Enable TLS 1.1 and 1.2 for Clients on Java 7

javaprotocolssl

Java 7 disables TLS 1.1 and 1.2 for clients. From Java Cryptography Architecture
Oracle Providers Documentation:

Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS
1.2, neither version is enabled by default for client connections. Some servers do not implement forward compatibility correctly and
refuse to talk to TLS 1.1 or TLS 1.2 clients. For interoperability,
SunJSSE does not enable TLS 1.1 or TLS 1.2 by default for client
connections.

I'm interested in enabling the protocols on a system wide setting (perhaps through a config file), and not a per-Java-application solution.

How do I administratively enable TLS 1.1 and 1.2 system wide?

Note: since POODLE, I would like to administratively disable SSLv3 system wide. (The problems with SSLv3 predate POODLE by at least 15 years, but Java/Oracle/Developers did not respect basic best practices, so users like you and me are left with cleaning up the mess).

Here's the Java version:

$ /Library/Java/JavaVirtualMachines/jdk1.7.0_07.jdk/Contents/Home/bin/java -version
java version "1.7.0_07"
Java(TM) SE Runtime Environment (build 1.7.0_07-b10)
Java HotSpot(TM) 64-Bit Server VM (build 23.3-b01, mixed mode)

Best Answer

You could just add the following property -Dhttps.protocols=TLSv1.1,TLSv1.2 which configures the JVM to specify which TLS protocol version should be used during https connections.

Related Solutions

Windows – Enable TLS 1.0 using registry

I have found the way to enable TLS 1.0 in the client computer using registry using the method shown below.

Go to the registry location HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

Add new DWORD named SecureProtocols and assign a value of 170 (decimal).

Checking all protocols (PCT1.0 + SSL2.0 + SSL3.0 + TLS1.0) present in the internet explorer will yield a new value of 170 .Value is based on the following calculation .

Ex: PCT1.0 + SSL2.0 + SSL3.0 + TLS1.0

2 + 8 + 32 + 128 = 170 Decimal or "aa" in Hex

SSLCipherSuite settings in Apache for supporting TLS 1.0, 1.1 and 1.2

The following configuration is (or used to be) the best configuration according to SSLLabs:

SSLProtocol +TLSv1.2 +TLSv1.1 +TLSv1
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA"

It will, however, exclude all older browsers (including Opera Mini!), because it lacks non-PFS and RC4 cipher suites. You can append the following (before the closing quote, of course) to enable RC4, including a fallback (last entry) to RC4 without PFS:

:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:RC4-SHA

You should encourage users to upgrade ASAP. RC4 is broken and should no longer be used, especially without PFS.

To achieve better grades, also send a HSTS header (for this to work, you need to enable mod_header):

Header always set Strict-Transport-Security "max-age=63072000;"

This configuration will not work for Apache <2.2.26, because it does not support Elliptic-curve cryptography.

Update:
Just checked, it’s still good for A+. :) I believe this requires a certificate with SHA256, though.

Update Oct 2015:
I recently found another generator for SSL configurations, provided by Mozilla. It orders ciphers so that Chrome doesn’t say you’re using a deprecated cipher suite.

Related Question

SSL connection on Java 7 based server fails with RECV TLSv1 ALERT: fatal, handshake_failure