Update-crypto to LEGACY doesnt seem to be working properly

My nice Rocky Linux 8.6 box is performing nicely. But I am unable to integrate with legacy systems that use TLSv1. My Rocky box and Java 8 update 321 is set to allow TLSv1 but for some reason it keeps reverting to TLSv1.3.

update-crypto-policies --show

And java.security file removed the TLSv1 from the blacklist of protocols. However, I still get TLSv1.3 used when my Springboot App makes a client SOAP call to a SOAP server. HTTPS is used hence TLSv1 required.
Is there any extra config I need to do to make TLSv1 to happen? Firewall-cmd is my firewall of choice. The server returns TCP RST packets each time as it doesnt like TLSv1.3.

Is there any particular reason why you are still connecting to an obsolete TLS protocol? Pretty much all web browsers now don’t allow such a connection (I know because I had to find an old Windows install with Internet Explorer just to connect to an old IBM Storwize storage array that hasn’t been updated).

This is only going to get harder for you, Ideally you want to be moving whatever it is from TLSv1 to a more up-to-date and supported version of TLS.

I unfortunately have the same issue you have with the IBM storage array. The northbound interface I have to integrate with will only be updated in the next 2 years. And I hate to make these security compromises. But I have no choice for now but to support them until our security auditors enforce the upgrade of the northbound system.

When I play with openssl, I am able to get TLSv1 communication and download the SSL certificate. But it seems like I need to get the java.security settings correct to get this to work.

Yes, crypto-policies does not remove TLS v1.3 for java. It sets jdk.tls.disabledAlgorithms, but does not seem to recognize that lack of TLS1.3 would translate to addition of TLSv1.3 to that list. This is further strengthened by the fact that RHEL’s version of openjdk contains a patch that disables TLS v.1.3 explicitly if FIPS mode is enabled (instead of relying on FIPS crypto-policy).

You can control this behavior by explicitly setting allowed protocol in java.security file, e.g. jdk.tls.client.protocols=TLSv1.

1 Like

Thank you @anthyve. On the retired CentOS 6.x server I was using the tls.client switch worked well. But on Rocky Linux I managed to only get to TLSv1.2.

It seems TLSv1.2 is sufficient for use in this case and it works even if crypto-policies = DEFAULT. I am now pushing to make sure no integration uses TLSv1 since it is part of the protocols that will be phased out soon. This should save me trouble.

1 Like