Hi, I have written a web application deployed in Tomcat 8.5.31 that sends mail using the Apache Commons Email client. This is working fine, but the mail server will be configured to accept only TLSv1.2 in the future, so I have to make sure the client can open a TLSv1.2 connection. Tomcat is configured to use Java 8 (version 1.8.0_241-b07), so as far as I can understand TLS 1.2 should be enabled by default (as would 1.0 and 1.1). I've searched the web and there is a lot of information on how to enable SSL/TLS for incoming requests, but little is found on outgoing calls. The only explicit finding basically said that outgoing requests are independent of the configuration of the HTTPS connector for incoming requests; only the Java version and its security configuration affects this.
Using Wireshark I've been testing all scenarios I could think of:

- different Java implementations (Oracle JDK 1.8.0_241-b07, OpenJDK 8 [1.8.0_192], adoptopenjdk-8)
- setting the property crypto.policy=unlimited in the java.security file of the JRE (for all alternatives above)
- setting the application argument -Djdk.tls.client.protocols="TLSv1.2" (seems to be ignored)
- configuring an HTTPS connector with secure="true" SSLEnabled="true" (just in case)
- the server accepts "strict" TLS on port 465 and STARTTLS sessions on another port, and I tried them both
- programmatically added the Bouncy Castle security provider as preferred
- added the Bouncy Castle security provider as preferred by configuration
- replaced the list of default security providers with Bouncy Castle

They all result in the same ClientHello message being sent, requesting a TLS 1.0 session. The cipher suites are only 15 (including the renegotiation suite) and there are only SHA suites.

I wrote a simple standalone client with the same email code and the same Java version, and this works as expected (strict TLS and STARTTLS), generating a ClientHello message requesting a TLSv1.2 session with 29 cipher suites, including SHA256- and SHA384-based suites.

I enabled the logging of TLS and got a heap of information, which I briefly scanned, but my impression was that I got the same (or similar) information from the Wireshark output. I've debugged the code down through the layers to where the Sun-specific code creates the connection, but I couldn't step into that code to figure things out.

Before I try to find the source for the connection creation, maybe someone with a better insight can see some obvious way to analyse and solve this problem. As the code works outside of Tomcat and the Java part is the same, it seems to me that there is something in the configuration of Tomcat that affects which TLS version is available.
Thanks in advance,
Curt J

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
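A diagnostic that narrows down the difference between the standalone client and the in-container run, added here as an example; it is not code from the original post or from the Tomcat or Commons Email projects. It prints what the running JVM will actually offer in an outgoing ClientHello: the relevant system and java.security properties, the provider order, the default SSLContext's protocols, and the enabled protocols and cipher suites of an unconnected socket from the default SSLSocketFactory (the factory a mail library gets when it sets nothing of its own). Run it once as a plain class with the same JVM Tomcat uses and once from inside the web application (for example from a servlet's init() or a JSP scriptlet, assumed here), then diff the two outputs. The class name TlsClientReport and the report() method are my own.

```java
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Reports the TLS client configuration of the JVM this code runs in.
 * Added diagnostic example; the names here are not from the original post.
 * Needs no network: the socket it inspects is never connected.
 */
public class TlsClientReport {

    public static String report() throws Exception {
        StringBuilder sb = new StringBuilder();
        sb.append("java.version = ").append(System.getProperty("java.version")).append('\n');
        sb.append("java.home    = ").append(System.getProperty("java.home")).append('\n');

        // System properties that influence client-side protocol selection on Java 8.
        // A value of "null" means the property was not set for this JVM (e.g. a
        // -D argument that never reached the JVM Tomcat actually started).
        for (String key : new String[] {"jdk.tls.client.protocols", "https.protocols"}) {
            sb.append(key).append(" = ").append(System.getProperty(key)).append('\n');
        }

        // Settings from the JRE's java.security file surface via Security.getProperty.
        for (String key : new String[] {"crypto.policy", "jdk.tls.disabledAlgorithms"}) {
            sb.append(key).append(" (java.security) = ").append(Security.getProperty(key)).append('\n');
        }

        // Provider order decides which JSSE implementation builds the default SSLContext.
        sb.append("providers:\n");
        for (Provider p : Security.getProviders()) {
            sb.append("  ").append(p.getName()).append(' ').append(p.getVersion()).append('\n');
        }

        SSLContext ctx = SSLContext.getDefault();
        sb.append("default SSLContext provider = ").append(ctx.getProvider().getName()).append('\n');
        sb.append("supported protocols = ")
          .append(Arrays.toString(ctx.getSupportedSSLParameters().getProtocols())).append('\n');
        sb.append("default protocols   = ")
          .append(Arrays.toString(ctx.getDefaultSSLParameters().getProtocols())).append('\n');

        // An unconnected socket from the default factory is exactly what a library
        // such as JavaMail uses when it has not been given its own protocol list.
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) factory.createSocket()) {
            sb.append("enabled protocols on a default socket = ")
              .append(Arrays.toString(s.getEnabledProtocols())).append('\n');
            String[] suites = s.getEnabledCipherSuites();
            sb.append("enabled cipher suites (").append(suites.length).append(") = ")
              .append(Arrays.toString(suites)).append('\n');
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.print(report());
    }
}
```

How to read the output: if the in-container run shows only TLSv1 on the default socket, the cause is in the JVM or its java.security configuration that Tomcat actually starts with (java.home tells you which JRE that is, and the property lines tell you whether the -D argument reached it). If the in-container run shows TLSv1.2 on the default socket but the capture still shows a TLS 1.0 ClientHello, the mail library is building its own socket factory rather than using the JVM default; in that case the protocol list has to be set on the JavaMail Session (the mail.smtp.ssl.protocols property) instead of on the JVM.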