-
Notifications
You must be signed in to change notification settings - Fork 0
Springb boot enable TLS 1.2
-
The PRF in TLS 1.1 is based on a combination of MD5 and SHA-1. Both MD5 and SHA-1 are, as cryptographic hash functions, broken. However, the way in which they are broken does not break the PRF of TLS 1.1. There is no known weakness in the PRF of TLS 1.1 (nor, for that matter, in the PRF of SSL 3.0 and TLS 1.0). Nevertheless, MD5 and SHA-1 are "bad press". TLS 1.2 replaces both with SHA-256 (well, actually it could be any other hash function, but in practice it is SHA-256).
-
TLS 1.2 allows the use of authenticated encryption modes like GCM. This can replace the more traditional CBC encryption mode, which has historically been a source of many flaws. Properly implemented CBC encryption is still fine; however, it appears that properly implementing CBC encryption is easier said than done. Getting GCM right seems a more readily achievable goal.
-
TLS 1.2 mandates support for TLS_RSA_WITH_AES_128_CBC_SHA whereas TLS 1.1 required only TLS_RSA_WITH_3DES_EDE_CBC_SHA. Thus, if you use TLS 1.2 then you have a "guarantee" that AES encryption will be available. (This is not in fact completely true: the guarantee holds only as long as no "application specific profile" mandates otherwise. Also, you will get AES only if both client and server support it, and if they both support it, then it is available, regardless of whether TLS 1.1 or 1.2 is used.)
-
https://security.stackexchange.com/questions/87283/is-tls-1-0-more-secure-than-tls-1-2
-
https://security.stackexchange.com/questions/106310/should-i-disable-tls-1-0-on-my-servers
- HTTP Secure (HTTPS) is basically HTTP over a TLS connection.
- Secure Sockets Layer (SSL) is the predecessor of TLS and as such is deprecated and insecure. All SSL versions (1.0, 2.0, 3.0) are vulnerable and should not be used any more.
- Transport Layer Security (TLS) as the successor of SSL is the protocol that should be used for HTTPS. Currently TLS 1.0 is old ,TLS 1.2 is the one to use with TLS 1.3 being just around the corner.
Sring-boot versions 2 support TLS 1.2(Spring Boot default is TLS1.2) You can determine your version with the command:
openssl s_client -connect serverAddress:port
set the version of TLS with VM args
-Djdk.tls.client.protocols=TLSv1.2
To enable TLS 1.2 and to define the cipher list please do the following:
enable/diable https
server.ssl.enabled=true
#ssl ciphers
server.ssl.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256, INCLUDE_ANY_OTHER_ONES_YOU_NEED_TO_SUPPORT
# SSL protocol to use.
server.ssl.protocol=TLS
# Enabled SSL protocols.
server.ssl.enabled-protocols=TLSv1.2
Example : Spring boot embedded tomcat configuration in properties
server.port=8443
server.ssl.key-store=classpath:security/keystore.p12
server.ssl.key-store-password=springboot
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=tomcat
server.ssl.protocol=TLSv1.2
server.ssl.enabled=true
security.require-ssl=true
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE-RSA-AES256-GCM-SHA384,TLS_ECDHE-ECDSA-
CHACHA20-POLY1305,TLS_ECDHE-RSA-CHACHA20-POLY1305,TLS_ECDHE-ECDSA-AES128-GCM-SHA256,TLS_ECDHE-RSA-AES128-GCM-
SHA256,TLS_ECDHE-ECDSA-AES256-SHA384TLS_ECDHE-RSA-AES256-SHA384,TLS_ECDHE-ECDSA-AES128-SHA256,TLS_ECDHE-RSA-
AES128-SHA256
Code : @Bean public EmbeddedServletContainerFactory servletContainerFactory() { TomcatEmbeddedServletContainerFactory factory = new TomcatEmbeddedServletContainerFactory();
factory.addConnectorCustomizers(new TomcatConnectorCustomizer()
{
@Override
public void customize(Connector connector)
{
connector.setAttribute("sslProtocols", "TLSv1.1,TLSv1.2");
connector.setAttribute("sslEnabledProtocols", "TLSv1.1,TLSv1.2");
}
});
return factory;
}
YAML
server.ssl.enabled-protocols=TLSv1.1,TLSv1.2