I have a client application communicating with external party application. The client application is up and running for long time.
Recently, I received a request from the third party asking about the allowed SSL/TLS protocols from the application server where my client application is running and calling their application.
Questions
How to tell what SSL/TLS protocols allowed from my client application ?
What has been done so far
1 - I checked SSL configration at the server's browser where my client application is running, See below screen shot. Is this what the third party team trying to know?
2 - The client application is running from weblogic 10.3.6. I cheked weblogic configuration in the following but I could not find any thing about the SSL/TLS protoclos used:
2.1 - Summary of Servers >Server_1 >Protocols
2.2 - Summary of Servers >Server_1 >Configuration >SSL
------ Update ------
I am using Java 7 for the client application. For that I checked the Java™ Secure Socket Extension (JSSE) documentation online. In the online documentation I found the following
Engine Class Implemented : SSLContext
Algorithm or Protocol: SSLv3 (a.k.a. SSL), TLSv1 (a.k.a. TLS), TLSv1.1, TLSv1.2
See documentation Java Cryptography Architecture Oracle Providers Documentation for Java Platform Standard Edition 7, The SunJSSE Provider for more information.
So is this the allowed SSL/TLS protocols from my client application? Further if Java has its own allowed Protocols, then how is that related to protocols setting in the browser ( Point 1 above )?
See http://docs.oracle.com/cd/E24329_01/web.1211/e24422/ssl.htm#SECMG634 (there are similar settings for 11G)
The browser settings are a red herring - the third-party app will connect to weblogic, not your browser, and negotiate a secure protocol based on what WLS + the third party app can mutually support.
Java7's default settings are acceptable, although if you need PCI-DSS compliance, you should probably set TLS1.1 as the minimum.
Related
We are trying to validate what TLS version our web client application is using. We can run nmap --script ssl-enum-ciphers -p 443 www.example.com as we see TLS version 1.2 (That's the version we want.) However we are wanting to validate what version of TLS is being used from web application client directly? Not the server. This is a 1.6 java application that is deployed on Weblogic. Is this request possible to validate on the application directly? I see a lot of threads validating at the server level or the or validating what the server end, not the client application level.
I'm running a grpc server behind an AWS NLB. The NLB terminates SSL and the connection works from a go client. However a java/scala client connects with ALPN agent (at the moment I'm using conscrypt after failing with jetty), and it seems like at the end of the handshake the nlb does not return h2 as supported protocol which fails the negotiation. Is it just not supported in which case what is the alternative for akka grpc in java/scala with SSL? if it is supported what could the issue?
I'll post some code if it's the latter.
Thanks.
NLB does not support ALPN. See discussion of workaround/hack in: https://github.com/grpc/grpc-java/issues/5543.
Just launched - Network Load Balancer now supports TLS ALPN Policies
https://aws.amazon.com/about-aws/whats-new/2020/05/network-load-balancer-now-supports-tls-alpn-policies/
We have a Tomcat based Infra monitoring application which will connect to other servers and monitor / alert etc.
However , some of our servers are using TLSv1.2 only and seems that the monitoring application is only using the TLSv1 to connect which is having a slight issue.
We are currently doing a workaround by using http port to mornitor but for long term we would like to use the TLSv1.2.
Is there a way to force Tomcat to connect to other applications via TLSv1.2 only?
Thanks
Using Tomcat 7 and Java 1.7.
The documentation for the SunJSSEProvider says:
Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS
1.2, neither version is enabled by default for client connections. Some servers do not implement forward compatibility correctly and
refuse to talk to TLS 1.1 or TLS 1.2 clients. For interoperability,
SunJSSE does not enable TLS 1.1 or TLS 1.2 by default for client
connections.
So TLS 1.2 is there, it just isn't enabled. To enable it add something like
-Dhttps.protocols=TLSv1.1,TLSv1.2
to the startup-parameters of your tomcat. Then it should be able to speak TLS 1.2 as well as TLS 1.1. If you need any older protocols you can also add them as described in the linked documentation.
I am trying to evaluate Hazel Cast for a distributed lock and a Session management within our web application. Our PCI environment needs all the components to run on Secure Port.I recently found that the Hazelcast needs Enterprise version to enable SSL,In our case it might not be cost effective as the only enterprise feature i use will be SSL.
So the question is
Can i create a small spring war file that brings up hazelcast,deploy it on tomcat and further enable SSL on tomcat?.
Does this approach has any pitfalls?.
Please let me know the thoughts. Any pointers are appreciated.
You could do so, but the ports opened by Hazelcast would not run over the connection opened by Tomcat. Hazelcast opens its own connections which are independent of the http connectors of Tomcat.
The protocol used by Hazelcast is not http based, it supports the memcache ascii protocol.
Even the new binary client protocol designed for Hazelcast does not change this: http://docs.hazelcast.org/docs/protocol/1.0-developer-preview/client-protocol.html
So if you need secure connections you either have to buy the enterprise edition or secure those connections in the network layer (Vpn, tunnels, ...) which might be difficult depending on if you use multicast and ephemeral ports or not.
I want to make a large number of small HTTP requests from a client machine running Java 7 to an external web server over TLS and I would like to use session resumption to make this as efficient as possible.
The web server, however, only appears to support session resumption via the TLS session ticket extension, and so far, I have not seen any documented way of enabling this feature in the javax.net.ssl package.
Does the Java 7 TLS implementation support TLS session tickets on the client side? And if not, could anyone suggest a 3rd party library which does?
Many thanks
It looks as if this isn't even supported on Java 8 and has not been explicitly listed for Java 9.