application is running, See below screen shot. Is this what the third party team trying to know?
2 - The client application is running from weblogic 10.3.6. I cheked weblogic configuration in the following but I could not find any thing about the SSL/TLS protoclos used:
2.1 - Summary of Servers >Server_1 >Protocols
2.2 - Summary of Servers >Server_1 >Configuration >SSL
------ Update ------
I am using Java 7 for the client application. For that I checked the Java™ Secure Socket Extension (JSSE) documentation online. In the online documentation I found the following
Engine Class Implemented : SSLContext
Algorithm or Protocol: SSLv3 (a.k.a. SSL), TLSv1 (a.k.a. TLS), TLSv1.1, TLSv1.2
See documentation Java Cryptography Architecture Oracle Providers Documentation for Java Platform Standard Edition 7, The SunJSSE Provider for more information.
So is this the allowed SSL/TLS protocols from my client application? Further if Java has its own allowed Protocols, then how is that related to protocols setting in the browser ( Point 1 above )?
See http://docs.oracle.com/cd/E24329_01/web.1211/e24422/ssl.htm#SECMG634 (there are similar settings for 11G)
The browser settings are a red herring - the third-party app will connect to weblogic, not your browser, and negotiate a secure protocol based on what WLS + the third party app can mutually support.
Java7's default settings are acceptable, although if you need PCI-DSS compliance, you should probably set TLS1.1 as the minimum.
I can't find any documentation on how to run CAS SSO client application on HTTP. I've installed CAS server, it is running on HTTPS, that is OK. But I don't want my client applications to be running on HTTPS. The reason is because they are internal application, there is no need for them to run on HTTPS.
When I am trying to run my client applications on HTTP I am getting the exceptions of SSL handshake, because CAS expecting my application to be running over HTTPS.
Is this even possible to run client application integrated with CAS over HTTP? And if it is how to make this happen?
Specifications:
Tomcat 6.0.35
JDK 1.6
CAS 3.5.1
The CAS server knows the CAS client applications by the urls patterns defined in its back office and these urls patterns can be HTTP based.
We are calling a web service (jaxws) running on JBoss 4 from one of our .NET, C#, web services clients. It is working just fine on our local network, but as soon as we connect to our VPN to test on the production environment it throws a 505 error (HTTP version not supported). On both our local and production machines, we have tested the services from a Java client while still connecting to VPN and it's working fine for the java client
Any hint regarding this issue?
I would guess that your production web server is not configured the same as your test web server; it is more restrictive and not allowing the HTTP version that you want. Ask the server admin for your production server what versions of HTTP are supported.
Another possibility is that on the VPN you have an intermediate proxy that is converting your request from one version of HTTP to another. Ask a network admin for help.