I am using a spring boot 2.0.2 app to make REST api calls to an external api via HTTPS.

I am new to the world of TLS and SSL. My understanding is TLS is the more secure way of communicating secure sensitive data.

My questions are:

1. How do I determine what version of TLS my app is using ?
2. As a consumer of an API what should I do to ensure I am communicating using a particular version of TLS ?
3. Is TLS a client side thing or a server side thing or is it both ?

To answer your questions:

1. Newer spring-boot versions support TLS 1.2 but you can determine your version with the command: openssl s_client -connect serverAddress:port

2. You can use the command in 1. or SSLScan

3. TLS is a client AND a server side touching protocol. It defines the way both of them are securely communicating with each other. The communication gets secured at the beginning of each client-server communication with the help of the so called TLS handshake:

For the TLS handshake the server has to provide a certificate and the client has to verify this certificate somehow.

You can verify the TLS version running the below in command line:

openssl s_client -connect serverAddress:port

You can set the version of TLS with VM args, which ones to use vary on what version of Java is used. If it is Java 8, try:

-Djdk.tls.client.protocols=TLSv1.2

TLS is a protocol, it is what is between the client and server.