How do I allow Java client TLS10 connections?

2

5

While attempting to do a hello world MSSQL JDBC connection in Eclipse with Java 16, I'm getting this error:

"...server selected protocol version TLS10 is not accepted by client preferences [TLS13, TLS12]..."

Upon searching, it appears my Java client is not allowing this TLS version while trying to connect to my deprecated MSSQL instance. How do I enable it?

Here's how I added the MSSQL JDBC driver:

Amandy answered 18/10, 2021 at 23:33 Comment(2)
Wow, TLS 1.1 was introduced 16.5 years ago. Uh, you're kinda lacking when it comes to upgrades, but kudos for keeping that server running for that long :P - Robbyrobbyn
True, but it's the only mssql I have a license for & it's only a sandbox. No point fixing a "security issue" that's not even open to the public. Besides, just wanted to spend time developing java, not down a mssql rabbit hole as we all know this turns into! Thx for feedback - Amandy
E
7

TLS 1.0 and 1.1 are disabled by default in the latest Java versions (OpenJDK 11.0.11 onwards), because these versions of TLS have weakened over time and lack support for stronger, more modern algorithms.

Solution:

Patch your MSSQL server and enable TLS1.2 on your MSSQL Server as per the Microsoft KB article: https://support.microsoft.com/en-us/topic/kb3135244-tls-1-2-support-for-microsoft-sql-server-e4472ef8-90a9-13c1-e4d8-44aad198cdbe

Alternate Solutions: (Prone to security risks)

  1. Enable them by modifying the existing java.security file of the installed JDK, as mentioned in Kevin's answer.
  2. Or override java.security for your specific application as given below (preferred).
  • Create a file named enableLegacyTLS.security.
  • In that file, add an entry for jdk.tls.disabledAlgorithms with the same contents as the jdk.tls.disabledAlgorithms property in the java.security file:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
        DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL,...

  • Remove TLSv1, TLSv1.1, from the list in enableLegacyTLS.security.
  • Start your application with -Djava.security.properties=path/to/enableLegacyTLS.security

Note: In the last point, when you use a double equals sign (==), you tell the JVM to ignore the default java.security file and load only this file. But if a single equals sign (=) is used, it loads your copy and superimposes it over the default java.security file.

Espinosa answered 13/9, 2022 at 11:57 Comment(2)
You can even hand the modified value to your JVM on startup, using -Djdk.tls.disabledAlgorithms=<list of modified algorithms>. - Genvieve
I also needed to add deployment.security.TLSv1=true to my deployment.properties file in %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment - Theall
A
4

Solution (though be aware of security risks):

  • C:\Program Files\Java\jdk-16.0.1\conf\security\java.security
  • Or C:\Program Files\Java\jre7\lib\security\java.security
  • Remove "TLSv1, TLSv1.1, " from this line:

    jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
        DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL

Amandy answered 18/10, 2021 at 23:33 Comment(0)
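
A check that applies to both answers above, as an added example that is not part of the original posts: started with the same JVM options as the application (for instance the `-Djava.security.properties=...` flag), it prints the effective `jdk.tls.disabledAlgorithms` value and the protocols the default `SSLContext` actually enables, so you can confirm the legacy protocols are on only where intended. The class name `TlsPolicyCheck` and its helper methods are hypothetical.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added example: reports the TLS policy in effect for this JVM invocation.
public class TlsPolicyCheck {

    // Split the comma-separated security property into trimmed entries.
    static List<String> parse(String value) {
        List<String> out = new ArrayList<>();
        if (value == null) return out;
        for (String entry : value.split(",")) {
            String t = entry.trim();
            if (!t.isEmpty()) out.add(t);
        }
        return out;
    }

    // Build a one-line override entry with only TLSv1 and TLSv1.1 removed,
    // so every other restriction (RC4, DES, small keys, ...) stays in force.
    static String overrideLine(List<String> disabled) {
        List<String> kept = new ArrayList<>(disabled);
        kept.removeAll(Arrays.asList("TLSv1", "TLSv1.1"));
        return "jdk.tls.disabledAlgorithms=" + String.join(", ", kept);
    }

    public static void main(String[] args) throws Exception {
        // Security.getProperty returns the value with continuation lines merged.
        List<String> disabled = parse(Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("Effective jdk.tls.disabledAlgorithms: " + disabled);

        List<String> enabled = Arrays.asList(
                SSLContext.getDefault().getDefaultSSLParameters().getProtocols());
        System.out.println("Protocols enabled for new connections: " + enabled);

        for (String legacy : new String[] {"TLSv1", "TLSv1.1"}) {
            System.out.printf("%-8s disabled by policy: %-5b enabled by default: %b%n",
                    legacy, disabled.contains(legacy), enabled.contains(legacy));
        }
        if (disabled.contains("TLSv1") || disabled.contains("TLSv1.1")) {
            System.out.println("Entry for a per-application override file:");
            System.out.println(overrideLine(disabled));
        }
    }
}
```

Running it once without the override and once with it shows whether the change reached only the intended application or the whole JDK installation.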
