TLS Configuration FAQ in Repertoire 8.x

Below is a list of frequently asked questions, with explanations, to help you enforce TLS 1.2 and disable weaker protocols in Elixir Repertoire 8.x environments.

Please note that you will need to be running your Repertoire server in HTTPS mode. Here are some guides to assist you:

1. How do I enforce TLS 1.2 on the JVM?

Add protocol flags to your Repertoire server startup script:

  • For client-side connections: -Djdk.tls.client.protocols=TLSv1.2

  • For server-side listeners: -Djdk.tls.server.protocols=TLSv1.2

  • As an alternative (all-in-one): -Dhttps.protocols=TLSv1.2

This tells the JVM to limit its handshake to TLS 1.2 only. Always restart the server after making changes.

2. What edits are needed in the ERS2.xml (Jetty) configuration?

In Repertoire 8.8.0 and later, you can exclude older protocols directly:

<ers:mbean name="ERS2:name=Jetty">
  …
  <ers:property name="ExcludeSSLProtocols">SSLv3, TLSv1.0</ers:property>
  …
</ers:mbean>

Repertoire 8.6.1 or earlier doesn’t support ExcludeSSLProtocols. Remove any such block to prevent Jetty from ignoring newer flags.

3. How do I disable TLS 1.0 and TLS 1.1 at the JRE level?

Open the $JAVA_HOME/jre/lib/security/java.security file and locate the jdk.tls.disabledAlgorithms setting. Update it as follows:

Before:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, …

After:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, …

Then run:
java -XshowSettings:all -version

to confirm that TLS 1.0 and 1.1 are disabled.

4. Which Java versions are recommended?

  • Java 7 Update 94 and below: TLS 1.2 is technically available but not enabled by default. You’d need to explicitly configure it using system properties or override SSL context settings.

  • Java 7 Update 95 and above: TLS 1.2 is supported but still requires manual enabling unless your application explicitly requests it.

  • Java 8 Update 161 and above: TLS 1.2 is enabled by default, so no extra configuration is needed for most HTTPS or secure socket connections. Starting with Java 8 Update 261, TLS 1.3 support was added as well.

  • IBM Java 8.0.6.30 or higher (if using IBM JDK).

Please note that older or heavily customized JDK builds may default to TLS 1.0 despite proper flags; upgrading often resolves this.

5. How can I verify which TLS protocols my setup supports?

You can execute:
java -XshowSettings:all -version

And look under “Supported TLS Protocols” and “Enabled TLS Protocols.”
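The following is an added example, not part of the Repertoire documentation, that reports the same information from inside the JVM: it prints the protocols the default SSLContext supports and enables, the server-side enabled list of an SSLEngine, the values of the -Djdk.tls.*.protocols flags from question 1 and the jdk.tls.disabledAlgorithms setting from question 3, and exits non-zero if anything older than TLS 1.2 is still enabled. The class name TlsProtocolReport is an arbitrary choice.

```java
import java.security.Security;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Added example (not Repertoire code): report what this JVM supports and enables for TLS.
public class TlsProtocolReport {
    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();
        // getDefaultSSLParameters() reflects the client-side defaults
        // (jdk.tls.client.protocols / https.protocols).
        SSLParameters clientEnabled = ctx.getDefaultSSLParameters();

        // An engine switched to server mode picks up the server-side defaults
        // (jdk.tls.server.protocols), which is what a Jetty listener would use.
        SSLEngine serverEngine = ctx.createSSLEngine();
        serverEngine.setUseClientMode(false);

        System.out.println("Java version:                " + System.getProperty("java.version"));
        System.out.println("Supported TLS protocols:     " + Arrays.toString(supported.getProtocols()));
        System.out.println("Enabled (client) protocols:  " + Arrays.toString(clientEnabled.getProtocols()));
        System.out.println("Enabled (server) protocols:  " + Arrays.toString(serverEngine.getEnabledProtocols()));
        System.out.println("jdk.tls.client.protocols:    " + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("jdk.tls.server.protocols:    " + System.getProperty("jdk.tls.server.protocols"));
        System.out.println("https.protocols:             " + System.getProperty("https.protocols"));
        System.out.println("jdk.tls.disabledAlgorithms:  " + Security.getProperty("jdk.tls.disabledAlgorithms"));

        // Fail loudly if a weak protocol is still enabled on either side, so this
        // can be wired into a pre-start check of the Repertoire startup script.
        boolean weak = false;
        for (String p : clientEnabled.getProtocols()) {
            weak |= reportIfWeak("client", p);
        }
        for (String p : serverEngine.getEnabledProtocols()) {
            weak |= reportIfWeak("server", p);
        }
        if (weak) {
            System.exit(1);
        }
    }

    // SSLv3, TLS 1.0 and TLS 1.1 are the versions this FAQ is trying to remove.
    static boolean reportIfWeak(String side, String protocol) {
        if (protocol.equals("SSLv3") || protocol.equals("TLSv1") || protocol.equals("TLSv1.1")) {
            System.err.println("WEAK PROTOCOL STILL ENABLED (" + side + "): " + protocol);
            return true;
        }
        return false;
    }
}
```

Compile with javac TlsProtocolReport.java and run it with the same JVM and the same flags as the Repertoire server, for example java -Djdk.tls.client.protocols=TLSv1.2 -Djdk.tls.server.protocols=TLSv1.2 TlsProtocolReport. If the server-side list still shows TLSv1 while the flags are set, the java.security edit from question 3 has not taken effect for the JVM actually being started.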

6. What if Jetty still defaults to TLS 1.0 after all changes?

  • Ensure no older ExcludeSSLProtocols property is lingering in ERS2.xml.
  • Check your load balancer or reverse proxy, which may impose its own SSL settings.
  • Confirm you are running the Repertoire instance directly with the updated JVM flags.
  • If persistent problems remain, consider upgrading to Repertoire 8.10 for more straightforward SSL configuration.
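The checks above concern the Jetty side; whether a load balancer or reverse proxy in front of it still accepts TLS 1.0 or 1.1 can only be seen from the client's side. The following is an added example, not part of the Repertoire documentation, that attempts one handshake per protocol version against the HTTPS endpoint clients actually connect to and reports which versions the endpoint accepts. The host name repertoire.example.internal and port 443 are placeholders for your own endpoint, and the class name TlsProtocolProbe is an arbitrary choice.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example (not Repertoire code): probe which TLS versions an endpoint accepts.
public class TlsProtocolProbe {
    private static final String[] VERSIONS = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};

    public static void main(String[] args) {
        // Placeholders: pass your own Repertoire host and port on the command line.
        String host = args.length > 0 ? args[0] : "repertoire.example.internal";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;

        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        for (String version : VERSIONS) {
            System.out.println(version + ": " + probe(factory, host, port, version));
        }
    }

    static String probe(SSLSocketFactory factory, String host, int port, String version) {
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(5000);
            // Offer exactly one version so the outcome is unambiguous.
            socket.setEnabledProtocols(new String[] {version});
            socket.startHandshake();
            return "ACCEPTED (negotiated " + socket.getSession().getProtocol() + ")";
        } catch (IllegalArgumentException e) {
            // The probing JVM does not know this version at all (e.g. TLSv1.3 on an
            // older Java 8 update).
            return "not supported by the probing JVM";
        } catch (IOException e) {
            if (causedByCertificateProblem(e)) {
                // The server already answered with this version; only the chain
                // failed validation against the probe's trust store.
                return "ACCEPTED by server (certificate chain not trusted by this probe)";
            }
            // Either the probing JVM refused the version itself ("protocol is disabled",
            // from jdk.tls.disabledAlgorithms) or the server / proxy rejected it.
            return "REJECTED: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    // Walk the cause chain looking for a certificate validation failure.
    static boolean causedByCertificateProblem(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof CertificateException) {
                return true;
            }
        }
        return false;
    }
}
```

Run the probe from a JVM where TLS 1.0 and 1.1 are not disabled in java.security; otherwise the client refuses those versions before the server is ever asked, and the REJECTED lines describe the probe rather than the endpoint. If TLSv1 or TLSv1.1 shows ACCEPTED while the Jetty-side checks are clean, the accepting component is the load balancer or reverse proxy, and its own TLS settings need the same treatment.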