SSL Config

Configuring Protocols

By default, WS SSL will use the most secure version of the TLS protocol available in the JVM.

  • On JDK 1.7 and later, the default protocol is “TLSv1.2”.
  • On JDK 1.6, the default protocol is “TLSv1”.

The full protocol list in JSSE is available in the Standard Algorithm Name Documentation.

Defining the default protocol

If you want to define a different default protocol, you can set it specifically in the client:

# Passed into SSLContext.getInstance()
ssl-config.protocol = "TLSv1.2"

If you want to define the list of enabled protocols, you can do so explicitly:

# passed into sslContext.getDefaultParameters().setEnabledProtocols()
ssl-config.enabledProtocols = [
  "TLSv1.2",
  "TLSv1.1",
  "TLSv1"
]

If you are on JDK 1.8, you can also set the jdk.tls.client.protocols system property to enable client protocols globally.

WS recognizes “SSLv3”, “SSLv2” and “SSLv2Hello” as weak protocols with a number of security issues, and will throw an exception if they are in the ssl-config.enabledProtocols list. Virtually all servers support TLSv1, so there is no advantage in using these older protocols.

Debugging

The debug options for configuring protocol are:

ssl-config.debug = {
  ssl = true
  sslctx = true
  handshake = true
  verbose = true
  data = true
}

Next: Configuring Cipher Suites