How to upgrade TLS 1.0 to TLS 1.2 on wso2product
We are trying to upgrade TLS 1.0 in WSO2 BPS to TLS 1.2. The procedure to upgrade the latest version of TLS using this link is as follows: Reference Link From WSO2 Our JAVA application runs in JDK 1.8.
Open
<PRODUCT_HOME>/repository/conf/tomcat/catalina-server.xml
File.The sslProtocol=”TLS” attribute was removed and replaced
sslEnabledProtocols=”TLSv1.2″ is shown below.
> <Connector SSLEnabled="true" port="9443" > protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" > secure="true" server="WSO2 Carbon Server" > sslEnabledProtocols="TLSv1.2" > svns:secretAlias="Server.Service.Connector.keystorePass"/>
- Start the server.
- To verify that everything is set correctly, we execute the following command,
java -jar TestSSLServer.jar localhost 9443and respond TLS configuration as TLSv1.2 only
Supported versions: TLSv1.2 Deflate compression: no Supported cipher suites (ORDER IS NOT SIGNIFICANT): TLSv1.2 DHE_RSA_WITH_AES_128_CBC_SHA DHE_RSA_WITH_AES_256_CBC_SHA DHE_RSA_WITH_AES_128_CBC_SHA256 DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ---------------------- Server certificate(s): 501fc1432d87155dc431382aeb843ed558ad61b1: CN=localhost, O=WSO2, L=Mountain View, ST=CA, C=US ---------------------- Minimal encryption strength: strong encryption (96-bit or more) Achievable encryption strength: strong encryption (96-bit or more) BEAST status: protected CRIME status: protected
- However, when we capture the pcap file and show it as TLSv1.0 in Wireshark, it still looks like this:
Update:
We changed jre/lib/security/java.security based on @user7294900 instructions.
When we set the configuration in that java.security file, we encountered this error message in wso2BPMN. But we can look at TLS version 1.2 in a Wireshark capture with a handshake failure notification.
Wso2BPMN,
Caused by: org.apache.commons.mail.EmailException: Sending the email to the following server failed : smtp.office365.com:587
at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1398)
at org.apache.commons.mail.Email.send(Email.java:1423)
at org.activiti.engine.impl.bpmn.behavior.MailActivityBehavior.execute(MailActivityBehavior.java:102)
... 192 more
Caused by: javax.mail.MessagingException: Can't send command to SMTP host;
nested exception is:
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1420)
at com.sun.mail.smtp.SMTPTransport.sendCommand(SMTPTransport.java:1408)
at com.sun.mail.smtp.SMTPTransport.ehlo(SMTPTransport.java:847)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:384)
at javax.mail.Service.connect(Service.java:297)
at javax.mail.Service.connect(Service.java:156)
at javax.mail.Service.connect(Service.java:105)
at javax.mail.Transport.send0(Transport.java:168)
at javax.mail.Transport.send(Transport.java:98)
at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1388)
... 194 more
So, is there any configuration required for TLSv1.2 upgrade?
Solution
You need to disable TLS below 1.2
set the
jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1in the file jre/lib/security/java.security on the server.
Also try reducing the password to @Dimtri suggested
set ciphers that are supported only by TLSv1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256