如何使用TLS1.0 / TLS1.1强制加载Java Applet

Question

I have an web application from which multiple users loads a Java applet. Now there is a problem that the loadbalancer does not support TLS1.2 which is the default for Java8 and it seems that Java8 does not automatically try lower version.

How can I force the applet to be loaded using TLS 1.0/1.1? I have tried to put this into the <applet>:

<PARAM name="java_arguments" value="-Dhttps.protocols=TLSv1">

Any help is appreciated, not very keen on solution where hundreds of users need to configure their Java clients.

This the starting point from which this question was brought up: Java applet not loading on Java8/HTTPS

Answer 1

I have an web application from which multiple users loads a Java applet... How can I force the applet to be loaded using TLS 1.0/1.1?

The applet is loaded by the browser, not by Java. So it does not help to make any Java related settings here. These settings are only relevant if the applet itself communicates with the server. Edit: The download is done by the Java plugin. This does not affect the rest of the answer ie that the problem must be fixed at the load balancer.

Now there is a problem that the loadbalancer does not support TLS1.2

Unless the load balancer is broken it will negotiate to a lower protocol version. It is inherent behavior of TLS that both parties agree to the best version both support. But, there are broken load balancers out there which simply do not understand TLS1.2 or behave strange when confronted with larger packets which are more likely with TLS1.2 (older F5, long fixed).

Unfortunately, if this happens to be such an old broken F5 you might be out of luck because a bug in these load balancers caused the packet to be dropped, so that the connection would stay open until timeout. In this case most browsers do not downgrade to a lower TLS version, because they only downgrade on immediate errors like a connection close from the peer. All you can do in this case is to fix the broken load balancer.