Migrate Spring application to TLS v. 1.3

Recently, we had to migrate our project, a Spring REST backend (not a Spring Boot one), from the default TLS v. 1.2 to TLS v. 1.3. The project is deployed on a Weblogic server 12c.

There are several requirements to support TLS v. 1.3:

  • use Java SE 11 or JDK 8 u261+
  • bouncycastle dependencies should be at version 1.68+
  • the kafka-clients dependency should be at version 2.5.0+
  • spring dependencies should be at version 5.x
  • upgrade the spring-kafka dependency so that it is compatible with the version of the kafka-clients dependency (optional: we could have done the migration without updating the spring-kafka version)

Project use-case

1. Updating dependencies

The following dependencies were updated:

  • as the project was using Spring 4.3.10.RELEASE, we migrated Spring to version 5.3.6
  • org.apache.kafka:kafka-clients has been migrated from version 2.2.0 to 2.6.1

In <root_directory>/pom.xml the kafka-clients version has been changed and the library has been added as a separate dependency.

The existing kafka-clients version 2.2.0 has been excluded in all Maven modules from org.springframework.kafka:spring-kafka etc., and version 2.6.1 has been added as a separate dependency.

If you are using bouncycastle dependencies older than v. 1.68, exclude them and add them as separate dependencies.

In <root_directory>/pom.xml the bouncycastle version has been added as a property with the value 1.68 and the bouncycastle libraries were added as separate dependencies.

In <root_directory>/pom.xml the com.fasterxml.jackson.core:jackson-databind version 2.10.1 dependency has been excluded and we migrated to version 1.12.1.

2. The following application properties were added:

    ssl.enabled.protocols=TLSv1.3,TLSv1.2
    ssl.protocol=TLSv1.3
    ssl.provider=SunJSSE

3. These properties have been included in the Kafka client's configuration (KafkaClusterConfig.java):

    import org.apache.kafka.common.config.SslConfigs;

    // property keys, matching the application properties above
    public static final String SSL_ENABLED_PROTOCOLS = "ssl.enabled.protocols";
    public static final String SSL_PROTOCOL = "ssl.protocol";
    public static final String SSL_PROVIDER = "ssl.provider";

    ...

    // copy the values into the Kafka client config map under the kafka-clients SslConfigs keys
    config.put(SslConfigs.SSL_PROVIDER_CONFIG, PropertiesHolder.getProperty(SSL_PROVIDER));
    config.put(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, PropertiesHolder.getProperty(SSL_ENABLED_PROTOCOLS));
    config.put(SslConfigs.SSL_PROTOCOL_CONFIG, PropertiesHolder.getProperty(SSL_PROTOCOL));

    ...

These options end up in the Kafka producer's configuration through the class hierarchy new KafkaTemplate<>(new DefaultKafkaProducerFactory<>(Map<String, Object> props)).
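As an added example (not code from the article's project), this is how the three properties can be loaded into the Kafka client config together with a preflight check that the running JVM actually implements every enabled protocol, which is the failure you hit on a JDK 8 older than u261. The class name TlsKafkaConfig and the default values are assumptions; the project's PropertiesHolder is replaced by a plain java.util.Properties.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.net.ssl.SSLContext;
import org.apache.kafka.common.config.SslConfigs;

public final class TlsKafkaConfig {
    // Builds the SSL part of the Kafka client config from the application properties
    // and fails fast when the running JVM cannot honour the requested protocols.
    public static Map<String, Object> sslConfig(Properties appProps) throws NoSuchAlgorithmException {
        String enabled = appProps.getProperty("ssl.enabled.protocols", "TLSv1.3,TLSv1.2");
        String protocol = appProps.getProperty("ssl.protocol", "TLSv1.3");
        String provider = appProps.getProperty("ssl.provider", "SunJSSE");
        List<String> enabledList = Arrays.asList(enabled.split("\\s*,\\s*"));

        // Protocols the JVM actually implements; a JDK 8 older than u261 has no TLSv1.3 here
        Set<String> supported = new HashSet<>(Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols()));
        for (String p : enabledList) {
            if (!supported.contains(p)) {
                throw new IllegalStateException("JVM does not support " + p + ", only " + supported);
            }
        }
        // ssl.protocol picks the SSLContext; it must be one of the enabled protocols
        if (!enabledList.contains(protocol)) {
            throw new IllegalStateException(protocol + " is not in ssl.enabled.protocols " + enabledList);
        }

        Map<String, Object> config = new HashMap<>();
        config.put(SslConfigs.SSL_PROVIDER_CONFIG, provider);
        config.put(SslConfigs.SSL_ENABLED_PROTOCOLS_CONFIG, enabledList); // LIST-typed config
        config.put(SslConfigs.SSL_PROTOCOL_CONFIG, protocol);
        return config;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample matching the application properties in the article
        Properties app = new Properties();
        app.setProperty("ssl.enabled.protocols", "TLSv1.3,TLSv1.2");
        app.setProperty("ssl.protocol", "TLSv1.3");
        app.setProperty("ssl.provider", "SunJSSE");
        System.out.println(sslConfig(app));
    }
}
```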

4. Enabling TLS v. 1.3 in Weblogic 12c

For TLS v. 1.3 to be enabled in the Weblogic server, it should:

  • run using Java SE 11 or JDK 8 u261+
  • have the following startup parameters:

    -Djdk.tls.ephemeralDHKeySize=2048
    -Djdk.tls.rejectClientInitiatedRenegotiation=true
    -Dweblogic.security.SSL.ignoreHostnameVerification=false
    -DUseSunHttpHandler=true
    -Dhttps.protocols=TLSv1.3,TLSv1.2
    -Djdk.tls.client.protocols=TLSv1.3,TLSv1.2
    -Djdk.tls.server.protocols=TLSv1.3,TLSv1.2

5. Debugging the communication

To enable SSL debugging, add the following startup parameters to the Weblogic start command line:

    -Djavax.net.debug=ssl:handshake
    -Dweblogic.security.SSL.enforceConstraints=off
    -Dssl.debug=true
    -Dweblogic.StdoutDebugEnabled=true

6. Verification

Search the application's log for SSL handshake messages and check which protocol was chosen for the communication.

Example:

javax.net.ssl|FINE|91|org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1|2021-09-16 14:45:55.455 CEST|ClientHello.java:567|Produced ClientHello handshake message (

"ClientHello": {

 "client version"   : "TLSv1.2",

 ....................................

  "supported_versions (43)": {

   "versions": [TLSv1.3, TLSv1.2]

  },

 ....................................

javax.net.ssl|FINE|91|org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1|2021-09-16 14:45:55.519 CEST|ServerHello.java:867|Consuming ServerHello handshake message (

"ServerHello": {

 "server version"   : "TLSv1.2",

.....................................

  "supported_versions (43)": {

   "selected version": [TLSv1.3]

  }

.....................................

javax.net.ssl|FINE|91|org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1|2021-09-16 14:45:55.521 CEST|ServerHello.java:958|Negotiated protocol version: TLSv1.3

or

javax.net.ssl|FINE|01 F7|kafka-producer-network-thread | producer_ <DOMAIN_NAME>|2021-09-16 15:06:38.334 CEST|ClientHello.java:567|Produced ClientHello handshake message (

"ClientHello": {

 "client version"   : "TLSv1.2",

..........................................

  "supported_versions (43)": {

   "versions": [TLSv1.3, TLSv1.2]

  }

..........................................

javax.net.ssl|FINE|01 F7|kafka-producer-network-thread | producer_ <DOMAIN_NAME>||2021-09-16 15:06:38.392 CEST|ServerHello.java:867|Consuming ServerHello handshake message (

"ServerHello": {

 "server version"   : "TLSv1.2",

..........................................

  "supported_versions (43)": {

   "selected version": [TLSv1.3]

  },

..........................................

javax.net.ssl|FINE|01 F7|kafka-producer-network-thread | producer_<DOMAIN_NAME>||2021-09-16 15:06:38.394 CEST|ServerHello.java:958|Negotiated protocol version: TLSv1.3
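An added example, not from the original article: a small checker that scans javax.net.debug output for the "Negotiated protocol version" lines quoted above and reports every thread whose handshake did not end up on TLSv1.3. The class name and the sample lines are constructed for the example; the producer name and the TLSv1.2 line are invented so that a downgraded handshake is visible in the output.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class HandshakeLogCheck {
    // javax.net.debug lines are pipe separated: logger|level|thread id|thread name|timestamp|source|message.
    // Kafka thread names may themselves contain " | ", so the name is matched lazily up to the timestamp.
    private static final Pattern NEGOTIATED = Pattern.compile(
            "^javax\\.net\\.ssl\\|[^|]*\\|[^|]*\\|(.*?)\\|\\d{4}-.*Negotiated protocol version: (TLSv1\\.[0-9])");

    // Returns thread name -> negotiated TLS version for every completed handshake in the log
    public static Map<String, String> negotiatedVersions(List<String> lines) {
        Map<String, String> result = new LinkedHashMap<>();
        for (String line : lines) {
            Matcher m = NEGOTIATED.matcher(line);
            if (m.find()) {
                result.put(m.group(1).trim(), m.group(2));
            }
        }
        return result;
    }

    // Threads whose handshake settled on something other than the expected version
    public static List<String> notOn(Map<String, String> negotiated, String expected) {
        List<String> bad = new ArrayList<>();
        for (Map.Entry<String, String> e : negotiated.entrySet()) {
            if (!expected.equals(e.getValue())) {
                bad.add(e.getKey() + " -> " + e.getValue());
            }
        }
        return bad;
    }

    public static void main(String[] args) {
        // Constructed sample lines in the format of the javax.net.debug output quoted above
        List<String> sample = Arrays.asList(
            "javax.net.ssl|FINE|91|org.springframework.kafka.KafkaListenerEndpointContainer#0-0-C-1|2021-09-16 14:45:55.521 CEST|ServerHello.java:958|Negotiated protocol version: TLSv1.3",
            "javax.net.ssl|FINE|01 F7|kafka-producer-network-thread | producer_example|2021-09-16 15:06:38.394 CEST|ServerHello.java:958|Negotiated protocol version: TLSv1.3",
            "javax.net.ssl|FINE|12|legacy-http-client-1|2021-09-16 15:07:01.100 CEST|ServerHello.java:958|Negotiated protocol version: TLSv1.2");
        Map<String, String> negotiated = negotiatedVersions(sample);
        System.out.println(negotiated);
        System.out.println("Not on TLSv1.3: " + notOn(negotiated, "TLSv1.3"));
    }
}
```

Run it over the captured log (one line per list entry) after a deployment; an empty "Not on TLSv1.3" list is the result you want before switching the debug parameters off again.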
