My web application is using (is a client of) a REST service that lies behind Apigee, and now that Apigee requires communication only over TLS v1.2, we as a client of that REST service have also been notified that our requests will be refused if we do not configure our web app to use a newer version of TLS.
I am using Java 7 and Tomcat 7, and I know that those versions of Java and Tomcat support TLS v1.2 connections out of the box, but I have not configured SSL/TLS on the Tomcat server since I am using Tomcat only for HTTP and as an outbound proxy for SSL communication.
Question 1:
Is there any way to check what kind of requests my web application on Tomcat is sending, and will those requests be refused by a server that accepts only TLS v1.2?
Question 2:
If it's not configured by default, how do I configure it on Tomcat? I have found this in the official docs, but I am wondering whether this affects only INBOUND or also OUTBOUND connections.
Is there any way to check what kind of requests my web application on Tomcat is sending, and will those requests be refused by a server that accepts only TLS v1.2?
Run with the system property javax.net.debug=ssl -- usually best set in CATALINA_OPTS in setenv.sh or setenv.bat, although there may be other methods -- and capture the rather voluminous trace written to standard output; how to do that varies depending on your environment. This will log all SSL/TLS connections in the JVM process, but since you are not using SSL/TLS (HTTPS) inbound, this should not be a problem.
Alternatively, capture from the network with Wireshark or tcpdump or similar; this may require root or some (Linux) capability, but can be filtered down to only the connection(s) of interest.
Yes, if you (via Java) are sending handshakes that don't offer 1.2, and the server requires (only) 1.2, the handshakes will fail.
If it's not configured by default, how do I configure it on Tomcat? I have found this in the official docs, but I am wondering whether this affects only INBOUND or also OUTBOUND connections.
Yes, that affects only inbound SSL/TLS (HTTPS) connections. Tomcat code in general handles only inbound HTTP or HTTPS connections; any outbound connections are either explicit in your code, or library code you call such as a database driver.
The free versions of Oracle Java 7 implement TLS 1.2 but disable it (and 1.1 also) on the client side by default. How to change this depends on how your code makes the connections, such as through what library, and you didn't provide any information on this. There are many Stack questions about this (many of them years ago), such as:
https://superuser.com/questions/747377/enable-tls-1.1-and-1.2-for-clients-on-java-7
getting javax.net.ssl.SSLException: Received fatal alert: protocol_version while scraping data using Jsoup
Enable TLS 1.2 on JDK7 Client side
How to enable TLSv1.1+ outbound communication from web app on Win10/Tomcat7/Java7?
Server closes connections made using httpclient and Java 7
SSLHandshakeException : Remote host closed connection during handshake
How to enable TLS 1.2 in Java 7
TLS 1.2 was supported in Java 8 but not in Java 7
The last two point out that if you pay for an Oracle support contract you can simply upgrade to 7u131 (or better). Or if you (can) use OpenJDK.