How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections

Question

I have a HTTPS web service running on Java 7. I need to make changes so that this service only accepts TLS1.2 connection and reject SSL3, TLS1.0 and TLS1.1.

I have ad

Answer 1

Just a small remark;

In the question you stated that you generated a 2048 size certificate with MD5. But in the cert path alg you disabled MD5 so this normally should not work. Secondly Server certificates generated with a MD5 hash are banned from modern browsers such as Internet Explorer 10/Edge.

I would like to advice you to generate your Server certificate at least with a SHA256 or < hash.

Answer 2

I have also done the same changes in "/java/jdk1.7.0_79/jre/lib/security"-java.security file but some of clients are still able to call my services with SSL protocol.

----Changes jdk.tls.disabledAlgorithms=SSL,SSLv2,SSLv3, TLSv1, TLSv1.1,MD5, SSLv3, DSA, RSA keySize < 2048

Answer 3

I found a solution for this. I set the

jdk.tls.disabledAlgorithms= SSLv2Hello, SSLv3, TLSv1, TLSv1.1

in the file jre/lib/security/java.security on the server.

After setting this, server only accepts the TLS1.2 connection and reject lower security protocol versions.