sslwso2wso2-api-managertls1.1

How to enable TLS 1.1 in wso2 APIM 4.2


I am trying to enable TLSv1.1 version in WSO2 APIM 4.2 by following this documentation, but it does not seem to be working.

To test the configuration, I am using the testsslserver.jar tool:

 java -jar testsslserver.jar localhost 9443 
 java -jar testsslserver.jar localhost 8243 
java -jar TestSSLServer.jar localhost 8243
Supported versions: TLSv1.2
Deflate compression: no
Supported cipher suites (ORDER IS NOT SIGNIFICANT):
  TLSv1.2
     RSA_WITH_AES_128_CBC_SHA
     DHE_RSA_WITH_AES_128_CBC_SHA
     RSA_WITH_AES_256_CBC_SHA
     DHE_RSA_WITH_AES_256_CBC_SHA
     RSA_WITH_AES_128_CBC_SHA256
     RSA_WITH_AES_256_CBC_SHA256
     DHE_RSA_WITH_AES_128_CBC_SHA256
     DHE_RSA_WITH_AES_256_CBC_SHA256
     TLS_RSA_WITH_AES_128_GCM_SHA256
     TLS_RSA_WITH_AES_256_GCM_SHA384
     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
----------------------
Server certificate(s):
  817cfa10c038e0f202c9bdddddddd8b2fe15a7a: CN=localhost, OU=WSO2, O=WSO2, L=Mountain View, ST=CA, C=US
----------------------
Minimal encryption strength:     strong encryption (96-bit or more)
Achievable encryption strength:  strong encryption (96-bit or more)
BEAST status: protected
CRIME status: protected
      WARN - SourceHandler I/O error: Client requested protocol SSLv3 is not enabled or supported in server context
      WARN - SourceHandler I/O error: Client requested protocol TLSv1 is not enabled or supported in server context
      WARN - SourceHandler I/O error: Client requested protocol TLSv1.1 is not enabled or supported in server context

Solution

  • First, you need to check whether TLSv1.1 is enabled in your JDK. In latest jdk versions, TLSv1.1 is disabled by default. In order to enable it, you can follow below steps.

    If the TLSv1.1 is disabled in the JDK, APIM server will not be able to use TLSv1.1 even if you configured the HttpsProtocols.