Tuesday, July 17, 2018

Domino with Java 6 and TSL 1.2

Recently I have faced an issue where one of our provider changed SSL and they disabled supporting of TLS 1.0 (as far as I understand it's non secure ourdays) and TLS 1.2 should be used instead. As a result our java agents (which used HttpsURLConnection) could not connect anymore to provider.

Error message looked like this:
Caused by: java.security.AccessControlException: Access denied (javax.net.ssl.SSLPermission setHostnameVerifier)
I have found 2 possible solutions:

Enable TLS 1.2 on Domino (applicable only for 9.0.1 FP3 IF2 and higher)

The Domino JVM is based on Java 1.6 and default settings configured in a way to use TLS 1.0. Luckily our Domino servers had version 9.0.1 FP4 (and TSL 1.2 support has been added since FP3 IF2). So our version was capable to work with 1.2 (in theory) but it took some time to make it work.

In order to configure Domino JVM to use TLS 1.2 you need to:
  1. Create JVM settings file, f.x. C:\Domino\jvmOptions.ini
  2. Add parameter in jvmOptions.ini
  3. Add path to jvmOptions.ini file in notes.ini
After you added settings don't forget to restart Domino server. Keep in mind that setting is global meaning all agents that will start to use TLS1.2 therefore it is definitely worth to verify everything before and after this fix.

Java library solution

If that is not a way you can go with (f.x. Domino has lower version or something won'f work if you switch to TLS 1.2) then it's still possible to make custom Java Library that will make it possible, see link: How to use TLS 1.2 in Java 6.

It worked for me as well, but it requires to give permission in java policy on Domino server.


Daniel Nashed said...

Java 1.6 has a very limited set of Ciphers for TLS 1.2
You are lucky to get a common cipher with a server.

The workaround is good if you cannot upgrade.
But you could install a later Feature Pack and get Java 1.8 with full TLS 1.2 support and current ciphers

Dmytro said...

> But you could install a later Feature Pack and get Java 1.8 with full TLS 1.2 support and current ciphers

Yes, fully agree, most proper way would be to update Java to 1.8 instead of doing work-around. That's most nice solution, but quite often it would be another story for customer to update their environment.

Daniel Nashed said...

If you have to stay with the older JVM, there is a way to use better ciphers. Specially important for TLS 1.2.

Here is another info from what I found out.
I am not sure which ciphers you are getting with your changes.
But you might need to use "Java Cryptography Extension" .. See details here...