caf-archive / opensuse-java8-images

Apache License 2.0

Connections issues #23

Open steve-williams-mf opened 4 years ago

steve-williams-mf commented 4 years ago

With the following applied: https://github.com/CAFapi/opensuse-java8-images/blob/develop/src/main/docker/disableWeakTlsAlgorithms.patch

We are experiencing different connection issues from our applications to external sites (which we can not control).

With one site we receive:

```
javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
    at sun.security.ssl.Handshaker.activate(Handshaker.java:509)
    at sun.security.ssl.SSLSocketImpl.kickstartHandshake(SSLSocketImpl.java:1474)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1346)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:275)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:254)
    %more-stack%
```

The other issue is that a connection is not able to be created to certain email servers, which causes notifications from our product to fail.

Manually modifying the java.security file and putting it back to the default (as it comes) resolves both of these issues.

In general, we specify the sslEnabledProtocols and sslProtocol levels in the server.xml of tomcat.
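A small diagnostic that makes the "No appropriate protocol" failure above reproducible without guessing, added here as an illustration and not code from the opensuse-java8-images project or from the reporter: it prints the `jdk.tls.disabledAlgorithms` security property the JVM actually loaded from its `java.security` file, lists the protocol versions the default `SSLContext` supports versus the ones the policy leaves enabled, and then checks whether a peer's offered protocols intersect with that enabled set. The `SAMPLE_LEGACY_SERVER` set is a constructed stand-in for a remote site that only speaks TLS 1.1/1.0; no real host is contacted.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class TlsPolicyCheck {

    // Constructed sample of what a legacy peer might offer; not a real server.
    static final Set<String> SAMPLE_LEGACY_SERVER =
            new LinkedHashSet<>(Arrays.asList("TLSv1.1", "TLSv1"));

    public static void main(String[] args) throws Exception {
        // The value comes from the java.security file of the running JVM
        // (or from -Djava.security.properties=... if that was used to override it).
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new LinkedHashSet<>(
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols()));
        Set<String> enabled = new LinkedHashSet<>(
                Arrays.asList(ctx.getDefaultSSLParameters().getProtocols()));

        System.out.println("supported by this JVM : " + supported);
        System.out.println("enabled by policy     : " + enabled);
        System.out.println(explain(enabled, SAMPLE_LEGACY_SERVER));
    }

    /**
     * Returns a human-readable verdict for a client whose enabled protocol
     * versions are clientEnabled talking to a peer that offers serverOffered.
     * An empty intersection is exactly the condition under which the JSSE
     * client throws SSLHandshakeException("No appropriate protocol ...").
     */
    static String explain(Set<String> clientEnabled, Set<String> serverOffered) {
        Set<String> common = new LinkedHashSet<>(clientEnabled);
        common.retainAll(serverOffered);
        if (common.isEmpty()) {
            return "No common protocol version: peer offers " + serverOffered
                    + " but the JVM policy only enables " + clientEnabled
                    + " -> expect 'No appropriate protocol' on handshake.";
        }
        return "Handshake can proceed using " + common;
    }
}
```

Run it with `java TlsPolicyCheck` inside the container image to see the effective policy, and again with `-Djava.security.properties=/path/to/override.properties` to compare against a different `jdk.tls.disabledAlgorithms` value. When `enabled` no longer contains any version the peer supports, the fix belongs on the peer (upgrade it to TLS 1.2 or later) rather than in weakening the JVM-wide policy; if a temporary exception is unavoidable, scope it to the one connection via `SSLSocket.setEnabledProtocols` instead of editing `java.security` for every application in the image.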

dermot-hardy commented 4 years ago

That's interesting. Only TLS 1.1 has been disabled as it's obviously no longer secure and we wouldn't have expected any of our products to be still using it. We were actually considering going further and disabling TLS 1.2 now that 1.3 is well established. I guess we should hold off on that consideration for now.

dermot-hardy commented 4 years ago

SCMOD-11121 raised to track this on Jira.