How to disable SSL TLS protocols in Springboot?

Often a requirement comes up to secure not only the application itself but also the connections made to it.

Prior to TLS 1.2, many versions of SSL and TLS came into existence to enforce transport layer security. Each of those earlier versions turned out to be vulnerable to some attack or threat, and those weaknesses were fixed in the next version.

In order to enforce security, you may want to accept connections over TLS v1.2 only, and thus enable TLSv1.2 alone while disabling all other versions: SSLv3, TLS 1.0, TLS 1.1, etc.

The purpose of this article is to list the steps required to enable only TLS 1.2 and disable all other versions in a Springboot application.

PRE-REQUISITES

  • JRE
  • IDE of your choice
  • Springboot Application
  • Certificates – either self-signed or from a public CA

This article assumes that your application has already enabled SSL and has configured certificates and secure HTTP connectors, either programmatically or through configuration.

HOW IT WORKS?

Before we look into the steps, let's first understand how things work. Basically, an application sets up a virtual host/container (Jetty, Tomcat, Undertow, etc.) as well as one or more HTTP listeners.

In a Springboot application, embedded containers are set up using EmbeddedServletContainerFactory during bootstrapping. For Tomcat, TomcatEmbeddedServletContainerFactory is initialized, and likewise for the other containers. These factories set up HTTP Connectors and configure them for

  • Port
  • URI Encoding
  • SSL Settings optionally
  • Compression optionally
  • Protocol Handler etc

HOW TO DISABLE SSL or < TLS 1.2?

  1. In Springboot versions < 1.4.x

    For Springboot applications with versions < 1.4.x, there is no support for disabling protocols through configuration. The application YAML configuration has a few properties to enable SSL, but it does not provide a mechanism to set the SSL enabled protocols.

    Thus, the change has to be done programmatically.

  But how?

  Do I need to initialize the Tomcat factory and Connector myself and stitch everything together?

Luckily, no. Springboot allows you to customize the existing container and, through it, the Connector.

Does that mean I just need to create a customizer and somehow attach it to the already initialized container?

Yes, that's right.

Add the code below and your problem will be solved. What we are doing is that during the service bootstrapping process we inject an

EmbeddedServletContainerCustomizer

and

TomcatConnectorCustomizer

bean, and this way the Spring IoC container stitches them together for you.


import org.apache.catalina.connector.Connector;
import org.springframework.boot.context.embedded.ConfigurableEmbeddedServletContainer;
import org.springframework.boot.context.embedded.EmbeddedServletContainerCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatConnectorCustomizer;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Class name is illustrative; any @Configuration class picked up by component scanning will do
@Configuration
public class TlsConfig {

    /**
     * Attaches the connector customizer to the embedded Tomcat factory.
     * Other containers (Jetty, Undertow) are left untouched by this customizer.
     */
    @Bean
    public EmbeddedServletContainerCustomizer containerCustomizer(final TomcatConnectorCustomizer connectorCustomizer) {
        return new EmbeddedServletContainerCustomizer() {
            @Override
            public void customize(ConfigurableEmbeddedServletContainer container) {
                if (container instanceof TomcatEmbeddedServletContainerFactory) {
                    TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
                    tomcat.addConnectorCustomizers(connectorCustomizer);
                }
            }
        };
    }

    /**
     * Sets up the Tomcat Connector Customizer to enable ONLY TLSv1.2
     * @return Reference to an instance of TomcatConnectorCustomizer
     */
    @Bean
    public TomcatConnectorCustomizer connectorCustomizer() {
        return new TomcatConnectorCustomizer() {
            @Override
            public void customize(Connector connector) {
                // Restrict the HTTPS connector to TLSv1.2; SSLv3, TLSv1 and TLSv1.1 are no longer offered
                connector.setAttribute("sslEnabledProtocols", "TLSv1.2");
            }
        };
    }
}

  2. In Springboot versions > 1.4.x

    For Springboot applications > 1.4.x, things have been made much simpler and can be done through YAML configuration.

server:
  ssl:
    enabled: true
    key-store: classpath:Keystore.jks
    key-store-password: <storepassword>
    key-password: <password>
    key-alias: <yourKeyAlias>
    enabled-protocols: [TLSv1.2]
  port: 8443

enabled-protocols: [TLSv1.2] is the trick here: the list names the only protocol versions the connector will offer, so everything older is disabled.

Simple. Isn’t it?
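Whichever of the two routes you took, it is worth verifying the result from the client side. The following probe is an example added here, not code from the original post: the class name TlsProtocolProbe is hypothetical, and it assumes the service listens on localhost:8443 unless told otherwise. It offers the server exactly one protocol version per handshake and records whether that version was accepted.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Hypothetical helper (not part of the original post): reports which TLS versions a server accepts. */
public class TlsProtocolProbe {

    /** The versions the configuration above should refuse, plus the one it should accept. */
    private static final String[] CANDIDATES = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};

    /**
     * Attempts one handshake per protocol version, offering exactly that version.
     * @return protocol version -> "accepted", or the reason the handshake failed
     */
    public static Map<String, String> probe(String host, int port) {
        Map<String, String> results = new LinkedHashMap<>();
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        for (String protocol : CANDIDATES) {
            try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
                socket.setEnabledProtocols(new String[] {protocol});
                socket.startHandshake();
                results.put(protocol, "accepted");
            } catch (IllegalArgumentException e) {
                // The client JVM does not know this version at all, so nothing was sent to the server
                results.put(protocol, "not supported by this JVM: " + e.getMessage());
            } catch (IOException e) {
                // Typical messages: "Received fatal alert: protocol_version" (server refused the version),
                // "No appropriate protocol" (version disabled in the client's java.security),
                // "PKIX path building failed" (certificate not trusted: fix the client truststore, not the server)
                results.put(protocol, "refused: " + e.getMessage());
            }
        }
        return results;
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;
        for (Map.Entry<String, String> entry : probe(host, port).entrySet()) {
            System.out.println(entry.getKey() + " -> " + entry.getValue());
        }
    }
}
```

With the configuration above in place, only the TLSv1.2 line should read "accepted". For a self-signed certificate, point the client JVM at a truststore containing it (-Djavax.net.ssl.trustStore=...), otherwise TLSv1.2 is reported as refused for trust reasons rather than accepted.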