1. Overview

When it comes to SSL connections, we should be using TLSv1.2. Indeed, it’s the default SSL protocol for Java 8.

And while Java 7 supports TLSv1.2, the default is TLSv1.0, which is too weak these days.

In this tutorial, we’ll discuss various options to configure Java 7 to use TLSv1.2.

2. Using Java VM Arguments

If we are using Java 1.7.0_95 or later, we can add the jdk.tls.client.protocols property as a java command-line argument to support TLSv1.2:

java -Djdk.tls.client.protocols=TLSv1.2 <Main class or the Jar file to run>

But Java 1.7.0_95 is available only to customers who have purchased support from Oracle. So, we’ll review other options below to enable TLSv1.2 on Java 7.

3. Using SSLSocket

In this first example, we’ll enable TLSv1.2 using SSLSocketFactory.

First, we can create a default SSLSocketFactory object by calling the SSLSocketFactory#getDefault factory method.

Then, we simply pass our host and port to SSLSocketFactory#createSocket:

SSLSocketFactory socketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslSocket = (SSLSocket) socketFactory.createSocket(hosturl, port);

The default SSLSocket created above doesn’t have any SSL protocols associated with it. We can associate the SSL protocols to our SSLSocket in a couple of ways.

In the first approach, we can pass an array of supported SSL protocols to the setEnabledProtocols method on our SSLSocket instance:

sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"});

Alternatively, we can use SSLParameters, using the same array:

SSLParameters params = new SSLParameters();
params.setProtocols(new String[] {"TLSv1.2"});
sslSocket.setSSLParameters(params);

4. Using SSLContext

Setting the SSLSocket directly changes only the one connection. We can use SSLContext to change the way we create the SSLSocketFactory.

So, instead of using SSLSocketFactory#getDefault, let’s call SSLContext#getInstance, giving it “TLSv1.2” as a parameter. We can then get our SSLSocketFactory from that context:

SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(null, null, new SecureRandom());
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
SSLSocket socket = (SSLSocket) socketFactory.createSocket(hosturl, port);

As a quick side note, always remember to use SecureRandom when working with SSL.

5. Using HttpsURLConnection

Of course, we aren’t always creating sockets directly. Oftentimes, we are at the application protocol level.

So, finally, let’s see how to enable TLSv1.2 on HttpsURLConnection.

First, we’ll need an instance of URL. Let’s imagine that we are connecting to https://example.org:

URL url = new URL("https://" + hosturl + ":" + port);

Now, we can set up our SSLContext as before:

SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); 
sslContext.init(null, null, new SecureRandom());

Then, our last steps are to create the connection and supply it with an SSLSocketFactory:

HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
connection.setSSLSocketFactory(sslContext.getSocketFactory());

6. Conclusion

In this quick article, we showed a few ways to enable TLSv1.2 on Java 7.

The code samples used in this article are available over on GitHub.
