I am using SpringBoot based app on Java 17. I need to restrict TLS protocol to a specific version for all the clients that connect to my spring boot based Java app.
I know by default TLS protocols SSLv3, TLSv1, TLSv1.1 are disabled on java 17.
Refer jdk.tls.disabledAlgorithms property in <<JAVA_HOME>>/conf/security/java.security
I am assuming, if required setting the property jdk.tls.disabledAlgorithms is sufficient to make sure my java web application doesn't allow client connections using TLS protocol version less than the configured one.
But I am not fully sure of impact of other java system properties:
jdk.tls.client.protocols: I assume this java system property allows us to enable specific TLS protocols on the client. I am assuming we need to specify this property while starting java client application to make sure client application uses specific TLS version. So setting this property is responsibility of client app. But from my server application point of view, setting jdk.tls.disabledAlgorithms is enough. Is this right assumption?https.protocols: This allows us to control the protocol version used by Java clients which obtain https connections through use of the HttpsURLConnection class. I assume, setting this is again the responsibility of client app.server.ssl.enabled-protocols: Spring also has its own property where we can specify TLS version. I am not sure whether this overrides any default setting of underlying java applicatio`
I did try out with combination of these properties on my client & server sample app. But I am not fully sure about how all these properties interplay with each other.
I appreciate any more explanations on these settings..