TLS upgrade
Overview
This security feature is only available on Waratek Elevate; it is not supported on Waratek Secure.
Java applications that run on legacy Java platforms (such as Java 6) and use SSL/TLS communications are exposed to numerous critical attacks, because those platforms do not implement the current TLS protocol versions and cipher suites. The TLS-Upgrade rule lets Java applications running on Java 6 use the latest TLS protocols and cipher suites without any code modifications: when the rule is enabled, every accepted SSL/TLS connection is upgraded to the latest TLS version supported by the host JVM.
The rule only upgrades SSL/TLS server sockets created from the default SSLContext. Sockets on the client side, and server sockets created from an application-supplied SSLContext, are not upgraded. The upgrade is completely transparent to the application: the old, untrusted protocols (such as SSL) are replaced with current, trusted ones (such as TLSv1.2). This mitigates the common cryptographic weaknesses CWE-327 (use of a broken or risky cryptographic algorithm) and CWE-326 (inadequate encryption strength).
The rule targets versions of Java 6 up to and including 6u21; versions of Java newer than 6u21 are not supported.
If a specific SSL/TLS configuration is required beyond the upgrade itself, update the host JVM's java.security file accordingly.
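The following Java program is an added illustration, not Waratek's code or part of the rule. It opens a server socket from the host JVM's default SSLContext (the only sockets the rule upgrades), prints the protocols and cipher suites the JVM enables on it, and then applies by hand the restriction the rule applies transparently. Running it on the legacy JVM before and after enabling the rule shows the effect; the class name and the strongest-first preference list are this example's own assumptions, and it is written against the Java 6 API so that it compiles on the platforms the rule targets.

```java
import java.net.InetAddress;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Inspects the protocols the host JVM's default SSLContext enables on a server
 * socket (exactly what the TLS-Upgrade rule acts on) and then applies by hand
 * the restriction the rule performs transparently. Java 6 API only.
 */
public class DefaultServerSocketProtocols {

    /** Strongest-first preference order used by this example (an assumption, not the rule's own list). */
    private static final String[] PREFERRED = { "TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1" };

    /** Opens an SSL server socket from the default SSLContext on 0.0.0.0:0, as in the rule example. */
    static SSLServerSocket openDefaultServerSocket() throws Exception {
        SSLContext ctx = SSLContext.getDefault();          // the context the rule upgrades
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        InetAddress wildcard = InetAddress.getByName("0.0.0.0");
        return (SSLServerSocket) factory.createServerSocket(0, 50, wildcard);
    }

    /** Returns the newest protocol in PREFERRED that the JVM supports. */
    static String strongestSupported(String[] supported) {
        for (int i = 0; i < PREFERRED.length; i++) {
            for (int j = 0; j < supported.length; j++) {
                if (PREFERRED[i].equals(supported[j])) {
                    return PREFERRED[i];
                }
            }
        }
        throw new IllegalStateException("JVM supports no TLS version: " + Arrays.toString(supported));
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocket server = openDefaultServerSocket();
        try {
            // On a stock Java 6 JVM the enabled list still contains SSLv3; with the
            // TLS-Upgrade rule active only the newest supported TLS version should remain.
            System.out.println("Supported protocols:  " + Arrays.toString(server.getSupportedProtocols()));
            System.out.println("Enabled protocols:    " + Arrays.toString(server.getEnabledProtocols()));
            System.out.println("Enabled cipher suites: " + Arrays.toString(server.getEnabledCipherSuites()));

            // Manual equivalent for sockets the rule does not cover (an application-created
            // SSLContext, or any client socket): pin the strongest supported protocol
            // before the socket starts accepting connections.
            String best = strongestSupported(server.getSupportedProtocols());
            server.setEnabledProtocols(new String[] { best });
            System.out.println("After manual upgrade: " + Arrays.toString(server.getEnabledProtocols()));
        } finally {
            server.close();
        }
    }
}
```

The program never calls accept(), so it runs without a configured keystore; it only reports what the default context would offer to clients. Sockets built from an application-supplied SSLContext must be hardened by the application itself, as the manual step shows.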
When (Event)
accept | IP address and port. When a protect action that acts on connections is enforced (e.g. the TLS upgrade, specified with the connection: upgrade-tls key-value pair), only the wildcard IP address and port (0.0.0.0:0, as in the example below) are supported. |
Then (Action)
protect | Upgrade SSL/TLS server sockets. If configured, a log message is generated with details of the event. The stacktrace: "full" action parameter is not a valid configuration for the TLS-Upgrade rule. |
Examples
Upgrade every accepted SSL/TLS server connection to the latest TLS version supported by the host JVM, logging each upgrade at severity High:
app("myapp"):
requires(version: ARMR/2.8)
socket("Upgrade TLS connections for connections"):
accept("0.0.0.0:0")
protect(connection: upgrade-tls, message: "TLS connection upgraded", severity: High)
endsocket
endapp
Logging
When the above TLS upgrade rule is triggered, a log entry similar to the following is generated (this sample was produced by a rule whose description and message text differ from the example above):
<10>1 2020-09-14T13:56:40.095+01:00 userX_system java 18420 - - CEF:0|ARMR:Walter|Walter|2.8|Force TCP connections to use TLS for connections|Execute Rule|High|rt=Sep 14 2020 13:56:40.094 +0100 dvchost=ckang-XPS-15-9570 procid=18420 ruleType=socket securityFeature=socket tlsupgrade act=protect msg=Forced TLS on every connection dst=0 localPort=40071 localName=0.0.0.0
The CEF extension identifies the rule type and feature (ruleType=socket, securityFeature=socket tlsupgrade), the enforced action (act=protect), the configured message (msg=...) and the local address of the upgraded server socket (localName and localPort).
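The parser below is an added example, not part of the Waratek product or its documentation. It splits the syslog-wrapped CEF line into its seven header fields and the key=value extension, copes with extension values that contain spaces (securityFeature, msg and rt all do), and flags the event as a TLS-Upgrade protect action. The class name, the embedded sample (copied from the entry above) and the isTlsUpgrade() criterion are this example's own; escaped pipes and backslashes, which the sample does not contain, are not handled.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Parses the syslog-wrapped CEF event emitted by the TLS-Upgrade rule and
 * flags upgrade events, e.g. for SIEM ingestion or a quick audit of agent logs.
 * Java 6 compatible.
 */
public class TlsUpgradeCefEvent {

    /** Sample event copied from the log entry above (constructed input for this demo). */
    static final String SAMPLE =
        "<10>1 2020-09-14T13:56:40.095+01:00 userX_system java 18420 - - "
        + "CEF:0|ARMR:Walter|Walter|2.8|Force TCP connections to use TLS for connections|Execute Rule|High|"
        + "rt=Sep 14 2020 13:56:40.094 +0100 dvchost=ckang-XPS-15-9570 procid=18420 ruleType=socket "
        + "securityFeature=socket tlsupgrade act=protect msg=Forced TLS on every connection "
        + "dst=0 localPort=40071 localName=0.0.0.0";

    /** Extension values may contain spaces, so a value runs until the next " key=" or the end of the line. */
    private static final Pattern KV = Pattern.compile("(\\w+)=(.*?)(?=\\s\\w+=|$)");

    final String signatureId;   // CEF "Device Event Class ID": here the rule description
    final String name;          // CEF "Name": here "Execute Rule"
    final String severity;      // CEF "Severity": the severity configured in the rule
    final Map<String, String> ext = new LinkedHashMap<String, String>();

    private TlsUpgradeCefEvent(String signatureId, String name, String severity) {
        this.signatureId = signatureId;
        this.name = name;
        this.severity = severity;
    }

    /** Returns null for lines that carry no CEF payload. Escaped pipes are not handled. */
    static TlsUpgradeCefEvent parse(String line) {
        int start = line.indexOf("CEF:");
        if (start < 0) {
            return null;
        }
        // CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension
        String[] h = line.substring(start).split("\\|", 8);
        if (h.length < 8) {
            return null;
        }
        TlsUpgradeCefEvent ev = new TlsUpgradeCefEvent(h[4], h[5], h[6]);
        Matcher m = KV.matcher(h[7]);
        while (m.find()) {
            ev.ext.put(m.group(1), m.group(2));
        }
        return ev;
    }

    /** True when the event records the TLS-Upgrade protect action. */
    boolean isTlsUpgrade() {
        return "socket tlsupgrade".equals(ext.get("securityFeature")) && "protect".equals(ext.get("act"));
    }

    public static void main(String[] args) {
        TlsUpgradeCefEvent ev = parse(SAMPLE);
        if (ev == null || !ev.isTlsUpgrade()) {
            System.out.println("not a TLS-Upgrade event");
            return;
        }
        System.out.println("rule:     " + ev.signatureId + " (" + ev.severity + ")");
        System.out.println("message:  " + ev.ext.get("msg"));
        System.out.println("listener: " + ev.ext.get("localName") + ":" + ev.ext.get("localPort")
            + " pid " + ev.ext.get("procid") + " on " + ev.ext.get("dvchost"));
    }
}
```

Matching on securityFeature and act rather than on the free-text rule description keeps the check stable across rules whose description or message text differs, as the sample above and the rule example do.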