How do you enable TLS 1.2 on Spring-boot?

ssl spring-boot android-5.0-lollipop tomcat8
mattm picture mattm · Jan 16, 2015 · Viewed 50.6k times · Source

I am trying to enable TLS 1.2 on Tomcat on Spring-boot 1.2.1. Android 5.0 is failing to connect to the default SSL settings, due to an SSL handshake failure. Android 4.4, iOS, Firefox, and Chrome all connect to the default version. I think this is because of a mismatch in the TLS protocols supported in Android 5.0 and the spring boot tomcat defaults (TLS v1?).

I imagine I want to change this application.properties setting:

server.ssl.protocol=TLS

but I have not located the other acceptable strings (or if there are any, even). There is no enumeration that I can find by searching on "protocol" in spring boot github. I have tried "TLSv1.2", but this appears to have no effect.

The current SSL configuration in application.properties is:

server.ssl.key-store = chainedcertificates.p12
server.ssl.key-store-password = secret
server.ssl.key-store-type = PKCS12

How do you enable TLS 1.2 in spring boot?

If it matters, I am using Java 1.7. The documentation for this seems to indicate it should support TLS 1.2.

Tomcat 8 seems to have support present. I am not sure how to check exactly which version is running in spring boot.

Answer

Dot Batch picture Dot Batch · Feb 3, 2018

You may experience an SSL handshake error due to the default ciphers that spring boot includes. It is recommended that you define a set of ciphers. We had a similar issue, and the way we fixed it was by using SSLScan on the caller and then scanning our system to see if there were any matches. This lead us to find out that there were no matches and helped us define a list of ciphers we should support.

Using SSLScan these are the default ciphers spring boot will use:

Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 1024 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits

To enable TLS 1.2 and to define the cipher list please do the following: 

#enable/diable https
server.ssl.enabled=true

#ssl ciphers
server.ssl.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256, INCLUDE_ANY_OTHER_ONES_YOU_NEED_TO_SUPPORT

# SSL protocol to use.
server.ssl.protocol=TLS

# Enabled SSL protocols.
server.ssl.enabled-protocols=TLSv1.2

For a list of of ciphers you can use https://testssl.sh/openssl-rfc.mapping.html and https://msdn.microsoft.com/en-us/library/windows/desktop/mt813794(v=vs.85).aspx

Related questions

Specifying trust store information in spring boot application.properties

I am using springBootVersion 1.2.0.RELEASE. I'm trying to have my keystore and truststore configured through application.properties. When I add the following settings, I can get the keystore to work, but not the truststore. server.ssl.key-store=classpath:foo.jks …

Read More
Implementing 2 way SSL using spring boot

I'm creating some restful web services and am using Spring-Boot to create an embedded tomcat container. One of the requirements is that this implements 2 way SSL. I've been looking at the HttpSecurity object and can get it to only run …

Read More
How can I set up a letsencrypt SSL certificate and use it in a Spring Boot application?

I'm new to securing a server so I don't really know much about this but I need to get my Spring Boot Application that is running on a Digital Ocean Droplet to use HTTPS. My idea is to register a …

Read More