Hello Bryan,

Thanks for your answer. I already saw the property and issue DERBY-6764 and tried the suggestions, but they did not lead to just one enabled protocol.

For peerAuthentication there should be a way to provide the SSLSocketFactory, where one could try to overload getEnabledProtocols of SSLSocket without changing any code of Derby, but I wasn't able to manage this. Also, in SSLSocketFactory.getDefault the fallback is SSLContext.getDefault().getSocketFactory(), and so something like this:

    SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
    sslContext.init(null, null, null);
    SSLContext.setDefault(sslContext);

could be used (or the method used in NaiveTrustManager) ... but again, in my case it still printed the 3 enabled protocols.

I think for the future it might be wise to support this out of the box, as TLS1.3 is already supported in JDK 11 https://bugs.openjdk.java.net/browse/JDK-8196584 and the older two are deprecated.

Kind Regards
Peter

On 09.07.2018 at 18:39, Bryan Pendleton wrote:
> There was a similar, but not identical, discussion around these topics
> four years ago, when the code was changed to remove SSLv3 and SSLv2
> support. See DERBY-6764 for the full details.
>
> I think it would certainly be possible to change the code in a similar way
> to allow more configurability, but I am not sure of the implications, and if
> it is similar to the DERBY-6764 work, a fair amount of testing is required.
>
> According to this article:
> https://blogs.oracle.com/java-platform-group/jdk-8-will-use-tls-12-as-default
> you might investigate using the deployment.security.TLSvX.Y=false
> system property.
>
> Perhaps you could investigate whether the referenced blog article
> allows a configuration that suits your needs?
>
> Please let us know what you learn!
>
> thanks,
>
> bryan
>
>
> On Mon, Jul 9, 2018 at 3:25 AM, Peter <tableyourt...@gmail.com> wrote:
>> Hello,
>>
>> I cannot find a way to force the server to just use TLSv1.2. Currently
>> it says:
>>
>> Apache Derby Network Server - 10.13.1.1 - (1765088) Enabled Protocols
>> are TLSv1, TLSv1.1, TLSv1.2
>>
>> even when using
>>
>> -Dhttps.protocols=TLSv1.2
>>
>> or similar settings found on the internet. Then I saw in the source:
>>
>> SSLContext ctx = SSLContext.getInstance("TLS");
>>
>> https://github.com/apache/derby/blob/f16c46cbdd5be8dd9bdcee935ec1f68970146478/java/org.apache.derby.commons/org/apache/derby/shared/common/drda/NaiveTrustManager.java#L73
>>
>> that it seems to ignore command line settings. Is it possible to add
>> such a property or a different workaround to avoid older TLS versions?
>>
>> Regards
>> Peter