Is there any property in Spring Boot that could be used for setting allowed version of TLS for Redis?
I have found properties for host and password spring.redis.host=${HOST} spring.redis.password=${PASSWORD} and I'd like a way to set minimum allowed version of TLS to 1.2.
I don't think there is such configuration property in Spring, but there is one in Java itself. You can use
-Djdk.tls.client.protocols=TLSv1.2
The value of the property should be a comma-delimited list of allowed protocols. All other protocols are disabled.
I created a very simple project for you to demonstrate.
Here is the traffic with the server without any configuration:
Here is the traffic when running with only the TLSv1.2 enabled:
Beware! Java versions from 12 to 14 do not respect this property!
There are more options how to configure this behavior.
Related
I am new to spring-boot and JPA.
I have successfully connected my spring application to MySQL database using JPA.
However, I see the following warning being printed:
WARN: This connection is using TLSv1.1 which is now deprecated and will be removed in a future release of Connector/J.
How can I upgrade the TLS connection to use either TLS 1.2 or 1.3?
I found a fix for the problem. I added enabledTLSProtocols=TLSv1.2 to the connection URL.
For example:
spring.datasource.url=jdbc:mysql://localhost:3306/mydb?enabledTLSProtocols=TLSv1.2
I have a Spring Boot application running on 2.5.3.
I have configured (hopefully) secure ciphers using:
server:
port: 8443
servlet:
context-path: /somepath
ssl:
enabled-protocols: [ TLSv1.2,TLSv1.3 ]
ciphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Funny thing is, when I now run SSLyze against my server I just get:
* TLS 1.2 Cipher Suites:
Attempted to connect using 156 cipher suites.
The server accepted the following 2 cipher suites:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Still runs fine and browsers can connect. But now we would like to connect a different server and call a REST endpoint on my server. That external server doesn't support either of those two suites.
I am wondering, in Spring Boot, why are only two of my requested suites accepted?
Where can I configure this (if I can)?
Thanks in advance!
Sascha
Yeah, it was more obvious than anticipated.
I requested some ciphers in the yaml file, Spring Boot can handle some suites (probably though the JVM). What I saw is the intersection of suites supported by Spring and suites that I requested. And that came out to two.
I removed the ciphers restriction. Got the full list of supported ciphers (around 12). Then we picked one secure cipher that they support and that I can do. And added that back to the "ciphers".
I'm trying to get ActiveMQ to support a TLSv1.2. I'm using activemq v5.14.5. The fix talked about in Create ActiveMQ Connection on TLS1.2 did not work. When I stepped through the code I see that the
context.setSSLContext(sslContext);
SslContext.setCurrentSslContext(context);
Connection connection = factory.createConnection(loginName, pwd);
call to factory.createConnection() actually doesn't use the value that was just set, but instead creates a new SSL context using the hard coded default of "TLS". I observed this in the debugger.
Any other suggestions are welcome. I think the topic "configuring transports" at http://activemq.apache.org/configuring-transports.html may hold the solution but I haven't tried it yet.
The default embedded ActiveMQ broker configuration does not create an SSL transport connector. If you manually added an SSL transport connector, then you may have restricted the SSL protocols supported by the broker using the option transport.enabledProtocols:
<transportConnector name="ssl" uri="ssl://localhost:61617?transport.enabledProtocols=TLSv1.2"></transportConnector>
This configuration restricts the SSL connector of ActiveMQ to only support TLSv1.2. Other TLSv1, TLSv1.1, SSLv3 will not be supported.
We have an application using Mule standalone 3.5 (I know...) and need to force it to use TLS 1.1 or 1.2 for HTTPS.
We have upgraded to the latest Java 8 (8u112).
We have modified the mule's tls-default.conf to include the following:
enabledProtocols=SSLv2Hello,
TLSv1.1
TLSv1.2
Our HTTPS GET request results in the exception:
No appropriate protocol (protocol is disabled or cipher suites are
inappropriate) (javax.net.ssl.SSLHandshakeException)
Is there anyway to get Mule 3.5's https connector to use TLS 1.1 or 1.2 for HTTPS?
Our application also uses a Salesforce connector <sfdc:...> which works correctly using TLS 1.2 after our Java upgrade and configuration changes.
Note that Mule 3.5 still has a separate connector for HTTPS (not the combined connector for HTTP/HTTPS that was introduced in 3.6).
We are looking to avoid upgrading to a newer version of Mule since we intended to replace our use of Mule in the near future anyway, and our investigations into upgrading do not indicate that it will be easy.
UPDATE:
In addition to using the fix in Ryan Carter's answer, I also had to fix the mistake in the tls-default.conf by escaping the newlines:
enabledProtocols=SSLv2Hello, \
TLSv1.1 \
TLSv1.2
Yes the Salesforce connector automatically uses JDK's default TLS version.
But for the https connector you need to add a property to your https connector:
<https:connector name="https">
<spring:property name="sslType" value="TLSv1.2"/>
</https:connector>
I'm using Spring Boot 1.3.1 and I can auto-configure my JMS components through application.properties.
As I'm using Artemis as my message broker, I'm using spring-boot-starter-artemis, and as states the documentation in this link, all I have to do is replace the spring.hornetq.* properties and place spring.artemis.* instead.
The problem is that it doesn't show how to configure the username, password and SSL configuration for HornetQ/Artemis. I configured Artemis to use SSL and user/pass authentication like it's shown in here.
Does anyone know what properties can I state to add SSL and user/pass?
Thanks!
Okay, currently the Artemis Spring Boot starter is very basic, it really doesn't support clusters, SSL or client authentication.
Doing a quick look at the starter's source code in GitHub, in the ArtemisConnectionFactoryFactory.java file, at lines 127 and onwards, I will have to add the TransportConstants necessary to configure SSL, authentication, etc.
An example of a more complete connection configuration is in Artemis' test source code, in CoreClientOverTwoWaySSLTest.java, on lines 178 and onwards, there is a really complete connection setup, so to contribute, I have to change the Artemis auto-configuration properties to take the new property options, and add them all to ArtemisConnectionFactoryFactory.java following the example in CoreClientOverTwoWaySSLTest.java
I'll do a fork on the starter, make the modifications, and figure out what bureaucracy is needed to submit a pull request and get it accepted on spring-boot.
Spring Boot does not support such arrangement. Not everything should happen via properties if you ask me but in any case a good way to find out is asking your IDE to auto-complete the keys for that namespace (you'll quickly find out there is nothing related to SSL and security in there). If you don't use an IDE, this appendix should help