Using TLS 1.2 from java 6

2
votes

We have a legacy web application that runs in a tomcat under java 6, upgrading to 7 or 8 is infeasible as the application needs significant work to allow this and the fixes required are too large to implement in a legacy application. We now have a requirement to connect outbound (i.e. as a client) over TLS 1.2 however java 6 only supports 1.0. We use Apache as our web-server and OpenSSL for incoming connections and this happily supports TLS 1.2 etc.

Has anyone had to address a similar issue, or can you comment on the following potential work arounds:

  • Loopback to localhost (or otherwise redirect) and use OpenSSL to create a TLS 1.2 connection,
    • effectively an internal proxy
    • can openssl be a client?
    • do we need s_client?
  • Use our current the firewall to upgrade the connection
    • this would need to be selective
    • Obviously implementing this will depend on the firewall
  • Use “Bouncy Castle” (https://www.bouncycastle.org/)
1
ssljavatomcat
It is unlikely an application running under Java 6 won't run with JRE 7. Have you tried? Bouncy Castle can be a good option as it can transparently replace the security provider from the JRE, but you have to do a lot of testing to ensure compatibility.billc.cn
We tried java 7 and it broke. Regression testing is largely automated so that will be less of an issue.Nate
AFAIK, JDK 6 doesn't receive security updates anymore, so using it is not a good idea. Even of it does get updates, due to the many issues with Java's TLS implementation, I would not use Java for a TLS server. Put nginx as a reverse proxy / TLS terminator in front of the Tomcat, let nginx handle the TLS.Z.T.

1 Answers

1
votes

Don't use openssl's s_client for this - it's slow, and intended more for debugging/testing.

Try using stunnel. It's designed for use cases like yours, and you can find plenty of example configs to get you started. You'd want to make sure to include the sslVersion = TLSv1.2 directive in your configuration to force use of TLS 1.2.