Using TLSv1.2 with Microsoft JDBC driver and Oracle JRE 7

Question

There is an application which runs on Oracle JRE 7 and exchanges data with Microsoft SQL Server using standard Microsoft jdbc driver.

It worked fine until the company where this application is deployed decided to update database to SQL Server 2017 and disabled all TLS protocols lower than TLSv1.2. Now the application is getting following error when trying to connect to SQL Server:

com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. 
Error: "SQL Server did not return a response. The connection has been closed. ClientConnectionId:5892fb2f-67c4-45f5-a01d-cc7c1db8f69e".
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:1667)
    at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1668)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1323)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:991)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:827)
    at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1012)
    at com.mchange.v2.c3p0.DriverManagerDataSource.getConnection(DriverManagerDataSource.java:131)
    at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:156)
    at com.mchange.v2.c3p0.WrapperConnectionPoolDataSource.getPooledConnection(WrapperConnectionPoolDataSource.java:145)
    at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool$1PooledConnectionResourcePoolManager.acquireResource(C3P0PooledConnectionPool.java:200)
    at com.mchange.v2.resourcepool.BasicResourcePool.doAcquire(BasicResourcePool.java:1086)
    at com.mchange.v2.resourcepool.BasicResourcePool.doAcquireAndDecrementPendingAcquiresWithinLockOnSuccess(BasicResourcePool.java:1073)
    at com.mchange.v2.resourcepool.BasicResourcePool.access$800(BasicResourcePool.java:44)
    at com.mchange.v2.resourcepool.BasicResourcePool$ScatteredAcquireTask.run(BasicResourcePool.java:1810)
    at com.mchange.v2.async.ThreadPoolAsynchronousRunner$PoolThread.run(ThreadPoolAsynchronousRunner.java:648)
Caused by: java.io.IOException: SQL Server did not return a response. The connection has been closed. ClientConnectionId:5892fb2f-67c4-45f5-a01d-cc7c1db8f69e
    at com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.ensureSSLPayload(IOBuffer.java:651)
    at com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.readInternal(IOBuffer.java:708)
    at com.microsoft.sqlserver.jdbc.TDSChannel$SSLHandshakeInputStream.read(IOBuffer.java:700)
    at com.microsoft.sqlserver.jdbc.TDSChannel$ProxyInputStream.readInternal(IOBuffer.java:895)
    at com.microsoft.sqlserver.jdbc.TDSChannel$ProxyInputStream.read(IOBuffer.java:883)
    at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
    at sun.security.ssl.InputRecord.read(InputRecord.java:480)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1618)
    ... 13 more

I've enabled SSL handshake logging with -Djavax.net.debug=ssl:handshake:verbose JVM option and I can see that jdbc driver is trying to use TLSv1:

*** ClientHello, TLSv1

I am a developer who supports this application, I have the sources and can make changes to it. In a while this application will be ported to JRE 8 but it will take substantial effort, and for now it would be nice to have some workaround.

What I've found while searching for the solution:

TLS 1.2 was supported in Java 8 but not in Java 7
Updating JRE to 1.7.0_131. But 131 update is available only for those who have Oracle Java support contract. Latest free update of Oracle JDK 7 is 1.7.0_80.

https://social.technet.microsoft.com/Forums/en-US/fb80c86c-97a2-4e35-b998-1030a5c77580/does-jdbc-driver-support-for-tlsv12-with-jre-17
Seems to be exact my problem. One user has found the solution but it only works for IBM JDK.

Answer 1

I ended up with ugly hakish solution, which uses internal jre classes to force using TLS 1.2. I call this function before establishing jdbc connection:

import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import javax.net.ssl.SSLContextSpi;
import sun.security.jca.GetInstance;
import sun.security.jca.ProviderList;
import sun.security.jca.Providers;

public static void enableTLSv12ForMssqlJdbc() throws NoSuchAlgorithmException
{
    ProviderList providerList = Providers.getProviderList();
    GetInstance.Instance instance = GetInstance.getInstance("SSLContext", SSLContextSpi.class, "TLS");
    for (Provider provider : providerList.providers())
    {
        if (provider == instance.provider)
        {
            provider.put("Alg.Alias.SSLContext.TLS", "TLSv1.2");
        }
    }
}

Now I see that jdbc driver uses TLSv1.2 and successfully connects to SQL Server 2017

*** ClientHello, TLSv1.2