How to solve Client requested protocol TLSv1 is not enabled or supported in server context

francisco.lopez · 2024-12-23 12:22:19 UTC

1. Introduction

In case the following error arises:

javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 is not enabled or supported in server context
at ronda.tcp.SSLProtocolEngine.unwrapData(SSLProtocolEngine.scala:262)
at ronda.tcp.TcpConnection.getBytesFromProtocolEngine(TcpConnection.scala:621)
at ronda.tcp.TcpConnection.ronda$tcp$TcpConnection$$processBytesReceivedAux(TcpConnection.scala:665)
at ronda.tcp.TcpConnection$$anonfun$receive$1.$anonfun$applyOrElse$7(TcpConnection.scala:285)
at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.scala:18)

You can use the following notes to configure/restore security settings to leave them as they were but also as a starting point if you are deploying a Java/Scala application on a different/newer java engine.

2. Locate java.security file

This is the file that controls what protocols are enabled/disabled, what hashing algorightm are approved, etc.

To locate those installed in your system, you can use something like:

root@node02:~# ls -la -tr /usr/local/java/*/jre/lib/security/java.security
-rw-r–r-- 1 root root 41530 mar 29 2018 /usr/local/java/jdk1.8.0_172/jre/lib/security/java.security
-rw-r–r-- 1 root root 42151 jun 3 2019 /usr/local/java/jdk8u212-b04/jre/lib/security/java.security
-rw-r–r-- 1 root root 56028 dic 27 2023 /usr/local/java/jdk8u392-b08/jre/lib/security/java.security
-rw-r–r-- 1 root root 55317 jul 18 15:42 /usr/local/java/jdk8u422-b05/jre/lib/security/java.security

3. Check differences that might be interesting

Use diff tool to find working settings for java working versions with something like:

root@node02:~# diff /usr/local/java/jdk8u392-b08/jre/lib/security/java.security /usr/local/java/jdk8u422-b05/jre/lib/security/java.security | less

< # BEGIN: ASPL
< # jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2,
< # secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1,
< # secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2,
< # sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1,
< # sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1,
< # sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2,
< # X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3,
< # X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3,
< # X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1,
< # brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
< # END: ASPL

4. Once located, remember to backup

Remember to create a backup before applying any change to working java.security file. That way to can diff or revert back.

root@node02:~# cp /usr/local/java/jdk8u422-b05/jre/lib/security/java.security /usr/local/java/jdk8u422-b05/jre/lib/security/java.security.backup

5. Here are some changes recommended

23/12:2024: The following changes are recommended for those systems wanting to provide support to older systems (TLSv1.0 and TLSv1.1) and also to provide default encoding for certain operations using UTF-8:

# BEGIN: ASPL
# jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
# secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
# secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
# sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
# sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
# sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \
# X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \
# X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \
# X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \
# brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
# END: ASPL

# BEGIN: ASPL
# jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
# RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
# SHA1 usage SignedJAR & denyAfter 2019-01-01, \
# include jdk.disabled.namedCurves
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
# END: ASPL

# BEGIN: ASPL
# jdk.security.legacyAlgorithms=SHA1, \
# RSA keySize < 2048, DSA keySize < 2048
jdk.security.legacyAlgorithms=
# END: ASPL

# BEGIN: ASPL
# jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# DSA keySize < 1024, SHA1 denyAfter 2019-01-01, \
# include jdk.disabled.namedCurves
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
# END: ASPL

# BEGIN: ASPL
# jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# DSA keySize < 1024, SHA1 denyAfter 2019-01-01, \
# include jdk.disabled.namedCurves
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
# END: ASPL

# BEGIN: ASPL
# jdk.tls.alpnCharset=ISO_8859_1
jdk.tls.alpnCharset=UTF-8
# END: ASPL