
JDK11 Exception; The server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12, TLS11] [duplicate]

Tags: java, ssl

We have a Java desktop product that our customers (small businesses) use (among other things) to communicate with larger insurers via a few different SOAP protocols. (We are the SOAP client). The point here is that the insurers are the gorillas in the room - we just enable the communication between the insurers and our customers.

We use AXIS1 as our SOAP client library. Ordinarily it works perfectly and it has for years.

One major insurer is still using TLS1.0 for their SOAP server. We have no influence over this any more than the international space station affects the orbit of the earth.

Unfortunately (for us) the latest Java version 8u60 automatically disables TLS1.0. See JDK-8076221 : Disable RC4 cipher suites at http://bugs.java.com/view_bug.do?bug_id=8076221

So now we have customers who cannot connect via 8u60. We can revert them to 8u51, but that is short term at best.

JDK-8076221 gives a few clues on how to re-enable TLS1.0 as follows ...

These cipher suites can be reactivated by removing "RC4" from "jdk.tls.disabledAlgorithms" security property in the java.security file or by dynamically calling Security.setProperty(), and also readding them to the enabled ciphersuite list using the SSLSocket/SSLEngine.setEnabledCipherSuites() methods.

Unfortunately for someone like me (who has relied on the security layer being abstracted away) this is not enough information.

Comments

  • TLS level control is not my thing - we have relied on AXIS etc to do all of that behind the scenes so there is a large body of knowledge that is not familiar to me.
  • We have no control on the insurer using a TLS1.0 interface.
  • If we don't get a workaround here our customers will simply be forced to use other products that will use TLS1.0 - so we can't play hard ball and save anyone here. They will be using TLS1.0 until the insurer decides otherwise.
  • A dynamic (code based) solution is preferred to any command line solution because we are a desktop application that will find command line deployment extremely problematic.

Can anyone provide some more detailed clues on how to programmatically enable TLS1.0 in Java 8u60?

Perhaps something like ...

Security.setProperty("jdk.tls.disabledAlgorithms", "SSLv3");
SSLContext sslCtx = SSLContext.getInstance("TLS");
SSLSocket.setEnabledCipherSuites("please help me!");
SSLEngine.setEnabledCipherSuites("please help me!");

Many thanks for your time, -Damian

Damian C asked Dec 17 '25 22:12


1 Answer

Check http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html for algorithm names.

TLS 1.0 is matched by "TLSv1" (section SSLContext Algorithms), hence something similar to the following will enable TLS 1.0 (note that this applies to the instance of SSLEngine returned by createSSLEngine()).

SSLEngine engine = SSLContext.getDefault().createSSLEngine();
engine.setEnabledProtocols(new String[] {"TLSv1"}); // "TLSv1" is a protocol name, so it goes to setEnabledProtocols(), not setEnabledCipherSuites()

For enabling a cipher suite you must overwrite the current value with something different. Your code disables SSLv3 which is already disabled. Instead you would need something similar to

Security.setProperty("jdk.tls.disabledAlgorithms", "");

However, before doing that, check how these properties actually work. It would expect the Security property to contain the names of ciphersuites, for example as a comma-separated list. So you should do something like

String disabledAlgorithms = Security.getProperty("jdk.tls.disabledAlgorithms");
Security.setProperty("jdk.tls.disabledAlgorithms", disabledAlgorithms.replace("RC4,", ""));
Sebastian answered Dec 20 '25 10:12
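An added example, not part of the original question or answer: it edits the comma-separated "jdk.tls.disabledAlgorithms" value entry by entry (a plain substring replace of "TLSv1" would also corrupt "TLSv1.1") and then narrows the offered protocols on the one socket that talks to the legacy server. The class name LegacyTlsClient, the sample property value and the host/port arguments are assumptions made for illustration.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

public class LegacyTlsClient { // hypothetical class name
    static final String PROP = "jdk.tls.disabledAlgorithms";

    // Remove only entries that match exactly; "TLSv1.1" and constraints such as
    // "DH keySize < 1024" are left untouched.
    static String withoutEntries(String current, Set<String> reEnable) {
        if (current == null) return "";
        return Arrays.stream(current.split(","))
                .map(String::trim)
                .filter(e -> !e.isEmpty() && !reEnable.contains(e))
                .collect(Collectors.joining(", "));
    }

    // Call before the first TLS connection: JSSE reads the property once, when its
    // classes load. The change is JVM-wide, so every other connection is affected too.
    static void reEnable(Set<String> entries) {
        Security.setProperty(PROP, withoutEntries(Security.getProperty(PROP), entries));
    }

    // Connect to the legacy endpoint; TLSv1.2 is still offered first if the server gains it.
    static SSLSocket connectLegacy(String host, int port) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default trust managers: certificate validation stays on
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            s.setEnabledProtocols(new String[] {"TLSv1.2", "TLSv1"});
            s.startHandshake();
            return s;
        } catch (Exception e) { s.close(); throw e; }
    }

    public static void main(String[] args) throws Exception {
        String sample = "SSLv3, TLSv1, TLSv1.1, RC4, DH keySize < 1024"; // constructed sample value
        System.out.println(withoutEntries(sample, Collections.singleton("TLSv1")));
        reEnable(Collections.singleton("TLSv1"));
        if (args.length == 2) { // host and port of the legacy server, supplied by the caller
            try (SSLSocket s = connectLegacy(args[0], Integer.parseInt(args[1]))) {
                System.out.println("negotiated " + s.getSession().getProtocol());
            }
        }
    }
}
```

Because the security property applies to the whole JVM, connections to other hosts should set their own enabled protocols explicitly (for example to TLSv1.2 and later) so that they cannot be negotiated down to TLS 1.0.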


