Enabling TLSv1.2 in Glassfish3

5 replies [Last post]
momaison
Offline
Joined: 2008-09-29
Points: 0

Hello glassfish users,

We used https with GF-2.1 and Java6 and it worked fine, until we got TLS-1.2 clients. We upgraded to JDK 7, which supports TLSv1.2, and this solved our problem.
However, after an upgrade to GF-3.1.2, this does not work anymore.
I have googled a lot, tried to set https.protocols=TLSv1.2 in system properties, but this does not work.

Looking into sources, I have found in com.sun.enterprise.web.connector.coyote.PECoyoteConnector.configureSSL() that the list of protocols is set, depending on flags ssl2/ssl3/tls enabled.
But if tls is enabled, it appears that the only appended string is "TLSv1", and we observed that TLSv1.2 is actually not used by server when speaking to a TLS-1.2 only compliant client.

So how can we enable TLS-1.2 with glassfish 3.1.2 (we use latest JDK 7)?

Regards,

M. Maison
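
Added example (not part of the thread, and not GlassFish or Grizzly source): a Java sketch of the behaviour described in the post above, applying a flag-driven list that contains only "TLSv1" to a JSSE engine and comparing it with a list derived from what the JDK itself supports. The class name, method names and the "TLSv1.2" floor are assumptions for illustration; this is not the patch discussed in the thread.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocket;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class TlsProtocolCheck {
    // Reconstruction of the behaviour described in the post (hypothetical helper):
    // the "tls" flag contributes the single literal "TLSv1" and nothing newer.
    static String[] flagBasedList(boolean tlsEnabled) {
        List<String> out = new ArrayList<String>();
        if (tlsEnabled) out.add("TLSv1");
        return out.toArray(new String[0]);
    }

    // Alternative (assumption): every TLS version the JDK's engine supports at or
    // above a floor. "TLSv1" < "TLSv1.1" < "TLSv1.2" holds under String ordering.
    static String[] supportedFrom(SSLEngine engine, String floor) {
        List<String> out = new ArrayList<String>();
        for (String p : engine.getSupportedProtocols())
            if (p.startsWith("TLSv") && p.compareTo(floor) >= 0) out.add(p);
        return out.toArray(new String[0]);
    }

    // Client-side check against your own listener: offer only `protocol` and report
    // what was negotiated. The server certificate must be trusted by the default
    // trust store, otherwise the handshake fails for an unrelated reason.
    static String probe(String host, int port, String protocol) throws Exception {
        SSLSocket s = (SSLSocket) SSLContext.getDefault().getSocketFactory().createSocket(host, port);
        try {
            s.setEnabledProtocols(new String[] { protocol });
            s.startHandshake();   // throws SSLHandshakeException if the server refuses
            return s.getSession().getProtocol();
        } finally {
            s.close();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);   // behave as the server side
        engine.setEnabledProtocols(flagBasedList(true));
        System.out.println("flag-based : " + Arrays.toString(engine.getEnabledProtocols()));
        engine.setEnabledProtocols(supportedFrom(engine, "TLSv1.2"));
        System.out.println("JDK-derived: " + Arrays.toString(engine.getEnabledProtocols()));
        if (args.length == 2)             // optional: host and port of the listener to check
            System.out.println("negotiated : " + probe(args[0], Integer.parseInt(args[1]), "TLSv1.2"));
    }
}
```

Run without arguments, it prints the two enabled-protocol lists; with a host and port it also performs a TLSv1.2-only handshake, which is a quick way to confirm a listener's behaviour before and after a change.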

oleksiys
Offline
Joined: 2006-01-25
Points: 0

Hi,

pls. file an issue, I'll try to provide you a patch for testing asap.

WBR,
Alexey.

On 07/25/2012 05:51 PM, Maison Mo wrote:
> Hello glassfish users,
>
> We used https with GF-2.1 and Java6 and it worked fine, until we got TLS-1.2 clients. We upgraded to JDK 7, which supports TLSv1.2, and this solved our problem.
> However, after an upgrade to GF-3.1.2, this does not work anymore.
> I have googled a lot, tried to set https.protocols=TLSv1.2 in system properties, but this does not work.
>
> Looking into sources, I have found in com.sun.enterprise.web.connector.coyote.PECoyoteConnector.configureSSL() that the list of protocols is set, depending on flags ssl2/ssl3/tls enabled.
> But if tls is enabled, it appears that the only appended string is "TLSv1", and we observed that TLSv1.2 is actually not used by server when speaking to a TLS-1.2 only compliant client.
>
> So how can we enable TLS-1.2 with glassfish 3.1.2 (we use latest JDK 7)?
>
> Regards,
>
> M. Maison
>

momaison
Offline
Joined: 2008-09-29
Points: 0

Hello,

Thank you for your attention. I've just filed:
http://java.net/jira/browse/GLASSFISH-18949
which also explains some of our experiments.

We are using glassfish 3.1.2.2, in case the patch is version dependent.

M.

--- On Wed 25.7.12, Oleksiy Stashok wrote:

> From: Oleksiy Stashok
> Subject: Re: Enabling TLSv1.2 in Glassfish3
> To: users@glassfish.java.net
> Date: Wednesday 25 July 2012, 21:13
> Hi,
>
> pls. file an issue, I'll try to provide you a patch for
> testing asap.
>
> WBR,
> Alexey.
>
> On 07/25/2012 05:51 PM, Maison Mo wrote:
> > Hello glassfish users,
> >
> > We used https with GF-2.1 and Java6 and it worked fine, until we got TLS-1.2 clients. We upgraded to JDK 7, which supports TLSv1.2, and this solved our problem.
> > However, after an upgrade to GF-3.1.2, this does not work anymore.
> > I have googled a lot, tried to set https.protocols=TLSv1.2 in system properties, but this does not work.
> >
> > Looking into sources, I have found in com.sun.enterprise.web.connector.coyote.PECoyoteConnector.configureSSL() that the list of protocols is set, depending on flags ssl2/ssl3/tls enabled.
> > But if tls is enabled, it appears that the only appended string is "TLSv1", and we observed that TLSv1.2 is actually not used by server when speaking to a TLS-1.2 only compliant client.
> >
> > So how can we enable TLS-1.2 with glassfish 3.1.2 (we use latest JDK 7)?
> >
> > Regards,
> >
> > M. Maison
> >
>
>

oleksiys
Offline
Joined: 2006-01-25
Points: 0

Hi,

pls. try the patch attached to the issue.

Thanks.

WBR,
Alexey.

On 07/26/2012 11:36 AM, Maison Mo wrote:
> Hello,
>
> Thank you for your attention. I've just filed:
> http://java.net/jira/browse/GLASSFISH-18949
> which also explains some of our experiments.
>
> We are using glassfish 3.1.2.2, in case the patch is version dependent.
>
> M.
>
> --- On Wed 25.7.12, Oleksiy Stashok wrote:
>
>> From: Oleksiy Stashok
>> Subject: Re: Enabling TLSv1.2 in Glassfish3
>> To: users@glassfish.java.net
>> Date: Wednesday 25 July 2012, 21:13
>> Hi,
>>
>> pls. file an issue, I'll try to provide you a patch for
>> testing asap.
>>
>> WBR,
>> Alexey.
>>
>> On 07/25/2012 05:51 PM, Maison Mo wrote:
>>> Hello glassfish users,
>>>
>>> We used https with GF-2.1 and Java6 and it worked fine, until we got TLS-1.2 clients. We upgraded to JDK 7, which supports TLSv1.2, and this solved our problem.
>>> However, after an upgrade to GF-3.1.2, this does not work anymore.
>>> I have googled a lot, tried to set https.protocols=TLSv1.2 in system properties, but this does not work.
>>>
>>> Looking into sources, I have found in com.sun.enterprise.web.connector.coyote.PECoyoteConnector.configureSSL() that the list of protocols is set, depending on flags ssl2/ssl3/tls enabled.
>>> But if tls is enabled, it appears that the only appended string is "TLSv1", and we observed that TLSv1.2 is actually not used by server when speaking to a TLS-1.2 only compliant client.
>>>
>>> So how can we enable TLS-1.2 with glassfish 3.1.2 (we use latest JDK 7)?
>>>
>>> Regards,
>>>
>>> M. Maison
>>>
>>

momaison
Offline
Joined: 2008-09-29
Points: 0

Well done! The patch does the job, thank you.
Do you think this will be included in a future version of GF?

Regards,

M. Maison

On 27/07/2012 23:29, Oleksiy Stashok wrote:
> Hi,
>
> pls. try the patch attached to the issue.
>
>

oleksiys
Offline
Joined: 2006-01-25
Points: 0

Sure, it will be available w/ the next Grizzly integration.

Thanks.

WBR,
Alexey.

On 07/31/2012 10:27 PM, Mo Maison wrote:
> Well done! The patch does the job, thank you.
> Do you think this will be included in a future version of GF?
>
> Regards,
>
> M. Maison
>
> On 27/07/2012 23:29, Oleksiy Stashok wrote:
>> Hi,
>>
>> pls. try the patch attached to the issue.
>>
>>