1
votes

I am having a problem where Internet Explorer does not display a web site: "This page can't be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings".

I debugged the certificate in Chrome and it says "the connection is encrypted using aes_128_cbc", which I think is the problem, and it should be aes_256_cbc.

I am comparing with another server that is working and that uses aes_256_cbc, which IE supports. However, I don't know how to force the communication to use TLS 1.2 instead of TLS 1.0 (as with the connection against the server that works in IE).

Both servers have the same version of Java. It may be something set up in the load balancer, but that is something I cannot look at.

What would be the best and/or quickest way to change the Tomcat connection to use TLS 1.2 instead of TLS 1.0?

IE settings seem fine; it simply won't accept HTTPS connections using aes_128_cbc. I tried to regenerate the certificate (using keytool) to use a key size of 2048, but it had no effect.

1
The key size of the certificate is not related to the cipher you could choose. Apart from that, aes_128_cbc is supported by IE. This means your problem is something different. - Steffen Ullrich

Thanks. Using IE 11, which only gives two cipher suites: TLS_RSA_WITH_AES_256_CBC_SHA256 and TLS_RSA_WITH_AES_256_CBC_SHA. On other computers the same browser gives me many more cipher suites, and that seems to be the problem. I don't know how to fix it in IE, so it seems only upgrading to Java 7 may be the option. - kandan

I have no idea how you measure which ciphers can be used with which browser and how you determine that IE11 supports only these 2 ciphers (it supports way more). To see which ciphers are supported by a browser you might use the SSLLabs Client test. - Steffen Ullrich

Used howsmyssl.com to determine the ciphers and got only those two, don't know why. Probably some setting somewhere. Tried ssllabs.com/ssltest/viewMyClient.html but it gives the same error "turn on TLS 1.0 ... ", I guess for the same reason as before. Probably better to modify the server side to support either of the two methods our IE 11 supports. Thank you. - kandan

I have the feeling that something is doing SSL interception and supports only a few ciphers. This might be some security software on your system or some middlebox/firewall in the network. IE 11 can definitely support more than these two ciphers, see ssllabs.com/ssltest/…. - Steffen Ullrich

1 Answer

2
votes

TLS 1.1 and 1.2 are only supported since Java 7. It might also be worth looking at the cipher suite table to see which version supports the cipher suite you want (you're only giving a partial name).

That said, if there is a load balancer in between, it's likely that it's handling the SSL/TLS connection (depending on the type of load balancer), which would mean that the Java settings are going to be irrelevant.
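
A way to check the first point of this answer on the Tomcat host, as an added example that is not part of the original answer: it prints the protocols this JVM's JSSE provider supports in server mode and whether the two suites quoted in the comments are available. The class name `JsseCheck` is hypothetical; the program also prints the JCE AES key-length limit, because a JVM running the limited-strength policy does not offer AES-256 suites.

```java
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example (not from the original post): reports what this JVM's JSSE
// provider offers in server mode, as used by a JSSE-based Tomcat connector.
public class JsseCheck { // hypothetical class name
    // The two suites the IE 11 client in the comments reported offering.
    static final List<String> CLIENT_SUITES = Arrays.asList(
            "TLS_RSA_WITH_AES_256_CBC_SHA256",
            "TLS_RSA_WITH_AES_256_CBC_SHA");

    public static void main(String[] args) throws Exception {
        System.out.println("java.version       : " + System.getProperty("java.version"));

        // 128 means the limited-strength JCE policy is active: no AES-256 suites.
        System.out.println("max AES key length : " + Cipher.getMaxAllowedKeyLength("AES"));

        // Inspect a server-mode engine, since protocol defaults can differ by role.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);

        List<String> supportedProtocols = Arrays.asList(engine.getSupportedProtocols());
        List<String> enabledProtocols = Arrays.asList(engine.getEnabledProtocols());
        System.out.println("supported protocols: " + supportedProtocols);
        System.out.println("enabled protocols  : " + enabledProtocols);
        System.out.println("TLSv1.2 supported  : " + supportedProtocols.contains("TLSv1.2"));

        List<String> supportedSuites = Arrays.asList(engine.getSupportedCipherSuites());
        List<String> enabledSuites = Arrays.asList(engine.getEnabledCipherSuites());
        boolean overlap = false;
        for (String suite : CLIENT_SUITES) {
            boolean enabled = enabledSuites.contains(suite);
            overlap |= enabled;
            System.out.println(suite + " supported=" + supportedSuites.contains(suite)
                    + " enabled=" + enabled);
        }
        if (!overlap) {
            // With JVM defaults, a client offering only these suites finds no match.
            System.out.println("No enabled suite in common with the client's two suites.");
        }
    }
}
```

Run it with the same JVM that starts Tomcat. If the load balancer terminates TLS, the output describes only the connection between the load balancer and Tomcat, not what the browser negotiates.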