I'm using Tomcat (v 7 and v 8 depending on the project) with Java. I want to force Tomcat to use only TLS 1.2 (more specifically, prohibit TLS v1.0 or v1.1). In development in Eclipse I've added
-Dhttps.protocols=TLSv1.2 to the eclipse.ini file; and I've modified the server.xml file with
sslEnabledProtocols="TLSv1.2" sslProtocol="TLSv1.2". This seems to have worked, as when I hit the development server with an old version of Firefox (v 17esr), I get this message in the browser:
Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
This is not good practice, however. It's an ugly error message and doesn't really tell the user what's wrong or how to fix it. My preference would be to identify on the server that the browser is attempting to connect with an outdated version of TLS, and redirect such users to a page notifying them of the need to upgrade their browser if they want to use the site.
One way is to use the user agent though I consider this inelegant, and not necessarily accurate - some browsers give the user control over what TLS version to enable. The browser might support TLS v1.2, but it might disabled by the user.
What's the best practice here for Java/Tomcat? Is there a way to do it using using HttpServletRequest? I'm afraid I would have to re-enable "old" versions of TLS, though, allowing the user to connect via HTTPS, and then identify that the user is using an old version of TLS, and redirect.