Hi, I have written a web application deployed in Tomcat 8.5.31 that sends mail
using the Apache Commons Email client. This is working fine but the mail server
will be configured to accept only TLSv1.2 in the future so I have to make sure
the client can open a TLSv1.2 connection. Tomcat is configured to use Java 8
(version 1.8.0_241-b07) so as far as I can understand TLS 1.2 should be enabled
by default (as would 1.0 and 1.1). I've searched the web and there is a lot of
information on how to enable SSL/TLS for incoming requests but little is found
on outgoing calls. The only explicit finding basically said that outgoing
requests are independent of the configuration of the HTTPS connector for
incoming requests; only the Java version and its security configuration affects
this.
Using Wireshark I've been testing all scenarios I could think of:
- different Java implementations (Oracle JDK 1.8.0_241-b07, OpenJDK 8
  [1.8.0_192], adoptopenjdk-8)
- setting the property crypto.policy=unlimited in the java.security file
  of the JRE (for all alternatives above)
- setting the application argument -Djdk.tls.client.protocols="TLSv1.2"
  (seems to be ignored)
- configuring an HTTPS connector with secure="true" SSLEnabled="true"
  (just in case)
- the server accepts "strict" TLS on port 465 and STARTTLS sessions on
  another port and I tried them both
- programmatically added Bouncy Castle security provider as preferred
- added Bouncy Castle security provider as preferred by configuration
- replaced the list of default security providers with Bouncy Castle
and they all result in the same ClientHello message being sent requesting a
TLS 1.0 session. The cipher suites are only 15 (including the renegotiation
suite) and there are only SHA suites.
I wrote a simple standalone client with the same email code and the same java
version and this works as expected (strict TLS and STARTTLS), generating a
clientHello message requesting a TLSv1.2 session with 29 cipher suites
including SHA256 and SHA384 based suites.
I enabled the logging of TLS and got a heap of information which I briefly
scanned but my impression was that I got the same (or similar) information from
the Wireshark output.
I've debugged the code down through the layers to where the SUN specific code
creates the connection but I couldn't step into that code to figure things out.
Before I try to find the source for the connection creation maybe someone with
a better insight can see some obvious way to analyse and solve this problem. As
the code works outside of Tomcat
and the Java part is the same it seems to me that there is something in the
configuration of Tomcat that affects which TLS version is available.
Thanks in advance
Curt J
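A diagnostic that can be run both standalone and from inside the webapp to compare the effective TLS client settings the post describes, plus a way to pin the SMTP session to TLSv1.2; this is added example code, not part of the original post. It assumes commons-email's public Email.getMailSession() method and JavaMail's mail.smtp.ssl.protocols property, and that the Email object already has its host name configured.

```java
import java.net.URL;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.mail.Session;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;

/** Reports the settings that decide which TLS version a client socket offers. */
public class TlsClientDiagnostics {

    // Where a class was loaded from: a different JavaMail jar under Tomcat's lib/
    // is a common reason for behaviour that differs from a standalone run.
    private static URL codeSource(Class<?> c) {
        return c.getProtectionDomain().getCodeSource() == null
                ? null : c.getProtectionDomain().getCodeSource().getLocation();
    }

    public static String report() throws Exception {
        StringBuilder sb = new StringBuilder();
        sb.append("java.version=").append(System.getProperty("java.version")).append('\n');
        sb.append("java.home=").append(System.getProperty("java.home")).append('\n');
        // System properties that can pin a client to an older protocol without a code change
        for (String key : new String[] {"jdk.tls.client.protocols", "https.protocols", "java.security.properties"}) {
            sb.append(key).append('=').append(System.getProperty(key)).append('\n');
        }
        // Security properties come from java.security (or an override file), not from -D flags
        sb.append("jdk.tls.disabledAlgorithms=").append(Security.getProperty("jdk.tls.disabledAlgorithms")).append('\n');
        for (Provider p : Security.getProviders()) {
            sb.append("provider=").append(p.getName()).append('\n');
        }
        SSLContext ctx = SSLContext.getDefault();
        sb.append("SSLContext provider=").append(ctx.getProvider().getName()).append('\n');
        sb.append("supported protocols=").append(Arrays.toString(ctx.getSupportedSSLParameters().getProtocols())).append('\n');
        // An unconnected socket shows exactly what the next ClientHello would offer
        try (SSLSocket s = (SSLSocket) SSLSocketFactory.getDefault().createSocket()) {
            sb.append("enabled protocols=").append(Arrays.toString(s.getEnabledProtocols())).append('\n');
            sb.append("enabled cipher suites=").append(s.getEnabledCipherSuites().length).append('\n');
        }
        sb.append("javax.mail loaded from=").append(codeSource(Session.class)).append('\n');
        sb.append("commons-email loaded from=").append(codeSource(Email.class)).append('\n');
        return sb.toString();
    }

    /** Pins an already configured Email's SMTP session to TLSv1.2 (assumption: host name is set). */
    public static void requireTlsv12(Email email) throws EmailException {
        // Session.getProperties() is the live property set JavaMail reads when it connects or starts TLS
        email.getMailSession().getProperties().setProperty("mail.smtp.ssl.protocols", "TLSv1.2");
    }
}
```

Call report() from a servlet or JSP under Tomcat and from the standalone client; any line that differs (provider order, enabled protocols, or the jar javax.mail was loaded from) points at the configuration that needs attention.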