Version: 2.2

TLS upgrade

Overview

This security feature is only available on Waratek Elevate; it is not supported on Waratek Secure.

Java applications that run on legacy Java platforms (such as Java 6) that use SSL/TLS communications are vulnerable to numerous critical attacks. This is because legacy Java platforms do not implement or support the latest and more stable stack of TLS protocols and cipher suites. The TLS-Upgrade rule ensures that Java applications running on Java 6 will take advantage of the latest TLS protocols and cipher suites without requiring any code modifications. By enabling this rule all SSL/TLS connections will be upgraded to the latest version of TLS supported by the host JVM.

The TLS-Upgrade rule will only upgrade SSL/TLS server sockets when using the default SSLContext. The upgrade of an SSL/TLS server socket is completely transparent to the application. This is achieved by replacing the old and untrusted cryptographic protocols (such as SSL) with the latest and trusted ones (such as TLSv1.2). Therefore, it provides protection against common cryptography-related weaknesses such as CWE-327 and CWE-326.

This rule is aimed at versions of Java 6 up to and including 6u21. The rule does not support versions of Java that are newer than 6u21. This rule will only upgrade SSL/TLS server sockets. Sockets on the client-side will not be upgraded.

If a specific Java configuration is required for SSL/TLS, the host java.security file should be updated accordingly.

When (Event)

accept: IP address and port
    When a specific protect action acting on connections is enforced (e.g. enforcing the TLS upgrade by specifying the connection: upgrade-tls key-value), only the wildcard IP address and port are supported.

Then (Action)

protect: Upgrade SSL/TLS server sockets.
    If configured, a log message is generated with details of the event.

Example

Upgrade TLS on all accepted server connections.

    app("myapp"):
        requires(version: ARMR/2.2)
        socket("Upgrade TLS connections for connections"):
            accept("0.0.0.0:0")
            protect(connection: upgrade-tls, message: "TLS connection upgraded", severity: High)
        endsocket
    endapp

Logging

When the above TLS upgrade rule is triggered a log entry similar to the following is generated:

<13>1 2020-06-17T15:42:50.264+01:00 l-qa02 java 12190 - - CEF:0|ARMR:Walter|Walter|2.2|forced TLS on every connection|Execute Rule|Unknown|rt=Jun 17 2020 15:42:50.263 +0100 dvchost=l-qa02 procid=12190 outcome=success act=protect msg=TLS connection upgraded dst=0 SocketInfo={"port":0,"upgraded":true,"SupportedProtocols":"[SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]"}