Unable to force TLSv1.2 for SSL

Discussion in 'Web Call Server 5' started by tbr666, Oct 24, 2019.

  1. tbr666

    tbr666 New Member

    I have been trying to force TLSv1.2 for Flashphoner manager (port 8888) and for streaming certificate (port 8443). I tried to adjust it by changing the following directive in wcs-core.properties:


    from


    -Djdk.tls.client.protocols = "TLSv1,TLSv1.1,TLSv1.2"


    to


    -Djdk.tls.client.protocols = "TLSv1.2"


    Once I restart webcallserver, flashphoner manager logs even show that the manager is started with

    -Djdk.tls.client.protocols = "TLSv1.2"

    option


    However, the vulnerability test of my server still shows that ports 8443 and 8888 allow TLSv1.0 connections, which is not very secure,

    and also I can access Flashphoner manager using an old Windows Safari browser, which should not be possible because that browser doesn’t support TLSv1.2 and must use some older version like TLSv1.0.


    Is it even possible to force TLSv1.2 or at least TLSv1.1 on Flashphoner web call server 5.1 by changing this directive or can it be forced in some other configuration file?
  2. Max

    Max Administrator Staff Member

    Good day.
    We will check your case and inform you in this thread.
  3. Max

    Max Administrator Staff Member

    To enable specific TLS protocols you must do this on the server side, not the client side. See the security property jdk.tls.disabledAlgorithms in the java.security file.
    On JDK 8, edit the
    Code:
    <JAVA home>/jre/lib/security/java.security
    
    On JDK versions higher than 8, edit the
    Code:
    <JAVA home>/conf/security/java.security
    
    For example, append the new values to the property (more information in the documentation):
    Code:
    jdk.tls.disabledAlgorithms= SSLv2Hello, TLSv1, TLSv1.1
    
    These values must be added to the current value, which is:
    JDK 8
    Code:
    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
    
    JDK >8
    Code:
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
    
    Besides, you may, for example, want to set some crypto options (TLS/SSL) in nginx. Nginx provides a convenient reverse proxy mode, and in this mode you can configure the necessary restrictions.
    Last edited: Oct 25, 2019
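An added example (not part of this thread and not Web Call Server's or Flashphoner's own code) of the server-side change described in the post above: a small Python script that appends SSLv2Hello, TLSv1 and TLSv1.1 to jdk.tls.disabledAlgorithms in java.security without dropping the existing entries, handles the backslash line continuations that .properties files use, and reports which protocol versions remain enabled afterwards. The file contents are a constructed fragment modelled on the JDK 8 default quoted above, the path in `harden_file` is a placeholder, and the protocol list used for reporting is an assumption (which versions a JDK really implements depends on its release; TLSv1.3 only exists on newer JDKs).

```python
"""Merge legacy TLS versions into jdk.tls.disabledAlgorithms and audit the result.

Added example, not part of this thread or of Web Call Server. The file content
below is a constructed java.security fragment modelled on the JDK 8 default; the
path in main() is a placeholder. jdk.tls.disabledAlgorithms is a JSSE-wide
setting, so it restricts what the *server* accepts, unlike the JVM flag
jdk.tls.client.protocols, which only governs outgoing client connections.
"""
import re

SAMPLE_JAVA_SECURITY = """\
# constructed java.security fragment (not a real file)
securerandom.source=file:/dev/random
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
jdk.certpath.disabledAlgorithms=MD2, MD5
"""

# Candidate protocol names used for reporting only (assumption: which of these a
# given JDK implements depends on its version; TLSv1.3 needs JDK 11 or a late 8u).
PROTOCOL_VERSIONS = ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY_PROTOCOLS = ["SSLv2Hello", "TLSv1", "TLSv1.1"]   # the values the post adds

KEY_RE = re.compile(r"\s*jdk\.tls\.disabledAlgorithms\s*=\s*(.*)$")


def _logical_lines(text):
    """Yield (joined_line, raw_lines). java.security is a .properties file: a
    trailing backslash continues the value on the next line, and the
    continuation line's leading whitespace is not part of the value."""
    raw_group, buf = [], ""
    for raw in text.splitlines():
        raw_group.append(raw)
        piece = raw.rstrip()
        if len(raw_group) > 1:          # continuation line
            piece = piece.lstrip()
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        yield buf + piece, raw_group
        raw_group, buf = [], ""
    if raw_group:                       # file ended inside a continuation
        yield buf, raw_group


def parse_disabled(text):
    """Entries of jdk.tls.disabledAlgorithms, or [] if the property is absent."""
    for joined, _ in _logical_lines(text):
        m = KEY_RE.match(joined)
        if m:
            return [e.strip() for e in m.group(1).split(",") if e.strip()]
    return []


def enabled_protocols(text):
    """Protocol versions from PROTOCOL_VERSIONS that the property does not exclude."""
    disabled = set(parse_disabled(text))
    return [p for p in PROTOCOL_VERSIONS if p not in disabled]


def merge_disabled(text, extra):
    """Return the file text with `extra` appended to jdk.tls.disabledAlgorithms.

    Existing entries are kept (dropping them would re-enable weak ciphers and
    key sizes), duplicates are not added, every other line passes through
    untouched, and the property is created if it is missing. Running it twice
    yields the same text."""
    current = parse_disabled(text)
    merged = current + [e for e in extra if e not in current]
    new_line = "jdk.tls.disabledAlgorithms=" + ", ".join(merged)
    out, replaced = [], False
    for joined, raw_lines in _logical_lines(text):
        if not replaced and KEY_RE.match(joined):
            out.append(new_line)
            replaced = True
        else:
            out.extend(raw_lines)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def harden_file(path, extra=LEGACY_PROTOCOLS):
    """Rewrite java.security at `path` in place; returns the protocols left enabled."""
    with open(path, encoding="utf-8") as fh:
        hardened = merge_disabled(fh.read(), extra)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(hardened)
    return enabled_protocols(hardened)


if __name__ == "__main__":
    print("before:", enabled_protocols(SAMPLE_JAVA_SECURITY))
    hardened = merge_disabled(SAMPLE_JAVA_SECURITY, LEGACY_PROTOCOLS)
    print("after: ", enabled_protocols(hardened))
    # Real use on JDK 8 (placeholder path, see the post above for the JDK >8 location):
    # harden_file("<JAVA home>/jre/lib/security/java.security")
```

After editing the real file and restarting the server, confirm the change from the outside rather than trusting the log line, for instance with `openssl s_client -connect host:8443 -tls1`, which should now fail the handshake while a plain `openssl s_client -connect host:8443` still negotiates TLSv1.2.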
  4. tbr666

    tbr666 New Member

    Hello,

    thank you for your help.
    I have followed your instructions and the result is that connections to both of those websocket services are only allowed for protocol TLSv1.2 and the connection to Flashphoner doesn't work from my old Safari browser anymore.
    The security analysis no longer complains about deprecated TLS versions allowed and the only allowed version is now TLSv1.2 for all my Java based services on my streaming servers.
  5. Max

    Max Administrator Staff Member

    Hello,
    Glad it works for you.
