Updating this question because I think my main issue is our ORDS Standalone seems stuck in self-signed mode per reply below. At this point I'm not sure if my original problem with only generating tls v1 is related and/or who's the cause and whose the effect. It may be 2 different problems as well.

Sincere thanks if anyone can help. I've been trying to isolate the variables 1 by 1 but no luck so far......

---

Hi, I’ve got an ORDS Standalone Jetty installed with Java 1.8. We need it to produce TLSv1.2 but it only seems to generate TLSv1 instead.

Trace below shows "*** ClientHello, TLSv1.2"  followed by  "*** ServerHello, TLSv1".

I suspect something is wrong in the java.security default values but I can't figure out what to change.

Thanks ahead of time for any help/ideas anyone may have ?

--------------------------

Oracle DB=12.2, ORDS=18.1, Apex=5.1, OS=AIX

works fine from IE 11 so long as TLS1 is enabled

--------------------------

java -version

java version "1.8.0"

Java(TM) SE Runtime Environment (build pap6480sr4fp10-20170727_01(SR4 FP10))

IBM J9 VM (build 2.8, JRE 1.8.0 AIX ppc64-64 Compressed References 20170722_357405 (JIT enabled, AOT enabled)

J9VM - R28_20170722_0201_B357405

JIT  - tr.r14.java_20170722_357405

GC   - R28_20170722_0201_B357405_CMPRSS

J9CL - 20170722_357405)

JCL - 20170726_01 based on Oracle jdk8u144-b01

--------------------------

echo $JAVA_HOME

/usr/java8_64

echo $PATH

....omitted....:/user/java8_64/jre/bin:/usr/java8_64/bin:.....omitted.....

--------------------------

java -Djavax.net.debug=ssl:handshake:verbose -Dhttps.protocols=TLSv1.2 -jar ords.war standalone > zzz

selected contents of zzz are:

IBMJSSE2 will not allow protocol SSLv3 per com.ibm.jsse2.disableSSLv3 set to TRUE or default

IBMJSSEProvider2 Build-Level: -20170606

...

Installed Providers =

IBMJSSE2

IBMJCE

IBMJGSSProvider

IBMCertPath

IBMSASL

IBMXMLCRYPTO

IBMXMLEnc

IBMSPNEGO

SUN

SSLContextImpl:  Using X509ExtendedKeyManager org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager

SSLContextImpl:  Using X509TrustManager com.ibm.jsse2.aB

JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8

trigger seeding of SecureRandom

done seeding SecureRandom

IBMJSSE2 will enable CBC protection

JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8

JsseJCE:  Using signature SHA1withECDSA from provider TBD via init

JsseJCE:  Using signature NONEwithECDSA from provider TBD via init

JsseJCE:  Using KeyAgreement ECDH from provider IBMJCE version 1.8

JsseJCE:  Using KeyFactory EC from provider IBMJCE version 1.8

JsseJCE:  Using KeyPairGenerator EC from provider TBD via init

jdk.tls.client.protocols is defined as null

SSLv3 protocol was requested but was not enabled

SSLv3 protocol was requested but was not enabled

SUPPORTED: [TLSv1, TLSv1.1, TLSv1.2]

SERVER_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]

CLIENT_DEFAULT: [TLSv1, TLSv1.1, TLSv1.2]

IBMJSSE2 will enable CBC protection

Using SSLEngineImpl.

...

IBMJSSE2 will allow RFC 5746 renegotiation per com.ibm.jsse2.renegotiate set to none or default

IBMJSSE2 will not require renegotiation indicator during initial handshake per com.ibm.jsse2.renegotiation.indicator set to OPTION

AL or default taken

IBMJSSE2 will not perform identity checking against the peer cert check during renegotiation per com.ibm.jsse2.renegotiation.peer.

cert.check set to OFF or default

IBMJSSE2 will allow client initiated renegotiation per jdk.tls.rejectClientInitiatedRenegotiation set to FALSE or default

Is initial handshake: true

Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_CBC_SHA256

Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256

Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_CBC_SHA256

Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_CBC_SHA256

JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8

JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8

JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8

JsseJCE:  Using AlgorithmParameters EC from provider IBMJCE version 1.8

Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Ignoring unsupported cipher suite: SSL_RSA_WITH_AES_128_GCM_SHA256

Ignoring unsupported cipher suite: SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256

Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256

Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256

Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256

qtp-1006810652-31, READ: TLSv1.2 Handshake, length = 219

*** ClientHello, TLSv1.2

RandomCookie:  GMT: 1507727810 bytes = { .....

...

Extension signature_algorithms, signature_algorithms: SHA256withRSA, SHA384withRSA, SHA512withRSA, SHA1withRSA, SHA256withECDSA, S

HA384withECDSA, SHA512withECDSA, SHA1withECDSA, SHA1withDSA

Unsupported extension type_23, data:

Extension renegotiation_info, ri_length: 0, ri_connection_data: { null }

***

JsseJCE:  Using MessageDigest MD5 from provider IBMJCE version 1.8

JsseJCE:  Using MessageDigest SHA from provider IBMJCE version 1.8

%% Initialized:  [Session-1, SSL_NULL_WITH_NULL_NULL]

ssl: ServerHandshaker.setupPrivateKeyAndChain EC_EC

ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias null

ssl: ServerHandshaker.setupPrivateKeyAndChain RSA

matching alias: selfsigned

ssl: ServerHandshaker.setupPrivateKeyAndChain, chooseEngineServerAlias selfsigned

ssl: ServerHandshaker.setupPrivateKeyAndChain, return true

JsseJCE:  Using KeyPairGenerator EC from provider TBD via init

JsseJCE:  Using SecureRandom IBMSecureRandom from provider IBMJCE version 1.8

JsseJCE:  Using KeyPairGenerator EC from provider TBD via init

ECDHCrypt:  ECDH KeyPairGenerator  from provider from init IBMJCE version 1.8

%% Negotiating:  [Session-1, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA]

*** ServerHello, TLSv1

--------------------------

selected lines from the default jre/lib/security/java.security:

ssl.KeyManagerFactory.algorithm=IbmX509

ssl.TrustManagerFactory.algorithm=PKIX

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \

DSA keySize < 1024, EC keySize < 224

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, 3DES_EDE_CBC, DESede, \

EC keySize < 224

jdk.tls.legacyAlgorithms= \

K_NULL, C_NULL, M_NULL, \

DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \

DH_RSA_EXPORT, RSA_EXPORT, \

DH_anon, ECDH_anon, \

RC4_128, RC4_40, DES_CBC, DES40_CBC

jdk.xml.dsig.secureValidationPolicy=\

disallowAlg http://www.w3.org/TR/1999/REC-xslt-19991116 ,\

disallowAlg http://www.w3.org/2001/04/xmldsig-more#rsa-md5 ,\

disallowAlg http://www.w3.org/2001/04/xmldsig-more#hmac-md5 ,\

disallowAlg http://www.w3.org/2001/04/xmldsig-more#md5 ,\

maxTransforms 5,\

maxReferences 30,\

disallowReferenceUriSchemes file http https,\

minKeySize RSA 1024,\

minKeySize DSA 1024,\

noDuplicateIds,\

noRetrievalMethodLoops