How can I disable TLSv1.0 with spring boot and embedded tomcat?

日久生厌 2021-01-05 15:02

I want to de-activate TLSv1.0 with Spring Boot (release 1.3.3), but it doesn't work with application.yml as below:

    ssl:
      protocol: TLSv1.2
      key-store: /E:/

4 Answers
  •  Happy的楠姐
    2021-01-05 15:34

    The answers so far only show how to lock down TLS to a set of versions not yet considered broken. Since the question was how to de-activate a specific version, here's how, using at least Java 8:

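      import java.security.Security;
      import java.util.Arrays;
      import java.util.Set;
      import java.util.stream.Collectors;

      // Start from the JDK's current list so existing restrictions are kept.
      String algs = Security.getProperty("jdk.tls.disabledAlgorithms");
      if (algs == null) {
          algs = "";
      }

      Set<String> disabled =
          Arrays.stream(algs.split(","))
              .map(String::trim)
              .filter(s -> !s.isEmpty())   // skip blanks from an empty property
              .collect(Collectors.toSet());

      // TODO: inject these algs as properties for configurability

      disabled.add("TLSv1");

      algs = String.join(", ", disabled);
      Security.setProperty("jdk.tls.disabledAlgorithms", algs);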
    

    Do this early on in your context initialisation, before the Tomcat server is created, and to be thorough you should catch SecurityException in case there's a policy in place that blocks the setProperty() call.

    Using this method you benefit from new versions included in the JDK in the future.
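
A way to confirm the change took effect, as an added example that is not part of the answer above: it appends `TLSv1` to the property and then inspects which protocols a default server-side `SSLEngine` still enables. The class and method names are hypothetical, and it assumes the JSSE provider drops protocols listed in `jdk.tls.disabledAlgorithms` from the engine's default enabled list.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added example; TlsProtocolCheck and its methods are hypothetical names.
public class TlsProtocolCheck {

    static final String PROP = "jdk.tls.disabledAlgorithms";

    // Append a protocol to the JDK-wide disabled list, keeping existing entries.
    static void disable(String protocol) {
        String current = Security.getProperty(PROP);
        Set<String> disabled = new LinkedHashSet<>();
        if (current != null) {
            for (String entry : current.split(",")) {
                if (!entry.trim().isEmpty()) {
                    disabled.add(entry.trim());
                }
            }
        }
        disabled.add(protocol);
        try {
            Security.setProperty(PROP, String.join(", ", disabled));
        } catch (SecurityException e) {
            // A security policy can forbid setProperty(); fail loudly rather than run weak.
            throw new IllegalStateException("Policy blocks changing " + PROP, e);
        }
    }

    // Protocols a default server-side engine is willing to negotiate.
    static Set<String> enabledServerProtocols() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);            // default key and trust managers
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false);
        return new LinkedHashSet<>(Arrays.asList(engine.getEnabledProtocols()));
    }

    public static void main(String[] args) throws Exception {
        disable("TLSv1");                      // before the first TLS context is created
        Set<String> enabled = enabledServerProtocols();
        System.out.println("Enabled protocols: " + enabled);
        if (enabled.contains("TLSv1")) {
            throw new IllegalStateException("TLSv1 is still enabled");
        }
    }
}
```

Running the same check at application startup turns a silently ignored setting into a startup failure.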
