TLSv1 and TLSv1.1 protocols disabled by default in Data Studio

Henry Simms Administrator
edited December 2023 in General

Towards the end of 2021, TLSv1 and TLSv1.1 protocols became disabled by default in Java 8, on which Aperture Data Studio is built.

As a result, when you upgrade to a new version of Data Studio, if you are using Data Studio's packaged OpenJDK, you may find that some connections to External systems (e.g. JDBC) no longer work. You may see errors like:

  • No appropriate protocol (protocol is disabled or cipher suites are inappropriate)
  • SSL Handshake failed: The server selected protocol version TLS11 is not accepted by client preferences
  • The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "The server selected protocol version TLS10 is not accepted by client preferences [TLS12]"

If you see this issue, the recommended course of action would be to connect to the external system using TLS 1.2, 1.3, or some other supported protocol - TLS 1.0 and 1.1 are considered to offer weaker security.

If you really do still need to connect to SSL services over these weaker protocols, for example because you connect to a legacy application which does not support modern algorithms, you have the option to modify Java's java.security file, to re-enable TLSv1 and TLSv1.1. Only do this if you are confident that you want to allow such connections.

Re-enabling TLSv1 and TLSv1.1

Locate the java.security file for the JRE used by Data Studio. By default this will be in C:\Program Files\Experian\Aperture Data Studio <version>\java64\jre\lib\security\java.security. In this file, find the line that disables weaker algorithms:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
  DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
  include jdk.disabled.namedCurves

Remove the algorithms you want to re-enable, save, and restart Data Studio.

Using a separate java.security file

Unless you have configured Data Studio to use an alternate JRE, it will use the version packaged in the installer, which will be updated each time Data Studio is upgraded. As a result, you would need to make the above change to the java.security file after each upgrade.

A solution to this would be to save a version of the java.security file outside the Data Studio application root directory, and override the default file via -Djava.security.properties. Once again, seek advice if you are not sure whether it is advisable to do this in your particular setup. To override the default security properties file:

1) First check that the default security properties file can be overridden. If it can, it will contain the following setting:

security.overridePropertiesFile=true

2) Override the file: In Aperture Data Studio Service 64bit.ini (in the installation root directory), set the path to the new modified security properties file by adding the following to the Virtual Machine Parameters= line:

-Djava.security.properties="D:\path\to\myedited.java.security"
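
An added example, not part of the original post or of Data Studio: a Python check that parses a java.security file (joining the backslash-continued lines), reports whether TLSv1 and TLSv1.1 are still listed in jdk.tls.disabledAlgorithms and whether security.overridePropertiesFile=true is set, and builds the single property line that re-enables only a named protocol. The sample text is constructed from the lines quoted above and the function names are hypothetical. It assumes the override file is passed with a single "=", in which case Java layers its properties over the default file, so the override file needs only the property being changed.

```python
# Added example: audit a java.security file for legacy TLS settings.
# SAMPLE is constructed from the lines quoted in the post, not read from a real install.
SAMPLE = r"""
# constructed sample
security.overridePropertiesFile=true
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
  DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
  include jdk.disabled.namedCurves
"""
KEY = "jdk.tls.disabledAlgorithms"

def parse_properties(text):
    """Parse key=value lines, joining lines that end with a backslash."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or comment
        if line.endswith("\\"):
            pending += line[:-1]  # continuation: keep collecting
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def disabled_algorithms(props):
    return [a.strip() for a in props.get(KEY, "").split(",") if a.strip()]

def audit(text, legacy=("SSLv3", "TLSv1", "TLSv1.1")):
    """Report which legacy protocols the file still blocks or now allows."""
    props = parse_properties(text)
    disabled = disabled_algorithms(props)
    return {
        "override_allowed": props.get("security.overridePropertiesFile") == "true",
        "still_disabled": [p for p in legacy if p in disabled],
        "re_enabled": [p for p in legacy if p not in disabled],
    }

def override_line(text, reenable):
    """Single property for a separate override file: drop only the named
    protocols and keep every other restriction from the default file."""
    keep = [a for a in disabled_algorithms(parse_properties(text)) if a not in reenable]
    return KEY + "=" + ", ".join(keep)

if __name__ == "__main__":
    print(audit(SAMPLE))
    line = override_line(SAMPLE, {"TLSv1.1"})
    print(line)
    print(audit(line))  # TLSv1.1 now reported as re-enabled
```

Running the audit against the edited file after each upgrade shows whether the packaged java.security has reverted to the defaults or still carries the weakened setting.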

Comments

  • Henry Simms Administrator
    edited March 2023

    The January 2023 Data Studio v2.9.7 release upgraded from Java 8 to Java 17. The java.security properties file (containing default values of security properties) has been updated since Java 8, and can now be found at java64/conf/security/java.security in the Data Studio installation directory.

    If you were using the approaches described above to modify java.security in earlier versions of Data Studio, after upgrading I would recommend taking the Java 17 properties file and re-applying the changes.

    Only do this if you are confident that you want to allow connections using weaker protocols.