We have an application using Mule standalone 3.5 (I know...) and need to force it to use TLS 1.1 or 1.2 for HTTPS.
We have upgraded to the latest Java 8 (8u112).
We have modified the mule's tls-default.conf to include the following:
enabledProtocols=SSLv2Hello,
TLSv1.1
TLSv1.2
Our HTTPS GET request results in the exception:
No appropriate protocol (protocol is disabled or cipher suites are
inappropriate) (javax.net.ssl.SSLHandshakeException)
Is there anyway to get Mule 3.5's https connector to use TLS 1.1 or 1.2 for HTTPS?
Our application also uses a Salesforce connector <sfdc:...> which works correctly using TLS 1.2 after our Java upgrade and configuration changes.
Note that Mule 3.5 still has a separate connector for HTTPS (not the combined connector for HTTP/HTTPS that was introduced in 3.6).
We are looking to avoid upgrading to a newer version of Mule since we intended to replace our use of Mule in the near future anyway, and our investigations into upgrading do not indicate that it will be easy.
UPDATE:
In addition to using the fix in Ryan Carter's answer, I also had to fix the mistake in the tls-default.conf by escaping the newlines:
enabledProtocols=SSLv2Hello, \
TLSv1.1 \
TLSv1.2
Yes the Salesforce connector automatically uses JDK's default TLS version.
But for the https connector you need to add a property to your https connector:
<https:connector name="https">
<spring:property name="sslType" value="TLSv1.2"/>
</https:connector>
Related
I am new to spring-boot and JPA.
I have successfully connected my spring application to MySQL database using JPA.
However, I see the following warning being printed:
WARN: This connection is using TLSv1.1 which is now deprecated and will be removed in a future release of Connector/J.
How can I upgrade the TLS connection to use either TLS 1.2 or 1.3?
I found a fix for the problem. I added enabledTLSProtocols=TLSv1.2 to the connection URL.
For example:
spring.datasource.url=jdbc:mysql://localhost:3306/mydb?enabledTLSProtocols=TLSv1.2
Is there any property in Spring Boot that could be used for setting allowed version of TLS for Redis?
I have found properties for host and password spring.redis.host=${HOST} spring.redis.password=${PASSWORD} and I'd like a way to set minimum allowed version of TLS to 1.2.
I don't think there is such configuration property in Spring, but there is one in Java itself. You can use
-Djdk.tls.client.protocols=TLSv1.2
The value of the property should be a comma-delimited list of allowed protocols. All other protocols are disabled.
I created a very simple project for you to demonstrate.
Here is the traffic with the server without any configuration:
Here is the traffic when running with only the TLSv1.2 enabled:
Beware! Java versions from 12 to 14 do not respect this property!
There are more options how to configure this behavior.
Following Jetty documentation of enabling HTTP/2,
I reached till the following step,
2015-06-17 14:16:12.549:INFO:oejs.ServerConnector:main: Started
ServerConnector#6f32cd1e{HTTP/1.1,[http/1.1, h2c]}{0.0.0.0:8080}
From the docs,
No major browser currently supports plain text HTTP/2, so the 8080
port will only be able to use HTTP/2 with specific clients (eg curl)
that use the upgrade mechanism or assume HTTP/2.
The documentation mentions "specific clients", but what client I can use for overcoming this issue? I tried okHttp and apache-httpclient, okHttp doesn't support the upgrade mechanism (AFAIK, Would be great if it is otherwise), and apache-httpClient doesn't support h2.
I basically need to make GET/POST request from my program to this endpoint(Obviously, using HTTP/2).
To put in a simple words, Please suggest any Java client which support non-encrypted http/2 (h2c)
Thanks!
Apache HttpCore and HttpClient 5.0 support h2 as well as h2c but presently do not support the http/1.1 to h2c upgrade mechanism. I am not sure they ever will given it is unclear how useful this upgrade mechanism is in the first place.
For code examples please refer to
http://hc.apache.org/httpcomponents-client-5.0.x/examples-async.html
For HttpClient 4.5.x to HttpClient 5.0 upgrade guide please refer to:
https://ok2c.github.io/httpclient-migration-guide/
The Jetty Project has a HTTP client library that can be used as HTTP client and supports HTTP/2, both clear text and encrypted.
You want to look at this documentation.
See also how the Jetty Project uses that same client for tests.
I'm trying to get ActiveMQ to support a TLSv1.2. I'm using activemq v5.14.5. The fix talked about in Create ActiveMQ Connection on TLS1.2 did not work. When I stepped through the code I see that the
context.setSSLContext(sslContext);
SslContext.setCurrentSslContext(context);
Connection connection = factory.createConnection(loginName, pwd);
call to factory.createConnection() actually doesn't use the value that was just set, but instead creates a new SSL context using the hard coded default of "TLS". I observed this in the debugger.
Any other suggestions are welcome. I think the topic "configuring transports" at http://activemq.apache.org/configuring-transports.html may hold the solution but I haven't tried it yet.
The default embedded ActiveMQ broker configuration does not create an SSL transport connector. If you manually added an SSL transport connector, then you may have restricted the SSL protocols supported by the broker using the option transport.enabledProtocols:
<transportConnector name="ssl" uri="ssl://localhost:61617?transport.enabledProtocols=TLSv1.2"></transportConnector>
This configuration restricts the SSL connector of ActiveMQ to only support TLSv1.2. Other TLSv1, TLSv1.1, SSLv3 will not be supported.
JBoss AS 7.0.1 SSL connector Protocol to use TLS 1.2 only and disable SSL v2, V3 and TLS v1, V1.1.
We can set value for Protocol attribute as "TLSv1.2".
But this wont work for JDK 1.6. We have to use JDK 1.7 or later.