
I have a Tomcat8 instance running behind an Apache server which takes care of SSL offloading. The Java webapp deployed on Tomcat needs to connect to an external service which only supports TLSv1.2.

I added -Dhttps.protocols=TLSv1.2 to setenv.sh of Tomcat. But I still see Tomcat trying to negotiate [2] with TLSv1 as the highest supported TLS version while connecting to the external service. So, I end up getting an error [1] while connecting.

How do I get this to work? Do I need to change any configuration on Apache webserver?

PS: Adding the above flag works (TLS gets upgraded to v1.2) on my local machine where I have only Tomcat8.

[1]

Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
        at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:421)
        at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
        at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572)
        at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180)
        at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294)
        at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:641)
        at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:1066)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:1044)
        at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:1035)

[2]

%% No cached client session
*** ClientHello, TLSv1
....
....
ajp-nio-8009-exec-10, READ: TLSv1.2 Alert, length = 2
ajp-nio-8009-exec-10, RECV TLSv1 ALERT:  fatal, protocol_version
ajp-nio-8009-exec-10, called closeSocket()
ajp-nio-8009-exec-10, handling exception: javax.net.ssl.SSLException: Received fatal alert: protocol_version
ajp-nio-8009-exec-10, IOException in getSession():  javax.net.ssl.SSLException: Received fatal alert: protocol_version
flipcoin

0 Answers
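
A diagnostic for the mismatch described in the question, added here as an example and not part of the original post: it prints the JVM version, the TLS-related system properties, and the client protocols that the default `SSLContext` and a `TLSv1.2` context enable, so the output on the server can be compared with the local machine. The class name `TlsClientCheck` is made up, and the check assumes it is run with the same JVM binary and `-D` flags that Tomcat uses.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added diagnostic, not from the original post. TlsClientCheck is a made-up name.
// Assumption: run with the same JVM binary and -D flags that Tomcat uses.
public class TlsClientCheck {

    // Client-side protocols this context enables when nothing is set explicitly.
    static String[] defaultProtocols(SSLContext ctx) {
        return ctx.getDefaultSSLParameters().getProtocols();
    }

    // Everything the JVM could speak if it were enabled explicitly.
    static String[] supportedProtocols(SSLContext ctx) {
        return ctx.getSupportedSSLParameters().getProtocols();
    }

    // Pin an unconnected socket to TLSv1.2 only (no network I/O happens here).
    // setEnabledProtocols throws IllegalArgumentException if the JVM lacks TLSv1.2.
    static String[] pinnedToTls12(SSLContext ctx) throws Exception {
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            socket.setEnabledProtocols(new String[] {"TLSv1.2"});
            return socket.getEnabledProtocols();
        }
    }

    static void show(String label, String[] protocols) {
        System.out.printf("%-34s %s%n", label, Arrays.toString(protocols));
    }

    public static void main(String[] args) throws Exception {
        for (String key : new String[] {"java.version", "java.home",
                "https.protocols", "jdk.tls.client.protocols"}) {
            System.out.printf("%-34s %s%n", key, System.getProperty(key));
        }
        SSLContext def = SSLContext.getDefault();
        show("default context, enabled", defaultProtocols(def));
        show("default context, supported", supportedProtocols(def));

        // A context requested by name, as client code can do when the defaults are too old.
        SSLContext tls12 = SSLContext.getInstance("TLSv1.2");
        tls12.init(null, null, null); // default key managers, trust managers, randomness
        show("TLSv1.2 context, enabled", defaultProtocols(tls12));
        show("socket pinned to TLSv1.2", pinnedToTls12(tls12));
    }
}
```

If the "default context, enabled" line on the server stops at TLSv1 while the local machine lists TLSv1.2, the two hosts differ in the JVM itself or in the flags that actually reach it.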