Unable to force TLSv1.2 for SSL

tbr666

New Member
I have been trying to force TLSv1.2 for Flashphoner manager (port 8888) and for streaming certificate (port 8443). I tried to adjust it by changing the following directive in wcs-core.properties:

from
Code:
-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"
to
Code:
-Djdk.tls.client.protocols="TLSv1.2"

Once I restart webcallserver, flashphoner manager logs even show that the manager is started with the
Code:
-Djdk.tls.client.protocols="TLSv1.2"
option.

However, a vulnerability test of my server still shows that ports 8443 and 8888 allow TLSv1.0 connections, which is not very secure, and also I can access Flashphoner manager using an old Windows Safari browser, which should not be possible because that browser doesn't support TLSv1.2 and must use some older version like TLSv1.0.


Is it even possible to force TLSv1.2 or at least TLSv1.1 on Flashphoner web call server 5.1 by changing this directive or can it be forced in some other configuration file?
 

Max

Administrator
Staff member
Good day.
We will check your case and inform you in this thread.
 

Max

Administrator
Staff member
To enable specific TLS protocols you must do this on the server side, not the client side. See the security property jdk.tls.disabledAlgorithms in the java.security file.
On JDK 8, edit the
Code:
<JAVA home>/jre/lib/security/java.security
On JDK versions higher than 8, edit the
Code:
<JAVA home>/conf/security/java.security
For example, append the new values to the property (more information in the documentation):
Code:
jdk.tls.disabledAlgorithms=SSLv2Hello, TLSv1, TLSv1.1
These values must be added to the current value, which is:
JDK 8
Code:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
JDK >8
Code:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
Besides, you may want, for example, to configure some crypto options (TLS/SSL) in nginx. Nginx provides a convenient reverse proxy mode; in this mode you can configure the necessary restrictions.
 
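As an added example (not code from this thread, from Flashphoner or from the JDK), a small Python helper that merges the values above into an existing java.security file and verifies the result. It handles the backslash continuation lines the stock JDK file uses for this property, which a naive line-based edit would miss; the file excerpt it operates on is a constructed sample.

```python
import re

# Constructed excerpt in the JDK 8 layout: the stock file splits the value over
# continuation lines ending in a backslash, which a naive line-based sed misses.
SAMPLE_JAVA_SECURITY = """\
# java.security excerpt (constructed sample, not a real JDK file)
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
jdk.tls.legacyAlgorithms=K_NULL, C_NULL
"""

KEY = "jdk.tls.disabledAlgorithms"
LEGACY_TLS = ("SSLv2Hello", "TLSv1", "TLSv1.1")  # values from the answer above
_KEY_LINE = re.compile(r"^[ \t]*" + re.escape(KEY) + r"[ \t]*=[ \t]*(.*)$", re.M)


def _unfold(text):
    """Join properties-file continuation lines (trailing backslash) into one line."""
    return re.sub(r"\\\n[ \t]*", " ", text)


def read_disabled(text):
    """Return the entries of jdk.tls.disabledAlgorithms, or [] if the key is absent."""
    m = _KEY_LINE.search(_unfold(text))
    if not m:
        return []
    return [e.strip() for e in m.group(1).split(",") if e.strip()]


def disable_legacy_tls(text, extra=LEGACY_TLS):
    """Return text with `extra` appended to the property, keeping existing entries."""
    unfolded = _unfold(text)
    current = read_disabled(unfolded)
    merged = current + [e for e in extra if e not in current]  # no duplicates
    new_line = f"{KEY}={', '.join(merged)}"
    if _KEY_LINE.search(unfolded):
        return _KEY_LINE.sub(new_line, unfolded, count=1)
    # Key missing (or only present commented out): append it as a new active line.
    return unfolded.rstrip("\n") + "\n" + new_line + "\n"


def legacy_tls_disabled(text):
    """True when TLSv1 and TLSv1.1 are both disabled, so only TLSv1.2+ can be negotiated."""
    return {"TLSv1", "TLSv1.1"} <= set(read_disabled(text))


if __name__ == "__main__":
    hardened = disable_legacy_tls(SAMPLE_JAVA_SECURITY)
    print(hardened)
    print("legacy TLS disabled:", legacy_tls_disabled(hardened))
```

Run it against a copy of the real file and diff the output before replacing the original; a JVM restart is still required for the change to take effect.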

tbr666

New Member
Hello,

Thank you for your help.
I have followed your instructions and the result is that connections to both of those websocket services are only allowed for protocol TLSv1.2 and the connection to Flashphoner doesn't work from my old Safari browser anymore.
The security analysis no longer complains about deprecated TLS versions allowed and the only allowed version is now TLSv1.2 for all my Java based services on my streaming servers.
 