Enable TLS 1.1 and 1.2 for Clients on Java 7



Java 7 disables TLS 1.1 and 1.2 for clients. From Java Cryptography Architecture Oracle Providers Documentation:

Although SunJSSE in the Java SE 7 release supports TLS 1.1 and TLS 1.2, neither version is enabled by default for client connections. Some servers do not implement forward compatibility correctly and refuse to talk to TLS 1.1 or TLS 1.2 clients. For interoperability, SunJSSE does not enable TLS 1.1 or TLS 1.2 by default for client connections.

I'm interested in enabling the protocols on a system wide setting (perhaps through a config file), and not a per-Java-application solution.

How do I administratively enable TLS 1.1 and 1.2 system wide?

Note: since POODLE, I would like to administratively disable SSLv3 system wide. (The problems with SSLv3 predate POODLE by at least 15 years, but Java/Oracle/Developers did not respect basic best practices, so users like you and me are left with cleaning up the mess).

Here's the Java version:

$ /Library/Java/JavaVirtualMachines/jdk1.7.0_07.jdk/Contents/Home/bin/java -version
java version "1.7.0_07"
Java(TM) SE Runtime Environment (build 1.7.0_07-b10)
Java HotSpot(TM) 64-Bit Server VM (build 23.3-b01, mixed mode)


Posted 2014-04-29T04:57:20.543

Reputation: 1

Only thing that worked for me was setting the default SSLContext as described here: https://stackoverflow.com/questions/39157422/how-to-enable-tls-1-2-in-java-7

– shmert – 2018-02-08T20:53:24.573



You could just add the following property -Dhttps.protocols=TLSv1.1,TLSv1.2 which configures the JVM to specify which TLS protocol version should be used during https connections.

Tomasz Rebizant

Posted 2014-04-29T04:57:20.543

Reputation: 429

6 Please explain more of what this does. Otherwise, this is vague and potentially damaging in the wrong hands. – studiohack – 2015-06-16T15:31:44.633

1 @Thomasz - I kind of agree with others here... How do I do it administratively on a system wide basis? Does it get added to a machine's configuration file? If so, what is the file and where do I add it? – jww – 2015-06-17T01:02:57.937


Maybe this link will help: https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https

You can add the -Dhttps.protocols property as a parameter on the command line, for example:

java -Dhttps.protocols=TLSv1.2 -jar yourapplication.jar

or somewhere in the application (server) configuration files.

You can verify if it works by adding additional param:


After that, when the application negotiates an https connection, it will print all negotiation information, including the protocol version that was used.

– Tomasz Rebizant – 2015-07-10T09:26:10.047

This param (https.protocols) is configuring java virtual machine which protocol version should be used during https connection. – Tomasz Rebizant – 2015-07-10T09:38:34.377

3 @TomaszRebizant, yes, you're correct. For example, adding export JAVA_OPTS="-Dhttps.protocols=TLSv1.1,TLSv1.2" in Tomcat's setenv.sh enables both TLSv1 & TLSv2 for all SSL connections made from apps on the application server. – Zaki – 2015-10-20T14:53:42.173


You could try adding something like the following to your startup script, assuming Java 1.7:

JAVACMD="$JAVACMD -Ddeployment.security.SSLv2Hello=false -Ddeployment.security.SSLv3=false -Ddeployment.security.TLSv1=false -Ddeployment.security.TLSv1.1=true -Ddeployment.security.TLSv1.2=true"

Some other suggestions: https://blogs.oracle.com/java-platform-group/entry/java_8_will_use_tls


Posted 2014-04-29T04:57:20.543

Reputation: 1 857

Where did you find documentation for these properties? I don't see "-Ddeployment.security.{ProtocolName}=true/false" mentioned anywhere in the Java 7 docs. – runcode – 2014-10-22T20:35:59.767

@runcode, not exactly sure, but it is mentioned in the oracle.com blog that is referenced above – cnst – 2014-10-24T05:22:12.217

1 @cnst - the problem here is I need to contact every developer of every piece of Java software, and tell them to do this. Hence the reason I want to do it administratively once on my machine. – jww – 2015-06-17T00:54:00.147

Didn't work for me. – Sridhar Sarnobat – 2018-07-13T18:37:34.940


For Java 7 on Mac OS X, you go to System Preferences > Java, and the Java Control Panel opens in a separate window. Then you go to the Advanced tab and scroll down to the Advanced Security Settings section and check the Use TLS 1.1 and Use TLS 1.2 checkboxes.



Posted 2014-04-29T04:57:20.543

Reputation: 84 656

2 This only works for WebStart Clients and Applets. It does not affect application servers started with java executable. – eckes – 2017-01-24T16:54:36.557

Thanks Spiff. I'm already set up for TLS 1.0 and above as you have shown. However, when I create a SSLSocket (and I assume this happens to other Java programs), TLS 1.0 is enabled (and TLS 1.1 and 1.2 are available). – jww – 2014-04-29T08:51:14.593


You can test this on your system, too (if interested). Download ProtocolTest.java from this bug report and execute it. To compile and execute, run javac ProtocolTest.java && java ProtocolTest in a terminal. See what shows up under Enabled Protocols.

– jww – 2014-04-29T09:30:15.120


I just recently researched this and I want to add: this will not work for the JDK; deployment.properties is only relevant to Applets and other stuff running in the JRE.

For JDK applications (a server which needs to connect to LDAP, for example) the server is a client, but the deployment.security.* properties would not work.

There is no way to change it unless you write some code like SSLContext.getInstance("TLSv1.2");


Posted 2014-04-29T04:57:20.543

Reputation: 81
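The following diagnostic is an added example (not the ProtocolTest.java from the bug report linked in the comments, and not code from any answer here). It prints the supported and enabled client protocols for the JVM's default SSLContext, warns when TLS 1.1/1.2 are missing or SSLv3 is still on, and then shows the per-application fallback from this answer (a TLSv1.2 context installed via SSLContext.setDefault). Run it once with no flags and once with -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 to see whether the flag reached the JVM; the class name ClientProtocolCheck is my own.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.Arrays;

/** Reports what a client SSLSocket would offer under the current JVM settings. */
public class ClientProtocolCheck {

    // An unconnected SSLSocket is enough to read the enabled protocol list; no network needed.
    static String[] enabledProtocols(SSLContext ctx) throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket();
        try {
            return socket.getEnabledProtocols();
        } finally {
            socket.close();
        }
    }

    static void report(String label, SSLContext ctx) throws Exception {
        String[] enabled = enabledProtocols(ctx);
        System.out.println(label + " enabled: " + Arrays.toString(enabled));
        boolean hasModern = false, hasSslv3 = false;
        for (String p : enabled) {
            if (p.equals("TLSv1.1") || p.equals("TLSv1.2")) hasModern = true;
            if (p.equals("SSLv3")) hasSslv3 = true;
        }
        if (!hasModern) System.out.println("  WARNING: TLS 1.1/1.2 are not enabled for clients");
        if (hasSslv3)   System.out.println("  WARNING: SSLv3 is still enabled (POODLE)");
    }

    public static void main(String[] args) throws Exception {
        // The properties the answers rely on; null means the flag never reached this JVM.
        // Note: https.protocols only affects HttpsURLConnection, not raw SSLSocket use.
        System.out.println("https.protocols=" + System.getProperty("https.protocols"));
        System.out.println("jdk.tls.client.protocols=" + System.getProperty("jdk.tls.client.protocols"));

        SSLContext def = SSLContext.getDefault();
        System.out.println("supported: " + Arrays.toString(def.getSupportedSSLParameters().getProtocols()));
        report("default context", def);

        // Per-application fallback: build a TLSv1.2 context and make it the JVM default.
        // On Java 7 this context still enables SSLv3/TLSv1 alongside TLSv1.2, so the
        // SSLv3 warning above tells you whether the fallback alone is sufficient.
        SSLContext tls12 = SSLContext.getInstance("TLSv1.2");
        tls12.init(null, null, null);
        SSLContext.setDefault(tls12);
        report("after SSLContext.setDefault(TLSv1.2)", SSLContext.getDefault());
    }
}
```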


It looks like deployment.security.* settings work for Java Applets and Java Web Start programs running on a desktop. As others mention here you can edit deployment.properties to specify that.

Here is an article that shows how to use a group policy to deploy the same deployment.properties file for all users: http://www.darkoperator.com/blog/2013/1/12/pushing-security-configuration-for-java-7-update-10-via-gpo.html

Unfortunately there is no way to turn this on for all java programs on a computer that directly call java.exe or javaw.exe. You have to find each program that uses java, find the config file where you specify the parameters to pass to java and change it.

For Tomcat we had to pass this so that connections from Tomcat to other servers use TLS 1.1+: -Dhttps.protocols=TLSv1.1,TLSv1.2. On Linux this can be done by editing bin/catalina.sh or by creating bin/setenv.sh.

I don't know what it takes to make Tomcat use only TLS 1.2 on the server side. We front with Apache HTTP.


Posted 2014-04-29T04:57:20.543

Reputation: 677


If you are stuck with Java 7, you can add -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 to the arguments of the JVM.

Note that this has several caveats:

In spite of these shortcomings, I think that this could be useful, especially when the protocol one is interested in uses TLS but is not HTTPS, e.g. LDAPS.

[UPDATE] In my company, which runs its pool of servers on Ubuntu, we've realized that even update 121 of OpenJDK 7 was not enough to implement this correctly. We've updated all servers to update 181 before it worked.


Posted 2014-04-29T04:57:20.543

Reputation: 521