There was a similar, but not identical, discussion around these topics four years ago, when the code was changed to remove SSLv3 and SSLv2 support. See DERBY-6764 for the full details.

I think it would certainly be possible to change the code in a similar way to allow more configurability, but I am not sure of the implications, and if it is similar to the DERBY-6764 work, a fair amount of testing is required.

According to this article: https://blogs.oracle.com/java-platform-group/jdk-8-will-use-tls-12-as-default you might investigate using the deployment.security.TLSvX.Y=false system property.

Perhaps you could investigate whether the referenced blog article allows a configuration that suits your needs? Please let us know what you learn!

thanks,

bryan

On Mon, Jul 9, 2018 at 3:25 AM, Peter <[email protected]> wrote:
> Hello,
>
> I cannot find a way to force the server to just use TLSv1.2. Currently
> it says:
>
> Apache Derby Network Server - 10.13.1.1 - (1765088) Enabled Protocols
> are TLSv1, TLSv1.1, TLSv1.2
>
> even when using
>
> -Dhttps.protocols=TLSv1.2
>
> or similar settings found on the internet. Then I saw in the source:
>
> SSLContext ctx = SSLContext.getInstance("TLS");
>
> https://github.com/apache/derby/blob/f16c46cbdd5be8dd9bdcee935ec1f68970146478/java/org.apache.derby.commons/org/apache/derby/shared/common/drda/NaiveTrustManager.java#L73
>
> that it seems to ignore command line settings. Is it possible to add
> such a property or a different workaround to avoid older TLS versions?
>
> Regards
> Peter
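Added illustration for the exchange above; this is example code written for this page, not Derby's own code and not from the thread's authors. It shows why `SSLContext.getInstance("TLS")` (or even `"TLSv1.2"`) still yields a server socket with TLSv1 and TLSv1.1 enabled on JDK 8, what the in-code fix looks like (an explicit `setEnabledProtocols` on the server socket), and, in the comments, the JSSE-wide `jdk.tls.disabledAlgorithms` security property that restricts protocol versions without any application change. The class name `Tls12Only` and the override file path are assumptions for the example; no keystore is configured, so handshakes would fail, but socket creation and the protocol lists are real.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

/**
 * Example (not Derby code): how JSSE picks the protocol versions a server
 * socket will accept, and how to pin it to TLSv1.2.
 */
public class Tls12Only {

    // Same lookup Peter quoted from NaiveTrustManager. The name given to
    // getInstance() only caps the *highest* version a socket may negotiate;
    // on JDK 8 a server socket from a "TLS" context (and from a "TLSv1.2"
    // context) still enables TLSv1, TLSv1.1 and TLSv1.2 by default.
    static SSLServerSocket defaultServerSocket() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // no key material: fine for socket creation, not for handshakes
        return (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0);
    }

    // Fix 1 (code change in the server): restrict the socket explicitly.
    // This is the call a new Derby property would have to drive; nothing
    // passed on the command line (such as -Dhttps.protocols, which only
    // affects HttpsURLConnection clients) reaches a plain SSLServerSocket.
    static SSLServerSocket tls12OnlyServerSocket(SSLContext ctx) throws Exception {
        SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0);
        ss.setEnabledProtocols(new String[] {"TLSv1.2"});
        return ss;
    }

    // Fix 2 (no code change): JSSE honours the security property
    // jdk.tls.disabledAlgorithms for protocol names as well as ciphers, and
    // removes listed versions from every SSLSocket/SSLServerSocket in the JVM.
    // It is read when SunJSSE initialises, so set it before any SSLContext is
    // created, either in <java.home>/lib/security/java.security (JDK 8:
    // jre/lib/security/java.security) or via an override file:
    //
    //   java -Djava.security.properties=/etc/derby/tls12.properties ...
    //
    // where the file (path assumed for this example) contains a line like
    //
    //   jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, MD5withRSA, DH keySize < 1024
    //
    // Caveat: the override replaces the whole value, so carry over the entries
    // already present in your JDK's java.security rather than listing only the
    // protocol names; otherwise weak ciphers that were disabled become enabled.

    public static void main(String[] args) throws Exception {
        try (SSLServerSocket ss = defaultServerSocket()) {
            // On JDK 8 this prints the same list Derby logged: TLSv1, TLSv1.1, TLSv1.2
            System.out.println("Default: Enabled Protocols are "
                    + String.join(", ", ss.getEnabledProtocols()));
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);
        try (SSLServerSocket ss = tls12OnlyServerSocket(ctx)) {
            System.out.println("Restricted: Enabled Protocols are "
                    + String.join(", ", ss.getEnabledProtocols()));
        }
    }
}
```

Whichever route is taken, verify from the outside rather than trusting the startup banner: an `openssl s_client -connect <host>:<port> -tls1_1` against the Derby port should fail the handshake once only TLSv1.2 is enabled, and `-tls1_2` should still succeed. Note that `jdk.tls.disabledAlgorithms` applies to the JVM's client sockets too, so a Derby client running with the same override will refuse to talk to a server that still offers only older versions.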
