Tag Archives: Enable TLSv1.2 springboot

How to disable SSL TLS protocols in Springboot?

Often a requirement comes to secure the application as well as the connections made to that application.

Prior to TLS 1.2, many versions of SSL and TLS came into existence to enforce transport layer security. Those previous versions were vulnerable to some sort of attacks\threats and those were fixed in their next version.

In order to enforce security, you may just want to accept connections over TLS v1.2 and thus only enable TLSv1.2 while disabling all other versions- SSLv3, TLS 1.0, TLS 1.1 etc

The purpose of this article is to list down the steps required to enable only TLS 1.2 and disable all other versions in a Springboot Application.


  • JRE
  • IDE of your choice
  • Springboot Application
  • Certificates – be it Self Signed or from Public CA

This article assumes that your application has already enabled SSL  in your application and configured certificates and secure HTTP Connectors either programmatically or through configuration.


Before we look into the steps, lets first understand how things work. Basically, an application sets up a virtual host/container – Jetty or Tomcat or Undertow etc as well as HTTP Listener(s).

In a Springboot application, embedded containers can be setup using


during bootstrapping.

For tomcat,


is initialized and likewise.  These containers set up Connectors (HTTP) and configure connectors for

  • Port
  • URI Encoding
  • SSL Settings optionally
  • Compression optionally
  • Protocol Handler etc


  1. In < Springboot v1.4.x versions

    For Springboot applications with versions < 1.4.x, there is not any support to disable protocols through configuration. APP YAML configuration has few properties to enable SSL but it does not provide a mechanism to set SSL enabled-protocols

    Thus, changes have to be done programmatically.

  But how?

  Do i need to initialize Tomcat Factory and Connector and stitch everything ?

Luckily, not. Springboot allows to customize the existing Container and further customize Connector.

Does that mean i just need to create Customizer and somehow attach it to the existing initialized container?

Yes, that’s right.

Add the below code and Your Problem will be solved. What we are doing is that during Service bootstrapping process, we are injecting a




beans and this way Spring IoC Container will stitch them out for you.

    public EmbeddedServletContainerCustomizer containerCustomizer(TomcatConnectorCustomizer connectorCustomizer) {
        return new EmbeddedServletContainerCustomizer() {
            public void customize(ConfigurableEmbeddedServletContainer container) {
                if (container instanceof TomcatEmbeddedServletContainerFactory) {
                    TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;

     * Sets up the Tomcat Connector Customizer to enable ONLY TLSv1.2
     * @return Reference to an instance of TomcatConnectorCustomizer
    public TomcatConnectorCustomizer connectorCustomizer() {
        return new TomcatConnectorCustomizer {
        public void customize(Connector connector) {
            connector.setAttribute("sslEnabledProtocols", "TLSv1.2");
    }<span 				data-mce-type="bookmark" 				id="mce_SELREST_start" 				data-mce-style="overflow:hidden;line-height:0" 				style="overflow:hidden;line-height:0" 			></span>;

    1. In < Springboot v1.4.x versions

      For Springboot applications > 1.4.x, things have been made much simpler and can be done through YAML configuration.

     enabled: true
     key-store: classpath:Keystore.jks
     key-store-password: <storepassword>
     key-password: <password>
     key-alias: <yourKeyAlias>
     enabled-Protocols: [TLSv1.2]
   port: 8443

enabled-Protocols: [TLSv1.2] is the trick here.

Simple. Isn’t it?