I am in the process of phasing out support for TLS 1.0 and TLS 1.1 for a web application.
I would like to detect users this will impact based on the connections they are making to my servers.
I am running Tomcat 7 and Java 8.
How do I detect the TLS version of an HttpServletRequest?
This is a lot easier than this person describes. If you are using Spring Boot or Tomcat (spring boot is built on Tomcat) you can simply get the information out of the HttpServletRequest attributes automatically put in session. Tomcat puts it in there for you:
HttpServletRequest httpRequest = .....;
String tlsVersion = httpRequest.getAttribute("org.apache.tomcat.util.net.secure_protocol_version");
String tlsCipherSuites = httpRequest.getAttribute("javax.servlet.request.cipher_suite");
You can read more about these attributes and other related attributes in the catalina documentation: https://tomcat.apache.org/tomcat-8.0-doc/api/constant-values.html This is the version 8 tomcat docs, but I don't think this stuff has changed in 15 years or more. It's a pretty safe bet this will work in any version you can get to run.