How do you enable TLS 1.2 on Spring-boot?

小鲜肉 2020-12-13 07:38

I am trying to enable TLS 1.2 on Tomcat on Spring-boot 1.2.1. Android 5.0 is failing to connect to the default SSL settings, due to an SSL handshake failure. Android 4.4, iO

2 answers
  • 2020-12-13 07:56

    You may experience an SSL handshake error due to the default ciphers that spring boot includes. It is recommended that you define a set of ciphers. We had a similar issue, and the way we fixed it was by using SSLScan on the caller and then scanning our system to see if there were any matches. This led us to find out that there were no matches and helped us define a list of ciphers we should support.

    Using SSLScan these are the default ciphers spring boot will use:

    Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
    Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
    Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
    Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits
    Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 1024 bits
    Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA            DHE 1024 bits
    

    To enable TLS 1.2 and to define the cipher list please do the following:

    #enable/disable https
    server.ssl.enabled=true
    
    #ssl ciphers
    server.ssl.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256, INCLUDE_ANY_OTHER_ONES_YOU_NEED_TO_SUPPORT
    
    # SSL protocol to use.
    server.ssl.protocol=TLS
    
    # Enabled SSL protocols.
    server.ssl.enabled-protocols=TLSv1.2
    

    For a list of ciphers you can use https://testssl.sh/openssl-rfc.mapping.html and https://msdn.microsoft.com/en-us/library/windows/desktop/mt813794(v=vs.85).aspx

  • 2020-12-13 07:56

    TLS 1.2 is enabled by default in spring-boot 1.2.1. This can be verified by running the following from the command line:

    openssl s_client -connect serverAddress:port
    

    which outputs

    SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    

    So my problem must be something separate.

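An added example (not from either answer) that ties the two together: a small lint for the `server.ssl.*` properties from the first answer, checking that only TLSv1.2/1.3 are enabled and that every listed suite is neither a legacy suite nor one without forward secrecy, plus a client-side probe that reports the negotiated protocol and cipher the way the `openssl s_client` check in the second answer does. The weak-suite fragments and the two sample configs are constructed for the example; only the standard library is used.

```python
import socket
import ssl

# Constructed policy: name fragments of cipher suites no modern client needs.
WEAK_FRAGMENTS = ("_NULL_", "_anon_", "_EXPORT", "_RC4_", "_DES_", "_3DES_", "_MD5")
# Constructed samples: the first answer's config (placeholder dropped) and a hardened one.
ANSWER_CONFIG = """server.ssl.enabled=true
server.ssl.ciphers=TLS_RSA_WITH_AES_128_CBC_SHA256
server.ssl.protocol=TLS
server.ssl.enabled-protocols=TLSv1.2
"""
HARDENED_CONFIG = """server.ssl.enabled=true
server.ssl.ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
server.ssl.enabled-protocols=TLSv1.2
"""

def parse_properties(text):
    # Minimal .properties reader: skip blanks and '#' comments, split on the first '='.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def split_list(value):
    # Spring accepts "a, b" with spaces after the commas, so strip each element.
    return [v.strip() for v in value.split(",") if v.strip()]

def lint_ssl_config(text):
    # Return findings for server.ssl.*; an empty list means the policy is met.
    props = parse_properties(text)
    findings = []
    protocols = split_list(props.get("server.ssl.enabled-protocols", ""))
    if not protocols:
        findings.append("enabled-protocols unset: JVM defaults (may include TLSv1/1.1) apply")
    findings += [f"legacy protocol: {p}" for p in protocols if p not in ("TLSv1.2", "TLSv1.3")]
    for c in split_list(props.get("server.ssl.ciphers", "")):
        if any(f in c for f in WEAK_FRAGMENTS):
            findings.append(f"weak cipher suite: {c}")
        elif "_ECDHE_" not in c and "_DHE_" not in c:
            findings.append(f"no forward secrecy: {c}")
    return findings

def negotiated(host, port=443):
    # Same check as `openssl s_client -connect host:port`, from a TLS 1.2+ client.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

`negotiated()` verifies the server certificate with the default trust store, so against a self-signed development certificate it raises instead of reporting a cipher.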